Solved

Exchange 2010 CAS array question

Posted on 2010-11-12
Last Modified: 2012-05-10
Can someone please clarify the following questions:
We are using hardware load balancers, both internal and external facing.
We have 2 CAS servers.

1. If I create a new CAS array, call it CASarray.domain.net, would I need to publish this name on the internal load balancers? I.e. would the internal host A DNS record point to the load balancers for CASarray.domain.net?

2. We are publishing OWA as mail.domain.net. Would I set the internal name on the CAS servers, and create a host A record to point to the internal load balancers?

3. For the external facing load balancers, would for example the mail.domain.net external DNS record point to the VIP on the external load balancers, which would then in turn route to the internal load balancer that is publishing mail.domain.net?

4. Do we require an SSL certificate to publish EWS? I was planning on using the name mail.domain.net to publish ActiveSync/OA/OWA/ECP. Is this acceptable?

Thank you very much in advance,

S.
Question by:siber1
5 Comments
LVL 58

Accepted Solution

by:
tigermatt earned 500 total points
ID: 34125318

>> Would I need to publish this name on the internal load balancers? I.e. would the internal host A DNS record point to the load balancers for CASarray.domain.net?

Yes, in general. All traffic should go to the load balancer internally. You also want to update the RPCClientAccessServer value on your mailbox databases to point to that CAS array DNS name. If you don't, Outlook could be using just one of your CAS servers, and therefore there would be no redundancy.

>> We are publishing OWA as mail.domain.net. Would I set the internal name on the CAS servers, and create a host A record to point to the internal load balancers?

Yes, you would create a mail.domain.net record in both public and private DNS (this is known as split DNS). The public one points to your externally facing CAS publishing system, the private one to the internally facing balancer. You can then set your internal and external URLs on the OWA, ECP, ActiveSync etc. virtual directories to the same mail.domain.net, which means users use just one value to log in to OWA whether internal or external to the network.

>> For the external facing load balancers, would for example the mail.domain.net external DNS record point to the VIP on the external load balancers, which would then in turn route to the internal load balancer that is publishing mail.domain.net?

To be honest, I'd publish everything through one set of load balancers, rather than have two different sets.

However, if you do need to use two, I wouldn't recommend pointing the external through the internal balancers. Point both direct to the CAS servers. It depends on how you configure it, but you could run into affinity issues otherwise with all traffic from one external load balancer passing to one particular CAS server (which clearly you don't want to be the case).

>> Do we require an SSL certificate to publish EWS? I was planning on using the name mail.domain.net to publish ActiveSync/OA/OWA/ECP. Is this acceptable?

Yes, but the certificate you install for OWA and the other features will cover this too.

Matt
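As an added illustration (not part of Matt's answer), the Exchange Management Shell commands that carry out his first two points: create the CAS array, point every mailbox database at it, and set one split-DNS name on the virtual directories of every CAS. Everything except the names from the question is an assumption: the AD site name, the internal VIP 10.0.0.50, the DNS server dns1.domain.net, and the virtual directory set chosen.

```powershell
# Added example (not from the original answer). Assumed names: AD site
# "Default-First-Site-Name", internal load-balancer VIP 10.0.0.50, internal
# DNS server dns1.domain.net; CASarray.domain.net and mail.domain.net come
# from the question itself.
$casArrayFqdn = "CASarray.domain.net"
$owaName      = "mail.domain.net"
$internalVip  = "10.0.0.50"                 # assumed internal LB VIP
$site         = "Default-First-Site-Name"   # assumed AD site

# 1. Create the CAS array object for the site and point every mailbox
#    database at it, so Outlook's RPC endpoint is the array name rather
#    than one individual CAS server (the redundancy point in the answer).
New-ClientAccessArray -Name "CASarray" -Fqdn $casArrayFqdn -Site $site
Get-MailboxDatabase | Set-MailboxDatabase -RpcClientAccessServer $casArrayFqdn

# Internal DNS only. The array name is an RPC endpoint, not an HTTPS name:
# it needs no certificate entry and should never resolve from the Internet.
# mail.domain.net gets the same internal record (the private half of split DNS).
dnscmd dns1.domain.net /RecordAdd domain.net CASarray A $internalVip
dnscmd dns1.domain.net /RecordAdd domain.net mail A $internalVip

# 2. Split DNS: one HTTPS name for everything. InternalUrl and ExternalUrl
#    are set to the same value on every CAS so users log in with one name
#    wherever they are.
foreach ($cas in (Get-ClientAccessServer | Select-Object -ExpandProperty Name)) {
    Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" `
        -InternalUrl "https://$owaName/owa" -ExternalUrl "https://$owaName/owa"
    Set-EcpVirtualDirectory -Identity "$cas\ecp (Default Web Site)" `
        -InternalUrl "https://$owaName/ecp" -ExternalUrl "https://$owaName/ecp"
    Set-ActiveSyncVirtualDirectory -Identity "$cas\Microsoft-Server-ActiveSync (Default Web Site)" `
        -InternalUrl "https://$owaName/Microsoft-Server-ActiveSync" `
        -ExternalUrl "https://$owaName/Microsoft-Server-ActiveSync"
    Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" `
        -InternalUrl "https://$owaName/EWS/Exchange.asmx" `
        -ExternalUrl "https://$owaName/EWS/Exchange.asmx"
    Set-OabVirtualDirectory -Identity "$cas\OAB (Default Web Site)" `
        -InternalUrl "https://$owaName/OAB" -ExternalUrl "https://$owaName/OAB"
}

# Verify: every database must show the array name, and no virtual directory
# should still carry a server-specific URL that bypasses the load balancer.
Get-MailboxDatabase | Format-Table Name, RpcClientAccessServer -AutoSize
Get-OwaVirtualDirectory | Format-Table Server, InternalUrl, ExternalUrl -AutoSize
Get-WebServicesVirtualDirectory | Format-Table Server, InternalUrl, ExternalUrl -AutoSize
```

Run it from the Exchange Management Shell on one CAS; the dnscmd lines run against the internal DNS server only, which is the whole point of keeping the array name out of public DNS.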
Author Comment

by:siber1
ID: 34125336
Thanks Matt, one last question. Would I also publish the "autodiscover" service on the external and internal load balancers?
I'm not clear on how this would work. Can you please clarify? Would this require a separate IP?

Thanks - S.
LVL 58

Expert Comment

by:tigermatt
ID: 34125638

Autodiscover can run from the same IP as the VIP for your external and internal load balancers. Just make sure you create the record in both internal and external DNS and that it is load balanced correctly.

You'll also need to make sure you change the AutodiscoverServiceInternalUri (using Set-ClientAccessServer) on every client access server so all requests for autodiscover internally using the SCP go through the load balanced array.

External requests for autodiscover can go to your load balancers as standard and will simply be passed to one of the CAS servers for processing.

Finally, don't forget that when you purchase your SAN SSL certificate, you need to include the autodiscover name on your certificate request as well as any other names you will require.

Matt
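Again as an added example rather than Matt's own commands: the Set-ClientAccessServer change he describes for the SCP, followed by a SAN certificate request that includes the autodiscover name, and the checks that show both took effect. Assumptions: the name autodiscover.domain.net, the subject fields in the request, the file paths under C:\certs, and the test mailbox.

```powershell
# Added example (not from the original answer). Assumed: autodiscover.domain.net
# as the Autodiscover name, C:\certs for request/response files, the C/O values
# in the subject, and testuser@domain.net as a mailbox to test against.
$autodiscoverName = "autodiscover.domain.net"
$owaName          = "mail.domain.net"
$internalUri      = "https://$autodiscoverName/Autodiscover/Autodiscover.xml"

# Point the SCP on every CAS at the load-balanced name, so domain-joined
# Outlook clients never bind Autodiscover to a single server.
Get-ClientAccessServer | ForEach-Object {
    Set-ClientAccessServer -Identity $_.Name -AutoDiscoverServiceInternalUri $internalUri
}

# Generate the SAN certificate request on one CAS. -DomainName lists every
# HTTPS hostname clients will connect to; the CAS array FQDN is deliberately
# absent because it is an RPC endpoint, not an HTTPS name.
$req = New-ExchangeCertificate -GenerateRequest -KeySize 2048 -PrivateKeyExportable $true `
    -SubjectName "C=GB, O=Example Ltd, CN=$owaName" `
    -DomainName $owaName, $autodiscoverName `
    -FriendlyName "Exchange SAN $owaName"
Set-Content -Path "C:\certs\mail.domain.net.req" -Value $req

# After the CA returns the signed certificate (assumed path), import it and
# bind it to IIS on this CAS. Both array members must present the same
# certificate behind the VIP, so export it and import it on the other CAS too.
$cert = Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path "C:\certs\mail.domain.net.cer" -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# Verify: the IIS-bound certificate must list both names, every CAS must show
# the same SCP URI, and Test-OutlookWebServices exercises Autodiscover, EWS,
# OAB and Availability for the test mailbox.
Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } |
    Format-List Thumbprint, CertificateDomains, NotAfter
Get-ClientAccessServer | Format-Table Name, AutoDiscoverServiceInternalUri -AutoSize
Test-OutlookWebServices -Identity "testuser@domain.net" | Format-List
```

The certificate check is the one worth repeating after any namespace change: a name missing from CertificateDomains shows up as a certificate warning in Outlook and ActiveSync long before anyone reads the event log.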

Author Comment

by:siber1
ID: 34125669
Thanks Matt. Quick question: you mentioned that you would only use one set of load balancers. How would you use a single set of load balancers to publish internal MAPI / OWA etc. as well as internet facing OWA / OA etc.?
Would you really route your internal users through the load balancers in the DMZ?
Just trying to wrap my head around how you would do it with a single set of F5's.

Thanks - S.
LVL 58

Expert Comment

by:tigermatt
ID: 34125699

Good point on putting them in the DMZ.

Personally, in your scenario, I would use something like a Forefront TMG farm (which would also be a firewall between the public/private/DMZ networks) and therefore eliminate the issue with DMZ routing entirely. The one issue with FTMG is that it won't handle MAPI traffic, but forcing Outlook into Outlook Anywhere mode is quite a popular solution to eliminate that issue.

Of course, there's nothing stopping you using two sets of load balancers, and it would probably turn out to be a very elegant solution. Having an external set for the DMZ is a very valid security point and one I hadn't considered (we don't use a DMZ for the reason in my last paragraph). If you do go ahead and do this, I just wouldn't route requests through the external balancers into the internal ones, but rather, publish the CAS servers in the private network directly out to the external load balancer. I know that's a pain with firewall rules, but it means you don't run the risk of swamping a CAS through hops between two separate sets of load balancers.

Matt