Solved

CAS Proxy OWA to different sites

Posted on 2011-02-22
Last Modified: 2012-05-11
I have a problem with proxying OWA that doesn't work between sites.

This is my setup:
1: Site A/CAS/Mailbox/DAG
2: Site A/CAS

3: Site B/CAS/Mailbox/DAG
4: Site B/CAS

Between all servers there is connectivity, with a VPN link between Site A and Site B. I have only one Mailbox that is on the DAG and mounted on Server 1.

Server 1 has OWA internal url set to the host and authentication to integrated. Same goes for Server 3. External url is left empty. These servers are only internal.

Server 2 and 4 have both external url and internal url set to the same name https://webmail.comany.com/owa. Log in is form based. They are both internet facing.

So to my problem. If a user logs in on Server 2 everything works fine since they are proxied to the same site to server 1.

However if a user enters via Server 4 they get an error message:
"A server configuration change is temporarily preventing access to your account. Please close all Internet Explorer windows and try again in a few minutes. If the problem continues, contact your helpdesk."

If I do a switchover so that the mailbox is situated at Server 3 then it works great to log on to Server 4 and the same problem as before if you log on to Server 2.

Can somebody tell me where I can start looking for a solution? Don't really find any logs that help me.
Question by:Findwise
14 Comments

Expert Comment

by:Busbar
ID: 34950363
external name should be different and internal name should point to the internal CAS server FQDN. set it like that, reset IIS and try again

Author Comment

by:Findwise
ID: 34950471
If I set them to different external names I get a redirect. Can't I always get it to proxy to the CAS on the mailbox server? When Server 4 is searching for a CAS server that can connect to the mailbox, why can't it just return Server 1 instead of Server 2?

Expert Comment

by:Busbar
ID: 34950482
you will have it from a single site, you cannot have it in 2 sites. you can do that by removing the external name of the FQDN from server 2.

Author Comment

by:Findwise
ID: 34950524
Can't I trick Server 4 in some way so that it doesn't find Server 2 and instead finds Server 1?

Author Comment

by:Findwise
ID: 34950617
I think I got it working. I removed the internal url on Server 2 and Server 4 and have the same url on external for them. It looks like it's working now actually.

Expert Comment

by:Busbar
ID: 34950638
But how will external traffic be sent?

Author Comment

by:Findwise
ID: 34950693
Or not. After doing a switchover to Server 3 it stopped working again :-(. I guess that some settings were saved for a short time and not updated. However when the switchover occurred it updated it and now it stopped working :-(.

Why should it be so hard :-(. I don't want to have different urls exposed to the users; they should only know about one (whatever site they are on or if they are internally or externally). Think how easy it would be if Server 4 looked for a CAS in the other site that has integrated authentication/no external url enabled, which would be Server 1. Then everything would work. Don't understand why it returns the CAS Server 2.


Expert Comment

by:Busbar
ID: 34950705
it is hard because it is not designed to work like that. it simply won't

Author Comment

by:Findwise
ID: 34950831
Will it always just look for one CAS? And if that fails everything fails? I can't stop access between Server 2 and Server 4? So it will go for the next CAS in the Site? How come it always chose Server 2?

Expert Comment

by:Nenadic
ID: 34950846
Findwise, the simple way to look at it is that you are trying to use the same street address in two different countries and you expect the same people to live there. It's not possible.

Any attempt to trick servers will backfire at site failover. The simple approach is as follows:
While the databases are on Server 1, keep external OWA coming from that site. Server 2 should have External URL configured and your external DNS record for webmail.company.com should point to Site A's external addresses.
If you have a site failure, configure External URL on Server 4, repoint your DNS and users will be able to access the database. That way, your network traffic is always optimised and site failure is handled with relative ease.
The alternative is to go back to the original statement from busbar. You need a separate namespace and you redirect.

Expert Comment

by:Nenadic
ID: 34950883
What do you have on the network edge that translates external requests for webmail.company.com to internal servers? ISA, TMG, firewall NAT? That determines which server is connected to.

Author Comment

by:Findwise
ID: 34950920
Bummer, but thanks for your help.

Is it the same behavior for ActiveSync and EWS webservice? Because I guess they can't return a redirect link for you?

Accepted Solution

by:Nenadic (earned 500 total points)
ID: 34950962
A few differences:
First of all, you need to configure ECP in the same manner as OWA.
EWS will be returned based on OA configuration, as per the user's mailbox, so no redirection.
ActiveSync performs redirection for 6.1+ clients by relying on Error 451 in HTTP.
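The single-namespace layout Nenadic recommends (ExternalUrl only on the CAS in the site that currently holds the mounted database, cleared on the other site's CAS so cross-site requests are proxied rather than redirected, and ECP configured the same way as OWA), written up as an added Exchange 2010 Management Shell script; this is not code from the thread. The host names Server2/Server4 and the shared name webmail.company.com are taken from the thread and assumed to resolve; the DNS repoint on site failure is a separate manual step.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# Assumptions: the internet-facing CAS hosts are named Server2 (Site A) and
# Server4 (Site B), and the shared external name is webmail.company.com.
param(
    [string]$ActiveCas   = "Server2",                      # CAS in the site with the mounted DB
    [string]$StandbyCas  = "Server4",                      # CAS in the other site
    [string]$ExternalUrl = "https://webmail.company.com"   # the one name users know
)

function Set-SiteNamespace {
    param([string]$Cas, [bool]$IsActive)

    # Virtual directory identities use the "SERVER\vdir (Default Web Site)" form.
    $owa = "$Cas\owa (Default Web Site)"
    $ecp = "$Cas\ecp (Default Web Site)"

    if ($IsActive) {
        # Only the active site's CAS advertises the shared ExternalUrl.
        Set-OwaVirtualDirectory -Identity $owa -ExternalUrl "$ExternalUrl/owa"
        Set-EcpVirtualDirectory -Identity $ecp -ExternalUrl "$ExternalUrl/ecp"
    } else {
        # Clear ExternalUrl on the standby site's CAS so it is never chosen as a
        # redirect target; requests that land here are proxied instead.
        Set-OwaVirtualDirectory -Identity $owa -ExternalUrl $null
        Set-EcpVirtualDirectory -Identity $ecp -ExternalUrl $null
    }
}

Set-SiteNamespace -Cas $ActiveCas  -IsActive $true
Set-SiteNamespace -Cas $StandbyCas -IsActive $false

# Verify: ExternalUrl should be populated only on $ActiveCas for both OWA and ECP.
Get-OwaVirtualDirectory | Select-Object Server, InternalUrl, ExternalUrl
Get-EcpVirtualDirectory | Select-Object Server, InternalUrl, ExternalUrl
```

On a site failure, rerun the script with the two server parameters swapped and repoint the external DNS record for webmail.company.com to Site B, as the accepted answer describes; an `iisreset` on the changed CAS servers applies the new URLs immediately.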

Author Closing Comment

by:Findwise
ID: 35034407
It did not really help me but explained well how it works.