systemnet
asked on
Exchange 2010 Multiple Site Outlook Anywhere / CAS question
Hi Guys
I have a question on best practice for the following scenario and have not been able to find any conclusive information anywhere.
Before going any further, here is the Exchange layout:
Site A
Internet Facing CAS with Outlook Anywhere enabled
Valid Trusted SSL Cert
Internal / external URLs match, eg mail.externaldomain.com + autodiscover.externaldomai
Site B
Non-Internet Facing CAS
Mailbox Server
Internal URL only
Self-signed SSL cert
Site C
Non-Internet Facing CAS
Mailbox Server
Internal URL only
Self-signed SSL cert
Now here is the problem. Outlook Anywhere and Proxying from the Internet facing CAS in Site A to the Mailbox Servers in Site B and Site C is working perfectly. As a matter of fact, Outlook Anywhere connections from any clients internally via the CAS in Site A is also working perfectly. However, this is not entirely desirable for the following reasons:
- WAN bandwidth between Site A and Sites B & C is not fantastic. We do not want clients sitting on Sites B and C to connect via the slow WAN connection to Site A just to be proxied back to their own Mailbox Servers which are sitting locally on the same LAN. Traffic is effectively traversing the WAN links twice and adding unnecessary load which is also impacting other non-Exchange services.
- There are Terminal Servers in use at both Site B and Site C. Consequently, Cached Mode is not setup and Outlook is far more sensitive to latency when effectively working "online" against a remote CAS.
To get around this, we disabled Outlook Anywhere via Group Policy at Sites B and C to force the clients to connect directly to the local CAS / Mailbox Servers. This worked, but the clients were then presented with a certificate warning (see attached) stating that the certificate is from a non-trusted authority. This was then remedied by adding the cert to the local trusted authority certificate store.
But this amount of messing around made me question what the best practice for this type of design would be? Surely there must be many cases where you don't want to back-haul Exchange traffic via low bandwidth WAN links just to get it back to Exchange servers which is local to you? Furthermore, shouldn't need to configure your non-Internet facing CAS servers with trusted third party certs, as a matter of fact Microsoft does not recommend it. So a bit puzzled.
Can anybody assist with clarifying this for me?
Many thanks
JM
certwarning.JPG
I have a question on best practice for the following scenario and have not been able to find any conclusive information anywhere.
Before going any further, here is the Exchange layout:
Site A
Internet Facing CAS with Outlook Anywhere enabled
Valid Trusted SSL Cert
Internal / external URLs match, eg mail.externaldomain.com + autodiscover.externaldomai
Site B
Non-Internet Facing CAS
Mailbox Server
Internal URL only
Self-signed SSL cert
Site C
Non-Internet Facing CAS
Mailbox Server
Internal URL only
Self-signed SSL cert
Now here is the problem. Outlook Anywhere and Proxying from the Internet facing CAS in Site A to the Mailbox Servers in Site B and Site C is working perfectly. As a matter of fact, Outlook Anywhere connections from any clients internally via the CAS in Site A is also working perfectly. However, this is not entirely desirable for the following reasons:
- WAN bandwidth between Site A and Sites B & C is not fantastic. We do not want clients sitting on Sites B and C to connect via the slow WAN connection to Site A just to be proxied back to their own Mailbox Servers which are sitting locally on the same LAN. Traffic is effectively traversing the WAN links twice and adding unnecessary load which is also impacting other non-Exchange services.
- There are Terminal Servers in use at both Site B and Site C. Consequently, Cached Mode is not setup and Outlook is far more sensitive to latency when effectively working "online" against a remote CAS.
To get around this, we disabled Outlook Anywhere via Group Policy at Sites B and C to force the clients to connect directly to the local CAS / Mailbox Servers. This worked, but the clients were then presented with a certificate warning (see attached) stating that the certificate is from a non-trusted authority. This was then remedied by adding the cert to the local trusted authority certificate store.
But this amount of messing around made me question what the best practice for this type of design would be? Surely there must be many cases where you don't want to back-haul Exchange traffic via low bandwidth WAN links just to get it back to Exchange servers which is local to you? Furthermore, shouldn't need to configure your non-Internet facing CAS servers with trusted third party certs, as a matter of fact Microsoft does not recommend it. So a bit puzzled.
Can anybody assist with clarifying this for me?
Many thanks
JM
certwarning.JPG
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
You can modify RPCClientAccess Array on existing databases as well with
Set-Mailboxdatabase cmdlet
Please check below article
http://exchangeserverpro.com/exchange-server-2010-cas-array/
I forgot to look after self sign certificate which you already mentioned in question description since you have not mentioned any certificate issues, connectivity failure, outlook or OWA password prompt symptons.
Anyways, u have done correct steps regarding CA
You are still facing any issues ?
Thnaks
Set-Mailboxdatabase cmdlet
Please check below article
http://exchangeserverpro.com/exchange-server-2010-cas-array/
I forgot to look after self sign certificate which you already mentioned in question description since you have not mentioned any certificate issues, connectivity failure, outlook or OWA password prompt symptons.
Anyways, u have done correct steps regarding CA
You are still facing any issues ?
Thnaks
ASKER
Thanks Mahesh, your insights have been very helpful!
ASKER
Thanks for your reply, It was good reading and I can see how the use of a CAS array can assist in this situation by keeping the TCP traffic local.
It is unfortunate that the mailbox databases and malboxes are already in place - the guides suggest that the creation of a CAS array should have taken place before the mailbox databases were populated. But definitely something I will keep in mind for future deployments. The following blog also went some way towards clearing up the use of a CAS array: http://blogs.technet.com/b/exchange/archive/2012/03/23/demystifying-the-cas-array-object-part-1.aspx
I suspect however that despite using a CAS array, we will still be faced with certificate warnings when using Outlook 2010 or later. See the following forum post which discusses the same issue: http://social.technet.microsoft.com/Forums/exchange/en-US/6d000de1-4549-4135-946a-4c5abeac4859/outlook-2010-certificate-alert-when-connecting-to-exchange-2010-server?forum=exchange2010
We ended up setting up an internal CA which resolved it, but still a bit of a pain!
Thanks again for your assistance so far.
JM