Meaning of Internet-facing CAS server

When you install Exchange Server 2010, there is a checkbox to enable "Internet-facing CAS server".
I am not sure what this means. Is this applicable only when you have more than one site with Exchange servers installed on each site?
I worked in an environment where all Exchange servers are in the same site, and I do not think they have the option Internet-facing CAS server enabled.

Any Expert to clear this up?

Thank you
tigermatt commented:
Checking / unchecking the box simply directs Exchange as to what URL (if any) to configure on the "ExternalURL" parameter of the OWA, ECP etc virtual directories. Simple.

So, since that has already been posted, your question actually seems to segue into asking:
"What is the purpose of the 'externalURL' attribute, and when should I worry about it?"

In "simple" deployments (single AD site, handful of servers running the CAS role) you might not immediately appreciate the importance of the {Internal, External} URL parameters on the various virtual directories, particularly if you are only using OWA rather than any of Exchange's more advanced features. IIS is bound to port 443 (and 80, but you use TLS to remotely access your mail, right?) on all IP addresses on a Client Access Server, so will terminate and respond to any traffic reaching the box on that (those) port(s). Whether that traffic comes from an internal or external source is not differentiated at that stage; you will always get SOMETHING back. It is just luck that in the common case, not configuring the server according to recommendation does not cause the functionality to break.

The complexity originates if you have either (a) Exchange deployments across multiple AD sites, or (b) if you plan to use the Outlook Anywhere service from outside the network, where Autodiscover presents the information listed in the "ExternalURL" attributes to provide access to sundry Exchange services (OAB, ECP, availability, out-of-office management, etc.). (There are other cases I have glossed over for simplicity).

Configuring the "ExternalURL" is all about informing Exchange WHAT your external URL namespaces are, and HOW it can access them.

If you have Exchange running across multiple Active Directory sites, the CAS role uses the ExternalURL information as a hint to determine which CAS servers are published directly to the Internet, and what URL they are accessible at. Suppose you have two sites, Europe and Asia, each of which has an Exchange deployment consisting of one or more mailbox servers, and a CAS array behind a load-balanced virtual IP (VIP). Both deployments are accessible remotely as follows:

European users access their mailbox via is a DNS host record pointing at the VIP of the CAS array in the European data center.
Asian users access their mailbox via is configured identically to above, except it is terminated at the Asian facility.

Suppose a European user tries to access their mailbox via the Asian URL (perhaps they have travelled to Asia and are using a terminal pre-configured with that URL). The user's mailbox is in Europe, and the mailbox must be accessed via a CAS in the Europe site. Exchange now has two choices: proxy and redirect.

In the proxy case, the Asian CAS communicates with a European CAS behind-the-scenes and the user will be oblivious to this communication taking place; the user continues to browse via, and all their requests are relayed via the Asian CAS. This occurs if the European CAS servers are not configured with the ExternalURL parameter.
In the redirect case, the Asian CAS overtly redirects the user's session to a CAS in the European site. The URL in the browser will change to, the Asian CAS will completely drop out of the loop, and the user communicates directly with Europe. This occurs if the European CAS servers are configured with a non-null ExternalURL parameter, since Exchange now has a "hint" that they are accessible on a public IP address, and hence there is no need to bounce packets via Asia unnecessarily.

Note that Outlook might use the OWA URL in several locations in its UI, to provide links into the web interface for users. The URL selection process depends upon whether the Outlook client is operating in "internal" mode -- determined by being able to read the Autodiscover Service Connection Point (SCP) -- or "external" mode.

This situation is similar for the ECP, which is also used in various locations by Outlook. There are slightly varied steps which take place for EWS, ActiveSync, etc. You can read all about it for Exchange 2010 here, and I strongly recommend you do so:

The second case in which those URLs are used is Outlook Anywhere's EXPR provider, which publishes connection information for the various Exchange services accessed via the web. If Outlook is running in "external" mode, it will appeal to the CAS for these URLs, and Exchange expects to be able to reply with the data contained in the respective virtual directory externalURL attributes. I suggest reviewing this post at Elan Shudnow's blog for details; it is written for Exchange 2007, but the high-level details are similar:


In response to some points above, I am concerned to see the implication that a CAS array does load balancing. We must take care with phrasing to ensure these types of implications are not made.

Adding a CAS array object in Exchange does NOTHING to load balance traffic between Client Access Servers; it is simply a hint to Exchange as to the logical topology and mutual request handling capability of the CAS in each site.

You still have to configure DNS with the single URL namespace correctly, and you have to implement the load balancing solution separately. You also have to configure the virtual directory URLs to refer to the relevant load-balanced DNS name; the TechNet article I linked above carries further particulars in this regard.
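
The proxy-versus-redirect rule described in the post above, as an added PowerShell example that is not part of the original thread. It models only the rule as stated there (empty ExternalUrl means proxy, non-empty means redirect); the function name `Get-CrossSiteOwaBehaviour` and all server, site and host names are constructed for illustration.

```powershell
# Added example: models the rule described in the post, not Exchange's full logic.
# Sample records are constructed; all server, site and host names are placeholders.
# In the Exchange Management Shell the same shape can be built from live data:
#   Get-ExchangeServer | Where-Object { $_.IsClientAccessServer } | ForEach-Object {
#       $site = [string]$_.Site
#       Get-OwaVirtualDirectory -Server $_.Name |
#           Select-Object Server, @{n='Site';e={$site}}, ExternalUrl }
$owaVdirs = @(
    New-Object PSObject -Property @{ Server='EU-CAS1';   Site='Europe'; ExternalUrl='https://mail.eu.example.com/owa' }
    New-Object PSObject -Property @{ Server='EU-CAS2';   Site='Europe'; ExternalUrl='https://mail.eu.example.com/owa' }
    New-Object PSObject -Property @{ Server='ASIA-CAS1'; Site='Asia';   ExternalUrl='https://mail.asia.example.com/owa' }
    New-Object PSObject -Property @{ Server='BR-CAS1';   Site='Branch'; ExternalUrl=$null }
)

function Get-CrossSiteOwaBehaviour {
    param(
        [Parameter(Mandatory=$true)] [object[]] $VirtualDirectory,
        [Parameter(Mandatory=$true)] [string]   $EntrySite,    # site of the CAS the user reached
        [Parameter(Mandatory=$true)] [string]   $MailboxSite   # site that holds the user's mailbox
    )
    if ($EntrySite -eq $MailboxSite) { return 'served by the CAS the user reached' }

    # CAS virtual directories in the site that holds the mailbox
    $target = @($VirtualDirectory | Where-Object { [string]$_.Site -eq $MailboxSite })
    if ($target.Count -eq 0) { return "no CAS found in site '$MailboxSite'" }

    # A non-empty ExternalUrl is the hint that the site is published to the Internet
    $published = @($target | Where-Object { -not [string]::IsNullOrEmpty([string]$_.ExternalUrl) })
    if ($published.Count -gt 0) {
        return "redirect to $($published[0].ExternalUrl)"
    }
    return "proxy through the $EntrySite CAS"
}

# Traveller with a Europe mailbox entering via Asia, then a Branch mailbox via Asia
Get-CrossSiteOwaBehaviour -VirtualDirectory $owaVdirs -EntrySite 'Asia' -MailboxSite 'Europe'
Get-CrossSiteOwaBehaviour -VirtualDirectory $owaVdirs -EntrySite 'Asia' -MailboxSite 'Branch'
```

The syntax is kept compatible with PowerShell 2.0, which the Exchange 2010 management tools use.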
Sudhir Bidye commented:
It is the server which has direct internet connectivity, where users will be accessing the Exchange services like OWA/ActiveSync/OA from the internet directly and the requests will go to this server.
jskfan (Author) commented:
Usually the CAS server is installed in the same box with the Mailbox server, and they are inside the network. That's how we configured it in the environment I worked in the recent past, and users were able to connect with OWA and with their phones without having the CAS server configured with the internet-facing option.
Amit, IT Architect, commented:
Not required in your case. What does that mean? Read this;
jskfan (Author) commented:
So what is the meaning of << the option Internet-facing CAS server >> if it is not checked?
And when should it be checked?
jskfan (Author) commented:
Can you just paste the explanation here? I want to know why should I check that box and what is the effect behind checking it?
jskfan (Author) commented:
I found the link above, and Paul Cunningham's answer was:
That checkbox during setup takes the external URL you enter in that dialog and makes it the external URL for the CAS virtual directories such as OWA, ActiveSync etc automatically for you.

If you don't tick it you can simply go along later and configure those external URLs manually.

To answer your question, yes you should either check that box or later manually configure the URLs for the internet-facing CAS, even if they are being published by ISA/TMG.

He did not go into too much detail, but if someone can explain it better that might help
Amit, IT Architect, commented:
That means if you configure the External URL on your CAS1 Server, then your external DNS record should point to CAS1 Server.

Say your OWA url for External user is

Now first you need to register this DNS record on public DNS. Now when a user accesses this URL from outside, it will hit your CAS1. If it is behind any firewall or HLB, then that device will redirect the traffic back to your CAS1 server and hence CAS1 server will act as the Internet-facing server.

Normally, we configure this setting later and keep it unchecked during installation, as you need a certificate; however, if you have all in place already, you can define it during installation as well.

Hope this clears your query.
jskfan (Author) commented:
Most environments have at least 2 CAS servers; they create a CAS array and the hardware NLB will point to the IP address of the CAS array.

How should I manually configure the Internet-facing server, considering the number of CAS servers is at least 2?
Assuming CAS roles are on the same servers as Mailbox roles and they are members of the same DAG.
Amit, IT Architect, commented:
Read my answer one more time, it explains everything.
jskfan (Author) commented:
I did...
First you are mentioning CAS1; it sounds like you are targeting just one CAS server. If it fails then the other CAS server will not be seen... That's why I mentioned CAS array.

Second... I do not see the manual configuration of Internet-facing CAS server
MAS (MVE), Technical Department Head, commented:
As mentioned above, the Internet-facing CAS name will be used to configure URLs such as OWA, ActiveSync etc.
And you need to have a CAS array created for the CAS servers. It is recommended to create a CAS array even if you have only one CAS server. So you can do the load balancing either by load balancer or by DNS round robin.

Please let me know if you are not clear or if you have more queries
Mahesh, Architect, commented:
If you would just look at the easy meaning of that word "Internet-facing CAS server" there shouldn't be any confusion.

It is just asking if you want to make this server internet-facing; if so, all virtual directories' external URLs will be set as per the FQDN you enter on the next screen.
The FQDN is just set on the virtual directories; that does not mean it should start working immediately. Exchange is doing that setting in advance for you and you still need to create the required DNS records, name resolution etc.

You might have planned deployment of multiple CAS servers and decided to deploy a CAS array; in that case the FQDN you enter must point to the CAS array (HLB \ NLB FQDN).

If this CAS server is offsite \ another site server from where you don't want to flow internet mail traffic directly, don't select that checkbox, which will keep all virtual directories' external URL same as the internal server FQDN.
Probably you would keep the external URL of the virtual directories blank so that requests would automatically be passed to the internet-facing CAS server.
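
One way to do by hand what the setup checkbox does, for several CAS servers published behind one load-balanced name, as an added example that is not from any poster in the thread. It assumes the Exchange 2010 Management Shell and default virtual directory paths; `mail.example.com`, `CAS1` and `CAS2` are placeholders, and the script only previews changes until `$Preview` is set to `$false`.

```powershell
# Added example for the Exchange Management Shell; all names below are placeholders.
$ExternalFqdn = 'mail.example.com'   # public name that resolves to the load balancer
$CasServers   = 'CAS1', 'CAS2'       # every CAS published behind that name
$Preview      = $true                # $true = -WhatIf only; set to $false to apply

# Virtual directory type -> default path under the external host name
$paths = @{
    Owa         = 'owa'
    Ecp         = 'ecp'
    ActiveSync  = 'Microsoft-Server-ActiveSync'
    Oab         = 'OAB'
    WebServices = 'EWS/Exchange.asmx'
}

foreach ($server in $CasServers) {
    foreach ($kind in $paths.Keys) {
        $url = "https://$ExternalFqdn/$($paths[$kind])"
        # Expands to e.g. Get-OwaVirtualDirectory -Server CAS1 | Set-OwaVirtualDirectory -ExternalUrl ...
        & "Get-${kind}VirtualDirectory" -Server $server |
            & "Set-${kind}VirtualDirectory" -ExternalUrl $url -WhatIf:$Preview
    }
}

# Read the values back so every server behind the name can be compared at a glance
foreach ($server in $CasServers) {
    foreach ($kind in $paths.Keys) {
        & "Get-${kind}VirtualDirectory" -Server $server |
            Select-Object Server, Name, InternalUrl, ExternalUrl
    }
}
```

As the posts above note, the public DNS record and a certificate covering the external name still have to be in place before the URLs are usable.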
jskfan (Author) commented:
I will read your comments later
Amit, IT Architect, commented:
Let us know if you still have doubts.
jskfan (Author) commented:
We have 2 Exchange servers in the DAG and none of them has that checkbox checked.
We have Forefront hosted by a third party.
So since we have not checked those checkboxes, I do not see anything else that we are missing.
This is why I posted this question wanting to know the purpose of checking or unchecking the checkbox.
Steve commented:
'Internet facing' means accessible from the internet in general.

If you do not check that box, your Exchange setup assumes the CAS boxes are only accessed from within your network and leaves references to 'ExternalURL' empty.
If you check the box, a few additional settings are added to the CAS boxes, which mostly results in the appropriate web address being added to the 'ExternalURL' fields.

That's pretty much it really.
MAS (MVE), Technical Department Head, commented:
Agree with totallytonto
jskfan (Author) commented:
In our Exchange 2010 environment, all CAS servers do not have "Internet-facing CAS server" selected, but everything flows fine.
Email goes in and out and there is no problem... This is why I posted this question about the role of "Internet-facing CAS server"
Steve commented:
The CAS server doesn't handle mailflow until 2013 onwards. It's the Hub Transport that handles mailflow in 2010.

An internet-facing CAS server deals with OWA, ActiveSync etc. If that's working OK then don't change it!
jskfan (Author) commented:
Will check it later
Thank you
Question has a verified solution.
