Solved

Meaning of Internet-facing CAS server

Posted on 2015-01-02
Last Modified: 2015-06-16
When you install Exchange server 2010, there is a checkbox to enable "Internet-facing CAS server".
I am not sure what this means. Is this applicable only when you have more than one site with Exchange servers installed on each site?
I worked in an environment where all Exchange servers are in the same site, and I do not think they have the option Internet-facing CAS server enabled.

Any Expert to clear this up?

Thank you
0
Question by:jskfan
23 Comments
 
LVL 3

Assisted Solution

by:Sudhir Bidye
Sudhir Bidye earned 63 total points
ID: 40527667
It is the server which has direct internet connectivity, where users will be accessing the Exchange services like OWA/ActiveSync/OA from the internet directly and the requests will go to this server.
0
 

Author Comment

by:jskfan
ID: 40527732
Usually the CAS server is installed in the same box with the Mailbox server, and they are inside the network. That's how we configured it in the environment I worked in the recent past, and users were able to connect with OWA and with their phones without having the CAS server configured with the internet-facing option.
0
 
LVL 41

Assisted Solution

by:Amit
Amit earned 126 total points
ID: 40527749
Not required in your case. What does that mean? Read this:
http://blogs.technet.com/b/exchange/archive/2009/12/02/3408921.aspx
0
 

Author Comment

by:jskfan
ID: 40541585
So what is the meaning of <<the option Internet-facing CAS server>> if it is not checked?
And when should it be checked?
0
 

Author Comment

by:jskfan
ID: 40548118
Amit

Can you just paste the explanation here? I want to know why I should check that box and what the effect behind checking it is.
0
 

Author Comment

by:jskfan
ID: 40553768
http://exchangeserverpro.com/forums/exchange-server-2010/1337-cas-behind-tmg.html
I found the link above, and Paul Cunningham's answer was:
That checkbox during setup takes the external URL you enter in that dialog and makes it the external URL for the CAS virtual directories such as OWA, ActiveSync etc automatically for you.

 If you don't tick it you can simply go along later and configure those external URLs manually.

 To answer your question, yes you should either check that box or later manually configure the URLs for the internet-facing CAS, even if they are being published by ISA/TMG.


He did not go into too much detail, but if someone can explain it better that might help.
0
 
LVL 41

Assisted Solution

by:Amit
Amit earned 126 total points
ID: 40553981
That means if you configure the External URL on your CAS1 Server, then your external DNS record should point to CAS1 Server.

Say your OWA URL for external users is https://owa.domain.com

Now first you need to register this DNS record on public DNS. Now when a user accesses this URL from outside, it will hit your CAS1. If it is behind any firewall or HLB, then that device will redirect the traffic back to your CAS1 server and hence the CAS1 server will act as the Internet-facing server.

Normally, we configure this setting later and keep it unchecked during installation, as you need a certificate; however, if you have everything in place already, you can define it during installation as well.

Hope this clears your query.
1
 

Author Comment

by:jskfan
ID: 40581306
Amit.


Most environments have at least 2 CAS servers; they create a CAS array and the hardware NLB will point to the IP address of the CAS array.

How should I manually configure the Internet-facing server, considering the number of CAS servers is at least 2?
Assuming CAS roles are on the same servers as Mailbox roles and they are members of the same DAG.
0
 
LVL 41

Expert Comment

by:Amit
ID: 40581632
Read my answer one more time; it explains everything.
0
 

Author Comment

by:jskfan
ID: 40581816
I did ...
first you are mentioning CAS1, it sounds like you are targeting just one CAS server, if it fails then the other CAS server will not be seen...That's why I mentioned CAS array

Second ...I do not see the manual configuration of Internet-facing CAS server
0

 
LVL 24

Assisted Solution

by:-MAS
-MAS earned 62 total points
ID: 40616118
As mentioned above, the Internet-facing CAS name will be used to configure URLs such as OWA, ActiveSync etc.
And you need to have a CAS array created for the CAS servers. It is recommended to create a CAS array even if you have only one CAS server. So you can do the load balancing either by load balancer or by DNS RoundRobin.

Please let me know if you are not clear or if you have more queries
0
 
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 62 total points
ID: 40616165
If you would just look at the easy meaning of that word "Internet-facing CAS server" there shouldn't be a confusion.

It is just asking if you want to make this server internet facing; if so, the external URL of all virtual directories is set as per the FQDN you set in the next screen.
The FQDN is just set on the virtual directories; that does not mean it should start working immediately. Exchange is doing that setting in advance for you, and you still need to create the required DNS records, name resolution etc.

You might have planned deployment of multiple CAS servers and decided to deploy a CAS array; in that case your entered FQDN must point to the CAS array (HLB \ NLB FQDN).

If this CAS server is an offsite \ another site server from where you don't want internet mail traffic to flow directly, don't select that checkbox, which will keep all virtual directories' external URL same as internal server FQDN.
Probably you would keep the external URL of the virtual directories blank so that requests would automatically be passed to the internet-facing CAS server.
0
 

Author Comment

by:jskfan
ID: 40649025
I will read your comments later
0
 
LVL 41

Expert Comment

by:Amit
ID: 40649173
Let us know, if you still have doubts.
0
 

Author Comment

by:jskfan
ID: 40655152
we have 2 Exchange servers in the DAG and none of them has that checkbox checked.
We have Forefront hosted by third party.
So since we have not checked those checkboxes, I do not see anything else that we are missing.
This is why I posted this question wanting to know the purpose of checking or unchecking the checkbox.
0
 
LVL 58

Accepted Solution

by:tigermatt
tigermatt earned 62 total points
ID: 40706319
Checking / unchecking the box simply directs Exchange as to what URL (if any) to configure on the "ExternalURL" parameter of the OWA, ECP etc virtual directories. Simple.

So, since that has already been posted, your question actually seems to segue into asking:
"What is the purpose of the 'externalURL' attribute, and when should I worry about it?"

In "simple" deployments (single AD site, handful of servers running the CAS role) you might not immediately appreciate the importance of the {Internal, External} URL parameters on the various virtual directories, particularly if you are only using OWA rather than any of Exchange's more advanced features. IIS is bound to port 443 (and 80, but you use TLS to remotely access your mail, right?) on all IP addresses on a Client Access Server, so will terminate and respond to any traffic reaching the box on that (those) port(s). Whether that traffic comes from an internal or external source is not differentiated at that stage; you will always get SOMETHING back. It is just luck that in the common case, not configuring the server according to recommendation does not cause the functionality to break.

The complexity originates if you have either (a) Exchange deployments across multiple AD sites, or (b) if you plan to use the Outlook Anywhere service from outside the network, where Autodiscover presents the information listed in the "ExternalURL" attributes to provide access to sundry Exchange services (OAB, ECP, availability, out-of-office management, etc.). (There are other cases I have glossed over for simplicity).

Configuring the "ExternalURL" is all about informing Exchange WHAT your external URL namespaces are, and HOW it can access them.

If you have Exchange running across multiple Active Directory sites, the CAS role uses the ExternalURL information as a hint to determine which CAS servers are published directly to the Internet, and what URL they are accessible at. Suppose you have two sites, Europe and Asia, each of which has an Exchange deployment consisting of one or more mailbox servers, and a CAS array behind a load-balanced virtual IP (VIP). Both deployments are accessible remotely as follows:

European users access their mailbox via https://europe.owa.company.com/owa. europe.owa.company.com is a DNS host record pointing at the VIP of the CAS array in the European data center.
Asian users access their mailbox via https://asia.owa.company.com/owa. asia.owa.company.com is configured identically to above, except it is terminated at the Asian facility.

Suppose a European user tries to access their mailbox via the Asian URL (perhaps they have travelled to Asia and are using a terminal pre-configured with that URL). The user's mailbox is in Europe, and the mailbox must be accessed via a CAS in the Europe site. Exchange now has two choices: proxy and redirect.

In the proxy case, the Asian CAS communicates with a European CAS behind-the-scenes and the user will be oblivious to this communication taking place; the user continues to browse via asia.owa.company.com, and all their requests are relayed via the Asian CAS. This occurs if the European CAS servers are not configured with the ExternalURL parameter.
In the redirect case, the Asian CAS overtly redirects the user's session to a CAS in the European site. The URL in the browser will change to europe.owa.company.com, the Asian CAS will completely drop out of the loop, and the user communicates directly with Europe. This occurs if the European CAS servers are configured with a non-null ExternalURL parameter, since Exchange now has a "hint" that they are accessible on a public IP address, and hence there is no need to bounce packets via Asia unnecessarily.

Note that Outlook might use the OWA URL in several locations in its UI, to provide links into the web interface for users. The URL selection process depends upon whether the Outlook client is operating in "internal" mode -- determined by being able to read the Autodiscover Service Connection Point (SCP) -- or "external" mode.

This situation is similar for the ECP, which is also used in various locations by Outlook. There are slightly varied steps which take place for EWS, ActiveSync, etc. You can read all about it for Exchange 2010 here, and I strongly recommend you do so: https://technet.microsoft.com/en-us/library/bb310763%28v=exchg.141%29.aspx.

The second case in which those URLs are used is Outlook Anywhere's EXPR provider, which publishes connection information for the various Exchange services accessed via the web. If Outlook is running in "external" mode, it will appeal to the CAS for these URLs, and Exchange expects to be able to reply with the data contained in the respective virtual directory externalURL attributes. I suggest reviewing this post at Elan Shudnow's blog for details; it is written for Exchange 2007, but the high-level details are similar: http://www.shudnow.net/2008/11/18/autodiscover-dns-certificates-and-what-you-need-to-know/

---

In response to some points above, I am concerned to see the implication that a CAS array does load balancing. We must take care with phrasing to ensure these types of implications are not made.

Adding a CAS array object in Exchange does NOTHING to load balance traffic between Client Access Servers; it is simply a hint to Exchange as to the logical topology and mutual request handling capability of the CAS in each site.

You still have to configure DNS with the single URL namespace correctly, and you have to implement the load balancing solution separately. You also have to configure the virtual directory URLs to refer to the relevant load-balanced DNS name; the TechNet article I linked above carries further particulars in this regard.
0
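An added example, not part of tigermatt's answer and not Exchange's own code: a simplified PowerShell model of the proxy-versus-redirect choice described in the accepted answer above, driven only by whether the CAS servers in the mailbox's site have a non-empty ExternalUrl. The server names, the Site column and the "Branch" site are hypothetical, constructed sample data.

```powershell
# Constructed sample data. Server names, Site and the Branch site are hypothetical.
# On a real system, Server and ExternalUrl come from:
#   Get-OwaVirtualDirectory | Select-Object Server, ExternalUrl
function New-CasRow($Server, $Site, $ExternalUrl) {
    New-Object PSObject -Property @{ Server = $Server; Site = $Site; ExternalUrl = $ExternalUrl }
}
$OwaDirs = @(
    (New-CasRow 'EU-CAS1'   'Europe' 'https://europe.owa.company.com/owa'),
    (New-CasRow 'EU-CAS2'   'Europe' 'https://europe.owa.company.com/owa'),
    (New-CasRow 'ASIA-CAS1' 'Asia'   'https://asia.owa.company.com/owa'),
    (New-CasRow 'BR-CAS1'   'Branch' $null)   # checkbox left unticked: ExternalUrl empty
)

# Simplified model of the behaviour described in the answer: what does the CAS
# in $EntrySite do with an OWA request for a mailbox homed in $MailboxSite?
function Resolve-OwaRequest {
    param(
        [Parameter(Mandatory = $true)] [string]   $EntrySite,
        [Parameter(Mandatory = $true)] [string]   $MailboxSite,
        [Parameter(Mandatory = $true)] [object[]] $Directories
    )
    $action = 'Serve'; $target = $null   # same site: the entry CAS answers itself
    if ($EntrySite -ne $MailboxSite) {
        $siteCas = @($Directories | Where-Object { $_.Site -eq $MailboxSite })
        if ($siteCas.Count -eq 0) { throw "No CAS known in site '$MailboxSite'" }
        # A non-empty ExternalUrl is the "hint" that the site is published to the Internet.
        $urls = @($siteCas | Where-Object { $_.ExternalUrl } |
                  Select-Object -ExpandProperty ExternalUrl -Unique)
        if ($urls.Count -gt 0) {
            $action = 'Redirect'; $target = $urls[0]          # browser is sent to that URL
        } else {
            $action = 'Proxy';    $target = $siteCas[0].Server # relayed behind the scenes
        }
    }
    New-Object PSObject -Property @{
        EntrySite = $EntrySite; MailboxSite = $MailboxSite; Action = $action; Target = $target
    }
}

# All three requests arrive at the Asian URL; only the mailbox site differs.
'Europe', 'Branch', 'Asia' | ForEach-Object {
    Resolve-OwaRequest -EntrySite 'Asia' -MailboxSite $_ -Directories $OwaDirs
} | Format-Table EntrySite, MailboxSite, Action, Target -AutoSize
```

The table makes the exposure difference visible: a site whose CAS servers carry an ExternalUrl is advertised to clients directly, while a site with an empty ExternalUrl is only reached through another site's CAS.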
 
LVL 27

Assisted Solution

by:Steve
Steve earned 125 total points
ID: 40716968
'Internet facing' means accessible from the internet in general.

If you do not check that box, your Exchange setup assumes the CAS boxes are only accessed from within your network and leaves references to 'ExternalURL' empty.
If you check the box, a few additional settings are added to the CAS boxes, which mostly results in the appropriate web address being added to the 'ExternalURL' fields.

That's pretty much it really.
0
 
LVL 24

Expert Comment

by:-MAS
ID: 40717142
Agree with totallytonto
0
 

Author Comment

by:jskfan
ID: 40757105
In our Exchange 2010 environment, all CAS servers do not have "Internet-facing CAS server" selected, but everything flows fine.
Email goes in and out and there is no problem. This is why I posted this question about the role of "Internet-facing CAS server".
0
 
LVL 27

Assisted Solution

by:Steve
Steve earned 125 total points
ID: 40760087
The CAS server doesn't handle mailflow until 2013 onwards. It's the Hub Transport that handles mailflow in 2010.

An internet-facing CAS server deals with OWA, ActiveSync etc. If that's working OK then don't change it!
0
 

Author Closing Comment

by:jskfan
ID: 40831958
Will check it later
Thank you
0
