Upload
o365infocom
View
225
Download
0
Embed Size (px)
DESCRIPTION
Exchange CAS server | Providing Exchange clients access to their mailbox | Part 06#36 http://o365info.com/exchange-cas-server-providing-exchange-clients-access-to-their-mailbox-part-06-of-36 A high-level review on the relationship that exists between the Exchange client and his Exchange CAS server. Eyal Doron | o365info.com
Citation preview
Page 1 of 24 | Exchange CAS server | Providing Exchange clients access to their mailbox |
Part 06#36
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Exchange CAS server | Providing
Exchange clients access to their
mailbox |Part 06#36
In this article, I would like to review the secret romance of Exchange mail clients
and “his” Exchange CAS server.
Exchange clients have very special and interesting relationships with their Exchange
CAS server and, the Autodiscover infrastructure is the glow that unified these two
lovers.
Page 2 of 24 | Exchange CAS server | Providing Exchange clients access to their mailbox |
Part 06#36
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Continue with our romantic metaphor, the truth is that the Exchange client can
have these “relationships” with any available Exchange CAS server.
Page 3 of 24 | Exchange CAS server | Providing Exchange clients access to their mailbox |
Part 06#36
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
In simple words – the Exchange client totally depends on an Exchange server who
holds the CAS server role but the Exchange client is not “tied up” to a specific
Exchange CAS server.
Page 4 of 24 | Exchange CAS server | Providing Exchange clients access to their mailbox |
Part 06#36
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
So what is so special about these “secret relationships” between Exchange client
and the Exchange CAS server?
In the following article, we will analyze the charters of these relationships and how
the Autodiscover does is related or involved in these relationships.
Page 5 of 24 | Exchange CAS server | Providing Exchange clients access to their mailbox |
Part 06#36
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
What is the Exchange CAS server?
In a modern Exchange environment, each of the Exchange servers is “holding” a
specific role (or a couple of Exchange server roles).
Page 6 of 24 | Exchange CAS server | Providing Exchange clients access to their mailbox |
Part 06#36
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
We will not get into the specific charters for each of the “Exchange server roles” and
a comparison of the difference between: Exchange 2007, 2010 and Exchange 2013
environment, but instead, emphasize two of the Exchange server roles: Exchange
CAS role and Exchange Mailbox role.
To be able to connect the Exchange infrastructure, an Exchange client will need to
find + connect an Exchange CAS server.
The way that the Exchange mail client finds or locates “his Exchange CAS server” is
by using the Autodiscover service.
For this reason, the Autodiscover process takes up such an important part in the
Exchange infrastructure because, without a proper completion of the Autodiscover
process, Exchange client:
Cannot create a new Outlook mail profile.
Cannot connect to his mailbox.
Cannot get information about available Exchange web services.
Page 7 of 24 | Exchange CAS server | Providing Exchange clients access to their mailbox |
Part 06#36
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Cannot recover from errors and respond to changes in the Microsoft
Exchange environment automatically.
Additional reading about the Exchange server role architecture
Exchange Server 2013 SP1 Architecture Poster
Exchange 2013 Server Role Architecture
Understanding Exchange 2013 Server Roles in the Simplest way
Server roles in Exchange 2013 hybrid deployments
Server roles in Exchange 2013/Exchange 2010 hybrid deployments
Server roles in Exchange 2013/Exchange 2007 hybrid deployments
The Exchange CAS server responsibilities
Before we go into the “details” or the relationships, let’s review the Exchange CAS
server “responsibilities” in high-level view.
The following screenshot is taken from the- Exchange Server 2010 Architecture
Poster – in the diagram, we can see a detailed description of the “responsibilities” of
the Exchange 2010 server that hold the CAS role.
Page 8 of 24 | Exchange CAS server | Providing Exchange clients access to their mailbox |
Part 06#36
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
The Exchange CAS server provides many types of services to “his clients.”
We can be even more dramatic and say that – without the Exchange CAS server,
Exchange client cannot communicate or connect to the Exchange infrastructure.
As we can see in the following diagram, we can classify the Exchange CAS server
“services” into four major groups.
Each of these “groups,” is equally important for Exchange clients to be able to
connect and use the Exchange infrastructure.
Page 9 of 24 | Exchange CAS server | Providing Exchange clients access to their mailbox |
Part 06#36
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
THE EXCHANGE CAS SERVER THREE MAJOR RESPONSIBILITY’S TRIANGLE
The exchange CAS server is responsible for the three major tasks:
1. Providing Exchange clients with access to their mailboxes.
2. Providing Web services \ Access to Web services for Exchange clients.
3. Providing information (Autodiscover information) for Exchange clients.
The rest of the current article will be dedicated to the task described as:
Providing Exchange clients access to their mailbox.
The next article – Exchange CAS server as information + Web service provider | Part
07#36, will be dedicated to the Exchange CAS server tasks described as:
1. Providing Web services \ Access to Web services for Exchange clients.
2. Providing information (Autodiscover information) for Exchange clients.
Page 10 of 24 | Exchange CAS server | Providing Exchange clients access to their mailbox |
Part 06#36
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Providing Exchange clients access to their mailbox
In this section, we focus on the Exchange CAS server job of serving as a “proxy” or a
“mediator” between Exchange client and their mailbox that is hosted on the
Exchange server who holds the mailbox role.
Page 11 of 24 | Exchange CAS server | Providing Exchange clients access to their mailbox |
Part 06#36
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
In a modern Exchange environment, the only way that Exchange client can use for
connecting his mailbox is, via the Exchange CAS server.
Page 12 of 24 | Exchange CAS server | Providing Exchange clients access to their mailbox |
Part 06#36
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Exchange client such as the Outlook client, cannot access directly their mailbox,
which is hosted on Exchange server who has the role of Exchange mailbox server.
The way that Outlook client access the user mailbox is – through the Exchange
server who has the CAS role.
Page 13 of 24 | Exchange CAS server | Providing Exchange clients access to their mailbox |
Part 06#36
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Exchange mail client’s classification
In the following section, we will describe the flow that is used for Autodiscover
clients. For this reason, it’s important that we will use some kind of general
classification that relates to the Exchange clients.
The most prominent example for Autodiscover client is the Outlook client.
ActiveSync client and OWA client can also consider as “Autodiscover client” but this
client is not so heavily depended on the Autodiscover services.
An additional classification that we should use is the different flow that is
implemented by Outlook client that are located on the internal private network
(access to Active Directory) versus the Autodiscover flow that is implemented by the
outlook client that located on a public network or in a network in which they cannot
access the Active Directory.
Page 14 of 24 | Exchange CAS server | Providing Exchange clients access to their mailbox |
Part 06#36
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
The exchange CAS server and the transparency concept
| Different proxy scenarios
One of the most basic concepts of the relationships between Exchange client and
the Exchange CAS server the “transparency concept”.
Exchange client doesn’t need to be aware of the complex Exchange infrastructure
that can include a large number of servers, tens or even hundreds of servers.
Instead, they only need to find an Exchange CAS server.
The Exchange CAS server is the element the “stand in the middle” and separate
between the Exchange client and the Exchange mailbox server who hosts the user
mailbox.
The Exchange clients don’t need to know:
1. The name of the Exchange mailbox server who hosts his mailbox
2. The physical location of the Exchange mailbox server who hosts his mailbox
Page 15 of 24 | Exchange CAS server | Providing Exchange clients access to their mailbox |
Part 06#36
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
The significant advantage of using the concept of “man in the middle” (aka the
Exchange CAS server) is that, the “task” of locating and connecting the Exchange
mailbox server who hosts the user mailbox, is hidden from the Exchange clients.
This concept of “transparency”, enables the Exchange infrastructure to provide
many types of services and solutions.
For example:
Scenario 1: external mail client
In a scenario in which external mail client needs access to his mailbox, there is no
need to “expose” the internal Exchange mailbox server who hosts the user’s
mailboxes.
Instead, all we need to do is configure at least one Exchange CAS server as a -Public
facing Exchange CAS server.
The external Exchange mail client request will be accepted by the Public facing
Exchange CAS server and the Exchange CAS server “know” how to locate and
connect the specific internal Exchange mailbox server, which hosts the user
mailbox.
Scenario 2: Exchange mailbox server redundancy
In case that the organization implements a clustering mechanism in which the
user’s mailbox database is replicated to the different Exchange site, in case that the
“original” (active) Exchange mailbox server is not available, the Exchange CAS server
“know” how to connect the Exchange clients to the “other” Exchange mailbox store.
Page 16 of 24 | Exchange CAS server | Providing Exchange clients access to their mailbox |
Part 06#36
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
In the following diagram, we can see an example to different kind of passable
scenarios, in which the Exchange CAS server needs to “serve” the request of
Exchange clients.
Page 17 of 24 | Exchange CAS server | Providing Exchange clients access to their mailbox |
Part 06#36
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
External versus internal Outlook client | Using different
Autodiscover mechanism
When Outlook clients try to locate and connect his Exchange CAS server, the
Autodiscover process that is implemented by the internal Outlook client is different
from the Autodiscover process that is implemented by external Outlook clients.
In addition, the Autodiscover information that the Exchange CAS server provides to
the internal Outlook client is different from the information that the Exchange CAS
server provides to external Outlook mail clients and so on.
Page 18 of 24 | Exchange CAS server | Providing Exchange clients access to their mailbox |
Part 06#36
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
In the following section, we will review some of the Autodiscover common
scenarios and the different characters of the “relationships” that realized between
Exchange clients and their Exchange CAS server.
To be able to simplify the description, we will base on a scenario in which the mail
client is Outlook.
Scenario 1: Internal Outlook Exchange client | Exchange mailbox server on
the same Active Directory site
The charters of this scenario, are as follows:
A user in the internal network tries to create a new Outlook mail profile.
When the user activates the New Outlook mail profile wizard, the following flow will
be implemented:
1. Outlook will locate the name of available Exchange CAS server\s by query the
local Active Directory.
2. Active Directory replay with a list of available Exchange CAS server\s using the
private or the “internal name” of the existing Exchange CAS server\s.
Page 19 of 24 | Exchange CAS server | Providing Exchange clients access to their mailbox |
Part 06#36
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
3. Using the Exchange CAS server names who appear in the list, Outlook will
randomly pick one of the names and try to submit a connection request to the
Exchange CAS server.
4. The Exchange CAS server will query the Active Directory, looking for the name of
the Exchange mailbox server who hosts the specific user mailbox.
5. The Exchange CAS server recognizes two charters of the “Exchange client” (the
Outlook mail client):
That the mail client is a – MAPI mail client + that the mail client is an “internal
mail client”.
6. The exchange CAS server will generate Autodiscover response, which includes
information that is relevant for Outlook mail clients and includes “sections of
information.”
The information that will be provided to include URL’s address of the available
Exchange web services. The URL address that includes din the Autodiscover
response will include:
Internal host names + external host names (internal and external URL address).
Internal URL addresses are not exposed to a host from the public network and
can be used only by the internal mail client.
7. The Exchange CAS server will connect the “destination Exchange mailbox server”
and start the process of “proxy” the information from the Exchange mailbox
server (the mailbox content) to the internal Outlook mail client and vice versa.
Scenario 2: External Exchange Outlook client
When the Exchange mail client is located in a public network, the only way that the
external mail client can use for reaching his: “internal mailbox” (the internal
Exchange infrastructure”) is via the Exchange CAS server who configured as -Public
facing Exchange CAS server.
In this scenario, the Exchange CAS server will be published by using a public name
and public IP address. To be able to get the required services, Exchange mail client
will need to identify and create an encrypted communication channel (secure
channel) with the “Public facing Exchange CAS server”.
The Exchange client requests, to access their “internal mailbox” is located on the
internal Exchange mailbox server, can be implemented only by the mediation of the
“public facing Exchange CAS server”.
Page 20 of 24 | Exchange CAS server | Providing Exchange clients access to their mailbox |
Part 06#36
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
The Exchange CAS server, will accept Exchange client requests and implemented a
“proxy mechanism” in which the Exchange CAS server “present” himself to the
internal Exchange servers as the mail client that he “represent”.
When the Exchange CAS server gets the required data from the user mailbox, the
Exchange CAS server will send back the data to the external mail client.
Note – in many scenarios, the Exchange CAS server doesn’t relay “exposed” to
external clients, but instead, a Firewall server, such as ISA\TMG serves as the “public
entity” that accepts external Exchange client communication requests and
“forward” these requests to the Exchange CAS server.
When the user activates the New Outlook mail profile wizard, the following flow will
be implemented:
1. Outlook will locate the name of available Exchange CAS server\s by “generating”
the Exchange CAS server name. Outlook will use the SMTP domain name form
the recipient E-mail address as a “passable name” of the Exchange CAS server
(the Public facing Exchange CAS server).
2. Outlook tries to submit a connection request to Autodiscover Endpoint meaning
the Public facing Exchange CAS server.
3. The Public facing Exchange CAS server will query the Active Directory, looking for
the name of the Exchange mailbox server who hosts the specific user mailbox.
Page 21 of 24 | Exchange CAS server | Providing Exchange clients access to their mailbox |
Part 06#36
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
4. The Exchange CAS server recognizes two charters of the “Exchange client” (the
Outlook mail client):
That the mail client is a – MAPI mail client + that the mail client is an “external
mail client”
5. The Exchange CAS server will generate Autodiscover response, which includes
information that is relevant for Outlook mail clients and includes, “sections of
information.”
The information that will be provided includes – the public URL’s address of the
available Exchange web services. The URL address that included in the
Autodiscover response will include:
only external\public host names.
6. The Public facing Exchange CAS server will connect the “destination Exchange
mailbox server” and start the process of proxy the information from the
Exchange mailbox server (the mailbox content) to the external Outlook mail
client and vice versa.
Scenario 3: External Exchange client | two Exchange site
two Public facing Exchange CAS servers
Another interesting service, that the Exchange CAS server is capable of providing
described as –redirection.
In an Exchange enterprise environment such as a large company that has a couple
of sites worldwide, a common scenario is a scenario of multiple Exchange sites.
In this scenario of multiple Exchange sites, the organization can decide to
implement one of the following scenarios:
Option 1: “Expose” only a specific Exchange CAS server who will serve as a “focal
point” or gateway for all the Exchange clients worldwide (this is the scenario that
was described in the former section which described as – Proxy services)
Option 2: Publish more than one Public facing Exchange CAS server or a Public
facing Exchange CAS server for each of the company sites.
In a scenario of multiple Exchange sites + multiple Public facing Exchange CAS
server, there are two main scenarios for managing the way that external mail client
will find the required Exchange CAS server.
Page 22 of 24 | Exchange CAS server | Providing Exchange clients access to their mailbox |
Part 06#36
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Configure a single Public facing Exchange CAS server is the focal point.
In this scenario, although the Exchange infrastructure includes more than one
“public facing Exchange CAS server”, only one “public facing Exchange CAS server”
will be mapped to the Autodiscover records for the public domain name.
In our example, we have two physical Active Directory and Exchange sites: New
York site and Los Angel’s site.
The public domain name is, o365info.com and the Autodiscover record –
autodiscover.o365info.com is mapped to the public IP address of the “New York
Public facing Exchange CAS server” using the Public IP address: 212.25.80.239
In our scenario, a user named Bob that uses the E-mail address
– [email protected] needs to connect his Exchange mailbox, which is hosted on the
Exchange mailbox server in the Los angel’s site.
When the Outlook client starts the Autodiscover process, he will find and connect
the “New York site Public facing Exchange CAS server”.
Page 23 of 24 | Exchange CAS server | Providing Exchange clients access to their mailbox |
Part 06#36
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
The “New York site Public facing Exchange CAS server” knows that
Bob’s mailbox is on another Exchange site (Los angel’s site)
That there is a Public facing Exchange CAS server on the Los angel’s site that
could serve an external mail client request.
Because of this information, the “New York site Public facing Exchange CAS server”
will not serve the Exchange client by himself and instead, send redirection
instructions” to the external Outlook Exchange client.
The redirection instructions include the name (FQDN) of the “Los Angeles site Public
faces Exchange CAS server”.
The external Exchange clients start the process all over again, but this time, the
Exchange Outlook client is trying to connect the “Los Angeles site Public facing
Exchange CAS server”.
Given that the user provides the correct credentials and the “Los Angeles site Public
facing Exchange CAS server” has the required public certificate, the “Los Angeles
site Public facing Exchange CAS server” will locate the Exchange mailbox server who
hosts Bob’s mailbox and proxy the connection request back and forward between
the internal Los Angeles Exchange mailbox server and the external Exchange client
(Bob).
Page 24 of 24 | Exchange CAS server | Providing Exchange clients access to their mailbox |
Part 06#36
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Additional reading
Understanding Proxying and Redirection
Microsoft Exchange 2010 – Using Proxying and Redirection (Part 1)
Microsoft Exchange 2010 – Using Proxying and Redirection (Part 2)
How Exchange Server 2010 CAS Proxy & Redirection works for Exchange
ActiveSync
Exchange 2013 interoperability with legacy Exchange versions
Client Connectivity in an Exchange 2013 Coexistence Environment
Understanding Client Access Protocol Connectivity Flow – Microsoft Exchange
Server 2013