ACE 20 CAS servers

Similar Messages

• Problem: Mixed Exchange 2007 / 2013 CAS Servers with wildcard certificates in Europe and non-wildcard Certficate in China

  Hi,
  we have following problem. We have a mixed multi-domain one-forest AD environment. We also have still a mixed exchange 2007 / 2013 environment. We also have different CAS Servers for 2007 SP3 (RU15) and 2013 (CU8) in europe and one 2007 SP3 (RU15) CAS Server
  in China, because of bad connection to Europe. For the Migration to 2013 in Europe we installed a wildcard-certificate *.xyz.com and used the Set-OutlookProvider EXPR -CertPrincipalName msstd:*.xyz.com, so the wildcard certificate is accepted. Everything in
  Europe works fine, inside and outside also between exchange 2007 and 2013 (both CAS Server 2013 and 2007 use the same wildcard certificate). But since the change of the Set-OutlookProvider EXPR we are facing problems with our CAS Server in China, because this
  server has a different non-wildcard certificate and a different domain name (cas-server.xyz-china.com instead xyz.com). Now we have the problem that this Chinese CAS server the Outlook Anywhere does not work anymore and prompts always for the username. As
  I see it is because of the EXPR change. Is it possible to set the the Outlook-Provider EXPR per Cas-Server ? (They also have their own Autodiscover on this front-end server). Because I see that the Outlook-Provider can only be stored forest-wide.
  If not the other solution would be to register the chinese cas server in our xyz.com domain and use the same wildcard certificate on this system right ?
  Any help would be appreciate….

  Yes setting the EXPR value is most likely the cause of your issue.  When you set this value you are telling Outlook to only accept connections from connections that have the cert with the subject name you specify here.
  Unfortunately, based on my experience I believe this is an organization wide setting and cannot be configured on a CAS by CAS basis (If I'm wrong someone please keep me honest :)).  
  So the only option would you have is to change all the URLs to be on *.xyz.com domain.  There's no need to change the domain the server actually resides on.  The other option would be to purchase a UCC Cert with all the names you need and apply
  to all your CAS servers and reset the EXPR value. 
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread

• How to redirect CAS servers to a new manager

  Hi Guys,
  We have deployed some CAS servers into our network and was managed by a 3310 NAM. Due to its limitation we decided to replace this with a 3350 NAM but didn't realize to disconnect the CAS servers to the old 3310 NAM. Now we are having issues redirecting these CAS servers to the new 3350 NAM.
  Please let us know how we can deal with it. Thanks in advance

  The NAC Servers get their configuration from the NAC Manager at every reboot. If the old NAC Manager is offline and you reboot the NAC Server, can you add the NAC Server to the new NAC Manager?
  -Dan Laden

• Exchange 2010 MP - CAS servers not beeing discovered

  Hi!
  I have 2 CAS-servers that are not beeing discovered. Trigger on Demand discovery against  these servers fails. Is there a way I can manually force these servers to this role?
  Best regards
  Rune Haugen

  Hi,
  Have you checked the option "Allow this agent to act as a proxy and discover managed objects on other computers" for all your Exchange servers? 
  Please also try to flush health service state and caches for the CAS servers.
  More details about flush health service state and caches, please refer to the link below:
  http://technet.microsoft.com/en-us/library/hh212884.aspx
  Regards
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• OWA 2013 Redirect to CAS Servers 2010 Randomly

  Hello there!!
  I think my case is not a problem, I just need a workaround or some fine adjustment to serve my needs. Follow my scenario:
  One Exchange 2013 Server (CU3) with Mailbox and CAS role (coexisting with the 2010 Servers, ready for migration)
  Two Exchange 2010 CAS Servers SP3 no rollups
  Two Exchange 2010 Mailbox Servers SP3 no rollups (in a DAG)
  I have two organizations who share the same exchange infrastructure, just using different smtp address, for example, some users use @yyy.com addresses and others use @zzz.com. We have two CAS servers just to use two different and customized OWA layouts (with
  distinct OWA Internet addresses), one for @yyy.com users and other for the @zzz.com users
  Also, I have the following database organization:
  DB01 - @yyy.com mailboxes - 2010
  DB02 - @zzz.com mailboxes - 2010
  DB03 - @zzz.com mailboxes - will migrate to 2013
  I need to do a partial migration to Exchange 2013, which is to migrate all mailboxes from DB03 database to Exchange 2013,
  which will use the owa address for the @zzz.com addresses (We will point it to the new 2013 server).
  The problem is that when users from DB02 try to use the 2013 OWA (@zzz.com), Exchange will bring up one of the 2010 OWA interfaces, sometimes the yyy.com customized interface and sometimes the zzz.com customized interface, and I need them to use just
  the zzz.com interface.
  There is any way that I can force Exchange 2013 to redirect the 2010 OWA users from a specific database to a specific CAS server? I found the command "Set-MailboxDatabase "Database Name" -RpcClientAccessServer EX2010-1.domain.local"",
  but this work only for internal use (Outlook over RPC)
  Best Regards Folks

  Hi,
  Firstly, I’d like to explain, the property RpcClientAccessServer shows the CAS server which mailbox connects to. It applies to all users and has no influence on OWA redirection. Because this value determines the location of the RPC end point and OWA request
  use HTTPS protocol.
  As far as I know, when there are many CAS Servers with same version in the same site, we couldn’t determine the CAS server which OWA request will redirect to. 
  Maybe we can take advantage of Proxy: proxy request from Exchange 2013 to Exchange 2010 and "disable" redirection:
  http://social.technet.microsoft.com/Forums/exchange/en-US/999e3d3c-5919-4fa2-8e3e-a2c952214159/exchange-2010-cas-redirection
  If you have any question, please feel free to let me know.                       
  Thanks,
  Angela Shi
  TechNet Community Support

• Exchange 2013 SP 1 + Lync 2013 CAS servers 100% CPU Load.

  Hello. Can somebody explain about one issue?
  We have Exchange 2013 CU6 + Lync 2013 (5.0.8308.556) integration.  After install Exchange SP1 all Client Access Servers begun to consume all CPU time.  In process
  explorer there are w3wp.exe (MSExchangeServicesAppPool) and lsass.exe (netlogon context). In IIS logs a lot of events about
  GET /EWS/Exchange.asmx/s/GetUserPhoto email=[email protected]&size=HR648x648&CorrelationID=<empty>;&cafeReqId=07966a0b-99a4-4f0a-8a38-a8a83264e46c; 443 - 10.10.10.10 OC/15.0.4659.1001+(Microsoft+Lync) - 401 1 2148074254 46
  GET /EWS/Exchange.asmx/s/GetUserPhoto email=[email protected]&size=HR648x648&CorrelationID=<empty>;&cafeReqId=c7fb9499-1dc7-48d9-add6-64156a910de6; 443 Contoso\username 10.10.10.10 OC/15.0.4659.1001+(Microsoft+Lync) - 200 0 0 437
  IIS logs are grow up very quickly, about 1GB per day. Before to installing SP1 was not problems.  Thanks in advance.

  Hi,
  From your description, you said that you have Exchange 2013 CU6 + Lync 2013 (5.0.8308.556) integration, then you install Exchange 2013 SP1 on all CAS servers.
  Do you mean your Exchange 2013 Mailbox server is CU6, and all CAS servers are SP1?
  We had better have the same version on Exchange servers in our environment, if that is the case, please upgrate all to CU6, Exchange 2013 latest version, to check result.
  Best regards,
  Belinda Ma
  TechNet Community Support

• Performance counters for exchange 2013 mailbox & cas servers?

  what are the Performance counters for exchange 2013 mailbox & cas servers?
   similar to rpc request for troubleshooting exchange slowness, I haven't found any technet article for exchange 2013. 

  Hi,
  Please see this:
  Ask the Perf Guy: Sizing Exchange 2013 Deployments
  http://blogs.technet.com/b/exchange/archive/2013/05/06/ask-the-perf-guy-sizing-exchange-2013-deployments.aspx
  Hope it is what you need.
  Thanks
  Mavis
  Mavis Huang
  TechNet Community Support

• Exchange 2013 CAS servers cannot accept connections on Exchange ports

  Exchange 2013 Enterprise SP1 / Windows Server 2008 R2 SP1
  I have configured site resilience setup with the following at two sites:
  - two CAS servers
  - six MB servers
  Traffic to the CAS servers pass through HLB.
  I just discovered that the "01" CAS server at each site is not accepting Exchange traffic.
  If I telnet to one of the Exchange ports, it looks like there is a connection, however the moment any character is entered, the connection dies.
  For example
  - telnet Site01CAS01 25
  -   ( screen goes blank and DOES NOT display the expected "220 servername Microsoft ESMTP ...." message )
  - when I attempt to enter  "ehlo" the moment I enter "e" the session is disconnected.
  I can successfully perform a telnet connection to the CAS02 server and run through the complete send a test message through telnet process. The session disconnect occurs on the CAS01 server at each site for ANY port controlled by Exchange: 25, 143, 587,
  717, 993
  I can successfully telnet to ports NOT controlled by Exchange: 80, 81, 8080, 443
  There appears to be nothing essentially wrong with IIS
  The firewall is DISABLED.
  I discovered this issue yesterday.
  I upgraded to Excahgne 2013 SP1 10 days ago.
  I cannot say for sure if this condition existed before the SP! upgrade. I upgraded from CU1 to SP1
  Any thoughts?
  Thanks! Tom

  Well, port 25 doesnt have anything to do with IIS regardless.
  Since this is the CAS, port 25 is handled by the Microsoft Exchange Frontend Transport service .
  A couple of things I would check.
  Check the server component state. Get-ServerComponentState -Identity <server> to ensure everything is "active".
  I assume all the services are running and you have rebooted the server to ensure things start up clean.
  Also ensure the NIC on this server is set to register itself in DNS.
  Finally, If you have disabled the firewall service on the server, its not supported. You should enable the firewall service and then disable it logically netsh advfirewall set Allprofiles state off
  Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

• Renew certificate on two Exchange 2007 CAS servers

  Hi, there:
  Our environment: Exchange 2007 SP3 with two HUB/CAS servers, let's assum server name for these two CAS servers are: CAS1 and CAS2.
  Please note these two CAS servers are NOT running with NLB.
  Now the certificate(not self-signed) on these two servers are about to expired and I am planing to install new certificate on them.
  The old certificate is issued by internal CA server.
  My plan is as below:
  On CAS1:
  I am going to use "New-ExchangeCertificate" with -privatekeyexportable to generate the certificate request file then submit the request file to CA, after I get the
  .pfx file run "Import-ExchangeCertificate" to import the new certificate, after the old certificate is expired, run "enable service"
  to let exchange use the new certificate.
  On CAS2:
  repeat the above procedure.
  I did a serach on technet and found this:
  http://social.technet.microsoft.com/Forums/exchange/en-US/20adfb3d-2fa6-4ff9-b785-cb47a772ed58/3rd-part-certificate-renewal-for-exchange-2007-cas?forum=exchangesvrgenerallegacy
  the procedure mentioned in this thread is different. it export the newly created certificate from CAS1 and import it into CAS2.
  however the CAS server mentioned in that thread run with NLB.
  The two CAS servers in our environment is NOT NLB.
  Any suggestions?

  Both plans will work. You can generate a cert for each individual CAS with the correct subject names on each cert relative to the CAS that you will enable it on or create one cert with the correct subject names that cover both CAS and export and import
  the cert from one CAS to the other. Up to you.
  Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

• Ace with servers in VMware

  Hi;
  I have a customer who has a test site  with one ACE doing load balancing for a small farm ( 8 servers). Recently the customer moved his servers to
  to VMware. The customer claims that since that change, the ACE is causing for large delays. His claim is that when he points his clients http requests directly to the servers, bypassing the ACE, he  receives normal response time. His claim is that the ACE is causing up to 30 sec delays. This was definitely not the case before they made their change.
  I was wondering if anyone has any insight to this type of situation ? Are there any specific ACE issues and load balancing factors that may surface when working with VMware, which are not notticable with real servers?
  The ACE is blade in  6500
  Thanks for any help.
  Mickey

  Hi Mickey,
  Because this is a ACE module, you can just sniff the ten gig interface on the ACE. This way you will get everything coming in and out of the ACE. Now if you have lot of traffic then this will be bit overwhelming.  So may be you can find a lean period and do this exercise or possible pick a client PC from where you can repro the slowness and filter based on that.
  Also as you will be using wireshark, you can write to multiple files so that you dont loose the interesting traffic.
  I have attached the process of doing a ten gig capture to this post. Hope this helps
  Cheers
  V.K

• Two CAS Servers on the same domain but different AD Sites

  I have a customer that has 1 EXCH MB server & 1 EXCH server running the Hub Transport and Client Access roles. These two servers are in the same domain and reside in AD site A. Now he wants AD Site B (also in the same domain) to have 1 EXCH MB server
  & 1 EXCH server running the HUB/CAS role. The problem is the CAS role in site A is the only one that is public interfacing. The CAS server in site B has not certificates at all, and I want all the mail to re-route to the CAS server in Site A. Does anyone
  know how I can do that???

  The CAS in the internet facing site will proxy to the CAS in the non-internet facing site. And you do have a cert on that CAS in Site B. The default built-in one. However, if you have clients in Site B, you should replace that built-in cert with one that
  is trusted by clients such as Outlook and Lync etc...It doesnt have to be a 3rd party cert, it could be on that is trusted internally.
  http://technet.microsoft.com/en-us/library/bb310763(v=exchg.141).aspx
  Understanding Proxying and Redirection
  Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

• [ACE] Real servers and VIP in the same VLAN

  Hello.
  I´m facing an issue because the real servers and the VIP address are in the same VLAN, when a request comes from an external client to the VIP (crossing an ASA firewall) , the ACK gets back using the IP of one of the real servers instead of the VIP so this traffic is blocked by our WAN firewall probably due the inspection rules.
  My question is if there is some way make the VIP the address who ACK´s that requests? Creating a new VLAN would be complicated because there are other services already running on those real servers.
  Thanks a lot,
  Miquel

  Hi Miquel,
  Please do source nat on ACE so that return traffic gets sent to ACE and not FW. Pasting an example for you.
       ==========================================================================
       One-Armed Load Balancing with VIP, Servers, & NAT Pool on the Same Subnet
       ==========================================================================
  login timeout 0
  access-list ANYONE line 10 extended permit ip any any
  rserver host SERVER_01
    ip address 192.168.1.11
    inservice
  rserver host SERVER_02
    ip address 192.168.1.12
    inservice
  rserver host SERVER_03
    ip address 192.168.1.13
    inservice
  serverfarm host REAL_SERVERS
    rserver SERVER_01
      inservice
    rserver SERVER_02
      inservice
    rserver SERVER_03
      inservice
  class-map match-all VIP-30
    2 match virtual-address 192.168.1.30 tcp eq www
  class-map type management match-any REMOTE_ACCESS
    description remote-access-traffic-match
    2 match protocol telnet any
    3 match protocol ssh any
    4 match protocol icmp any
  policy-map type management first-match REMOTE_MGT
    class REMOTE_ACCESS
      permit
  policy-map type loadbalance first-match SLB_LOGIC
    class class-default
      serverfarm REAL_SERVERS
  policy-map multi-match CLIENT_VIPS
    class VIP-30
      loadbalance vip inservice
      loadbalance policy SLB_LOGIC
      loadbalance vip icmp-reply active
      nat dynamic 1 vlan 451
  interface vlan 451
    description Servers vlan
    ip address 192.168.1.2 255.255.255.0
    access-group input ANYONE
    service-policy input CLIENT_VIPS
    nat-pool 1 192.168.1.10 192.168.1.10 netmask 255.255.255.0 pat
    no shutdown
  ip route 0.0.0.0 0.0.0.0 192.168.1.1
  Let me know if you have any question.
  Regards,
  Kanwal

• Autodiscover SCP multiple CAS servers

  I have a 2007 server and a 2010 exchange server,
  I recently started to decomission 2007 and moved all mailboxes to 2010,
  recently the 2007 server went offline,
  autodiscover failed as the autodiscoverserviceinternaluri SCP was set to point to the 2007 server
  on the 2010 server the SCP was pointing to the 2010 server correctly...
  I am wondering how with multiple SCP's / autodiscover URI's a client finds and connects to the correct one, or incorrect one in my case...
  ***Don't forget to mark helpful or answer***

  Hi,
  Based on my knowledge, Outlook client will firslty access the SCP object which is set by the first Exchange server. If it's the required one, Outlook will connect to the Autodiscover service. If not, Outlook will try the SCP objects one by one untill it
  find the proper one.
  For more information, you can refer to the following article:
  http://technet.microsoft.com/en-us/library/jj591328(v=exchg.141).aspx#BKMK_HowAutodiscoverWorks
  "In deployments that include multiple Client Access servers, an Autodiscover SCP record is created for each Client Access server. By using the user credentials, the client authenticates to and searches for the Autodiscover SCP objects. After the client obtains
  and enumerates the instances of the Autodiscover service, the client connects to the first Client Access server in the enumerated and sorted list and obtains the profile information in the form of XML data that is needed to connect to the user's mailbox and
  available features."
  Thanks,
  Angela Shi
  TechNet Community Support

• One-armed ACE with servers gateway to ACE (no SNAT?)

  Hello ACE experts, I have two questions;
  Design;
  One-armed ACE appliance where the servers use the ACE as default gateway? (and ACE of course a default route to the router)
  Apparently it works in my lab… But since it’s not documented I wonder what the gotcha’s are?
  (This would eliminate the SNAT requirement for one-armed)
  I know I need;
  -no icmp-guard                 to allow ‘asymmetric icmp’
  -no normalisation            to allow asymmetric traffic when not using VIP (router to server is direct, but server response uses the ACE)
  And other question;
  Bandwidth license, apparently ALL traffic counts to this limit, even only routed traffic, is this true?
  So In routed mode, all traffic from server backend that needs to be routed over ACE - a backup!? - counts?
  Regards Kristof

  Hi
  the reason I use "process every packet" was it was one of the advantage being offerd by one arm mode to not to process every packet. The main reason for one arm deployment, as i mentioned previously also, is ease in placement of ACE. We can have servers in any vlan and can put ACE altogther iin different VLAN. i guess this advantage is of no use for you because servers are already in same segment as that of ACE.
  The main cause ,which i understand, customer don't like the concept of SNAT is because of its restriction on reporting and security. Client IP will be hide, so any reporting on servers for sessions source (or for monitoring attacks) will not be fruitfull. Although with feaures like XFF we can overcome this fault for HTTP traffic, but still customers don't like the consept of hiding details of IP accessing their servers.
  regarding B/w count in bridge mode i am not 100% sure but beleive here again every passing traffic will count as ACE still monitor every packet and decide whether its a passing traffic or part of loadbalancing or hitting any of its confiugred policy.

• Exchange 2013 migration, disable SSLOffloading on 2010 CAS servers

  We just going through the Exchange 2013 migration from Exchange 2010. I have one or two questions when following the Exchange deployment Assistant. We have HLB where the certificates and we enable SSLoffload on the CAS server. So we don't have public CA's
  on our CAS 2010 servers.
  So on the documentation it says to run this command, were it will disable SSLOffloading and change to Basic authentication. Will my running outlook 2010 clients start getting certificate errors and  will they work as normal ?
  Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 14*") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-ClientAccessServer | Where {$_.OutlookAnywhereEnabled -Eq $False} | Enable-OutlookAnywhere -ClientAuthenticationMethod
  Basic -SSLOffloading $False -ExternalHostName $Exchange2013HostName -IISAuthenticationMethods NTLM, Basic

  We have OA enabled on all CAS 2010 servers with NTLM authentication and SSLoffloading box checked. We have also setup our CAS2013 and is running. My question above was that if I ran that command, Will I break anything since all my users
  are still on Exchange 2010 mailboxes.
  Then as I mentioned, that command will do nothing as OA is already enabled on CAS 10.  It would only make a change if CAS10 had OA disabled. 
  Where {$_.OutlookAnywhereEnabled -Eq $False}
  Where {$_.OutlookAnywhereEnabled -Eq $False}
  Cheers,
  Rhoderick
  Microsoft Senior Exchange PFE
  Blog:
  http://blogs.technet.com/rmilne 
  Twitter:   LinkedIn:
    Facebook:
    XING:
  Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.