Best practice SSL End-to-End in Exchange 2010 CAS loadbalancing
Hi,
I was wondering if there is a best practice for deploying SSL End-to-End in Exchange 2010 CAS loadbalancing.
We have ACE modules A5(1.1) and ANM 5.1(0). Although there seems to be a template available in ANM, it doesn't work; it throws an error when deploying, and I believe the template is corrupt.
As I am under some pressure to deploy this ASAP, I am looking for a sample config. I found one for SSL offloading, but I need one for end-to-end SSL.
Thanks in advance,
Dion
Hi Dion,
You can open up a case with TAC to have that template reviewed and confirm if the problem is at the ACE or ANM side.
In the meantime here is a nice example for End-To-End SSL that can help you to get that working:
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
For CAS load balancing there's nothing special other than opening the right ports. I'd advise you to get SSL working first and take it from there; if any problem comes up you can post it here and we'll give you a hand.
HTH
Pablo
Similar Messages
-
Whats the best way to go about load balancing Exchange 2010 CAS
My server guys want to LB the Exchange 2010 client access servers, this will be the 7th Context on my Ace 4710.
See the table for the ports that are used:
Port    Usage
25      SMTP
80      HTTP (various)
110     POP3 clients
135     RPC endpoint mapper
143     IMAP4 clients
443     SSL (various)
993     Secure IMAP4 clients
995     Secure POP3 clients
6001    RPC related (Outlook Anywhere)
6002    RPC related (Outlook Anywhere)
6003    RPC related (Outlook Anywhere)
60200   RPC CAS
60201   Exchange Address Book service
What's the best way of going about this?
Do I just LB the IP addresses of the servers and ignore the ports?
Do I have to do anything special for ports 993 and 995 (secure IMAP and POP)?
I am sure there are more questions I should be asking!
OK, so if I have a single serverfarm with all services, do I filter on the virtual address something like below?
class-map match-any EXCH_vip
match virtual-address 172.16.93.2 tcp eq 25
match virtual-address 172.16.93.2 tcp eq 80
match virtual-address 172.16.93.2 tcp eq 110
match virtual-address 172.16.93.2 tcp eq 135
match virtual-address 172.16.93.2 tcp eq 143
match virtual-address 172.16.93.2 tcp eq 443
match virtual-address 172.16.93.2 tcp eq 993
match virtual-address 172.16.93.2 tcp eq 995
match virtual-address 172.16.93.2 tcp eq 6001
match virtual-address 172.16.93.2 tcp eq 6002
match virtual-address 172.16.93.2 tcp eq 6003
match virtual-address 172.16.93.2 tcp eq 60200
match virtual-address 172.16.93.2 tcp eq 60201
-
Exchange 2013 EAC will not run with Exchange 2010 CAS\HT servers shut down.
Hi Folks,
A little background - We have just migrated all our user mailboxes and public folders to Office 365 using a hybrid configuration. Now that the migration is essentially finished, I'd like to decommission our on-prem Exchange infrastructure and remove the hybrid config. We are using dirsync with password sync to replicate our AD to the cloud.
I've read that even if you remove your hybrid configuration, it's a good idea to keep one on-prem Exchange server around so you can edit Exchange attribs (such as email addresses) in a supported manner, rather than using ADSI Edit, etc.
To this end, I installed a single Exchange 2013 CA\MBX server. After installation, the EAC worked fine, and I was able to view our on-prem users, groups, etc. Last week, I shut down our two Exchange 2010 CAS\HT servers as a test to see if anything broke prior to decommissioning them (these were the hybrid servers as well). After doing so, the Exchange 2013 EAC no longer works for some reason, and behaves in a very bizarre fashion. About once every 20 times or so, it will actually start and run. The other times, it just has you enter your creds, then generates an HTTP 500 internal server error after entering them. It seems to make no difference if you attempt to access it by the FQDN, hostname, or localhost right on the box itself. Same behavior on Chrome or IE.
Today as a test, I started up one of the 2010 CAS servers and lo and behold, the 2013 EAC ran without difficulty again. Any idea why this might be so? Thanks for any help,
Ian
Hi,
From your description, I recommend you use the following URL to check if you can access the EAC. I have seen it work for several people with this issue.
https://<Exchange 2013 CAS FQDN>/ecp?ExchClientVer=15
Hope it helps.
Best regards,
Amy Wang
TechNet Community Support -
Is it supported to connect Exchange 2013 Mailbox using Exchange 2010 CAS in Co-existence?
Hi Team,
I am in the phase of upgrading Exchange 2010 to 2013, and introduced 4 MBX and 2 CAS of 2013 servers in co-existence.
Only one production mailbox from 2010 has been moved to 2013. OWA for the mailbox moved to 2013 is working OK internally (because only internal access is configured), but when I configure Outlook using the 2010 settings, it gets configured, yet when I open Outlook it doesn't open and throws an error something like "cannot open set of folders".
Is it supported to connect an Exchange 2013 mailbox using Exchange 2010 CAS in co-existence? Because I haven't configured the 2013 CAS servers yet.
Kindly share some KB or tip. Any help is appreciated. Thank you.
Muhammad Nadeem Ahmed Sr System Support Engineer Premier Systems (Pvt) Ltd T. +9221-2429051 Ext-226 F. +9221-2428777 M. +92300-8262627 Web. www.premier.com.pk
I'll change Adam's wording slightly - you *MUST* install a CAS 13 server into every site where there is a MBX 13 server.
Cheers,
Rhoderick
Microsoft Senior Exchange PFE
Blog: http://blogs.technet.com/rmilne
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose. -
Catalyst SLB - Exchange 2010 CAS RPC
Hi.
We're currently testing out SLB for load balancing a pair of Exchange 2010 CAS servers. The config seems straightforward enough for single port services like 'Outlook Anywhere' or 'Outlook Web Access' (all on https).
Does anyone have real life experience with getting straight MAPI Outlook load balancing to work? According to Microsoft, there's only 3 ports to be concerned with - endpoint mapper, rpc.clientaccess, and address.book. I've got the latter two set for static across both of these servers, and have 3 appropriate vservers in place pointing to the serverfarm, but a capture shows the process getting hung up on tcp135. It's as if whatever server the endpoint request is landing on doesn't know what to do with the request.
Thanks in advance for any replies.
Hello Jay!
Take a look at this doc:
http://www.cisco.com/en/US/docs/solutions/Verticals/mstdcmsftex.html#wp609677
RPC requires source ip sticky in order to operate correctly through a loadbalancer. In the doc, they also walk through doing RPC over http/https - however, I have seen configurations where ACE is not L5-L7 that use RPC on port 135 as a L4 rule with sticky and it appears to work ok.
Regards,
Chris Higgins -
Exchange 2013 CAS functionality in coexistence with Exchange 2010 CAS
Hi,
I am planning to migrate Exchange 2010 to Exchange 2013 for 15000 users. We have a pool of 6 CAS 2010 servers added in a single CAS array. So my question is: if we introduce a new CAS 2013 server in the same site, will it affect CAS traffic in any way? If we point our HLB to all CAS servers including CAS 2010 and CAS 2013, will the CAS 2010 servers take traffic, or is it only the CAS 2013 servers that will take traffic? We will be putting the same URLs in CAS 2013 as in CAS 2010. I have read a lot of MS articles and all say that CAS 2013 should be enabled for CAS traffic and it will proxy requests to CAS 2010. But I am not sure if we will face any CAS traffic issue when we introduce CAS 2013 servers in the same site and traffic is pointed to both CAS 2010 and CAS 2013. Is it possible to add CAS 2013 to an Exchange 2010 CAS array? Please guide. Thanks in advance.
For mailboxes that exist on Exchange 2010, EXCH2013 CAS will proxy the request to an Exchange 2010 Client Access server that exists within the mailbox's local site.
For mailboxes that exist on Exchange 2013, EXCH2013 CAS will proxy the request to the Exchange 2013 Mailbox server that is hosting the active copy of the user’s mailbox which will generate the Autodiscover response.
-->Is it possible to add CAS 2013 in Exchange 2010 CAS array ?
No. The CAS array no longer exists in Exchange 2013, but the concept of a single namespace for Outlook connectivity remains. Please check this and this. In your case you don't need to worry; as you have an HLB in place, it will do the job.
When a new Exchange 2013 server is deployed, Outlook Anywhere has been enabled on all Client Access servers within the infrastructure and the mail.contoso.com and autodiscover.contoso.com namespaces have been moved to resolve to the Exchange 2013 Client Access server infrastructure. In your case it is pointed to both as you have a load balancer in place, but the same URL should be configured in Exch2013.
Make sure you have Exchange 2010 SP3 at minimum, as it is the prerequisite requirement for upgrading Exch2010 to 2013.
Please check the Exchange Server Deployment Assistant tool for moving mailboxes.
After moving a mailbox, check the URLs. Configure the Autodiscover, EWS and OAB URLs on Exchange 2013. Please check this as well for checking URLs.
I hope you know MAPI/RPC (RPC over TCP) traffic is now replaced with RPC over HTTP/s instead in exch2013.
Thanks
MAS
Please don't forget to mark an answer if it answers your question or mark as helpful if it helps -
Best practices for making the end result web help printable
Hi all, using TCS3 Win 7 64 bit. All patched and up to date.
I was wondering what the best practices are for the following scenario:
I am authoring in Frame, link by reference into RH.
I use Frame to generate PDFs and RH to generate webhelp.
I have tons of conditional text which ultimately produce four separate versions of PDFs as well as online help - I handle these codes in FM and pull them into RH.
I use a css on all pages of my RH to make it 'look' right.
We now need to add the ability for end users to print the webhelp - outside of just CTRL+P because a)that cuts off the larger images and b)it doesn't show header, footer, logo, date, etc. (stuff that is in the master pages in FM).
My thought is doing the following:
Adding four sentences (one for each condition) in the FM book on the first page. Each one would be coded for audience A, B, C, or D (each of which require separate PDFs) as well as coded with ONLINE so that they don't show up in my printed PDFs that I generate out of Frame. Once the PDFs are generated, I would add a hyperlink in RH (manually) to each sentence and link the associated PDF (this seems to add the PDF file to the baggage files in RH). Then when I generate my RH webhelp, it would show the link, with the PDF, correctly based on the condition of the user looking at the help.
My questions are as follows:
1- This seems more complicated than it needs to be. Is it?
2- I would have to manually update every single hyperlink each time I update my FM book, because I am single sourcing out of Frame and I am unable (as far as I can tell) to link a PDF within the frame doc. I update the entire book (over 1500 pages) once every 6 weeks so while this wouldn't be a common occurrence it will happen regularly, and it would be manual (as far as I can tell)?
3- Eventually, I would have countless PDFs inside RH. I assume this will eventually impact performance. So this also doesn't seem ideal?
If anyone has thoughts/suggestions on a simpler way or better way to do this, I'd certainly appreciate it. I have watched the Adobe TV tutorial on adding a master page but that seems to remove the ability to use a css across all my topics and it also requires the manual addition of a manual hyperlink to the PDF file, so that is what I am proposing above, anyway (not sure the benefit, therefore).
Thanks in advance,
Adriana
Anything other than CTRL + P is going to create a lot of work so perhaps I can comment on what you see as drawbacks to that.
a)that cuts off the larger images and b)it doesn't show header, footer,
logo, date, etc. (stuff that is in the master pages in FM).
Larger images.
I simply make a point of keeping my image sizes down to a size that works. It's not a problem for me but that doesn't mean it will work for you. Here all I am doing is suggesting you review how big a problem that would be.
Master Page Details
I have to preface this with the statement that I don't work with FM. The details you refer to print when they are in RoboHelp master pages. Perhaps one of the FM users here can comment on how to get FM master pages to come through.
See www.grainge.org for RoboHelp and Authoring tips
@petergrainge -
Best Practice for Droid Gmail Contacts with Exchange ActiveSync?
Hi, folks. After going through an Address Book nightmare this past summer, I am attempting to once again get my Contacts straight and clean. I have just started a new job and want to bring my now clean Gmail contacts over to Exchange. The challenge is creating duplicate contacts, then defining a go-forward strategy for creating NEW contacts so that they reside in both Gmail and Exchange without duplication. Right now, my Droid is master and everything is fine. However, once I port those contacts from Gmail onto my laptop, all hell breaks loose... Does Verizon have a Best Practice finally documented for this? This past summer I spoke with no less than 5 different Customer Support reps and got 3 different answers... This is not an uncommon problem...
In parallel to this post, I called Verizon for Technical Support assistance. Seems no progress has been made. My issue this past summer was likely a result of extremely poor quality products from Microsoft, which included Microsoft CRM, Microsoft Lync (new phone system they are touting which is horrible), and Exchange. As a go-forward strategy, I have exported all Gmail contacts to CSV for Outlook and have imported them to Exchange. All looks good. I am turning off phone visibility of Gmail contacts and will create all new contacts in Exchange.
-
Renew SSL Certificate for for two Exchange 2010 Server and the new rules.
I find DigiCert's website always helpful with cert questions. They've got a pretty helpful page here: https://www.digicert.com/internal-names.htm It looks like they've got a tool for Exchange, but I've not used it myself, so can't say if it works or how well: https://www.digicert.com/internal-domain-name-tool.htm I bet Microsoft have something on their website too that helps with this sort of question. I'd say you register a completely new domain and use that for public facing and internal servers. Or you could just create a sub domain of an existing one, i.e. subdomain.mydomain.com, and use that, i.e. public_exchange.subdomain.mydomain.com and internal_exchange.subdomain.mydomain.com.
Hi there ,
My Exchange 2010 server certificate is about to expire and I am going to renew it, but according to the new rules for SSL certificate issuing we cannot include our local server names and local FQDNs such as myserver.contoso.local. My issue is that I have 2 Exchange servers: one is the internet-facing server (where the certificate is initiated and installed) and one is a non-internet-facing Exchange server.
If I am going to renew my certificate with public names only, I have to create a split domain that reflects my external links to the internal users. What shall I do for the non-internet-facing server? Do I need to create another record in my split DNS server and add it to my certificate request?
This topic first appeared in the Spiceworks Community -
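An added example (not code from the thread or from DigiCert) that checks a planned certificate name list against the public-CA rule the question refers to and, for each name a public CA will refuse, suggests a replacement under a public sub-domain as the reply recommends. The name list and the zone exchange.contoso.com are constructed, and the list of non-public suffixes is an assumption, not an exhaustive rule.

```python
"""Check planned certificate SAN names against the public-CA internal-names rule.

Publicly trusted CAs no longer issue certificates for names that cannot be
validated on the public internet: non-public TLDs such as .local, bare host
names and private IP addresses. Names that fail the check are reported with a
replacement name under a public zone, which is what split DNS then resolves
internally to the server's private address.
"""
import ipaddress
from typing import List, Tuple

# Assumed (non-exhaustive) list of suffixes a public CA will refuse.
NON_PUBLIC_SUFFIXES = (".local", ".internal", ".lan", ".corp", ".home", ".localdomain")


def classify_name(name: str) -> str:
    """Return 'public', 'public-ip', 'private-ip', 'non-public-tld' or 'bare-host'."""
    n = name.strip().lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(n)
        return "private-ip" if ip.is_private else "public-ip"
    except ValueError:
        pass  # not an IP literal, treat as a DNS name
    if "." not in n:
        return "bare-host"  # e.g. a NetBIOS-style server name
    if n.endswith(NON_PUBLIC_SUFFIXES):
        return "non-public-tld"
    return "public"


def plan_split_dns(names: List[str], public_zone: str) -> Tuple[List[str], List[Tuple[str, str, str]]]:
    """Split names into those a public CA can issue and those needing a replacement.

    Returns (accepted_names, [(rejected_name, reason, suggested_public_name)]).
    The suggested name is the original host label under public_zone; an
    internal DNS record for that name must then point at the server's
    internal address (split DNS).
    """
    accepted, rejected = [], []
    for name in names:
        kind = classify_name(name)
        if kind in ("public", "public-ip"):
            accepted.append(name.strip().lower())
            continue
        host = name.strip().lower().split(".")[0]
        # An IP literal has no host label, so leave an explicit placeholder.
        suggestion = f"{host}.{public_zone}" if kind != "private-ip" else f"<hostname>.{public_zone}"
        rejected.append((name, kind, suggestion))
    return accepted, rejected


# Constructed sample: a typical Exchange request mixing public and internal names.
SAMPLE_NAMES = [
    "mail.contoso.com",
    "autodiscover.contoso.com",
    "myserver.contoso.local",  # internal FQDN, as in the question above
    "EXCH02",                   # bare host name
    "10.1.2.3",                 # private address
]

if __name__ == "__main__":
    ok, bad = plan_split_dns(SAMPLE_NAMES, "exchange.contoso.com")
    print("issuable:", ok)
    for original, reason, replacement in bad:
        print(f"refused {original} ({reason}); use {replacement} and add an internal DNS record for it")
```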
Hello,
I've installed Exchange 2013 into Exchange 2010 infrastructure
[ single Exchange 2010 server; single AD site; AD = 2003 ],
and moved one mailbox [ Test user ] to Exchange 2013.
When I login internally through 2013 OWA to access mailboxes on 2010, then proxy works fine.
When I login internally through 2010 OWA to access mailboxes on 2013, then a message appears:
Use the following link to open this mailbox with the best performance: with link to 2013 OWA...
What is wrong ?
I've checked and changed settings by:
Get-OwaVirtualDirectory, Set-OwaVirtualDirectory
[PS] C:\work>Get-OwaVirtualDirectory -Identity 'ex10\owa (Default Web Site)' | fl server,name, *auth*,*redir*,*url*
Server : EX10
Name : owa (Default Web Site)
ClientAuthCleanupLevel : High
InternalAuthenticationMethods : {Basic, Fba, Ntlm, WindowsIntegrated}
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMethods : {Fba}
RedirectToOptimalOWAServer : True
LegacyRedirectType : Silent
Url : {}
SetPhotoURL :
Exchange2003Url :
FailbackUrl :
InternalUrl : https://ex10.contoso.com/owa
ExternalUrl : https://ex10.contoso.com/owa
[PS] C:\work>Get-OwaVirtualDirectory -Identity 'ex13\owa (Default Web Site)' | fl server,name, *auth*,*redir*,*url*
Server : EX13
Name : owa (Default Web Site)
ClientAuthCleanupLevel : High
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : False
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMethods : {Fba}
RedirectToOptimalOWAServer : True
LegacyRedirectType : Silent
Url : {}
SetPhotoURL :
Exchange2003Url :
FailbackUrl :
InternalUrl : https://ex13.contoso.com/owa
ExternalUrl :
best regards, Janusz Such
Hi Janusz Such,
Based on my knowledge, CAS proxying only works from a later version to a previous version.
For example, CAS2013 to CAS2010/2007, or CAS2013 to CAS2013.
Thanks
If you have feedback for TechNet Subscriber Support, contact
[email protected]
Mavis Huang
TechNet Community Support -
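An added example (not code from the thread or from Microsoft) that parses the Format-List output pasted above and reports which OWA virtual directory properties differ between the two servers, which is the first thing to compare when cross-version OWA proxying or redirection misbehaves. The embedded sample is a trimmed, constructed copy of the output above.

```python
"""Compare Exchange OWA virtual directory settings between two CAS servers.

Parses the text that `Get-OwaVirtualDirectory | fl ...` prints (one
'Property : Value' line per row, one record per server) and lists the
properties whose values differ, flagging unset URLs separately.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: trimmed copy of the two Format-List blocks shown above.
SAMPLE_FL = """\
[PS] C:\\work>Get-OwaVirtualDirectory -Identity 'ex10\\owa (Default Web Site)' | fl server,name,*auth*,*redir*,*url*
Server                        : EX10
Name                          : owa (Default Web Site)
InternalAuthenticationMethods : {Basic, Fba, Ntlm, WindowsIntegrated}
FormsAuthentication           : True
RedirectToOptimalOWAServer    : True
InternalUrl                   : https://ex10.contoso.com/owa
ExternalUrl                   : https://ex10.contoso.com/owa

[PS] C:\\work>Get-OwaVirtualDirectory -Identity 'ex13\\owa (Default Web Site)' | fl server,name,*auth*,*redir*,*url*
Server                        : EX13
Name                          : owa (Default Web Site)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
FormsAuthentication           : False
RedirectToOptimalOWAServer    : True
InternalUrl                   : https://ex13.contoso.com/owa
ExternalUrl                   :
"""

LINE_RE = re.compile(r"^(?P<key>[A-Za-z0-9]+)\s*:\s?(?P<value>.*)$")

# Properties that legitimately differ per server and are not worth flagging.
EXPECTED_TO_DIFFER = {"Server", "Name", "InternalUrl"}


def parse_format_list(text: str) -> Dict[str, Dict[str, str]]:
    """Return {server: {property: value}} from pasted Format-List output.

    A 'Server : X' line starts a new record; prompt and blank lines are
    skipped. Values stay as strings, so an unset ExternalUrl becomes ''.
    """
    records: Dict[str, Dict[str, str]] = {}
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[PS]"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value").strip()
        if key == "Server":
            current = {}
            records[value] = current
        current[key] = value
    return records


def diff_settings(records: Dict[str, Dict[str, str]], a: str, b: str) -> List[Tuple[str, str, str]]:
    """List (property, value_on_a, value_on_b) for every property that differs."""
    keys = sorted(set(records[a]) | set(records[b]))
    return [(k, records[a].get(k, "<missing>"), records[b].get(k, "<missing>"))
            for k in keys if records[a].get(k) != records[b].get(k)]


def findings(records: Dict[str, Dict[str, str]], a: str, b: str) -> List[str]:
    """Differences worth a second look: unset values and non-per-server mismatches."""
    notes = []
    for key, va, vb in diff_settings(records, a, b):
        if key in EXPECTED_TO_DIFFER:
            continue
        if "" in (va, vb):
            notes.append(f"{key} is not set on {a if va == '' else b}")
        else:
            notes.append(f"{key} differs: {a}={va!r}, {b}={vb!r}")
    return notes


if __name__ == "__main__":
    recs = parse_format_list(SAMPLE_FL)
    for note in findings(recs, "EX10", "EX13"):
        print(note)
```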
Exchange 2010 CAS Proxy not working
The internet facing CAS server has internal and external url as
https://mail.domain.com/owa
The non internet facing CAS server has internal url
https://servername.domain.com/owa, with Windows integrated authentication set. No external URL set.
When I try to use OWA to access a user's mailbox that is active on a mailbox server in the non internet AD site using
https://mail.domain.com/owa , I get the following error:
The mailbox you're trying to access isn't available
No Client Access server or front-end server with a matching version was found to handle the request.
Exception message: The CAS server is most likely not configured for SSL (it returned a 403)
However, All Exchange servers are running the same version.
If I try to access the user's mailbox using
https://servername.domain.com/owa it works fine
Anand_N
Hi,
Check the event viewer application logs.
I have seen the same issue and the resolution is given in the event logs.
I think you might have to change the SSL settings on the non-internet facing CAS, or there is a registry setting:
AllowProxyingWithoutSSL
Also, check below link
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26671364.html
http://www.tech-archive.net/Archive/Exchange/microsoft.public.exchange.setup/2013-02/msg00000.html -
Coldfusion and Exchange 2010 CAS
I have a windows 2008 R2 server. I have the default web site with exchange 2010 client access server installed. When I install cold fusion 9 it breaks outlook web access. If I remove coldfusion it works fine again. If I put in the old applicationhost.config file owa will work again but not coldfusion. After coldfusion I get owa/&reason=0. I tried installing coldfusion first but get the same results. Any ideas?
Ended up splitting the two sites.
-
Hi all,
need urgent assistance on the following issue
this is my Exchange 2010 setup
2 x CAS/Hub servers with HP network teaming, and load balanced using Windows NLB multicast mode. There are 2 VIPs on the NLB, one for outlook anywhere, one for autodiscover
2 DNS records were created for the 2 VIPs
Clients use Outlook Anywhere (HTTPS) to connect to the CAS servers from external segment via a Palo Alto firewall, which also acts as a layer 3 router
static arp was set on the Palo Alto firewall, with both virtual MACs pointing to the primary virtual MAC used by the NLB.
Observations
1. within same segment - no issue accessing Exchange servers, even when one CAS node is offline
2. external segment (via firewall)
a. when both nodes are up
outlook client able to connect to Exchange CAS VIP on 443, but will disconnect after around 30 seconds. Client will retry and the pattern will repeat
Exchange CAS RPC logs shows client connections and disconnections to the outlook anywhere VIP address
Firewall logs shows allowed traffic from client to the VIPs
unable to complete profile creation
b. with only CAS2 (CAS1 stopped/deleted from NLB cluster)
no issues accessing Exchange servers, creating profiles etc
c. with only CAS1
same behaviour as (a)
reinstalled NLB, but doesn't resolve
deleted CAS1 from NLB cluster, and re-add. issue remain
Q1. is teaming supported? Teaming is currently set to automatic mode, instead of specified Fault Tolerant
Q2. Are there additional settings we need to set or verify on the Palo Alto firewall, since the issue only happens on the external segment? Thanks!
Yes - I've been scarred with this for many years :(
If it is just CAS1 that is causing issues, then focus in on that. The support statement for Win 2008 R2 is that NLB is still a 3rd party component and support may ask for it to be disabled.
http://support.microsoft.com/kb/278431
Does CAS1 and CAS2 have the same NICs (firmware as well), driver, teaming software, and teaming config?
I also want to ask what the network team did for configuring the switch ports on the servers? This will vary from vendor to vendor - did they do the same config on both?
Cheers,
Rhoderick
Microsoft Senior Exchange PFE
Blog: http://blogs.technet.com/rmilne
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
Thanks Rhoderick, issue still persists
can you also help clarify what you meant by "configuring the switch ports on the servers"?
thanks again -
Exchange 2010 CAS Mailbox Re-direction / Proxying Not Working Properly
Hello Team
In my Exchange 2010 Lab Setup, CAS proxy is not working properly
In Site A : One DC , One HUb Server , 2 CAS Server (CAS ARRAY WIndows NLB), Mailbox Server 2 (DAG)
In Site B : One ADC one hub and CAS( Both are in same box) One Mailbox
Internal and External for SITE A on Server CASARRAY1.labbites.co.in is https://casarray1.labbites.co.in/owa and https://casarray1.labbites.co.in/owa
Internal and External for SITE A on Server CASARRAY2.labbites.co.in is https://casarray2.labbites.co.in/owa and https://casarray2.labbites.co.in/owa
DNS record casarray.labbites.co.in is present
Internal and External for SITE B on Server INDLBGUEX01.labbites.co.in is https://indlbguex01.labbites.co.in/owa and https://indlbguex01.labbites.co.in/owa
The problem is occurs , whenever the second CAS server casarray2.labbites.co.in is down (Shutdown)
Now, when the user from site A is trying to log in to OWA with the SITE B OWA link https://indlbguex01.labbites.co.in/owa, it always redirects to https://casarray2.labbites.co.in/owa; since the casarray2 server is down, the OWA page is not opening.
My question is: why is the proxy redirection always going to the second server casarray2 instead of casarray.labbites.co.in?
How do I correct it? Please help me to overcome the issue.
Hi Albert
Thanks for your update
Get-mailboxdatabase | FT name, RPC*
Name RpcClientAccessServer
DB1 casarray.labbites.co.in
DB2 casarray.labbites.co.in
DB3 casarray.labbites.co.in
Site B Mbx -DB1 INDLBGUEX01.labbites.co.in
The user is administrator, who belongs to DB1 and is accessing OWA from the SITE B CAS server link https://indlbguex01.labbites.co.in/owa
and it is redirecting to https://casarray2.labbites.co.in/owa
So as per the above output, should I make the RpcClientAccessServer for Site B Mbx -DB1 casarray.labbites.co.in?
-
Exchange 2010 CAS array with Exchange 2013 Mailbox Servers
Here is our current scenario,
Exchange 2007
2 - Hub Transport Servers
2 - CAS servers (cluster NLB)
2 - Mailbox servers (clustered)
Exchange 2010
2 - Hub Transport Servers
3 - CAS servers (array NLB)
2 - Mailbox servers (1 DAG)
We have not migrated any users to the Exchange 2010 environment yet. We're thinking that at this point we would rather go from 2007 to 2013. Does the 2013 mailbox server work with a 2010 CAS array?
Hi,
As far as I know, the CAS array doesn't exist in Exchange 2013. And OWA and other requests can be proxied and redirected from Exchange 2013 to Exchange 2010.
For more information, you can refer to the following article:
http://blogs.technet.com/b/exchange/archive/2013/01/25/exchange-2013-client-access-server-role.aspx
Thanks,
Angela Shi
TechNet Community Support