Best practice SSL End-to-End in Exchange 2010 CAS loadbalancing

Similar Messages

• Whats the best way to go about load balancing Exchange 2010 CAS

  My server guys want to LB the Exchange 2010 client access servers, this will be the 7th Context on my Ace 4710.
  see table for ports that are used
  Port
  Usage
  25
  smtp
  80
  http various
  110
  POP3 clients
  135
  RPC end point mapper
  143
  imap4 clients
  443
  SSL various
  993
  secure imap 4 clients
  995
  secure pop3 clients
  6001
  rpc related outlook anywhere
  6002
  rpc related outlook anywhere
  6003
  rpc related outlook anywhere
  60200
  rpc CAS
  60201
  exchange address book service
  whats the best way of going about this?
  do I just LB the IP addresses of the Servers and ignore the ports?
  do i have to do anything special for ports 993 and 995 secure imap and pop?
  I am sure there are more questions I shold be asking!

  OK
  so If I have a single serverfarm with all services do I filter on  the virtual
  address something like below?
  class-map match-any EXCH_vip
  match virtual-address 172.16.93.2 tcp eq 25
  match virtual-address 172.16.93.2 tcp eq 80
  match virtual-address 172.16.93.2 tcp eq 110
  match virtual-address 172.16.93.2 tcp eq 135
  match virtual-address 172.16.93.2 tcp eq 143
  match virtual-address 172.16.93.2 tcp eq 443
  match virtual-address 172.16.93.2 tcp eq 993
  match virtual-address 172.16.93.2 tcp eq 995
  match virtual-address 172.16.93.2 tcp eq 6001
  match virtual-address 172.16.93.2 tcp eq 6002
  match virtual-address 172.16.93.2 tcp eq 6003
  match virtual-address 172.16.93.2 tcp eq 60200
  match virtual-address 172.16.93.2 tcp eq 60201

• Exchange 2013 EAC will not run with Exchange 2010 CAS\HT servers shut down.

  Hi Folks,
  A little background - We have just migrated all our user mailboxes and public folders to Office 365 using a hybrid configuration. Now that the migration is essentially finished, I'd like to decommission our on-prem Exchange infrastructure and remove the
  hybrid config. We are using dirsync with password sync to replicate our AD to the cloud.
  I've read that even if you remove your hybrid configuration, it's a good idea to keep one on-prem Exchange server around so you can edit Exchange attribs (such as email addresses) in a supported manner, rather than using ASDI edit, etc.
  To this end, I installed a single Exchange 2013 CA\MBX server. After installation, the EAC worked fine, and I was able to view our on-prem users, groups, etc. Last week, I shut down our two Exchange 2010 CAS\HT servers as a test to see if anything broke
  prior to decommissioning them (these were the hybrid servers as well). After doing so, the Exchange 2013 EAC no longer works for some reason, and behaves in a very bizarre fashion. About once every 20 times or so, it will actually start and run. The other
  times, it just has you enter your creds, then generates an HTTP 500 internal server error after entering them. It seems to make no difference if you attempt to access it by the fqdn, hostname, or localhost right on the box itself. Same behavior on Chrome or
  IE.
  Today as a test, I started up one of the 2010 CAS servers and lo and behold, the 2013 EAC ran without difficulty again. Any idea why this might be so? Thanks for any help,
  Ian

  Hi,
  From your description, I recommend you use the following URL to check if you can access EAC. I see it works for several people about this issue.
  https://<Exchange 2013 CAS FQDN>/ecp?ExchClientVer=15
  Hope it helps.
  Best regards,
  Amy Wang
  TechNet Community Support

• Is it supported to connect Exchange 2013 Mailbox using Exchange 2010 CAS in Co-existence?

  Hi Team,
  I am in the phase of upgrading Exchange 2010 to 2013, and introduced 4 MBX and 2 CAS of 2013 servers in co-existence.
  Only one production mailbox of 2010 moved to 2013. The owa of the mailbox moved to 2013, is working OK internally coz only internally configured, but when I configure outlook using 2010 settings, it got configured but when I open outlook it doesn't
  open and throws an error of some "cannot open set of folders".
  Is it supported to connect Exchange 2013 Mailbox using Exchange 2010 CAS in Co-existence? because I havnt configured 2013 CAS servers yet.
  Kindly share some KB or tip. Any help is appreciated. Thank You.
  Muhammad Nadeem Ahmed Sr System Support Engineer Premier Systems (Pvt) Ltd T. +9221-2429051 Ext-226 F. +9221-2428777 M. +92300-8262627 Web. www.premier.com.pk

  I'll change Adam's wording slightly - you *MUST* install a CAS 13 server into every site where there is a MBX 13 server.
  Cheers,
  Rhoderick
  Microsoft Senior Exchange PFE
  Blog:
  http://blogs.technet.com/rmilne 
  Twitter:   LinkedIn:
    Facebook:
    XING:
  Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

• Catalyst SLB - Exchange 2010 CAS RPC

  Hi.
  We're currently testing out SLB for load balancing a pair of Exchange 2010 CAS servers.  The config seems straightforward enough for single port services like 'Outlook Anywhere' or 'Outlook Web Access' (all on https).
  Does anyone have real life experience with getting straight MAPI Outlook load balancing to work?  According to Microsoft, there's only 3 ports to be concerned with - endpoint mapper, rpc.clientaccess, and address.book.  I've got the latter two set for static across both of these servers, and have 3 appropriate vservers in place pointing to the serverfarm, but a capture shows the process getting hung up on tcp135.  It's as if whatever server the endpoint request is landing on doesn't know what to do with the request.
  Thanks in advance for any replies.

  Hello Jay!
  Take a look at this doc:
  http://www.cisco.com/en/US/docs/solutions/Verticals/mstdcmsftex.html#wp609677
  RPC requires source ip sticky in order to operate correctly through a loadbalancer.  In the doc, they also walk through doing RPC over http/https - however, I have seen configurations where ACE is not L5-L7 that use RPC on port 135 as a L4 rule with sticky and it appears to work ok.
  Regards,
  Chris Higgins

• Exchange 2013 CAS functionality in coexistence with Exchange 2010 CAS

  Hi,
  I am planning to migrate Exchange 2010 to Exchange 2013 for 15000 users. We have a pool of 6 CAS 2010 servers added in a single CAS array. So my question is if we introduce a new CAS 2013 server in same site then will it affect CAS traffic anyway ? If we
  point our HLB to all CAS servers including CAS 2010 and CAS 2013 so will the CAS 2010 servers wil take traffic or is it only CAS 2013 servers who will take traffic. We will be putting same URLs in CAS 2013 same as CAS 2010. I have read lot of MS articles and
  all say that CAS 2013 should be enabled for CAS traffic and it will proxy request to CAS 2010. But I am not sure if we will face any CAS traffic issue whenever we will introduce CAS 2013 servers in same site and traffic will be pointed to CAS 2010 and CAS
  2013 both. Is it possible to add CAS 2013 in Exchange 2010 CAS array ? Please guide. Thanks in advance.

  For mailbox that exist on Exchange 2010, EXCH2013 CAS will proxy the request to an Exchange 2010 Client Access servers that exists within the mailbox’s local site.
  For mailboxes that exist on Exchange 2013, EXCH2013 CAS will proxy the request to the Exchange 2013 Mailbox server that is hosting the active copy of the user’s mailbox which will generate the Autodiscover response.
  -->Is it possible to add CAS 2013 in Exchange 2010 CAS array ? 
  No. CAS Array is no longer exits in Exchange 2013. But concept of a single namespace for Outlook connectivity remains. Please check this and this. In
  your case you dont need to worry as you have a HLB in place it will do the job
  When a new exchange2013 is deployed Outlook Anywhere has been enabled on all Client Access servers within the infrastructure and the mail.contoso.com and autodiscover.contoso.com namespaces have been moved to resolve to Exchange 2013 Client Access server
  infrastructure. In your case it is pointed to both as you have a load balancer in place but the same URL should be configured in exch2013
  Make sure you have exchange2010-SP3  minimum as it is the prerequisite requirement for upgarding EXCh2010 to 2013. 
  Please check the exchange server deployment assistant
  tool for moving mailboxes
  After moving a mailbox check the URLs. Configure autodiscover,EWS,OAB URLs on exchange2013. Please check this as
  well for checking URLs.
  I hope you know MAPI/RPC (RPC over TCP) traffic is now replaced with RPC over HTTP/s instead in exch2013. 
  Thanks
  MAS
  Please don't forget to mark an answer if it answers your question or mark as helpful if it helps

• Best practices for making the end result web help printable

  Hi all, using TCS3 Win 7 64 bit.  All patched and up to date.
  I was wondering what the best practices are for the following scenario:
  I am authoring in Frame, link by reference into RH.
  I use Frame to generate PDFs and RH to generate webhelp.
  I have tons of conditional text which ultimately produce four separate versions of PDFs as well as online help - I handle these codes in FM and pull them into RH.
  I use a css on all pages of my RH to make it 'look' right.
  We now need to add the ability for end users to print the webhelp - outside of just CTRL+P because a)that cuts off the larger images and b)it doesn't show header, footer, logo, date, etc. (stuff that is in the master pages in FM).
  My thought is doing the following:
  Adding four sentences (one for each condition) in the FM book on the first page. Each one would be coded for audience A, B, C, or D (each of which require separate PDFs) as well as coded with ONLINE so that they don't show up in my printed PDFs that I generate out of Frame. Once the PDFs are generated, I would add a hyperlink in RH (manually) to each sentence and link the associated PDF (this seems to add the PDF file to the baggage files in RH). Then when I generate my RH webhelp, it would show the link, with the PDF, correctly based on the condition of the user looking at the help.
  My questions are as follows:
  1- This seems more complicated than it needs to be. Is it?
  2- I would have to manually update every single hyperlink each time I update my FM book, because I am single sourcing out of Frame and I am unable (as far as I can tell) to link a PDF within the frame doc. I update the entire book (over 1500 pages) once every 6 weeks so while this wouldn't be a common occurrence it will happen regularly, and it would be manual (as far as I can tell)?
  3- Eventually, I would have countless PDFs inside RH. I assume this will eventually impact performance. So this also doesn't seem ideal?
  If anyone has thoughts/suggestions on a simpler way or better way to do this, I'd certainly appreciate it. I have watched the Adobe TV tutorial on adding a master page but that seems to remove the ability to use a css across all my topics and it also requires the manual addition of a manual hyperlink to the PDF file, so that is what I am proposing above, anyway (not sure the benefit, therefore).
  Thanks in advance,
  Adriana

  Anything other than CTRL + P is going to create a lot of work so perhaps I can comment on what you see as drawbacks to that.
  a)that cuts off the larger images and b)it doesn't show header, footer,
  logo, date, etc. (stuff that is in the master pages in FM).
  Larger images.
  I simply make a point of keeping my image sizes down to a size that works. It's not a problem for me but that doesn't mean it will work for you. Here all I am doing is suggesting you review how big a problem that would be.
  Master Page Details
  I have to preface this with the statement that I don't work with FM. The details you refer to print when they are in RoboHelp master pages. Perhaps one of the FM users here can comment on how to get FM master pages to come through.
  See www.grainge.org for RoboHelp and Authoring tips
  @petergrainge

• Best Practice for Droid Gmail Contacts with Exchange ActiveSync?

  Hi, folks.  After going through an Address Book nightmare this past summer, I am attempting to once again get my Contacts straight and clean.  I have just started a new job and want to bring my now clean Gmail contacts over to Exchange.  The challenge is creating duplicate contacts, then defining a go-forward strategy for creating NEW contacts so that they reside in both Gmail and Exchange without duplication.  Right now, my Droid is master and everything is fine.  However, once I port those contacts from Gmail onto my laptop, all hell breaks loose... Does Verizon have a Best Practice finally documented for this?  This past summer I spoke with no less than 5 different Customer Support reps and got 3 different answers... This is not an uncommon problem...

  In parallel to this post, I called Verizon for Technical Support assistance.  Seems no progress has been made.  My issue this past summer were likely a result of extremely poor quality products from Microsoft, which included Microsoft CRM, Microsoft Lync (new phone system they are touting which is horrible), and Exchange.  As a go-forward strategy, I have exported all Gmail contacts to CSV for Outlook and have imported them to Exchange.  All looks good.  I am turning off phone visibility of Gmail contacts and will create all new contacts in Exchange.

• Renew SSL Certificate for for two Exchange 2010 Server and the new rules.

  I find DigitCert's website always helpful with cert questions.They've got a pretty helpful page here: https://www.digicert.com/internal-names.htmIt looks like they've got a tool for Exchange, but I've not used it myself, so can't say if it works or how well: https://www.digicert.com/internal-domain-name-tool.htmI bet Microsoft have something on their website too that helps with this sort of question.I'd say you register a completely new domain and use that for public facing and internal servers. Or you could just create a sub domain of an existing one, i.e. subdomain.mydomain.com and use that, i.e. public_exchange.subdomain.mydomain.com and internal_exchange.subdomain.mydomain.com.

  Hi there , 
  My exchange 2010 Server Certificate is about to expire and i am going to renew it but according to the new rules for SSL Certificate Issuing we can not include our Local Servers Names and Local FQDN such as myserver.contoso.local, my issue is that i have 2 exchange servers one is internet-facing Server (where the certificate is initiated and installed) and one is non-internet-facing Exchange server.
  if i am going to renew my certificate with public only name, I have to create a split Domain that reflects my external links to the internal Users, what shall i do for the non-internet-facing server? do i need to create another record in my split DNS Server and add it to my Certificate Request ? 
  This topic first appeared in the Spiceworks Community

• Exchange 2010 CAS proxy to Exchange 2013 CAS: Use the following link to open this mailbox with the best performance:

  Hello,
  I've installed Exchange 2013 into Exchange 2010 infrastructure
  [ single Exchange 2010 server; single AD site; AD = 2003 ],
  and moved one mailbox [ Test user ] to Exchange 2013.
  When I login internally through 2013 OWA to access mailboxes on 2010, then proxy works fine.
  When I login internally through 2010 OWA to access mailboxes on 2013, then a message appears:
      Use the following link to open this mailbox with the best performance: with link to 2013 OWA...
  What is wrong ?
  I've checked and changed settings by:
  Get-OwaVirtualDirectory, Set-OwaVirtualDirectory
  [PS] C:\work>Get-OwaVirtualDirectory -Identity 'ex10\owa (Default Web Site)' | fl server,name, *auth*,*redir*,*url*
  Server                        : EX10
  Name                          : owa (Default Web Site)
  ClientAuthCleanupLevel        : High
  InternalAuthenticationMethods : {Basic, Fba, Ntlm, WindowsIntegrated}
  BasicAuthentication           : True
  WindowsAuthentication         : True
  DigestAuthentication          : False
  FormsAuthentication           : True
  LiveIdAuthentication          : False
  AdfsAuthentication            : False
  OAuthAuthentication           : False
  ExternalAuthenticationMethods : {Fba}
  RedirectToOptimalOWAServer    : True
  LegacyRedirectType            : Silent
  Url                           : {}
  SetPhotoURL                   :
  Exchange2003Url               :
  FailbackUrl                   :
  InternalUrl                   : https://ex10.contoso.com/owa
  ExternalUrl                   : https://ex10.contoso.com/owa
  [PS] C:\work>Get-OwaVirtualDirectory -Identity 'ex13\owa (Default Web Site)' | fl server,name, *auth*,*redir*,*url*
  Server                        : EX13
  Name                          : owa (Default Web Site)
  ClientAuthCleanupLevel        : High
  InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
  BasicAuthentication           : True
  WindowsAuthentication         : True
  DigestAuthentication          : False
  FormsAuthentication           : False
  LiveIdAuthentication          : False
  AdfsAuthentication            : False
  OAuthAuthentication           : False
  ExternalAuthenticationMethods : {Fba}
  RedirectToOptimalOWAServer    : True
  LegacyRedirectType            : Silent
  Url                           : {}
  SetPhotoURL                   :
  Exchange2003Url               :
  FailbackUrl                   :
  InternalUrl                   : https://ex13.contoso.com/owa
  ExternalUrl                   :
  best regards Janusz Such

  Hi Janusz Such,
  Based on my knowledge, CAS proxy can only from later version to previous version.
  Some like CAS2013 to CAS2010/2007, CAS2013 to CAS2013. 
  Thanks
  If you have feedback for TechNet Subscriber Support, contact
  [email protected]
  Mavis Huang
  TechNet Community Support

• Exchange 2010 CAS Proxy not working

  The internet facing CAS server has internal and external url as
  https://mail.domain.com/owa
  The non internet facing CAS server has internal url
  https://servername.domain.com/owa, with windows integrated authenticaion set. No external url set.
  When I try to use OWA to access a user's mailbox that is active on a mailbox server in the non internet AD site using
  https://mail.domain.com/owa , I get the following error:
  The mailbox you're trying to access isn't available
  No Client Access server or front-end server with a matching version was found to handle the request.
  Exception message: The CAS server is most likely not configured for SSL (it returned a 403)
  However, All Exchange servers are running the same version.
  If I try to access the user's mailbox using
  https://servername.domain.com/owa it works fine
  Anand_N

  Hi,
  Check the event viewer application logs.
  I have seen the same issue and the resolution is given in the event logs.
  I think you might have to change the SSL settings on the non-internet facing CAS or there is some regisrty settings.
  AllowProxyingWithoutSSL
  Also, check below link
  http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26671364.html
  http://www.tech-archive.net/Archive/Exchange/microsoft.public.exchange.setup/2013-02/msg00000.html

• Coldfusion and Exchange 2010 CAS

  I have a windows 2008 R2 server. I have the default web site with exchange 2010 client access server installed. When I install cold fusion 9 it breaks outlook web access. If I remove coldfusion it works fine again. If I put in the old applicationhost.config file owa will work again but not coldfusion. After coldfusion I get owa/&reason=0. I tried installing coldfusion first but get the same results. Any ideas?

  Ended up splitting the two sites.

• Outlook client in different subnet unable to connect to Exchange 2010 CAS using Windows 2008 R2 NLB multicast mode

  Hi all,
  need urgent assistance on the following issue
  this is my Exchange 2010 setup
  2 x CAS/Hub servers with HP network teaming, and load balanced using Windows NLB multicast mode. There are 2 VIPs on the NLB, one for outlook anywhere, one for autodiscover
  2 DNS records were created for the 2 VIPs
  Clients use Outlook Anywhere (HTTPS) to connect to the CAS servers from external segment via a Palo Alto firewall, which also acts as a layer 3 router
  static arp was set on the Palo Alto firewall, with both virtual MACs pointing to the primary virtual MAC used by the NLB. 
  Observations
  1. within same segment - no issue accessing Exchange servers, even when one CAS node is offline
  2. external segment (via firewall)
  a. when both nodes are up
  outlook client able to connect to Exchange CAS VIP on 443, but will disconnect after around 30 seconds. Client will retry and the pattern will repeat
  Exchange CAS RPC logs shows client connections and disconnections to the outlook anywhere VIP address
  Firewall logs shows allowed traffic from client to the VIPs
  unable to complete profile creation
  b. with only CAS2 (CAS1 stopped/deleted from NLB cluster)
  no issues accessing Exchange servers, creating profiles etc
  c. with only CAS1
  same behaviour as (a)
  reinstalled NLB, but doesn't resolve
  deleted CAS1 from NLB cluster, and re-add. issue remain
  Q1. is teaming supported? Teaming is currently set to automatic mode, instead of specified Fault Tolerant
  Q2. are there additional settings we need to set or verify on the Palo Alto firewall, since the issue only happen to external segment? Thanks!

  Yes - I've been scarred with this for many years :(
  If it is just CAS 1 that is causing issues, then focus in on that.  The support statement for Win 2008 R2 is that NLB is still a 3rd party component and support may ask for it to be disabled.
  http://support.microsoft.com/kb/278431 
  Does CAS1 and CAS2 have the same NICs (firmware as well), driver, teaming software, and teaming config? 
  I also want to ask what the network team did for configuring the switch ports on the servers?  This will vary from vendor to vendor  - did they do the same config on both?
  Cheers,
  Rhoderick
  Microsoft Senior Exchange PFE
  Blog:
  http://blogs.technet.com/rmilne 
  Twitter:   LinkedIn:
    Facebook:
    XING:
  Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
  Thanks Rhoderick, issue still persists
  can you also help clarify what you meant by "configuring the switch ports on the servers"?
  thanks again

• Exchange 2010 CAS Mailbox Re-direction / Proxying Not Working Properly

  Hello Team
  In my Exchange 2010  Lab Setup, CAS proxy is not working properly
  In Site A :  One DC , One HUb Server , 2 CAS Server (CAS ARRAY WIndows NLB), Mailbox Server 2 (DAG)
  In Site B : One ADC one hub and CAS( Both are in same box) One Mailbox
  Internal and External for SITE A  on Server CASARRAY1.labbites.co.in  is https://casarray1.labbites.co.in/owa  and https://casarray1.labbites.co.in/owa
  Internal and External for SITE A  on Server CASARRAY2.labbites.co.in  is https://casarray2.labbites.co.in/owa  and https://casarray2.labbites.co.in/owa
  DNS recory casarray.labbites.co.in is present 
  Internal and External for SITE B on Server INDLBGUEX01.labbites.co.in is https://indlbguex01.labbites.co.in/owa  and https://indlbguex01.labbites.co.in/owa 
  The problem is occurs , whenever the second CAS server casarray2.labbites.co.in is down (Shutdown)
  Now , when the user ifrom site A s trying to log in to the OWA with SITE B OWA LINK https://indlbguex01.labbites.co.in/owa  it redirects to always https://casarray2.labbites.co.in/owa , since casarray2 server is down the OWA  page
  is not opening
  My Question is Why the proxy re-direction is always going to second casarray2 server instead of  casarray.labbites.co.in
  how to correct it . please help me to over come the issue 

  Hi Albert
  Thanks for you update 
  Get-mailboxdatabase | FT name, RPC*
  Name                             RpcClientAccessServer 
  DB1                                casarray.labbites.co.in
  DB2                                casarray.labbites.co.in
  DB3                                casarray.labbites.co.in
  Site B Mbx -DB1              INDLBGUEX01.labbites.co.in
  The user is administartor who beloings to DB1 and accesing the OWA from the SITE B  CAS server link https://indlbguex01.labbites.co.in/owa
  and it is redirecting to https://casarray2.labbites.co.in/owa 
  so as per the above
  output , should i make RPCclientaccess server for Site B Mbx -DB1   as casarray.labbites.co.in

• Exchange 2010 CAS array with Exchange 2013 Mailbox Servers

  Here is our current scenario,
  Exchange 2007
  2 - Hub Transport Servers
  2 - CAS servers (cluster NLB)
  2 - Mailbox servers (clustered)
  Exchange 2010
  2 - Huib Transport Servers
  3 - CAS servers (array NLB)
  2 - Mailbox servers (1 DAG)
  We have not migrated any users to the Exchange 2010 environment yet. We're thinking that at this point we would rather go from 2007 to 2013. Does the 2013 mailbox server work with a 2010 CAS array?

  Hi,
  As far as I know, CAS array doesn' t exist in Exchange 2013. And OWA and other requests can be proxyed and redirected from Exchange 2013 to Exchange 2010.
  For more information, you can refer to the following article:
  http://blogs.technet.com/b/exchange/archive/2013/01/25/exchange-2013-client-access-server-role.aspx
  Thanks,
  Angela Shi
  TechNet Community Support