TechEd 2013 11/17/2018 12:40 PM © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Microsoft Exchange Server 2013 Client Access Server role 11/17/2018 12:40 PM OUC-B313 Microsoft Exchange Server 2013 Client Access Server role Nathan Winters Exchange Technical Specialist © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Session objectives Cover some key CAS 2013 concepts TechEd 2013 11/17/2018 12:40 PM Session objectives Cover some key CAS 2013 concepts CAS Fundamentals to set the stage Protocol Flows in mysterious ways More About OWA FBA to appease your inner nerd Load Balancing options with Exchange Server 2013 Publishing Exchange in a post TMG world © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

The key to enlightenment… User For any given mailbox’s connectivity, the user is always served by the server that hosts the active database copy Each CAS determines the right end point for the traffic, and so all sessions – regardless of where they started – end up in the same place Layer 4LB CAS DAG MBX-A MBX-B

And some CAS fundamentals TechEd 2013 11/17/2018 12:40 PM And some CAS fundamentals CAS 2013 does three things – it authenticates, locates and proxies/redirects (ok, that’s four) It authenticates the connection to find out who the user is It locates the user’s mailbox – on which mailbox server is it currently active It proxies the connection to the mailbox server and maintains the connection (or redirects it somewhere else) CAS generates no content, it simply acts as a (smart) proxy © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Yes! You DO need a CAS in every AD site TechEd 2013 11/17/2018 12:40 PM Yes! You DO need a CAS in every AD site MBX CAS Load balancer HTTP proxy IIS DB Protocol head SITE BOUNDARY MBX CAS Load balancer IIS HTTP proxy DB Protocol head SITE BOUNDARY MBX DB Protocol head HTTP HTTP HTTP HTTP Local proxy request OWA cross-site redirect request Cross-site proxy request © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Should I Multi-Role CAS and Mailbox? TechEd 2013 11/17/2018 12:40 PM Should I Multi-Role CAS and Mailbox? A frequent question is: Should I co-locate/multi-role CAS and Mailbox? The answer is Yes. Always. Think about this: You deploy 10 MBX and 4 CAS. 14 Servers total. What if instead you used 12 multi-role servers? You now have increased your CAS availability by 300% and decreased the overall server count by 2! See Jeff Mealiffe’s session for other good reasons why you should © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

CAS 2013 client protocol connectivity flow TechEd 2013 11/17/2018 12:40 PM CAS 2013 client protocol connectivity flow © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

AutoDiscover TechEd 2013 11/17/2018 12:40 PM © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

TechEd 2013 11/17/2018 12:40 PM CAS 2013 client protocol connectivity flow Exchange Server 2010 coexistence – AutoDiscover (external clients) Clients autodiscover.contoso.com DNS CAS 2010 handles request CAS 2010 handles request PROXY PROXY E2010 CAS E2013 CAS E2010 CAS E2010 MBX E2013 MBX E2010 MBX Internet-facing site Intranet site © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

TechEd 2013 11/17/2018 12:40 PM CAS 2013 client protocol connectivity flow Exchange Server 2007 coexistence – AutoDiscover (external clients) Clients autodiscover.contoso.com DNS E2007 CAS E2013 CAS E2007 CAS PROXY PROXY MBX 2013 handles request MBX 2013 handles request E2007 MBX E2013 MBX E2007 MBX Internet-facing site Intranet site © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Lookup SCP records in AD TechEd 2013 11/17/2018 12:40 PM CAS 2013 client protocol connectivity flow Exchange Server 2010 coexistence – AutoDiscover (internal clients) Lookup SCP records in AD Outlook clients Internal LB namespace The triangle (AD) CAS 2010 handles request CAS 2010 handles request PROXY PROXY E2010 CAS E2013 CAS E2010 CAS E2010 MBX E2013 MBX E2010 MBX Internet-facing site Intranet site © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Lookup SCP records in AD TechEd 2013 11/17/2018 12:40 PM CAS 2013 client protocol connectivity flow Exchange Server 2007 coexistence – AutoDiscover (internal clients) Lookup SCP records in AD Outlook clients Internal LB namespace Still a triangle E2007 CAS E2013 CAS E2007 CAS PROXY MBX 2013 handles request E2007 MBX E2013 MBX E2007 MBX Internet-facing site Intranet site © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

TechEd 2013 11/17/2018 12:40 PM Outlook © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Internal Outlook connectivity TechEd 2013 11/17/2018 12:40 PM Internal Outlook connectivity No changes to 2007/10 – still direct to mailbox (2007) and RPC Client Access Service on CAS (2010) 2013 users use Outlook Anywhere to connect both inside and out Moving to Outlook Anywhere before moving to 2013 may make life easier AutoDiscover 2013 hands back two EXHTTP nodes (settings) for 2013 users, one for Internal OA, one for external – client starts at the top of the list and works down By default HTTP internally, HTTPS for external connections (but that doesn’t solve certificate name or trust issues for internal clients for other services) © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

TechEd 2013 11/17/2018 12:40 PM CAS 2013 client protocol connectivity flow Exchange Server 2007 and 2010 coexistence – Outlook Anywhere Clients RPC/HTTP mail.contoso.com Enable Outlook Anywhere On intranet 2007/2010 servers Client settings Make 2007/2010 client settings the same as 2013 Server (in this case meaning OA hostname = mail.contoso.com and client auth = Basic) IIS authentication methods Must include NTLM E2010/E2007 CAS E2013 CAS E2010/E2007 CAS PROXY PROXY Enable OA Client Auth: Basic IIS Auth: Enable OA Client Auth: Basic IIS Auth: Basic Enable OA Client Auth: Basic IIS Auth: NTLM NTLM RPC RPC E2010/ E2007 MBX E2013 MBX E2010/ E2007 MBX Internet-facing site Intranet site © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

One caveat for the 2013 > 2007 case TechEd 2013 11/17/2018 12:40 PM One caveat for the 2013 > 2007 case If your 2007 server is CAS + MBX is not a GC has IPv6 enabled Outlook Anywhere won’t work and and then Details KB https://support.microsoft.com/kb/2794253 Options Separate CAS + MBX roles Disable IPv6 © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Outlook Web App

TechEd 2013 11/17/2018 12:40 PM CAS 2013 client protocol connectivity flow Exchange Server 2010 coexistence – OWA OWA mail.contoso.com LAYER 4 LB europe.mail.contoso.com LAYER 7 LB E2010 MBX E2010 CAS Same site proxy request Auth 2013 logon page Cross site proxy request Auth 2010 logon page single sign on (sso) redirect!! new in CU2! HTTP PROXY HTTP PROXY E2010 CAS E2013 CAS RPC RPC E2010 MBX E2013 MBX Internet site Intranet Site Internet-facing site © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

TechEd 2013 11/17/2018 12:40 PM CAS 2013 client protocol connectivity flow Exchange Server 2007 coexistence – OWA OWA Legacy.mail.contoso.com LAYER 7 LB mail.contoso.com LAYER 4 LB europe.mail.contoso.com LAYER 7 LB Intranet site E2007 MBX E2007 CAS Auth 2007 logon page Single sign on (SSO) redirect!! New in CU2! Auth 2013 logon page Auth 2007 logon page Single sign on (SSO) redirect!! New in CU2! HTTP PROXY E2007 CAS E2013 CAS RPC RPC E2007 MBX E2013 MBX Internet-facing site © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Single sign on (SSO) redirect!! TechEd 2013 11/17/2018 12:40 PM CAS 2013 client protocol connectivity flow Exchange Server 2013 OWA – different external URL OWA mail.contoso.com LAYER 4 LB europe.mail.contoso.com LAYER 4 LB Internet-facing site E2013 MBX E2013 CAS Auth 2013 logon page Single sign on (SSO) redirect!! New in CU2! E2013 CAS E2013 MBX Internet-facing site © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

TechEd 2013 11/17/2018 12:40 PM CAS 2013 client protocol connectivity flow Exchange Server 2013 OWA – same external URL OWA mail.contoso.com LAYER 4 LB mail.contoso.com LAYER 4 LB Internet-facing site E2013 MBX E2013 CAS Auth 2013 logon page E2013 CAS HTTP PROXY E2013 MBX Internet-facing site © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Exchange Active Sync

TechEd 2013 11/17/2018 12:40 PM CAS 2013 client protocol connectivity flow Exchange Server 2010 coexistence – EAS EAS mail.contoso.com LAYER 4 LB europe.mail.contoso.com LAYER 7 LB Intranet site E2010 MBX E2010 CAS Same site proxy request Cross site proxy request HTTP PROXY HTTP PROXY E2010 CAS E2013 CAS E2010 MBX E2013 MBX Internet-facing site © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

TechEd 2013 11/17/2018 12:40 PM CAS 2013 client protocol connectivity flow Exchange Server 2007 coexistence – EAS EAS legacy.mail.contoso.com LAYER 7 LB mail.contoso.com LAYER 4 LB europe.mail.contoso.com LAYER 7 LB Intranet site E2007 MBX E2007 CAS E2007 CAS E2013 CAS E2007 MBX E2013 MBX Internet-facing site But what happens if you move a 2007 mailbox now from the Europe to the US site? © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Exchange Web Services

TechEd 2013 11/17/2018 12:40 PM CAS 2013 client protocol connectivity flow Exchange Server 2010 coexistence – EWS EWS mail.contoso.com LAYER 4 LB europe.mail.contoso.com LAYER 7 LB Intranet site E2010 MBX E2010 CAS Same site proxy request Cross site proxy request HTTP PROXY HTTP PROXY E2010 CAS E2013 CAS E2010 MBX E2013 MBX Internet-facing site © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Europe intranet-facing site TechEd 2013 11/17/2018 12:40 PM CAS 2013 client protocol connectivity flow Exchange Server 2007 coexistence – EWS EWS legacy.mail.contoso.com LAYER 7 LB mail.contoso.com LAYER 4 LB europe.mail.contoso.com LAYER 7 LB Europe intranet-facing site E2007 MBX E2007 CAS E2007 CAS E2013 CAS E2007 MBX E2013 MBX Internet-facing site Intranet site © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Protocol flow summary Basic principles to apply are: TechEd 2013 11/17/2018 12:40 PM Protocol flow summary Basic principles to apply are: Co-existence with 2010 – CAS 2013 proxies all traffic to CAS 2010 Co-existence with 2007 – CAS 2013 redirects OWA to CAS 2007, proxies AutoDiscover, POP, IMAP and Outlook Anywhere, and relies on AutoDiscover for EWS 2013 no longer does HTTP 451 redirects – But legacy versions still do You need a 2007 CAS in the Internet facing site for as long as you have 2007 in the non-internet facing sites – just like 2010 We hand out site specific URLs if they are set, but if a client comes to the wrong place, for 2010 we just proxy and “just make it work™” © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

CAS 2013 OWA FBA

TechEd 2013 11/17/2018 12:40 PM How does FBA in 2013 work? Some of you may be wondering why we no longer require affinity for OWA, using FBA Why doesn’t the cookie become invalid if the load balancer switches the client from one CAS to another in the same pool? © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

TechEd 2013 11/17/2018 12:40 PM How it really works… We assume the same cert exists on all CAS in the LB pool The user authenticates to any one CAS The auth token, session key, and some other pieces of information are encrypted using the public key of the common SSL cert The client hands that cookie back with every request Any CAS can decrypt it, as they all possess the private key of the SSL certificate And that’s how it works © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Load balancing

Load balancing changes TechEd 2013 11/17/2018 12:40 PM Load balancing changes Exchange Server 2013 no longer requires affinity for client connections This provides the ability to use layer 4, (at the tcp layer rather than http) based load balancing At layer 4, the load balancer has no idea what the actual target URL is (/owa, or /ews for example), it sees IP address and protocol/port (TCP 443) But no awareness of the target URL means load balancer health probes might not be so smart… © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

The key to enlightenment…remember? User For any given mailbox’s connectivity, the user is always served by the server that hosts the active database copy. Each CAS determines the right end point for the traffic, and so all sessions – regardless of where they started – end up in the same place. Layer 4LB CAS DAG MBX-A MBX-B

Just passing through…at layer four TechEd 2013 11/17/2018 12:40 PM Just passing through…at layer four LB sees: IP address/Port No SSL Termination User CAS Client makes request to FQDN: /ews/Exchange.asmx on TCP 443 LB forwards traffic to CAS with no idea of final URL Layer 4LB So how do we pick a CAS when there are several, or determine the health of a CAS? © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Health checking CAS at layer four TechEd 2013 11/17/2018 12:40 PM Health checking CAS at layer four If you can test the health of a Vdir on CAS to determine overall server health – which one(s) would you pick? User CAS OWA ECP EWS mail.contoso.com/rpc mail.contoso.com Layer 4LB EAS OAB autodiscover.contoso.com RPC AutoD Result: At layer four – with one namespace – health is per server, NOT per protocol © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Speaking of Health Checking….How? TechEd 2013 11/17/2018 12:40 PM Speaking of Health Checking….How? Exchange 2013 includes a built-in health check page which is controlled by Managed Availability The load balancer sends a request to; https://server.fqdn/ews/healthcheck.htm https://server.fqdn/oab/healthcheck.htm And so on If the service is up and healthy the response is 200 OK If not, it’s not – but Managed Availability is aware of this too Currently this only works for OWA if CAS is using FBA but that will ‘likely’ change in the future Back to the load balancing stuff….. © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Health checking CAS at layer seven TechEd 2013 11/17/2018 12:40 PM Health checking CAS at layer seven SSL Termination at Load Balancer reveals full URL User CAS OWA ECP EWS mail.contoso.com/owa mail.contoso.com/rpc mail.contoso.com Layer 7LB EAS OAB autodiscover.contoso.com RPC AutoD Result: At layer seven – with one namespace – health is per protocol © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Layer four with multiple namespaces TechEd 2013 11/17/2018 12:40 PM Layer four with multiple namespaces The destination IP implies the full URL User CAS owa.contoso.com OWA ecp.contoso.com ECP ews.contoso.com EWS eas.contoso.com mail.contoso.com EAS Layer 4LB oab.contoso.com OAB rpc.contoso.com RPC autodiscover.contoso.com AutoD Result: At layer four – with multiple namespaces – health is per protocol © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Exchange load balancing options Target Audience Generalist IT admin Those with increased network flexibility Those who want to maximize server availability Functionality Simplicity + Simple, fast, no affinity LB + Single, unified namespace + Minimal networking skillset - Per server availability + Simple, fast, no affinity LB + Per protocol availability - One namespace per protocol + Per protocol availability + Single, unified namespace - SSL termination @ LB - Requires increase networking skillset Trade-offs

Load balancing summary TechEd 2013 11/17/2018 12:40 PM Load balancing summary At layer four, there is no load balancer awareness of the endpoint the client needs At layer four–with a single namespace – you can pick a canary, or a flock of canaries, but it’s hard to be right all the time At layer seven you know the target URL, but you need to terminate SSL at the load balancer At layer four with multiple namespaces you get the best of all worlds– cheaper hardware and per protocol awareness, but you need more IP’s, DNS records and certificate names Only OWA users really get to see the URL you choose © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Publishing Exchange 2013 to the internet (since TMG is no more )

What do we do now TMG has gone!? TechEd 2013 11/17/2018 12:40 PM What do we do now TMG has gone!? Panic. That’s the first thing to do. Once that is done, think about this: 10 years ago Exchange and Windows were leaky. Putting them directly on the Interweb was risky. 10 years on they are more secure out of the box. Are the same risks still present? Account lockouts are an invitation to DoS, inside or out Strong passwords/phrases, monitoring and good management back up secure software If we can agree that we are secure out of the box and a router/load balancer that allows only TCP 443 through is a packet filter… then why bother with TMG? © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Cast your mind back… a few minutes… TechEd 2013 11/17/2018 12:40 PM Cast your mind back… a few minutes… LB sees: IP address/port No SSL termination User CAS Client makes request LB forwards traffic to CAS Layer 4LB Is this not a packet filtering device? © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

What if you have to have something TechEd 2013 11/17/2018 12:40 PM What if you have to have something UAG supports Exchange 2013 ARR support – coming More information - http://www.iis.net/downloads/microsoft/application-request-routing Load balancer solutions that offer pre-auth modules © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Session takeaways Key concepts Tech Ready 15 11/17/2018 Session takeaways Key concepts CAS 2013 authenticates, locates and connects/redirects CAS 2013 proxies seamlessly to 2010–less so to 2007 CAS 2013 requires NO load balancer affinity Directly connecting Exchange 2013 CAS to the Internet IS ok. Really © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Track resources Exchange Team blog: Twitter: Check out: 11/17/2018 12:40 PM Track resources Exchange Team blog: http://blogs.technet.com/b/exchange/ Twitter: Follow @MSFTExchange Join the conversation, use #IamMEC Check out: Microsoft Exchange Conference 2014: www.iammec.com Office 365 FastTrack: http://fasttrack.office.com// Technical Training with Ignite: http://ignite.office.com/ © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Download the Free TechEd OneNote Microsoft Exchange 11/17/2018 Download the Free TechEd OneNote http://aka.ms/t6lmn6 © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Resources Learning TechNet msdn http://channel9.msdn.com/Events/TechEd 11/17/2018 12:40 PM Resources Learning Sessions on Demand http://channel9.msdn.com/Events/TechEd Microsoft Certification & Training Resources www.microsoft.com/learning TechNet msdn Resources for IT Professionals http://microsoft.com/technet Resources for Developers http://microsoft.com/msdn © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Evaluate this session Scan this QR code to evaluate this session. 11/17/2018 12:40 PM Required Slide *delete this box when your slide is finalized Your MS Tag will be inserted here during the final scrub. Evaluate this session Scan this QR code to evaluate this session. © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

11/17/2018 12:40 PM © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.