TechEd 2013 11/17/2018 12:40 PM © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered.

Presentation transcript:

1 TechEd 2013 11/17/2018 12:40 PM © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Microsoft Exchange Server 2013 Client Access Server role
OUC-B313 Microsoft Exchange Server 2013 Client Access Server role
Nathan Winters, Exchange Technical Specialist

3 Session objectives
Cover some key CAS 2013 concepts:
- CAS Fundamentals to set the stage
- Protocol Flows in mysterious ways
- More About OWA FBA to appease your inner nerd
- Load Balancing options with Exchange Server 2013
- Publishing Exchange in a post TMG world

4 The key to enlightenment…
For any given mailbox’s connectivity, the user is always served by the server that hosts the active database copy.
Each CAS determines the right end point for the traffic, and so all sessions – regardless of where they started – end up in the same place.
[Diagram labels: User; Layer 4 LB; CAS; DAG; MBX-A; MBX-B]

5 And some CAS fundamentals
CAS 2013 does three things – it authenticates, locates and proxies/redirects (ok, that’s four)
- It authenticates the connection to find out who the user is
- It locates the user’s mailbox, that is, the mailbox server on which it is currently active
- It proxies the connection to the mailbox server and maintains the connection (or redirects it somewhere else)
CAS generates no content; it simply acts as a (smart) proxy

6 Yes! You DO need a CAS in every AD site
[Diagram labels: Load balancer; CAS (IIS, HTTP proxy); MBX (Protocol head, DB); SITE BOUNDARY; HTTP. Legend: Local proxy request; OWA cross-site redirect request; Cross-site proxy request]

7 Should I Multi-Role CAS and Mailbox?
- A frequent question is: Should I co-locate/multi-role CAS and Mailbox?
- The answer is Yes. Always.
- Think about this: You deploy 10 MBX and 4 CAS. 14 Servers total.
- What if instead you used 12 multi-role servers? You now have increased your CAS availability by 300% and decreased the overall server count by 2!
- See Jeff Mealiffe’s session for other good reasons why you should

8 CAS 2013 client protocol connectivity flow

9 AutoDiscover

10 CAS 2013 client protocol connectivity flow
Exchange Server 2010 coexistence – AutoDiscover (external clients)
[Diagram labels: Clients; DNS; autodiscover.contoso.com; E2013 CAS; PROXY; E2010 CAS; CAS 2010 handles request; E2010 MBX; E2013 MBX; Internet-facing site; Intranet site]

11 CAS 2013 client protocol connectivity flow
Exchange Server 2007 coexistence – AutoDiscover (external clients)
[Diagram labels: Clients; DNS; autodiscover.contoso.com; E2013 CAS; PROXY; E2007 CAS; MBX 2013 handles request; E2007 MBX; E2013 MBX; Internet-facing site; Intranet site]

12 Lookup SCP records in AD
CAS 2013 client protocol connectivity flow
Exchange Server 2010 coexistence – AutoDiscover (internal clients)
[Diagram labels: Outlook clients; Lookup SCP records in AD; Internal LB namespace; The triangle (AD); E2013 CAS; PROXY; E2010 CAS; CAS 2010 handles request; E2010 MBX; E2013 MBX; Internet-facing site; Intranet site]

13 Lookup SCP records in AD
CAS 2013 client protocol connectivity flow
Exchange Server 2007 coexistence – AutoDiscover (internal clients)
[Diagram labels: Outlook clients; Lookup SCP records in AD; Internal LB namespace; Still a triangle; E2013 CAS; PROXY; E2007 CAS; MBX 2013 handles request; E2007 MBX; E2013 MBX; Internet-facing site; Intranet site]

14 Outlook

15 Internal Outlook connectivity
- No changes to 2007/10 – still direct to mailbox (2007) and RPC Client Access Service on CAS (2010)
- 2013 users use Outlook Anywhere to connect both inside and out
- Moving to Outlook Anywhere before moving to 2013 may make life easier
- AutoDiscover 2013 hands back two EXHTTP nodes (settings) for users, one for Internal OA, one for external – client starts at the top of the list and works down
- By default HTTP internally, HTTPS for external connections (but that doesn’t solve certificate name or trust issues for internal clients for other services)

16 CAS 2013 client protocol connectivity flow
Exchange Server 2007 and 2010 coexistence – Outlook Anywhere
- Enable Outlook Anywhere: on intranet 2007/2010 servers
- Client settings: make 2007/2010 client settings the same as 2013 Server (in this case meaning OA hostname = mail.contoso.com and client auth = Basic)
- IIS authentication methods: must include NTLM
[Diagram labels: Clients; RPC/HTTP; mail.contoso.com; E2013 CAS; PROXY; E2010/E2007 CAS; RPC; E2010/E2007 MBX; E2013 MBX; per-server callouts "Enable OA", "Client Auth: Basic", "IIS Auth:" with the values Basic and NTLM; Internet-facing site; Intranet site]

17 One caveat for the 2013 > 2007 case
If your 2007 server
- is CAS + MBX, and
- is not a GC, and
- has IPv6 enabled,
then Outlook Anywhere won’t work.
Details: KB
Options:
- Separate CAS + MBX roles
- Disable IPv6

18 Outlook Web App

19 CAS 2013 client protocol connectivity flow
Exchange Server 2010 coexistence – OWA
[Diagram labels: OWA; mail.contoso.com (Layer 4 LB); europe.mail.contoso.com (Layer 7 LB); E2013 CAS; E2010 CAS; HTTP PROXY; RPC; E2010 MBX; E2013 MBX; Same site proxy request; Cross site proxy request; Auth 2013 logon page; Auth 2010 logon page; Single sign on (SSO) redirect, new in CU2; Internet site; Intranet site; Internet-facing site]

20 CAS 2013 client protocol connectivity flow
Exchange Server 2007 coexistence – OWA
[Diagram labels: OWA; legacy.mail.contoso.com (Layer 7 LB); mail.contoso.com (Layer 4 LB); europe.mail.contoso.com (Layer 7 LB); E2013 CAS; E2007 CAS; HTTP PROXY; RPC; E2007 MBX; E2013 MBX; Auth 2013 logon page; Auth 2007 logon page; Single sign on (SSO) redirect, new in CU2; Internet-facing site; Intranet site]

21 Single sign on (SSO) redirect!!
CAS 2013 client protocol connectivity flow
Exchange Server 2013 OWA – different external URL
[Diagram labels: OWA; mail.contoso.com (Layer 4 LB); europe.mail.contoso.com (Layer 4 LB); E2013 CAS; E2013 MBX; Auth 2013 logon page; Single sign on (SSO) redirect, new in CU2; two Internet-facing sites]

22 CAS 2013 client protocol connectivity flow
Exchange Server 2013 OWA – same external URL
[Diagram labels: OWA; mail.contoso.com (Layer 4 LB) in front of both sites; E2013 CAS; HTTP PROXY; E2013 MBX; Auth 2013 logon page; two Internet-facing sites]

23 Exchange Active Sync

24 CAS 2013 client protocol connectivity flow
Exchange Server 2010 coexistence – EAS
[Diagram labels: EAS; mail.contoso.com (Layer 4 LB); europe.mail.contoso.com (Layer 7 LB); E2013 CAS; E2010 CAS; HTTP PROXY; E2010 MBX; E2013 MBX; Same site proxy request; Cross site proxy request; Internet-facing site; Intranet site]

25 CAS 2013 client protocol connectivity flow
Exchange Server 2007 coexistence – EAS
[Diagram labels: EAS; legacy.mail.contoso.com (Layer 7 LB); mail.contoso.com (Layer 4 LB); europe.mail.contoso.com (Layer 7 LB); E2013 CAS; E2007 CAS; E2007 MBX; E2013 MBX; Internet-facing site; Intranet site]
But what happens if you move a 2007 mailbox now from the Europe to the US site?

26 Exchange Web Services

27 CAS 2013 client protocol connectivity flow
Exchange Server 2010 coexistence – EWS
[Diagram labels: EWS; mail.contoso.com (Layer 4 LB); europe.mail.contoso.com (Layer 7 LB); E2013 CAS; E2010 CAS; HTTP PROXY; E2010 MBX; E2013 MBX; Same site proxy request; Cross site proxy request; Internet-facing site; Intranet site]

28 Europe intranet-facing site
CAS 2013 client protocol connectivity flow
Exchange Server 2007 coexistence – EWS
[Diagram labels: EWS; legacy.mail.contoso.com (Layer 7 LB); mail.contoso.com (Layer 4 LB); europe.mail.contoso.com (Layer 7 LB); E2013 CAS; E2007 CAS; E2007 MBX; E2013 MBX; Europe intranet-facing site; Internet-facing site; Intranet site]

29 Protocol flow summary
Basic principles to apply are:
- Co-existence with 2010 – CAS 2013 proxies all traffic to CAS 2010
- Co-existence with 2007 – CAS 2013 redirects OWA to CAS 2007, proxies AutoDiscover, POP, IMAP and Outlook Anywhere, and relies on AutoDiscover for EWS
- 2013 no longer does HTTP 451 redirects – But legacy versions still do
- You need a 2007 CAS in the Internet facing site for as long as you have 2007 in the non-internet facing sites – just like 2010
- We hand out site specific URLs if they are set, but if a client comes to the wrong place, for 2010 we just proxy and “just make it work™”

30 CAS 2013 OWA FBA

31 How does FBA in 2013 work?
- Some of you may be wondering why we no longer require affinity for OWA, using FBA
- Why doesn’t the cookie become invalid if the load balancer switches the client from one CAS to another in the same pool?

32 How it really works…
- We assume the same cert exists on all CAS in the LB pool
- The user authenticates to any one CAS
- The auth token, session key, and some other pieces of information are encrypted using the public key of the common SSL cert
- The client hands that cookie back with every request
- Any CAS can decrypt it, as they all possess the private key of the SSL certificate
- And that’s how it works
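
The cookie handling described on this slide, modelled as an added example that is not part of the original presentation and does not reproduce Exchange's actual cookie format. The cookie layout (RSA-OAEP wrapping an AES-GCM key), the class and function names, the server names and the user address are assumptions; the point shown is that a cookie issued by one CAS is readable by any CAS holding the same certificate, while a CAS with a different certificate, or a modified cookie, forces re-authentication.

```javascript
// Added illustration (not Exchange code): a simplified model of an FBA cookie
// bound to the certificate shared by every CAS in the load-balanced pool.
// The cookie layout and every name below are assumptions made for this example.
const crypto = require("node:crypto");

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Stand-in for one SSL certificate: an RSA key pair.
function newCertificate() {
  return crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
}

// Encrypt session state to the certificate's public key. A fresh AES-256-GCM
// key protects the payload; RSA-OAEP wraps that key (hybrid encryption).
function issueCookie(publicKey, session) {
  const aesKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", aesKey, iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(session), "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  const wrappedKey = crypto.publicEncrypt({ key: publicKey, ...OAEP }, aesKey);
  return [wrappedKey, iv, tag, body].map((b) => b.toString("base64")).join(".");
}

// Decrypt with the certificate's private key. Returns null when the cookie was
// issued under a different certificate or has been modified in transit.
function readCookie(privateKey, cookie) {
  try {
    const parts = String(cookie).split(".").map((p) => Buffer.from(p, "base64"));
    if (parts.length !== 4) return null;
    const [wrappedKey, iv, tag, body] = parts;
    const aesKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, wrappedKey);
    const decipher = crypto.createDecipheriv("aes-256-gcm", aesKey, iv);
    decipher.setAuthTag(tag);
    const plain = Buffer.concat([decipher.update(body), decipher.final()]);
    return JSON.parse(plain.toString("utf8"));
  } catch {
    return null;
  }
}

// One Client Access server: it keeps no per-session state of its own.
class Cas {
  constructor(name, certificate) {
    this.name = name;
    this.certificate = certificate;
  }

  // Called after the user has authenticated (authentication is not modelled).
  logon(user) {
    return issueCookie(this.certificate.publicKey, {
      user,
      authToken: crypto.randomBytes(16).toString("hex"),
      sessionKey: crypto.randomBytes(16).toString("hex"),
      issuedBy: this.name,
    });
  }

  // Any request: recover the session from the cookie or ask for a new logon.
  handleRequest(cookie) {
    const session = readCookie(this.certificate.privateKey, cookie);
    return session
      ? { server: this.name, user: session.user, action: "serve" }
      : { server: this.name, user: null, action: "reauthenticate" };
  }
}

// Flip one bit of the encrypted payload to model modification in transit.
function tamper(cookie) {
  const parts = cookie.split(".");
  const body = Buffer.from(parts[3], "base64");
  body[0] ^= 0x01;
  parts[3] = body.toString("base64");
  return parts.join(".");
}

// The load balancer moves the client between servers without affinity.
function simulatePool() {
  const poolCertificate = newCertificate();
  const cas1 = new Cas("CAS-1", poolCertificate);
  const cas2 = new Cas("CAS-2", poolCertificate);
  const cas3 = new Cas("CAS-3", newCertificate()); // misconfigured: different cert
  const cookie = cas1.logon("user@contoso.com"); // constructed sample user
  return {
    sameServer: cas1.handleRequest(cookie),
    otherServerSameCert: cas2.handleRequest(cookie),
    otherServerDifferentCert: cas3.handleRequest(cookie),
    tamperedCookie: cas2.handleRequest(tamper(cookie)),
  };
}

console.log(simulatePool());
```

In this model a certificate renewed on only some pool members shows up as repeated logon prompts whenever the load balancer switches servers, which is the symptom to look for when the "same cert on all CAS" assumption is broken.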

33 Load balancing

34 Load balancing changes
- Exchange Server 2013 no longer requires affinity for client connections
- This makes it possible to use layer 4 load balancing (at the TCP layer rather than HTTP)
- At layer 4, the load balancer has no idea what the actual target URL is (/owa or /ews, for example); it sees only the IP address and protocol/port (TCP 443)
- But no awareness of the target URL means load balancer health probes might not be so smart…

35 The key to enlightenment…remember?
For any given mailbox’s connectivity, the user is always served by the server that hosts the active database copy.
Each CAS determines the right end point for the traffic, and so all sessions – regardless of where they started – end up in the same place.
[Diagram labels: User; Layer 4 LB; CAS; DAG; MBX-A; MBX-B]

36 Just passing through…at layer four
- LB sees: IP address/Port
- No SSL Termination
- Client makes request to FQDN: /ews/Exchange.asmx on TCP 443
- LB forwards traffic to CAS with no idea of final URL
- So how do we pick a CAS when there are several, or determine the health of a CAS?
[Diagram labels: User; Layer 4 LB; CAS]

37 Health checking CAS at layer four
If you can test the health of a Vdir on CAS to determine overall server health – which one(s) would you pick?
[Diagram labels: User; Layer 4 LB; mail.contoso.com; mail.contoso.com/rpc; autodiscover.contoso.com; CAS with OWA, ECP, EWS, EAS, OAB, RPC, AutoD]
Result: At layer four – with one namespace – health is per server, NOT per protocol

38 Speaking of Health Checking….How?
Exchange 2013 includes a built-in health check page which is controlled by Managed Availability
The load balancer sends a request to; And so on
If the service is up and healthy the response is 200 OK
If not, it’s not – but Managed Availability is aware of this too
Currently this only works for OWA if CAS is using FBA but that will ‘likely’ change in the future
Back to the load balancing stuff…

39 Health checking CAS at layer seven
SSL termination at the load balancer reveals the full URL
[Diagram: User, Layer 7 LB, CAS (OWA, ECP, EWS, EAS, OAB, RPC, AutoD); namespaces mail.contoso.com and autodiscover.contoso.com; requests to mail.contoso.com/owa and mail.contoso.com/rpc]
Result: At layer seven – with one namespace – health is per protocol

40 Layer four with multiple namespaces
The destination IP implies the full URL
[Diagram: User (mail.contoso.com), Layer 4 LB, CAS, with one namespace per protocol:]
owa.contoso.com: OWA
ecp.contoso.com: ECP
ews.contoso.com: EWS
eas.contoso.com: EAS
oab.contoso.com: OAB
rpc.contoso.com: RPC
autodiscover.contoso.com: AutoD
Result: At layer four – with multiple namespaces – health is per protocol

41 Exchange load balancing options
[Diagram axes: Functionality, Simplicity]

Target audience: Generalist IT admin
Trade-offs:
+ Simple, fast, no affinity LB
+ Single, unified namespace
+ Minimal networking skillset
- Per server availability

Target audience: Those with increased network flexibility
Trade-offs:
+ Simple, fast, no affinity LB
+ Per protocol availability
- One namespace per protocol

Target audience: Those who want to maximize server availability
Trade-offs:
+ Per protocol availability
+ Single, unified namespace
- SSL LB
- Requires increased networking skillset

42 Load balancing summary
At layer four, there is no load balancer awareness of the endpoint the client needs
At layer four – with a single namespace – you can pick a canary, or a flock of canaries, but it’s hard to be right all the time
At layer seven you know the target URL, but you need to terminate SSL at the load balancer
At layer four with multiple namespaces you get the best of all worlds – cheaper hardware and per protocol awareness, but you need more IPs, DNS records and certificate names
Only OWA users really get to see the URL you choose
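The trade-off summarized above can be made concrete with a small model. This is an added example, not code from the presentation; the function names, the design labels ("l4-single", "l4-multi", "l7") and the sample probe results are assumptions made for illustration.

```python
PROTOCOLS = ["owa", "ecp", "ews", "eas", "oab", "rpc", "autodiscover"]

def pool_view(design, probes, canaries=("owa",)):
    """Return {protocol: sorted list of servers the LB sends that protocol to}.

    design  : "l4-single", "l4-multi" or "l7" (hypothetical labels)
    probes  : {server: {protocol: bool}} per-protocol health probe results
    canaries: protocols probed to judge a whole server (l4-single only)
    """
    view = {}
    for proto in PROTOCOLS:
        members = []
        for server, health in probes.items():
            if design == "l4-single":
                # One VIP, no URL visibility: a server is in or out for everything.
                in_pool = all(health[c] for c in canaries)
            elif design in ("l4-multi", "l7"):
                # One VIP per namespace (l4-multi) or URL visible after SSL
                # termination (l7): each protocol gets its own pool.
                in_pool = health[proto]
            else:
                raise ValueError(f"unknown design: {design}")
            if in_pool:
                members.append(server)
        view[proto] = sorted(members)
    return view

def misrouted(design, probes, canaries=("owa",)):
    """(blackholed, collateral): broken protocols still receiving traffic, and
    healthy protocols taken out of service along with their server."""
    view = pool_view(design, probes, canaries)
    blackholed, collateral = [], []
    for server, health in probes.items():
        for proto in PROTOCOLS:
            routed = server in view[proto]
            if routed and not health[proto]:
                blackholed.append((server, proto))
            if not routed and health[proto]:
                collateral.append((server, proto))
    return sorted(blackholed), sorted(collateral)

# Constructed sample: CAS1 has a broken EWS vdir, CAS2 a broken OWA vdir.
SAMPLE = {
    "CAS1": {p: p != "ews" for p in PROTOCOLS},
    "CAS2": {p: p != "owa" for p in PROTOCOLS},
    "CAS3": {p: True for p in PROTOCOLS},
}
```

With OWA as the only canary, `misrouted("l4-single", SAMPLE)` shows EWS traffic still reaching CAS1 while six healthy protocols on CAS2 are withdrawn; widening the flock of canaries removes the first problem and doubles the second.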

43 Publishing Exchange 2013 to the internet (since TMG is no more)

44 What do we do now TMG has gone!?
Panic. That’s the first thing to do.
Once that is done, think about this:
10 years ago Exchange and Windows were leaky. Putting them directly on the Interweb was risky.
10 years on they are more secure out of the box. Are the same risks still present?
Account lockouts are an invitation to DoS, inside or out
Strong passwords/phrases, monitoring and good management back up secure software
If we can agree that we are secure out of the box and a router/load balancer that allows only TCP 443 through is a packet filter… then why bother with TMG?

45 Cast your mind back… a few minutes…
LB sees: IP address/port
No SSL termination
Client makes request
LB forwards traffic to CAS
[Diagram: User, Layer 4 LB, CAS]
Is this not a packet filtering device?

46 What if you have to have something
UAG supports Exchange 2013
ARR support – coming
More information -
Load balancer solutions that offer pre-auth modules

47 Session takeaways Key concepts
CAS 2013 authenticates, locates and connects/redirects
CAS 2013 proxies seamlessly to 2010 – less so to 2007
CAS 2013 requires NO load balancer affinity
Directly connecting Exchange 2013 CAS to the Internet IS ok. Really

48 Track resources Exchange Team blog: Twitter: Check out:
Exchange Team blog:
Twitter:
Join the conversation, use #IamMEC
Check out:
Microsoft Exchange Conference 2014:
Office 365 FastTrack:
Technical Training with Ignite:

49 Download the Free TechEd OneNote

50 Resources Learning TechNet msdn http://channel9.msdn.com/Events/TechEd
Learning
Sessions on Demand
Microsoft Certification & Training Resources
TechNet: Resources for IT Professionals
msdn: Resources for Developers

51 Evaluate this session Scan this QR code to evaluate this session.
