CAS Proxying and Redirection
Proxying
Proxying occurs when one Client Access server sends traffic to another Client Access server. Proxying requests between two Exchange 2010 Client Access servers enables organizations that have multiple Active Directory sites to designate one Client Access server as an Internet-facing server and have that server proxy requests to Client Access servers in sites that have no Internet-facing Client Access server. The Internet-facing Client Access server proxies the request to the Client Access server closest to the user's mailbox.
In the previous figure, the mailbox of User 1 is located on Mailbox server 1. The mailbox of User 2 is located on Mailbox server 2, and the mailbox of User 3 is located on Mailbox server 3. Each Mailbox server is in a different Active Directory site. User 1 can access their mailbox through Client Access server 1 without using proxying, and User 2 can access their mailbox through Client Access server 2. If User 3 tries to access their mailbox through Client Access server 1 or 2, either server will proxy their request to Client Access server 3. Client Access server 3 isn't Internet facing but can receive requests from other servers inside the firewall. Proxying isn't visible to the user.
Redirection
Outlook Web App users who access an Internet-facing Client Access server in a different Active Directory site than the site that contains their mailbox can be redirected to the Client Access server in the same site as their Mailbox server if that Client Access server is Internet facing. When an Outlook Web App user tries to connect to a Client Access server outside the Active Directory site that contains their Mailbox server, they'll see a Web page that contains a link to the correct Client Access server for their mailbox. This is known as manual redirection. In Exchange 2010 SP2, administrators can configure cross-site silent redirection to enable this redirection process to happen without the user’s knowledge.
In the previous figure, User 1 usually accesses their mailbox in Active Directory site 1 using their mobile phone. The administrator then moves their mailbox to Mailbox server 2 in Active Directory site 2. The next time the device tries to synchronize, the server responds with an HTTP 451 status error, which contains the URL the device should now use for that user. In step 3 of the sequence, the device reconfigures itself and connects to the specified URL. User 2, whose mailbox is in Active Directory site 2, tries to open their mailbox using Outlook Web App by connecting to Client Access server 1 over the Internet. With manual redirection, as soon as the user authenticates, Client Access server 1 presents a page to the user with a link to the Outlook Web App URL for the Client Access server in Active Directory site 2. The user clicks the link, is taken to Active Directory site 2, and signs in again to access their mailbox. With silent redirection, when the user authenticates, they're silently redirected to the Outlook Web App URL for the Client Access server in Active Directory site 2.
Example
We have Exchange 2003, 2007 and 2010 in our organization, and our 2010 CAS server (E2K10-CAS01) is Internet facing.
1. E2K10-CAS01 queries AD to determine the location of the user's mailbox and the version of Exchange installed on the Mailbox server.
2. If the user's mailbox is on an Exchange 2003 server and the user tries to access OWA using https://domain/owa, they'll receive an error, because an Exchange 2010 Client Access server can't directly provide Outlook Web App access to an Exchange 2003 mailbox.
Note:
However, if the administrator has configured redirection from Exchange 2010 to Exchange 2003, which is usual during a migration from Exchange 2003 to Exchange 2010, the Exchange2003URL property of the Outlook Web App virtual directory is set to the URL of an Internet-facing Exchange 2003 server, and the user is redirected there instead of receiving the error.
3. If the user's mailbox is on an Exchange 2007 server and both E2K10-CAS01 and the user's Mailbox server are in the same AD site, one of the following four actions occurs:
a. E2K10-CAS01 will look for an Exchange 2007 ExternalURL property that has an ExternalAuthenticationMethods setting that's identical to the InternalAuthenticationMethods setting on the Exchange 2010 Client Access server. If the settings match, E2K10-CAS01 will redirect to this external URL. If source and target CAS have Forms Based Authentication (FBA) enabled, the source CAS issues a hidden form back to the browser that contains the user’s credentials and FBA settings, along with the redirect URL. This is transparent to the user.
b. If a matching ExternalURL setting isn't found, E2K10-CAS01 will look for an Exchange 2007 Client Access server that has the ExternalURL property configured, regardless of matching. If one is found, E2K10-CAS01 will redirect to this external URL. This will result in the user being prompted for authentication.
c. If no matching ExternalURL setting is found, E2K10-CAS01 will look for an Exchange 2007 Client Access server with an InternalURL property that has an InternalAuthenticationMethods setting identical to the InternalAuthenticationMethods setting on the Exchange 2010 Client Access server. If one is found, E2K10-CAS01 will redirect to this InternalURL. If forms-based authentication is enabled, this will result in a single sign-on redirection.
d. If no matching InternalURL is found, E2K10-CAS01 will look for an Exchange 2007 Client Access server with an InternalURL configured, regardless of matching. If one is found, E2K10-CAS01 will redirect to this InternalURL. This will result in the user being prompted for authentication.
4. If the Exchange 2007 Mailbox server is in a different AD site, E2K10-CAS01 determines whether the ExternalURL property is set on the Exchange 2007 Client Access server in that Active Directory site. If it is, and cross-site silent redirection is not enabled, the CrossSiteRedirectType value is set to Manual and a manual redirect is issued. In this scenario, the user is provided with a clickable link that redirects them to the specified URL.
5. If the user's mailbox is on an Exchange 2010 Mailbox server in the same Active Directory site as E2K10-CAS01, E2K10-CAS01 provides access to the mailbox. If the user's mailbox is on an Exchange 2010 Mailbox server in a different Active Directory site, E2K10-CAS01 locates a Client Access server in the same Active Directory site as the user's Mailbox server. When one is found, Exchange 2010 determines whether the Client Access server has the ExternalURL property set in that Active Directory site. If it is, and cross-site silent redirection hasn’t been enabled, the user is provided with a clickable link that redirects them to the specified URL. If cross-site silent redirection has been enabled, the user will be automatically redirected to the specified URL. If the ExternalURL isn't set and the authentication method on the virtual directory is set to Integrated Windows authentication, E2K10-CAS01 will proxy the user's request to the Client Access server that's specified by the InternalURL property.
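The five-step decision above, written out as an added Python model so the ordering of the checks can be followed end to end. This is an illustration, not Exchange's or Microsoft's code: the `Cas` class, the `owa_decision` function, the action names and the `"Integrated"` value standing for Integrated Windows authentication are all constructed here, and the silent cross-site case for an Exchange 2007 target is assumed to mirror the 2010 case, which the page spells out only for 2010.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Cas:
    """Constructed model of one Client Access server's OWA virtual directory."""
    version: int                              # 2007 or 2010
    site: str                                 # Active Directory site name
    external_url: Optional[str] = None        # ExternalURL
    internal_url: Optional[str] = None        # InternalURL
    external_auth: frozenset = frozenset()    # ExternalAuthenticationMethods
    internal_auth: frozenset = frozenset()    # InternalAuthenticationMethods

def owa_decision(source, mbx_version, mbx_site, targets, exchange2003_url=None, silent=False):
    """Decide what the Internet-facing 2010 CAS `source` does for an OWA request.
    Returns (action, url); actions: error, redirect-2003, redirect-sso,
    redirect-reauth, redirect-manual, redirect-silent, serve, proxy."""
    if mbx_version == 2003:                        # step 2 plus the note
        return ("redirect-2003", exchange2003_url) if exchange2003_url else ("error", None)
    cross = "redirect-silent" if silent else "redirect-manual"
    peers = [c for c in targets if c.version == mbx_version and c.site == mbx_site]
    if mbx_version == 2007 and mbx_site == source.site:   # step 3: try a, b, c, d in order
        checks = (
            ("external_url", "external_auth", "redirect-sso"),   # a. matching ExternalURL
            ("external_url", None, "redirect-reauth"),           # b. any ExternalURL
            ("internal_url", "internal_auth", "redirect-sso"),   # c. matching InternalURL
            ("internal_url", None, "redirect-reauth"),           # d. any InternalURL
        )
        for url_attr, auth_attr, action in checks:
            for c in peers:
                url = getattr(c, url_attr)
                if url and (auth_attr is None or getattr(c, auth_attr) == source.internal_auth):
                    return (action, url)
        return ("error", None)     # no URL configured at all: not covered by the page
    if mbx_version == 2010 and mbx_site == source.site:   # step 5, same site: serve directly
        return ("serve", None)
    for c in peers:                # step 4 (2007) and step 5 (2010), mailbox in another site
        if c.external_url:         # the page spells out only the manual case for 2007
            return (cross, c.external_url)
        if mbx_version == 2010 and c.internal_url and c.internal_auth == frozenset({"Integrated"}):
            return ("proxy", c.internal_url)   # no ExternalURL, target vdir uses IWA: proxy
    return ("error", None)

if __name__ == "__main__":   # constructed sample: 2010 CAS in Site1, 2007 CAS in the same site
    src = Cas(2010, "Site1", internal_auth=frozenset({"Fba"}))
    legacy = Cas(2007, "Site1", external_url="https://legacy.example.com/owa",
                 external_auth=frozenset({"Fba"}))
    print(owa_decision(src, 2007, "Site1", [legacy]))   # ('redirect-sso', 'https://legacy.example.com/owa')
```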