User CAS DAG For any given mailbox’s connectivity, the user is always served by the server that...

Transcript (48 slides)

Page 1:

Page 2:

Microsoft Exchange Server 2013 Client Access Server role
Greg Taylor, Principal Program Manager
OUC-B313

Page 3:

Session objectives
Cover some key CAS 2013 concepts
• CAS Fundamentals to set the stage
• Protocol Flows in mysterious ways
• More About OWA FBA to appease your inner nerd
• Load Balancing options with Exchange Server 2013
• Publishing Exchange in a post TMG world

Page 4:

The key to enlightenment…

(Diagram: User → Layer 4 LB → CAS → DAG (MBX-A, MBX-B))

For any given mailbox’s connectivity, the user is always served by the server that hosts the active database copy.

Each CAS determines the right end point for the traffic, and so all sessions – regardless of where they started – end up in the same place.

Page 5:

And some CAS fundamentals
CAS 2013 does three things – it authenticates, locates and proxies/redirects (ok, that’s four)
• It authenticates the connection to find out who the user is
• It locates the user’s mailbox – on which mailbox server is it currently active
• It proxies the connection to the mailbox server and maintains the connection (or redirects it somewhere else)

CAS generates no content, it simply acts as a (smart) proxy

Page 6:

Yes! You DO need a CAS in every AD site

(Diagram: two AD sites separated by a site boundary. Each site has a load balancer, a CAS (IIS, HTTP proxy) and an MBX (protocol head, DB); a further MBX (protocol head, DB) sits beyond the second boundary. HTTP arrows show a local proxy request, a cross-site proxy request and an OWA cross-site redirect request.)

Page 7:

CAS 2013 client protocol connectivity flow

Page 8:

AutoDiscover

Page 9:

CAS 2013 client protocol connectivity flow
Exchange Server 2010 coexistence – AutoDiscover (external clients)

(Diagram: Clients → DNS → autodiscover.contoso.com. Internet-facing site: E2010 CAS, E2010 MBX, E2013 CAS, E2013 MBX. Intranet site: E2010 CAS, E2010 MBX. Callouts: PROXY, PROXY; “CAS 2010 handles request” in both sites.)

Page 10:

CAS 2013 client protocol connectivity flow
Exchange Server 2007 coexistence – AutoDiscover (external clients)

(Diagram: Clients → DNS → autodiscover.contoso.com. Internet-facing site: E2007 CAS, E2007 MBX, E2013 CAS, E2013 MBX. Intranet site: E2007 CAS, E2007 MBX. Callouts: PROXY, PROXY; “MBX 2013 handles request” in both sites.)

Page 11:

CAS 2013 client protocol connectivity flow
Exchange Server 2010 coexistence – AutoDiscover (internal clients)

(Diagram: Outlook clients → Internal LB namespace. Internet-facing site: E2010 CAS, E2010 MBX, E2013 CAS, E2013 MBX. Intranet site: E2010 CAS, E2010 MBX. Callouts: “The triangle (AD)” – lookup SCP records in AD; PROXY, PROXY; “CAS 2010 handles request” in both sites.)

Page 12:

CAS 2013 client protocol connectivity flow
Exchange Server 2007 coexistence – AutoDiscover (internal clients)

(Diagram: Outlook clients → Internal LB namespace. Internet-facing site: E2007 CAS, E2007 MBX, E2013 CAS, E2013 MBX. Intranet site: E2007 CAS, E2007 MBX. Callouts: “Still a triangle” – lookup SCP records in AD; PROXY; “MBX 2013 handles request”.)

Page 13:

Outlook

Page 14:

Internal Outlook connectivity
• No changes to 2007/10 – still direct to mailbox (2007) and RPC Client Access Service on CAS (2010)
• 2013 users use Outlook Anywhere to connect both inside and out
• Moving to Outlook Anywhere before moving to 2013 may make life easier
• AutoDiscover 2013 hands back two EXHTTP nodes (settings) for 2013 users, one for internal OA, one for external – the client starts at the top of the list and works down
• By default HTTP internally, HTTPS for external connections (but that doesn’t solve certificate name or trust issues for internal clients for other services)

Page 15:

CAS 2013 client protocol connectivity flow
Exchange Server 2007 and 2010 coexistence – Outlook Anywhere

(Diagram: Clients → mail.contoso.com. Internet-facing site: E2013 CAS / E2013 MBX and E2010/E2007 CAS / E2010/E2007 MBX. Intranet site: E2010/E2007 CAS / E2010/E2007 MBX. Callouts on the servers: “Enable OA, Client Auth: Basic, IIS Auth: Basic”; “Enable OA, Client Auth: Basic, IIS Auth: NTLM”; “Enable OA, Client Auth: Basic, IIS Auth: (blank)”. Flows: RPC/HTTP, RPC/HTTP, PROXY, RPC, PROXY, NTLM, RPC.)

1. Enable Outlook Anywhere – on intranet 2007/2010 servers
2. Client settings – make 2007/2010 client settings the same as 2013 Server (in this case meaning OA hostname = mail.contoso.com and client auth = Basic)
3. IIS authentication methods – must include NTLM
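Added example, not from the deck and not Microsoft’s own script: a read-only Exchange Management Shell report that checks the three coexistence steps above on every 2007/2010 Client Access server before CAS 2013 is expected to proxy Outlook Anywhere to them. It assumes it is run in the Exchange 2013 shell, that legacy servers report the property names that shell shows (ExternalHostname, ExternalClientAuthenticationMethod, IISAuthenticationMethods), and it uses the slide’s example values mail.contoso.com and Basic as the expected settings.

```powershell
# Added example (not from the deck): report Outlook Anywhere settings on legacy
# CAS servers against the values the slide expects before 2013 can proxy to them.
# Assumptions: run in the Exchange 2013 Management Shell; the hostname and auth
# method below are the slide's example values (mail.contoso.com / Basic).
$ExpectedHostname   = 'mail.contoso.com'
$ExpectedClientAuth = 'Basic'

# Legacy CAS are identified by major version (8 = 2007, 14 = 2010); 2013 is 15.
$legacyCas = Get-ExchangeServer | Where-Object {
    "$($_.ServerRole)" -match 'ClientAccess' -and $_.AdminDisplayVersion.Major -lt 15
}

foreach ($srv in $legacyCas) {
    # Step 1 on the slide: a server with OA disabled returns nothing here.
    $oa = Get-OutlookAnywhere -Server $srv.Name -ErrorAction SilentlyContinue
    if (-not $oa) {
        "{0}: Outlook Anywhere NOT enabled" -f $srv.Name
        continue
    }

    $issues = @()

    # Step 2: the client-facing settings must match what CAS 2013 hands out,
    # otherwise Outlook gets two different answers depending on who replies.
    if ($oa.ExternalHostname -ne $ExpectedHostname) {
        $issues += "ExternalHostname is '$($oa.ExternalHostname)', expected '$ExpectedHostname'"
    }
    if ("$($oa.ExternalClientAuthenticationMethod)" -ne $ExpectedClientAuth) {
        $issues += "ExternalClientAuthenticationMethod is '$($oa.ExternalClientAuthenticationMethod)', expected '$ExpectedClientAuth'"
    }

    # Step 3: IIS on the legacy server must accept NTLM, which is what CAS 2013
    # uses when it proxies the RPC/HTTP session to it.
    $iisAuth = "$($oa.IISAuthenticationMethods)"
    if ($iisAuth -notmatch 'Ntlm') {
        $issues += "IISAuthenticationMethods ($iisAuth) lacks NTLM"
    }

    if ($issues.Count -eq 0) { "{0}: OK" -f $srv.Name }
    else { "{0}: {1}" -f $srv.Name, ($issues -join '; ') }
}

# Remediation is deliberately not automated. For a 2010 server the matching
# change would be made with Set-OutlookAnywhere (-ExternalHostname,
# -ExternalClientAuthenticationMethod, -IISAuthenticationMethods Basic,Ntlm);
# a 2007 server that has OA disabled needs Enable-OutlookAnywhere from its own shell.
```

The report is read-only on purpose: a mismatch on step 2 affects every Outlook client of that server, so the change should be made knowingly rather than by a script that happens to be run against the wrong server. Property names on 2007 servers are an assumption here; if the shell shows a different name for the client authentication setting on a given version, adjust the comparison rather than the expectation.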

Page 16:

Outlook Web App

Page 17:

CAS 2013 client protocol connectivity flow
Exchange Server 2010 coexistence – OWA

(Diagram: OWA client → mail.contoso.com (LAYER 4 LB). Internet-facing site: E2010 CAS / E2010 MBX and E2013 CAS / E2013 MBX. Intranet site: E2010 CAS / E2010 MBX behind europe.mail.contoso.com (LAYER 7 LB). Callouts: Auth 2013 logon page; same site proxy request – HTTP PROXY – RPC; cross site proxy request – HTTP PROXY – RPC; Auth 2010 logon page; single sign on (SSO) redirect!! new in CU2!)

Page 18:

CAS 2013 client protocol connectivity flow
Exchange Server 2007 coexistence – OWA

(Diagram: OWA client → mail.contoso.com (LAYER 4 LB). Internet-facing site: E2007 CAS / E2007 MBX and E2013 CAS / E2013 MBX, with Legacy.mail.contoso.com (LAYER 7 LB). Intranet site: E2007 CAS / E2007 MBX behind europe.mail.contoso.com (LAYER 7 LB). Callouts: Auth 2013 logon page; Auth 2007 logon page; Auth 2010 logon page; HTTP PROXY; RPC; RPC; Single sign on (SSO) redirect!! New in CU2! (shown twice).)

Page 19:

CAS 2013 client protocol connectivity flow
Exchange Server 2013 OWA – different external URL

(Diagram: OWA client → mail.contoso.com (LAYER 4 LB). Internet-facing site: E2010 CAS / E2010 MBX and E2013 CAS / E2013 MBX. Intranet-facing site: E2013 CAS / E2013 MBX behind europe.mail.contoso.com (LAYER 4 LB). Callouts: Auth 2013 logon page; Single sign on (SSO) redirect!! New in CU2!)

Page 20:

CAS 2013 client protocol connectivity flow
Exchange Server 2013 OWA – same external URL

(Diagram: OWA client → mail.contoso.com (LAYER 4 LB). Internet-facing site: E2010 CAS / E2010 MBX and E2013 CAS / E2013 MBX. Intranet-facing site: E2013 CAS / E2013 MBX behind mail.contoso.com (LAYER 4 LB). Callouts: Auth 2013 logon page; HTTP PROXY.)

Page 21:

Exchange ActiveSync

Page 22:

CAS 2013 client protocol connectivity flow
Exchange Server 2010 coexistence – EAS

(Diagram: EAS client → mail.contoso.com (LAYER 4 LB). Internet-facing site: E2010 CAS / E2010 MBX and E2013 CAS / E2013 MBX. Intranet site: E2010 CAS / E2010 MBX behind europe.mail.contoso.com (LAYER 7 LB). Callouts: same site proxy request – HTTP PROXY; cross site proxy request – HTTP PROXY.)

Page 23:

CAS 2013 client protocol connectivity flow
Exchange Server 2007 coexistence – EAS

(Diagram: EAS client → mail.contoso.com (LAYER 4 LB). Internet-facing site: E2007 CAS / E2007 MBX and E2013 CAS / E2013 MBX, with legacy.mail.contoso.com (LAYER 7 LB). Intranet site: E2007 CAS / E2007 MBX behind europe.mail.contoso.com (LAYER 7 LB).)

But what happens if you move a 2007 mailbox now from the Europe to the US site?

Page 24:

Exchange Web Services

Page 25:

CAS 2013 client protocol connectivity flow
Exchange Server 2010 coexistence – EWS

(Diagram: EWS client → mail.contoso.com (LAYER 4 LB). Internet-facing site: E2010 CAS / E2010 MBX and E2013 CAS / E2013 MBX. Intranet site: E2010 CAS / E2010 MBX behind europe.mail.contoso.com (LAYER 7 LB). Callouts: same site proxy request – HTTP PROXY; cross site proxy request – HTTP PROXY.)

Page 26:

CAS 2013 client protocol connectivity flow
Exchange Server 2007 coexistence – EWS

(Diagram: EWS client → mail.contoso.com (LAYER 4 LB). Internet-facing site: E2007 CAS / E2007 MBX and E2013 CAS / E2013 MBX, with legacy.mail.contoso.com (LAYER 7 LB). Europe intranet-facing site: E2007 CAS / E2007 MBX behind europe.mail.contoso.com (LAYER 7 LB).)

Page 27:

Protocol flow summary
Basic principles to apply are:
• Co-existence with 2010 – CAS 2013 proxies all traffic to CAS 2010
• Co-existence with 2007 – CAS 2013 redirects OWA to CAS 2007, proxies AutoDiscover, POP, IMAP and Outlook Anywhere, and relies on AutoDiscover for EWS
• 2013 no longer does HTTP 451 redirects – but legacy versions still do
• You need a 2007 CAS in the Internet-facing site for as long as you have 2007 in the non-Internet-facing sites – just like 2010

We hand out site-specific URLs if they are set, but if a client comes to the wrong place, for 2010 we just proxy and “just make it work™”

Page 28:

CAS 2013 OWA FBA

Page 29:

How does FBA in 2013 work?
• Some of you may be wondering why we no longer require affinity for OWA, using FBA
• Why doesn’t the cookie become invalid if the load balancer switches the client from one CAS to another in the same pool?

Page 30:

How it really works…
• We assume the same cert exists on all CAS in the LB pool
• The user authenticates to any one CAS
• The auth token, session key, and some other pieces of information are encrypted using the public key of the common SSL cert
• The client hands that cookie back with every request
• Any CAS can decrypt it, as they all possess the private key of the SSL certificate
• And that’s how it works
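The first bullet above is the whole precondition: the FBA cookie is only portable between CAS because every CAS holds the same certificate and private key. Added example, not from the deck and not Microsoft’s own script: an Exchange Management Shell check that lists the certificate bound to IIS on each Client Access server and reports whether the pool actually shares one thumbprint. It assumes it runs in the Exchange 2013 shell with rights to query every server.

```powershell
# Added example (not from the deck): confirm that every CAS in the load-balanced
# pool has the same certificate assigned to IIS, which is what the slide relies
# on for an FBA cookie issued by one CAS to be decryptable by any other.
# Assumption: run in the Exchange 2013 Management Shell.
function Get-CasIisCertificate {
    # One row per CAS: the certificate currently assigned to the IIS service.
    Get-ClientAccessServer | ForEach-Object {
        $server = $_.Name
        $cert = Get-ExchangeCertificate -Server $server |
            Where-Object { "$($_.Services)" -match 'IIS' } |
            Select-Object -First 1
        [pscustomobject]@{
            Server     = $server
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
        }
    }
}

$rows = Get-CasIisCertificate
$rows | Format-Table -AutoSize

# The pool is consistent only if exactly one thumbprint is in use.
$distinct = $rows | Group-Object Thumbprint
if ($distinct.Count -eq 1) {
    "All $($rows.Count) CAS share IIS certificate $($distinct[0].Name); an FBA cookie is valid on any CAS in the pool."
} else {
    "WARNING: $($distinct.Count) different IIS certificates in use. A client moved by the load balancer between CAS with different certificates cannot have its cookie decrypted there and will be sent back to the logon page."
    $distinct | ForEach-Object { "  {0}: {1}" -f $_.Name, ($_.Group.Server -join ', ') }
}
```

Run it after a certificate renewal as well as at deployment: replacing the certificate on one CAS at a time temporarily splits the pool into two groups that cannot read each other’s cookies, so the NotAfter column is there to show which servers have already been rolled.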

Page 31:

Load balancing

Page 32:

Load balancing changes
• Exchange Server 2013 no longer requires affinity for client connections
• This provides the ability to use layer 4 (at the TCP layer rather than HTTP) based load balancing
• At layer 4, the load balancer has no idea what the actual target URL is (/owa, or /ews for example), it sees IP address and protocol/port (TCP 443)
• But no awareness of the target URL means load balancer health probes might not be so smart…

Page 33:

The key to enlightenment… remember?

(Diagram: User → Layer 4 LB → CAS → DAG (MBX-A, MBX-B))

For any given mailbox’s connectivity, the user is always served by the server that hosts the active database copy.

Each CAS determines the right end point for the traffic, and so all sessions – regardless of where they started – end up in the same place.

Page 34:

Just passing through… at layer four

(Diagram: User → Layer 4 LB → CAS. Client makes request to FQDN: /ews/Exchange.asmx on TCP 443. LB sees: IP address/port, no SSL termination. LB forwards traffic to CAS with no idea of final URL.)

So how do we pick a CAS when there are several, or determine the health of a CAS?

Page 35:

Health checking CAS at layer four

(Diagram: User → Layer 4 LB → CAS. Namespaces mail.contoso.com and autodiscover.contoso.com in front of the CAS virtual directories OWA, ECP, EWS, EAS, OAB, AutoD and RPC (mail.contoso.com/rpc).)

If you can test the health of a Vdir on CAS to determine overall server health – which one(s) would you pick?

Result: At layer four – with one namespace – health is per server, NOT per protocol

Page 36:

Speaking of Health Checking…. How?
• Exchange 2013 includes a built-in health check page which is controlled by Managed Availability
The load balancer sends a request to:
• https://server.fqdn/ews/healthcheck.htm
• https://server.fqdn/oab/healthcheck.htm
• And so on
• If the service is up and healthy the response is 200 OK
• If not, it’s not – but Managed Availability is aware of this too
• Currently this only works for OWA if CAS is using FBA but that will ‘likely’ change in the future
• Back to the load balancing stuff…..
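Added example, not from the deck and not Microsoft’s own script: a PowerShell probe that requests healthcheck.htm per virtual directory on each CAS, the way a load balancer would, and then shows the same results two ways: per protocol (what a layer 7 load balancer, or one namespace per protocol, can act on) and per server (what a layer 4 load balancer with a single namespace gets when it has to trust one “canary” vdir, as on the previous slide). The server names and the choice of canary are constructed values; the vdir paths are the standard Exchange 2013 ones. It assumes each server FQDN is covered by the server’s certificate, since Invoke-WebRequest validates TLS; a name not on the certificate shows up as a failure rather than being skipped.

```powershell
# Added example (not from the deck): probe the Managed Availability health check
# page on each CAS per virtual directory and compare the per-protocol view with
# the per-server "canary" view a layer-4 single-namespace load balancer gets.
# Assumptions: server FQDNs and the canary vdir below are constructed values.
$Servers = @('cas01.contoso.local', 'cas02.contoso.local')   # constructed
$Vdirs   = @('owa', 'ecp', 'ews', 'microsoft-server-activesync', 'oab', 'autodiscover', 'rpc')
$Canary  = 'ews'   # the one vdir a layer-4 single-namespace probe has to trust

function Test-HealthCheckPage {
    param([string]$Server, [string]$Vdir)
    $uri = "https://$Server/$Vdir/healthcheck.htm"
    try {
        $r = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 10
        return [int]$r.StatusCode          # 200 when Managed Availability says healthy
    } catch {
        # Non-2xx responses, TLS name mismatches and connection failures land here.
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        return 0                            # no HTTP response at all
    }
}

$results = foreach ($s in $Servers) {
    foreach ($v in $Vdirs) {
        [pscustomobject]@{ Server = $s; Vdir = $v; Status = (Test-HealthCheckPage -Server $s -Vdir $v) }
    }
}

"Per-protocol view (layer 7, or layer 4 with one namespace per protocol):"
$results | Sort-Object Server, Vdir | Format-Table -AutoSize

"Per-server view (layer 4, single namespace, canary = /$Canary):"
foreach ($s in $Servers) {
    $canaryStatus = ($results | Where-Object { $_.Server -eq $s -and $_.Vdir -eq $Canary }).Status
    $downVdirs    = ($results | Where-Object { $_.Server -eq $s -and $_.Status -ne 200 }).Vdir
    # The canary alone decides pool membership; any other unhealthy vdir is invisible to the LB.
    $verdict = if ($canaryStatus -eq 200) { 'IN POOL' } else { 'OUT OF POOL' }
    $downList = if ($downVdirs) { $downVdirs -join ', ' } else { 'none' }
    "{0}: {1} (canary returned {2}); unhealthy vdirs: {3}" -f $s, $verdict, $canaryStatus, $downList
}
```

The interesting rows are the ones where a server is IN POOL while its unhealthy list is not empty: that is the gap the deck is pointing at, a layer 4 probe with one namespace keeps sending, say, OWA users to a server whose /owa is down because /ews still answered 200. Note the slide’s caveat that the OWA page only answers when FBA is in use, so an /owa probe on a CAS configured for other authentication is a false negative, not a sick server.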

Page 37:

Health checking CAS at layer seven

(Diagram: User → Layer 7 LB → CAS. Namespaces mail.contoso.com and autodiscover.contoso.com in front of OWA, ECP, EWS, EAS, OAB, AutoD and RPC; the load balancer sees mail.contoso.com/owa, mail.contoso.com/rpc and so on. SSL termination at the load balancer reveals the full URL.)

Result: At layer seven – with one namespace – health is per protocol

Page 38:

Layer four with multiple namespaces

(Diagram: User → Layer 4 LB → CAS. One namespace per protocol: owa.contoso.com, ecp.contoso.com, ews.contoso.com, eas.contoso.com, oab.contoso.com, autodiscover.contoso.com, rpc.contoso.com, with mail.contoso.com also shown. The destination IP implies the full URL.)

Result: At layer four – with multiple namespaces – health is per protocol

Page 39:

Exchange load balancing options

(Slide lays out three options on a scale from Simplicity to Functionality.)

Target audience: Generalist IT admin
Trade-offs:
+ Simple, fast, no affinity LB
+ Single, unified namespace
+ Minimal networking skillset
- Per server availability

Target audience: Those with increased network flexibility
Trade-offs:
+ Simple, fast, no affinity LB
+ Per protocol availability
- One namespace per protocol

Target audience: Those who want to maximize server availability
Trade-offs:
+ Per protocol availability
+ Single, unified namespace
- SSL termination @ LB
- Requires increased networking skillset

Page 40:

Load balancing summary
• At layer four, there is no load balancer awareness of the endpoint the client needs
• At layer four – with a single namespace – you can pick a canary, or a flock of canaries, but it’s hard to be right all the time
• At layer seven you know the target URL, but you need to terminate SSL at the load balancer
• At layer four with multiple namespaces you get the best of all worlds – cheaper hardware and per protocol awareness, but you need more IPs, DNS records and certificate names
• Only OWA users really get to see the URL you choose

Page 41:

Publishing Exchange 2013 to the internet (since TMG is no more)

Page 42:

What do we do now TMG has gone!?
Panic. That’s the first thing to do. Once that is done, think about this:
• 10 years ago Exchange and Windows were leaky. Putting them directly on the Interweb was risky.
• 10 years on they are more secure out of the box.
• Are the same risks still present?
• Account lockouts are an invitation to DoS, inside or out
• Strong passwords/phrases, monitoring and good management back up secure software

If we can agree that we are secure out of the box and a router/load balancer that allows only TCP 443 through is a packet filter… then why bother with TMG?

Page 43:

Cast your mind back… a few minutes…

(Diagram: User → Layer 4 LB → CAS. Client makes request; LB sees IP address/port, no SSL termination; LB forwards traffic to CAS.)

Is this not a packet filtering device?

Page 44:

What if you have to have something
• UAG supports Exchange 2013
• ARR support – coming
• Load balancer solutions that offer pre-auth modules

Page 45:

Session takeaways
Key concepts
• CAS 2013 authenticates, locates and connects/redirects
• CAS 2013 proxies seamlessly to 2010 – less so to 2007
• CAS 2013 requires NO load balancer affinity

Directly connecting Exchange 2013 CAS to the Internet IS ok. Really

Page 46:

Track resources

Exchange Team blog: http://blogs.technet.com/b/exchange/
Twitter: Follow @MSFTExchange – Join the conversation, use #IamMEC
Check out: Microsoft Exchange Conference 2014: www.iammec.com
Office 365 FastTrack: http://fasttrack.office.com/
Technical Training with Ignite: http://ignite.office.com/

Page 47:

Complete an evaluation on CommNet and enter to win!

Page 48:

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.