Microsoft Exchange Server 2013 Client Access Server role
Greg Taylor, Principal Program Manager
OUC-B313
Session objectives
Cover some key CAS 2013 concepts:
• CAS Fundamentals to set the stage
• Protocol Flows in mysterious ways
• More About OWA FBA to appease your inner nerd
• Load Balancing options with Exchange Server 2013
• Publishing Exchange in a post TMG world
The key to enlightenment…
[Diagram: User → Layer 4 LB → CAS → DAG (MBX-A, MBX-B)]
For any given mailbox’s connectivity, the user is always served by the server that hosts the active database copy.
Each CAS determines the right end point for the traffic, and so all sessions – regardless of where they started – end up in the same place.
And some CAS fundamentals
CAS 2013 does three things – it authenticates, locates and proxies/redirects (ok, that’s four):
• It authenticates the connection to find out who the user is
• It locates the user’s mailbox – on which mailbox server is it currently active
• It proxies the connection to the mailbox server and maintains the connection (or redirects it somewhere else)
CAS generates no content, it simply acts as a (smart) proxy
Yes! You DO need a CAS in every AD site
[Diagram: AD sites separated by site boundaries, each with a load balancer, a CAS (IIS, HTTP proxy) and an MBX (protocol head, DB). HTTP arrows show a local proxy request within a site, an OWA cross-site redirect request and a cross-site proxy request between sites.]
CAS 2013 client protocol connectivity flow

AutoDiscover
CAS 2013 client protocol connectivity flow – Exchange Server 2010 coexistence – AutoDiscover (external clients)
[Diagram: clients resolve autodiscover.contoso.com in DNS to the Internet-facing site (E2010 CAS/MBX and E2013 CAS/MBX). E2013 CAS proxies to CAS 2010, which handles the request; requests for the intranet site (E2010 CAS/MBX) are likewise proxied and handled by CAS 2010.]
CAS 2013 client protocol connectivity flow – Exchange Server 2007 coexistence – AutoDiscover (external clients)
[Diagram: clients resolve autodiscover.contoso.com in DNS to the Internet-facing site (E2007 CAS/MBX and E2013 CAS/MBX). E2013 CAS proxies the request to MBX 2013, which handles it, both for the Internet-facing site and for the intranet site (E2007 CAS/MBX).]
CAS 2013 client protocol connectivity flow – Exchange Server 2010 coexistence – AutoDiscover (internal clients)
[Diagram: Outlook clients look up SCP records in AD (“the triangle”) and connect to the internal LB namespace in the Internet-facing site (E2010 CAS/MBX and E2013 CAS/MBX). E2013 CAS proxies to CAS 2010, which handles the request, both locally and for the intranet site (E2010 CAS/MBX).]
CAS 2013 client protocol connectivity flow – Exchange Server 2007 coexistence – AutoDiscover (internal clients)
[Diagram: still a triangle – Outlook clients look up SCP records in AD and connect to the internal LB namespace in the Internet-facing site (E2007 CAS/MBX and E2013 CAS/MBX). E2013 CAS proxies the request to MBX 2013, which handles it, including for the intranet site (E2007 CAS/MBX).]
Outlook
Internal Outlook connectivity
• No changes to 2007/10 – still direct to mailbox (2007) and RPC Client Access Service on CAS (2010)
• 2013 users use Outlook Anywhere to connect both inside and out
• Moving to Outlook Anywhere before moving to 2013 may make life easier
• AutoDiscover 2013 hands back two EXHTTP nodes (settings) for 2013 users, one for Internal OA, one for external – client starts at the top of the list and works down
• By default HTTP internally, HTTPS for external connections (but that doesn’t solve certificate name or trust issues for internal clients for other services)
CAS 2013 client protocol connectivity flow – Exchange Server 2007 and 2010 coexistence – Outlook Anywhere
[Diagram: clients connect over RPC/HTTP to mail.contoso.com. E2013 CAS proxies RPC/HTTP to E2010/E2007 CAS in the Internet-facing site and in the intranet site, which connect by RPC (NTLM) to E2010/E2007 MBX. Each CAS is annotated with its Enable OA / Client Auth / IIS Auth settings.]
1. Enable Outlook Anywhere on intranet 2007/2010 servers
2. Client settings: make 2007/2010 client settings the same as 2013 Server (in this case meaning OA hostname = mail.contoso.com and client auth = Basic)
3. IIS authentication methods: must include NTLM
Outlook Web App
CAS 2013 client protocol connectivity flow – Exchange Server 2010 coexistence – OWA
[Diagram: OWA client connects to mail.contoso.com (layer 4 LB) in the Internet-facing site and authenticates at the 2013 logon page. E2013 CAS HTTP-proxies a same-site proxy request to E2010 CAS (RPC to E2010 MBX) and a cross-site proxy request to E2010 CAS/MBX in the intranet site, which is published as europe.mail.contoso.com (layer 7 LB) with the 2010 logon page. Single sign on (SSO) redirect – new in CU2!]
CAS 2013 client protocol connectivity flow – Exchange Server 2007 coexistence – OWA
[Diagram: OWA client connects to mail.contoso.com (layer 4 LB) and authenticates at the 2013 logon page. E2013 CAS redirects to legacy.mail.contoso.com (layer 7 LB) for E2007 CAS/MBX in the Internet-facing site (2007 logon page) and to europe.mail.contoso.com (layer 7 LB) for E2007 CAS/MBX in the intranet site; HTTP proxy and RPC between E2007 CAS and MBX. Single sign on (SSO) redirect – new in CU2!]
CAS 2013 client protocol connectivity flow – Exchange Server 2013 OWA – different external URL
[Diagram: OWA client connects to mail.contoso.com (layer 4 LB) in the Internet-facing site (E2010 CAS/MBX and E2013 CAS/MBX) and authenticates at the 2013 logon page; the client is then redirected with single sign on (SSO) to europe.mail.contoso.com (layer 4 LB) for E2013 CAS/MBX in the intranet-facing site. New in CU2!]
CAS 2013 client protocol connectivity flow – Exchange Server 2013 OWA – same external URL
[Diagram: OWA client connects to mail.contoso.com (layer 4 LB) and authenticates at the 2013 logon page. E2013 CAS in the Internet-facing site (E2010 CAS/MBX and E2013 CAS/MBX) HTTP-proxies to E2013 CAS/MBX in the intranet-facing site, which is also published as mail.contoso.com (layer 4 LB).]
Exchange ActiveSync
CAS 2013 client protocol connectivity flow – Exchange Server 2010 coexistence – EAS
[Diagram: EAS client connects to mail.contoso.com (layer 4 LB). E2013 CAS in the Internet-facing site HTTP-proxies a same-site proxy request to E2010 CAS/MBX and a cross-site proxy request to E2010 CAS/MBX in the intranet site (europe.mail.contoso.com, layer 7 LB).]
CAS 2013 client protocol connectivity flow – Exchange Server 2007 coexistence – EAS
[Diagram: EAS client connects to mail.contoso.com (layer 4 LB). The Internet-facing site has E2013 CAS/MBX and E2007 CAS/MBX behind legacy.mail.contoso.com (layer 7 LB); the intranet site has E2007 CAS/MBX behind europe.mail.contoso.com (layer 7 LB).]
But what happens if you move a 2007 mailbox now from the Europe to the US site?
Exchange Web Services
CAS 2013 client protocol connectivity flow – Exchange Server 2010 coexistence – EWS
[Diagram: EWS client connects to mail.contoso.com (layer 4 LB). E2013 CAS in the Internet-facing site HTTP-proxies a same-site proxy request to E2010 CAS/MBX and a cross-site proxy request to E2010 CAS/MBX in the intranet site (europe.mail.contoso.com, layer 7 LB).]
CAS 2013 client protocol connectivity flow – Exchange Server 2007 coexistence – EWS
[Diagram: EWS client connects to mail.contoso.com (layer 4 LB). The Internet-facing site has E2013 CAS/MBX and E2007 CAS/MBX behind legacy.mail.contoso.com (layer 7 LB); the Europe intranet-facing site has E2007 CAS/MBX behind europe.mail.contoso.com (layer 7 LB).]
Protocol flow summary
Basic principles to apply are:
• Co-existence with 2010 – CAS 2013 proxies all traffic to CAS 2010
• Co-existence with 2007 – CAS 2013 redirects OWA to CAS 2007, proxies AutoDiscover, POP, IMAP and Outlook Anywhere, and relies on AutoDiscover for EWS
• 2013 no longer does HTTP 451 redirects – but legacy versions still do
• You need a 2007 CAS in the Internet facing site for as long as you have 2007 in the non-internet facing sites – just like 2010
We hand out site specific URLs if they are set, but if a client comes to the wrong place, for 2010 we just proxy and “just make it work™”
CAS 2013 OWA FBA
How does FBA in 2013 work?
• Some of you may be wondering why we no longer require affinity for OWA, using FBA
• Why doesn’t the cookie become invalid if the load balancer switches the client from one CAS to another in the same pool?
How it really works…
• We assume the same cert exists on all CAS in the LB pool
• The user authenticates to any one CAS
• The auth token, session key, and some other pieces of information are encrypted using the public key of the common SSL cert
• The client hands that cookie back with every request
• Any CAS can decrypt it, as they all possess the private key of the SSL certificate
• And that’s how it works
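The mechanism above as an added model, not Exchange’s code: the standard library has no RSA, so the certificate-key encryption is modelled as encrypt-then-MAC under keys derived from a constructed stand-in for the certificate’s private key (the CAS class, issue_cookie and accept_cookie are all assumptions of this example). CAS-A issues the cookie, CAS-B with the same cert accepts it, and a CAS holding a different cert rejects it, which is why affinity is unnecessary and why the cert must be identical across the pool.

```python
"""Model of why Exchange 2013 OWA FBA needs no load-balancer affinity.

Added example, not Exchange's code. The deck says the auth token and session key
are encrypted with the pool's common SSL certificate and every CAS holds the
matching private key. The standard library has no RSA, so this model stands in
for that with an encrypt-then-MAC token under keys derived from a constructed
stand-in for the certificate's private key. The property shown is the same: any
CAS with the same cert accepts the cookie, one with a different cert cannot."""
import base64
import hashlib
import hmac
import json
import os
from typing import Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a stand-in stream cipher (model only, not for production)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


class CAS:
    """One Client Access Server. cert_private_key is a constructed stand-in for the
    SSL certificate's private key; every member of an LB pool is supposed to share it."""

    def __init__(self, name: str, cert_private_key: bytes) -> None:
        self.name = name
        # Separate confidentiality and integrity keys, both derived from the cert material.
        self._enc_key = hashlib.sha256(b"fba-enc" + cert_private_key).digest()
        self._mac_key = hashlib.sha256(b"fba-mac" + cert_private_key).digest()

    def issue_cookie(self, user: str) -> str:
        """The user authenticated here; mint the FBA cookie as nonce || ciphertext || MAC."""
        payload = json.dumps({
            "user": user,
            "session_key": base64.b64encode(os.urandom(16)).decode(),
            "issued_by": self.name,
        }).encode()
        nonce = os.urandom(16)
        stream = _keystream(self._enc_key, nonce, len(payload))
        ciphertext = bytes(a ^ b for a, b in zip(payload, stream))
        tag = hmac.new(self._mac_key, nonce + ciphertext, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode()

    def accept_cookie(self, cookie: str) -> Optional[dict]:
        """Any CAS holding the same cert verifies and decrypts; otherwise the cookie is rejected."""
        raw = base64.urlsafe_b64decode(cookie)
        nonce, ciphertext, tag = raw[:16], raw[16:-32], raw[-32:]
        expected = hmac.new(self._mac_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # different cert, or a tampered cookie
            return None
        stream = _keystream(self._enc_key, nonce, len(ciphertext))
        return json.loads(bytes(a ^ b for a, b in zip(ciphertext, stream)))


if __name__ == "__main__":
    pool_cert = b"constructed-shared-pool-cert-key"
    cas_a, cas_b = CAS("CAS-A", pool_cert), CAS("CAS-B", pool_cert)
    cas_c = CAS("CAS-C", b"constructed-different-cert-key")
    cookie = cas_a.issue_cookie("alice")
    print("CAS-B accepts:", cas_b.accept_cookie(cookie))
    print("CAS-C accepts:", cas_c.accept_cookie(cookie))
```

The same shared key material that removes the affinity requirement also means the pool is only as safe as that private key on every CAS, and a certificate replaced on one server but not the others will invalidate sessions the moment the load balancer moves the client.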
Load balancing
Load balancing changes
• Exchange Server 2013 no longer requires affinity for client connections
• This provides the ability to use layer 4 (at the TCP layer rather than HTTP) based load balancing
• At layer 4, the load balancer has no idea what the actual target URL is (/owa, or /ews for example); it sees IP address and protocol/port (TCP 443)
• But no awareness of the target URL means load balancer health probes might not be so smart…
The key to enlightenment… remember?
[Diagram: User → Layer 4 LB → CAS → DAG (MBX-A, MBX-B)]
For any given mailbox’s connectivity, the user is always served by the server that hosts the active database copy.
Each CAS determines the right end point for the traffic, and so all sessions – regardless of where they started – end up in the same place.
Just passing through… at layer four
[Diagram: User → Layer 4 LB → CAS. The client makes a request to FQDN:/ews/Exchange.asmx on TCP 443; the LB sees IP address/port with no SSL termination and forwards the traffic to a CAS with no idea of the final URL.]
So how do we pick a CAS when there are several, or determine the health of a CAS?
Health checking CAS at layer four
[Diagram: User → Layer 4 LB → CAS hosting the OWA, ECP, EWS, EAS, OAB, AutoD and RPC virtual directories behind mail.contoso.com, autodiscover.contoso.com and mail.contoso.com/rpc.]
If you can test the health of a Vdir on CAS to determine overall server health – which one(s) would you pick?
Result: At layer four – with one namespace – health is per server, NOT per protocol
Speaking of Health Checking… How?
• Exchange 2013 includes a built-in health check page which is controlled by Managed Availability
The load balancer sends a request to:
• https://server.fqdn/ews/healthcheck.htm
• https://server.fqdn/oab/healthcheck.htm
• And so on
• If the service is up and healthy the response is 200 OK
• If not, it’s not – but Managed Availability is aware of this too
• Currently this only works for OWA if CAS is using FBA, but that will ‘likely’ change in the future
• Back to the load balancing stuff…
Health checking CAS at layer seven
[Diagram: User → Layer 7 LB → CAS hosting the OWA, ECP, EWS, EAS, OAB, AutoD and RPC virtual directories behind mail.contoso.com and autodiscover.contoso.com. SSL termination at the load balancer reveals the full URL, e.g. mail.contoso.com/owa, mail.contoso.com/rpc.]
Result: At layer seven – with one namespace – health is per protocol
Layer four with multiple namespaces
[Diagram: User → Layer 4 LB → CAS hosting the OWA, ECP, EWS, EAS, OAB, AutoD and RPC virtual directories, each behind its own namespace: owa.contoso.com, ecp.contoso.com, ews.contoso.com, eas.contoso.com, oab.contoso.com, autodiscover.contoso.com, rpc.contoso.com. The destination IP implies the full URL.]
Result: At layer four – with multiple namespaces – health is per protocol
Exchange load balancing options (ranging from simplicity to functionality)
Layer four, single namespace – target audience: generalist IT admin
  + Simple, fast, no affinity LB
  + Single, unified namespace
  + Minimal networking skillset
  - Per server availability
Layer four, multiple namespaces – target audience: those with increased network flexibility
  + Simple, fast, no affinity LB
  + Per protocol availability
  - One namespace per protocol
Layer seven, single namespace – target audience: those who want to maximize server availability
  + Per protocol availability
  + Single, unified namespace
  - SSL termination @ LB
  - Requires increased networking skillset
Load balancing summary
• At layer four, there is no load balancer awareness of the endpoint the client needs
• At layer four – with a single namespace – you can pick a canary, or a flock of canaries, but it’s hard to be right all the time
• At layer seven you know the target URL, but you need to terminate SSL at the load balancer
• At layer four with multiple namespaces you get the best of all worlds – cheaper hardware and per protocol awareness, but you need more IPs, DNS records and certificate names
• Only OWA users really get to see the URL you choose
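As an added example (not from the deck), the healthcheck.htm probing described under “Speaking of Health Checking” combined with the two kinds of decision the summary above describes: per-server at layer four with one namespace (the probe can only watch a canary vdir) and per-protocol at layer seven or at layer four with one namespace per protocol. The server names, the PROTOCOLS list and SAMPLE_RESULTS are constructed for the example.

```python
"""Probe Exchange 2013 healthcheck.htm pages and turn the results into the two kinds
of load-balancer decision the session describes. Added example, not from the deck;
server names and SAMPLE_RESULTS are constructed."""
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable

# Virtual directories with a Managed Availability healthcheck.htm ("ews, oab and so on").
# Constructed list; OWA is included with the deck's caveat in mind (works when CAS uses FBA).
PROTOCOLS = ("owa", "ecp", "ews", "eas", "oab", "autodiscover", "rpc")

Health = Dict[str, bool]          # protocol -> healthy?
PoolHealth = Dict[str, Health]    # server   -> Health


def healthcheck_url(server_fqdn: str, protocol: str) -> str:
    """https://server.fqdn/<vdir>/healthcheck.htm, as the load balancer would request it."""
    return f"https://{server_fqdn}/{protocol}/healthcheck.htm"


def http_probe(url: str, timeout: float = 5.0) -> bool:
    """Healthy iff the page answers 200 OK. Certificate validation is left on: a name
    mismatch on a CAS is a real deployment fault, not something a probe should hide."""
    try:
        with urllib.request.urlopen(url, timeout=timeout,
                                    context=ssl.create_default_context()) as resp:
            return resp.status == 200
    except (urllib.error.URLError, OSError, ValueError):
        return False


def probe_server(server_fqdn: str,
                 probe: Callable[[str], bool] = http_probe,
                 protocols: Iterable[str] = PROTOCOLS) -> Health:
    """Per-protocol health of one CAS (probe is injectable so the logic can run offline)."""
    return {p: probe(healthcheck_url(server_fqdn, p)) for p in protocols}


def layer4_single_namespace(pool: PoolHealth,
                            canaries: Iterable[str] = ("ews",)) -> Dict[str, bool]:
    """Layer 4, one namespace: the LB sees only IP:443, so it must decide per SERVER
    from whichever canary vdir(s) it was told to probe. A failure in a vdir that is
    not a canary goes unnoticed, which is the deck's "hard to be right all the time"."""
    canaries = tuple(canaries)
    return {srv: all(health[c] for c in canaries) for srv, health in pool.items()}


def per_protocol(pool: PoolHealth) -> Dict[str, Dict[str, bool]]:
    """Layer 7 (SSL terminated, URL visible) or layer 4 with one namespace per
    protocol: the LB can keep a CAS in the EWS pool while dropping it from the OAB pool."""
    return {p: {srv: health[p] for srv, health in pool.items()} for p in PROTOCOLS}


def servers_in_pool(pool: PoolHealth, protocol: str) -> list:
    """Servers a per-protocol load balancer would still send <protocol> traffic to."""
    return sorted(srv for srv, ok in per_protocol(pool)[protocol].items() if ok)


# Constructed sample: CAS2 has a broken OAB vdir, CAS3 a broken EWS vdir.
SAMPLE_RESULTS: PoolHealth = {
    "cas1.contoso.com": {p: True for p in PROTOCOLS},
    "cas2.contoso.com": {p: p != "oab" for p in PROTOCOLS},
    "cas3.contoso.com": {p: p != "ews" for p in PROTOCOLS},
}

if __name__ == "__main__":
    # Layer 4 with an EWS canary keeps cas2 in service even though its OAB is down.
    print("layer 4, one namespace, canary=ews:", layer4_single_namespace(SAMPLE_RESULTS))
    print("per-protocol OAB pool:", servers_in_pool(SAMPLE_RESULTS, "oab"))
```

Swap the probe argument of probe_server for http_probe against real CAS names to run it live; the default keeps certificate checking on, so a CAS answering with a certificate that does not match its name is reported as unhealthy rather than silently accepted.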
Publishing Exchange 2013 to the internet (since TMG is no more)
What do we do now TMG has gone!?
Panic. That’s the first thing to do. Once that is done, think about this:
• 10 years ago Exchange and Windows were leaky. Putting them directly on the Interweb was risky.
• 10 years on they are more secure out of the box.
• Are the same risks still present?
• Account lockouts are an invitation to DoS, inside or out
• Strong passwords/phrases, monitoring and good management back up secure software
If we can agree that we are secure out of the box and a router/load balancer that allows only TCP 443 through is a packet filter… then why bother with TMG?
Cast your mind back… a few minutes…
[Diagram: User → Layer 4 LB → CAS. The client makes a request; the LB sees IP address/port with no SSL termination and forwards the traffic to a CAS.]
Is this not a packet filtering device?
What if you have to have something
• UAG supports Exchange 2013
• ARR support – coming
• Load balancer solutions that offer pre-auth modules
Session takeaways
Key concepts:
• CAS 2013 authenticates, locates and connects/redirects
• CAS 2013 proxies seamlessly to 2010 – less so to 2007
• CAS 2013 requires NO load balancer affinity
Directly connecting Exchange 2013 CAS to the Internet IS ok. Really
Track resources
Exchange Team blog: http://blogs.technet.com/b/exchange/
Twitter: follow @MSFTExchange. Join the conversation, use #IamMEC
Check out:
• Microsoft Exchange Conference 2014: www.iammec.com
• Office 365 FastTrack: http://fasttrack.office.com/
• Technical Training with Ignite: http://ignite.office.com/
Complete an evaluation on CommNet and enter to win!
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.