Cannot get Exchange 2010 CAS to proxy OWA request to another Exchange 2010 CAS in another site
I have an Internet-facing Exchange 2010 SP2 CAS server in site A and a non-internet facing Exchange 2010 SP2 CAS server in site B. Each server has all the roles (CAS+MB+HT) installed. The Site B CAS does not have the ExternalURL setting configured. Both OWA application web sites on the Site A server and the site B server are using Integrated Windows Authentication alone. When User B (who has a mailbox in Site B) tries to access his mailbox via https://SiteA-CAS/Owa, he receives a re-direction message telling him to "Use the following link to open this mailbox with the best performance: https://mail.domainname.com/Owa". I was expecting that the Site A CAS would have proxied the OWA request to the Site B CAS and that no re-direction would be done. Do I have something misconfigured?
January 27th, 2012 1:06pm

Hi,
Can you access mailbox B via https://mail.domainname.com/owa?
What is your externalurl for SiteA?
What is the internalurl for SiteA?
What is the internalurl for SiteB?
How about when UserB browses https://mail.domainname.com/owa, will it proxy to site B?

Understanding Proxying and Redirection
http://technet.microsoft.com/en-us/library/bb310763.aspx

Xiu Zhang
TechNet Community Support
January 30th, 2012 4:35am

Can you access mailbox B via https://mail.domainname.com/owa?
You cannot access mailbox B via https://mail.domainname.com/owa. This is actually the problem I am working towards resolving, but I'm looking to fix what is happening internally first before looking at the configuration on the reverse proxy server which comes into play when you use https://mail.domainname.com/owa.

What is your externalurl for SiteA?
ExternalUrl : https://mail.domainname.com/Owa

What is the internalurl for SiteA?
InternalUrl : https://SiteA-CAS.domainname.com/Owa

What is the internalurl for SiteB?
InternalUrl : https://SiteB-CAS.domainname.com/owa

How about UserB browse https://mail.domainname.com/owa, will it proxy to site B?
No, it will not.
January 30th, 2012 7:36am

Hi,
Please run the commands below and then post the result here:

Get-OwaVirtualDirectory | fl Server,Name,InternalUrl,InternalAuthenticationMethods,ExternalUrl,ExternalAuthenticationMethods
Get-RpcClientAccess | fl Server,Responsibility,EncryptionRequired

Please try to set https://siteA-cas.domain.com/owa as external url and then check the issue again.
By the way, what is the reverse proxy? What is the detailed error information?

Xiu Zhang
TechNet Community Support
February 1st, 2012 12:31am

Get-OwaVirtualDirectory | fl Server,Name,InternalUrl,InternalAuthenticationMethods,ExternalUrl,ExternalAuthenticationMethods

Server : SiteA-CAS
Name : owa (Default Web Site)
InternalUrl : https://SiteA-CAS/Owa
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated}
ExternalUrl : https://mail.domainname.com/Owa
ExternalAuthenticationMethods : {Fba}

Server : SiteB-CAS
Name : owa (Default Web Site)
InternalUrl : https://SiteB-CAS/Owa
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated}
ExternalUrl :
ExternalAuthenticationMethods : {Fba}

Get-RpcClientAccess | fl Server,Responsibility,EncryptionRequired

Server : SiteA-CAS
Responsibility : Mailboxes, PublicFolders
EncryptionRequired : False

Server : SiteB-CAS
Responsibility : Mailboxes, PublicFolders
EncryptionRequired : False

Please try to set https://siteA-cas.domain.com/owa as external url and then check the issue again.
When this is done, the behaviour remains the same for UserB:
If UserB uses https://siteA-CAS/owa, he gets a re-direction link to https://mail.domainname.com/owa
If UserB uses the re-direction link, he will get the FBA screen presented by the reverse proxy and after entering credentials, he gets the error: "A server configuration change is temporarily preventing access to your account. Please close all Web browser windows and try again in a few minutes. If the problem continues, contact your helpdesk."

The reverse proxy is a TMG 2010 server with FBA as the authentication on it.
February 1st, 2012 8:25am

Hi,
Please try to create a second DNS entry for the Client Access server and use the Set-OwaVirtualDirectory cmdlet to configure the FailbackUrl parameter to match.

The FailbackUrl parameter specifies the host name Outlook Web App uses to connect to the Client Access server after failback in a site resilience process and requires a separate DNS entry pointing to the original Client Access server's IP address. The FailbackUrl parameter must be different from the ExternalUrl parameter.

Troubleshooting Reference for Client Access Servers
http://technet.microsoft.com/en-us/library/dd298096.aspx

Besides, please make sure that you have put the FQDN in the internal url: https://FQDN/owa

Xiu Zhang
TechNet Community Support
February 1st, 2012 10:40pm

Site B has a non-Internet-facing Exchange 2010 SP2 CAS server with all the roles (CAS+MB+HT) installed on a single server. In Site B, the mailboxes are tightly integrated with that CAS server, as the MB and CAS roles are on a single server. So just install the CAS role on a different server. Then the Site A CAS would proxy the OWA request to the Site B CAS.

Regards,
Mani Bhushan
February 4th, 2012 12:28am

You can use split brain DNS for this to make things easy.

1. In site B DNS, make a record for mail.domain.com and set the IP to the server in site B. Then on the site B server, change the internal url to match that record (https://mail.domain.com).

So now when a user types in https://mail.domain.com/owa in site B, it is going to your site B Exchange server, the internal url is the same match, and everything will work fine. Site A will be unaffected because for it the same link will point to its Exchange server in Site A.

We use split brain DNS like this for many sites in our system and it works great. Also, site A will not proxy for site B.
February 4th, 2012 4:33am

I want to re-focus on the original issue, so let me rephrase the question:

User B tries to access his mailbox using OWA via https://SiteA-CAS/Owa
Why is the CAS server SiteA-CAS not proxying the OWA requests to SiteB-CAS?

This is the behaviour I want, but instead of proxying the request, it is giving me a re-direction link. So, either my understanding of proxying is incorrect, or there is something misconfigured in the environment which is preventing proxying from occurring.

To reiterate the relevant parts of the environment:
SiteA-CAS has all roles (CAS+MB+HT) installed. This site is Internet-facing.
SiteB-CAS has all roles (CAS+MB+HT) installed. This site is NOT Internet-facing.
SiteB-CAS does NOT have the ExternalURL setting configured. ExternalURL is set to $null.
Both OWA application web sites on the SiteA-CAS and SiteB-CAS are using Integrated Windows Authentication alone.

Something has to be misconfigured to prevent proxying from taking place. I'm trying to figure out what is misconfigured or what additional configuration has to be done.
February 6th, 2012 7:34am

Hi,
This isn't normal behaviour. You must be proxied to the second, non-Internet-facing CAS. There's something wrong in your configuration. Try to verify whether there's an external Url configured on the non-Internet-facing CAS.

Best Regards
Don't forget to mark it as answer if it helps
February 6th, 2012 9:38am

What was not previously mentioned was that there are 2 other CAS servers in the non-Internet facing site (for a total of 3). I checked the CAS configuration of the other 2 CAS servers in the non-Internet facing site. One of the CAS servers (which hosts mailboxes in a separate DAG which did not contain the test mailboxes) had an ExternalURL setting for OWA which was then set to $null. The other 2 CAS servers did have an ExternalURL setting for ECP. This was set to $null. After these changes were made, proxying started working. Users on the non-Internet facing site are also able to access their mailboxes via https://mail.domainname.com/owa. Everything works now. So I guess all CAS servers in the non-Internet facing site need to have ExternalURL set to $null for OWA and ECP for proxying to work as it is supposed to.
February 6th, 2012 11:08am
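
The check that resolved this thread (every CAS outside the Internet-facing site must have an empty ExternalUrl on both OWA and ECP) can be scripted. The following is an added example, not code from any poster; the server names SiteB-CAS2 and SiteB-CAS3, the site names SiteA and SiteB, and the sample URLs are constructed for illustration.

```powershell
# Added example: flags OWA/ECP virtual directories that carry an ExternalUrl
# on CAS servers outside the Internet-facing AD site.
function Find-ProxyBlockingExternalUrl {
    param(
        [Parameter(Mandatory=$true)] [object[]]  $VirtualDirectory,
        [Parameter(Mandatory=$true)] [hashtable] $ServerSite,        # server name -> AD site name
        [Parameter(Mandatory=$true)] [string]    $InternetFacingSite
    )
    foreach ($vdir in $VirtualDirectory) {
        $server = [string]$vdir.Server
        if (-not $ServerSite.ContainsKey($server)) {
            Write-Warning "No AD site recorded for $server; skipped"
            continue
        }
        $site = $ServerSite[$server]
        # An ExternalUrl is expected on the Internet-facing site, so only other sites are checked.
        if ($site -eq $InternetFacingSite) { continue }
        $url = [string]$vdir.ExternalUrl
        if ([string]::IsNullOrEmpty($url)) { continue }
        New-Object PSObject -Property @{
            Server = $server; Site = $site; VirtualDirectory = $vdir.Name; ExternalUrl = $url
        }
    }
}

# Constructed sample shaped like the thread's final state before the fix:
# one extra CAS with an OWA ExternalUrl, two with an ECP ExternalUrl.
function New-SampleVdir($Server, $Name, $ExternalUrl) {
    New-Object PSObject -Property @{ Server = $Server; Name = $Name; ExternalUrl = $ExternalUrl }
}
$vdirs = @(
    (New-SampleVdir 'SiteA-CAS'  'owa (Default Web Site)' 'https://mail.domainname.com/Owa'),
    (New-SampleVdir 'SiteB-CAS'  'owa (Default Web Site)' $null),
    (New-SampleVdir 'SiteB-CAS'  'ecp (Default Web Site)' 'https://mail.domainname.com/ecp'),
    (New-SampleVdir 'SiteB-CAS2' 'owa (Default Web Site)' 'https://mail.domainname.com/owa'),
    (New-SampleVdir 'SiteB-CAS3' 'ecp (Default Web Site)' 'https://mail.domainname.com/ecp')
)
$sites = @{ 'SiteA-CAS' = 'SiteA'; 'SiteB-CAS' = 'SiteB'; 'SiteB-CAS2' = 'SiteB'; 'SiteB-CAS3' = 'SiteB' }

Find-ProxyBlockingExternalUrl -VirtualDirectory $vdirs -ServerSite $sites -InternetFacingSite 'SiteA' |
    Sort-Object Server, VirtualDirectory |
    Format-Table Server, VirtualDirectory, ExternalUrl -AutoSize

# Against a live organization (Exchange Management Shell), build the inputs with:
#   $vdirs = @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory)
#   $sites = @{}; Get-ExchangeServer | ForEach-Object { $sites[$_.Name] = ([string]$_.Site).Split('/')[-1] }
# (assumes the last segment of the Site value is the AD site name)
```

Each row returned is a virtual directory whose ExternalUrl would need to be set to $null, as described in the post above.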

This topic is archived. No further replies will be accepted.
