Cannot get Exchange 2010 CAS to proxy OWA request to another Exchange 2010 CAS in another site
I have an Internet-facing Exchange 2010 SP2 CAS server in site A and a non-internet facing Exchange 2010 SP2 CAS server in site B. Each server has all the roles (CAS+MB+HT) installed.
The Site B CAS does not have the ExternalURL setting configured. Both OWA application web sites on the Site A server and the site B server are using Integrated Windows Authentication alone.
When User B (who has a mailbox in Site B) tries to access his mailbox via https://SiteA-CAS/Owa, he receives a re-direction message telling him to "Use the following link to open this mailbox with the best performance: https://mail.domainname.com/Owa".
I was expecting that the Site A CAS would have proxied the OWA request to the Site B CAS and that no re-direction would be done. Do I have something misconfigured?
January 27th, 2012 1:06pm
Hi,
Can you access mailbox B via https://mail.domainname.com/owa?
What is your externalurl for SiteA?
What is the internalurl for SiteA?
What is the internalurl for SiteB?
How about when UserB browses to https://mail.domainname.com/owa, will it proxy to site B?
Understanding Proxying and Redirection
http://technet.microsoft.com/en-us/library/bb310763.aspx
Xiu Zhang
TechNet Community Support
January 30th, 2012 4:35am
Can you access mailbox B via https://mail.domainname.com/owa?
You cannot access mailbox B via https://mail.domainname.com/owa. This is actually the problem I am working towards resolving, but I'm looking to fix what is happening internally first before looking at the configuration on the reverse proxy server which comes into play when you use https://mail.domainname.com/owa.
What is your externalurl for SiteA?
ExternalUrl : https://mail.domainname.com/Owa
What is the internalurl for SiteA?
InternalUrl : https://SiteA-CAS.domainname.com/Owa
What is the internalurl for SiteB?
InternalUrl : https://SiteB-CAS.domainname.com/owa
How about when UserB browses to https://mail.domainname.com/owa, will it proxy to site B?
No, it will not.
January 30th, 2012 7:36am
Hi,
Please run the command below and then post the result here:
Get-OwaVirtualDirectory | fl Server,Name,InternalUrl,InternalAuthenticationMethods,ExternalUrl,ExternalAuthenticationMethods
Get-RpcClientAccess | fl Server,Responsibility,EncryptionRequired
Please try to set https://siteA-cas.domain.com/owa as the external URL and then check the issue again.
By the way, what is the reverse proxy?
What is the detail error information?
Xiu Zhang
TechNet Community Support
February 1st, 2012 12:31am
Get-OwaVirtualDirectory | fl Server,Name,InternalUrl,InternalAuthenticationMethods,ExternalUrl,ExternalAuthenticationMethods
Server : SiteA-CAS
Name : owa (Default Web Site)
InternalUrl : https://SiteA-CAS/Owa
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated}
ExternalUrl : https://mail.domainname.com/Owa
ExternalAuthenticationMethods : {Fba}
Server : SiteB-CAS
Name : owa (Default Web Site)
InternalUrl : https://SiteB-CAS/Owa
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated}
ExternalUrl :
ExternalAuthenticationMethods : {Fba}
Get-RpcClientAccess | fl Server,Responsibility,EncryptionRequired
Server : SiteA-CAS
Responsibility : Mailboxes, PublicFolders
EncryptionRequired : False
Server : SiteB-CAS
Responsibility : Mailboxes, PublicFolders
EncryptionRequired : False
Please try to set https://siteA-cas.domain.com/owa as the external URL and then check the issue again.
When this is done, the behaviour remains the same for UserB:
If UserB uses https://siteA-CAS/owa, he gets a re-direction link to https://mail.domainname.com/owa.
If UserB uses the re-direction link, he will get the FBA screen presented by the reverse proxy and after entering credentials, he gets the error: "A server configuration change is temporarily preventing access to your account. Please close all Web browser windows and try again in a few minutes. If the problem continues, contact your helpdesk."
The reverse proxy is a TMG 2010 server with FBA as the authentication on it.
February 1st, 2012 8:25am
Hi,
Please try to create a second DNS entry for the Client Access server and use the Set-OwaVirtualDirectory cmdlet to configure the FailbackUrl parameter to match. The FailbackUrl parameter specifies the host name Outlook Web App uses to connect to the Client Access server after failback in a site resilience process and requires a separate DNS entry pointing to the original Client Access server's IP address. The FailbackUrl parameter must be different from the ExternalUrl parameter.
Troubleshooting Reference for Client Access Servers
http://technet.microsoft.com/en-us/library/dd298096.aspx
Besides, please make sure that you have put the FQDN in the internal URL: https://FQDN/owa
Xiu Zhang
TechNet Community Support
February 1st, 2012 10:40pm
Site B has a non-internet facing Exchange 2010 SP2 CAS server and all the roles (CAS+MB+HT) installed on a single server.
In Site B, mailboxes are tightly integrated with that CAS server as the MB and CAS roles are on a single server. So just install the CAS role on a different server.
Then the Site A CAS would proxy the OWA request to the Site B CAS.
Regards, Mani Bhushan
February 4th, 2012 12:28am
You can use split brain DNS for this to make things easy.
1. In site B DNS make a record for mail.domain.com and set the IP to the server in site B. Then on the site B server change the internal URL to match that record (https://mail.domain.com). So now when a user types in https://mail.domain.com/owa in site B it is going to your site B Exchange server, the internal URL is the same match and everything will work fine. Site A will be unaffected because for it the same link will point to its Exchange server in Site A.
We use split brain DNS like this for many sites in our system and it works great.
Also the site A will not proxy for site B
February 4th, 2012 4:33am
I want to re-focus on the original issue, so let me rephrase the question:
User B tries to access his mailbox using OWA via https://SiteA-CAS/Owa.
Why is the CAS server SiteA-CAS not proxying the OWA requests to SiteB-CAS?
This is the behaviour I want, but instead of proxying the request, it is giving me a re-direction link.
So, either my understanding of proxying is incorrect, or there is something misconfigured in the environment which is preventing proxying from occurring. To reiterate the relevant parts of the environment:
SiteA-CAS has all roles (CAS+MB+HT) installed. This site is Internet-facing.
SiteB-CAS has all roles (CAS+MB+HT) installed. This site is NOT Internet-facing.
SiteB-CAS does NOT have the ExternalURL setting configured. ExternalURL is set to $null.
Both OWA application web sites on the SiteA-CAS and SiteB-CAS are using Integrated Windows Authentication alone.
Something has to be misconfigured to prevent proxying from taking place. I'm trying to figure out what is misconfigured or what additional configuration has to be done.
February 6th, 2012 7:34am
Hi,
This isn't normal behaviour. You must be proxied to the second, non-internet-facing CAS. There's something wrong in your configuration.
Try to verify if there's an external Url configured in the non internet facing CAS.
Best Regards. Don't forget to mark it as answer if it helps.
February 6th, 2012 9:38am
What was not previously mentioned was that there are 2 other CAS servers in the non-Internet facing site (for a total of 3).
I checked the CAS configuration of the other 2 CAS servers in the non-Internet facing site. One of the CAS servers (which hosts mailboxes in a separate DAG which did not contain the test mailboxes) had an ExternalURL setting for OWA, which was then set to $null.
The other 2 CAS servers did have an ExternalURL setting for ECP. This was set to $null.
After these changes were made, proxying started working. Users on the non-Internet facing site are also able to access their mailboxes via https://mail.domainname.com/owa.
Everything works now.
So I guess all CAS servers in the non-Internet facing site need to have ExternalURL set to $null for OWA and ECP for proxying to work as it is supposed to.
February 6th, 2012 11:08am
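The resolution above came down to finding every CAS in the non-Internet-facing site whose OWA or ECP virtual directory still carried an ExternalUrl. The following script is an added example, not from this thread or from Microsoft, that automates that audit in the Exchange 2010 Management Shell; the site name 'SiteA' is a placeholder for your Internet-facing AD site, and the Set-* calls run with -WhatIf so nothing is changed until you remove it.

```powershell
# Added example (not from the thread): find OWA/ECP virtual directories on CAS
# servers in non-Internet-facing AD sites that still have an ExternalUrl, which
# is what blocked cross-site proxying in the thread above.
# Assumes the Exchange 2010 Management Shell; 'SiteA' is a placeholder.

$internetFacingSites = @('SiteA')   # placeholder: your Internet-facing AD site(s)

# Map each CAS server name to its AD site (Get-ExchangeServer exposes Site).
$casServers = Get-ExchangeServer | Where-Object { $_.IsClientAccessServer }
$siteOf = @{}
foreach ($s in $casServers) { $siteOf[$s.Name] = $s.Site.Name }

# Both OWA and ECP virtual directories mattered in the thread, so audit both.
$vdirs = @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory)

# A virtual directory is "stray" when its server sits in a non-Internet-facing
# site but still advertises an ExternalUrl.
$stray = $vdirs | Where-Object {
    $site = $siteOf[$_.Server]
    ($internetFacingSites -notcontains $site) -and ($_.ExternalUrl -ne $null)
}

if (-not $stray) {
    Write-Host 'No non-Internet-facing CAS has an ExternalUrl on OWA or ECP.'
} else {
    $stray | Format-Table Server, @{n='Site'; e={ $siteOf[$_.Server] }}, Name, ExternalUrl -AutoSize

    # Review the list first; drop -WhatIf to actually clear the ExternalUrl.
    foreach ($v in $stray) {
        if ($v.Name -like 'owa*') {
            Set-OwaVirtualDirectory -Identity $v.Identity -ExternalUrl $null -WhatIf
        } else {
            Set-EcpVirtualDirectory -Identity $v.Identity -ExternalUrl $null -WhatIf
        }
    }
}
```

Re-run Get-OwaVirtualDirectory afterwards to confirm the non-Internet-facing servers show an empty ExternalUrl before testing the proxy path again.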