Hi,

In our deployment we have the requirement of having some users use and authenticate differently from other users.

Out of a total of 200 users, 50 must use RSA authentication and should not be able to use email services, unless they are in a VPN/Local Network.

If I would make out of them 2 categories (call them category Alice and category Bob), how can I have user Alice use some CAS services (OWA/ECP/IMAP/etc) and not be able to login to Bob category of CAS services, like below?

Alice:
- autodiscover: autodiscover-rsa.contoso.com
- owa/pop/imap/ecp/etc: rsaowa.contoso.com
- different policies for authentication and access
- cannot login to Bob CAS services

Bob:
- autodiscover: autodiscover.contoso.com
- owa/pop/imap/ecp/etc: owa.contoso.com
- different policies for authentication and access
- cannot login to Alice CAS services

Thank you

I don't believe that there's any way to do what you want out of the box without creating separate Exchange organizations.  To do what you want, I think you're going to need a reverse proxy, and I'm sorry but I don't have any suggestions for what you might use.

Thank you for your reply Ed.

So there is no way to have a common backend (mailbox database/dag), sepparate CAS servers and bind a database to a certain CAS server/array...

Thanks again,
C

There is no CAS array in Exchange 2013.

There is no binding of the sort between CAS and mailbox servers.  The CAS acts as a protocol router.