E14 - Proxying for Outlook Web App

 


The following scenario shows how incoming requests are handled for a user who connects to an Exchange 2010 Client Access server named CAS-01 using Outlook Web App.

  1. The Client Access server queries Active Directory to determine the location of the user's mailbox and the version of Microsoft Exchange installed on the Mailbox server. If the user's mailbox is on an Exchange 2010 Mailbox server, go to step 3.
  2. An E2K3 user cannot use https://exchangeFQDN/OWA to access the E2010 CAS.
  3. Outlook Web Access could not find a mailbox for MSFT\bqt.msv12. If the problem continues, contact technical support for your organization and tell them the following: The mailbox may be stored on a Microsoft Exchange 2000 or Microsoft Exchange 2003 server, or the Active Directory user account was created recently and has not yet replicated to the Active Directory site where this Client Access server is hosted.

    Request
    Url: https://oaw.MSFT.com:443/owa/auth/error.aspx
    User host address: 10.82.162.143

     

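  4. Access must go through https://exchangeFQDN/Exchange instead.

    The E2010 CAS proxies the request directly to the E2K3 back-end (B-E) server, whether it is in the same site or a different site.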


    If the user's mailbox is on an Exchange 2003 server and the user tried to access Outlook Web App using https://domain name/owa, they'll receive an error.

    If the user tries to access https://domain name/exchange or https://domain name/public, the incoming request is proxied to the Exchange 2003 server that hosts the user's mailbox and the Outlook Web App virtual directory.

    If the incoming request is to an Exchange 2010 Client Access server in a different Active Directory site than the destination back-end server, the request will be proxied to the destination back-end server directly, even if there's an Exchange 2010 Client Access server within the destination Active Directory site.

    If the incoming request is to an Exchange 2010 Client Access server within the same Active Directory site as the destination back-end server, the request will be proxied directly to the destination back-end server.
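  5. When E2010 users access OWA, if the CAS server that AD determines for the user has an External URL, redirect mode is used; if it has no External URL, the Internal URL is used to proxy instead.

    Integrated Windows authentication must also be enabled.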


    If the user's mailbox is on an Exchange 2010 mailbox server, CAS-01 locates a Client Access server in the same Active Directory site as the user's mailbox server. When one is found, Exchange 2010 determines whether the Client Access server has the InternalURL property configured and whether the authentication method on the virtual directory is set to Integrated Windows authentication. CAS-01 then determines whether an external URL is specified.

    If so, the user is redirected to the server specified by the ExternalURL property. If an external URL isn't specified, CAS-01 will proxy the user's request to the Client Access server that's specified by the InternalURL property.
  6. An internal URL is configured automatically during Exchange 2010 Setup. For Client Access servers that don't have an Internet presence, the ExternalURL property should be set to $null.


  7. Proxying Configuration
    If your Client Access server is Internet-facing, set the ExternalURL property on the Exchange ActiveSync and Outlook Web App virtual directories using the Exchange Management Console or the Exchange Management Shell. The InternalURL property is configured automatically during the initial setup of Exchange 2010 and should rarely have to be changed.

    The ExternalURL property should contain the domain name that's registered for your Exchange organization in DNS. The following table contains the appropriate values for the ExternalURL and InternalURL properties for an Internet-facing Client Access server for the Exchange organization named www.contoso.com. The second table contains the appropriate ExternalURL and InternalURL property values for a non-Internet-facing Client Access server in a second Active Directory site for www.contoso.com. You must configure the authentication method on all these virtual directories to be Integrated Windows authentication. Proxying isn't supported for virtual directories that use other authentication methods.

  8. If new Outlook Web App virtual directories are created using the Exchange Management Shell, you must manually configure the InternalURL property on those virtual directories.
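
The redirect-or-proxy decision and the configuration requirements above, as an added PowerShell example (not from the original post or from Microsoft's documentation): it classifies each OWA virtual directory and flags settings that conflict with the guidance. The `Get-OwaProxyOutcome` function, the `-InternetFacing` list and the sample records (CAS-02, CAS-03 and the `.example` host names included) are assumptions made for illustration.

```powershell
# Added example. Written in PowerShell 2.0 syntax, as used by the Exchange 2010 Management Shell.
function Get-OwaProxyOutcome {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $VirtualDirectory,
        # Assumption: the caller lists the servers that are meant to be Internet-facing.
        [string[]]$InternetFacing = @()
    )
    process {
        $vd          = $VirtualDirectory
        $server      = [string]$vd.Server
        $hasExternal = -not [string]::IsNullOrEmpty([string]$vd.ExternalUrl)
        $hasInternal = -not [string]::IsNullOrEmpty([string]$vd.InternalUrl)
        $winAuth     = [bool]$vd.WindowsAuthentication

        # ExternalURL set -> redirect. Otherwise proxy to InternalURL, which needs
        # Integrated Windows authentication on the target virtual directory.
        if ($hasExternal) { $outcome = 'Redirect to ExternalURL' }
        elseif ($hasInternal -and $winAuth) { $outcome = 'Proxy to InternalURL' }
        else { $outcome = 'Proxy not supported' }

        $findings = @()
        if ($hasExternal -and ($InternetFacing -notcontains $server)) {
            $findings += 'ExternalURL set but server not listed as Internet-facing; expected $null'
        }
        if (-not $hasExternal -and ($InternetFacing -contains $server)) {
            $findings += 'Internet-facing server has no ExternalURL'
        }
        if (-not $hasInternal) { $findings += 'InternalURL is empty' }
        if (-not $winAuth)     { $findings += 'Integrated Windows authentication is disabled' }

        New-Object PSObject -Property @{
            Server = $server; Outcome = $outcome; Findings = ($findings -join '; ')
        }
    }
}

# Constructed sample records shaped like Get-OwaVirtualDirectory output (not real data).
$sample = @(
    New-Object PSObject -Property @{ Server = 'CAS-01'; ExternalUrl = 'https://www.contoso.com/owa'; InternalUrl = 'https://cas-01.contoso.example/owa'; WindowsAuthentication = $true }
    New-Object PSObject -Property @{ Server = 'CAS-02'; ExternalUrl = $null; InternalUrl = 'https://cas-02.contoso.example/owa'; WindowsAuthentication = $true }
    New-Object PSObject -Property @{ Server = 'CAS-03'; ExternalUrl = 'https://www.contoso.com/owa'; InternalUrl = $null; WindowsAuthentication = $false }
)
$sample | Get-OwaProxyOutcome -InternetFacing 'CAS-01' | Select-Object Server, Outcome, Findings
```

Against a live organization, pipe `Get-OwaVirtualDirectory` into the function in place of `$sample`.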






More Information & Reference

Understanding Proxying and Redirection

   
