For any given mailbox’s connectivity, the user is always served by the server that hosts the active database copy.

Each CAS determines the right end point for the traffic, and so all sessions – regardless of where they started – end up in the same place.

[Diagram: User, Layer 4 LB, CAS, and a DAG with MBX-A and MBX-B.]

[Diagram: HTTP traffic from the load balancer to the CAS (IIS, HTTP proxy) and on to the MBX servers (IIS, protocol heads, DBs), within a site and across the site boundary. Request types shown: local proxy request, OWA cross-site redirect request, cross-site proxy request.]

[Diagram: Clients resolve autodiscover.contoso.com through DNS. Internet-facing site: E2013 CAS, E2010 CAS, E2013 MBX, E2010 MBX. Intranet site: E2010 CAS, E2010 MBX. PROXY arrows run to the E2010 CAS. Caption: CAS 2010 handles request.]

[Diagram: Clients resolve autodiscover.contoso.com through DNS. Internet-facing site: E2007 CAS, E2013 CAS, E2007 MBX, E2013 MBX. Intranet site: E2007 CAS, E2007 MBX. Caption: MBX 2013 handles request.]

[Diagram: "The triangle (AD)". Outlook clients look up SCP records in AD and use the internal LB namespace. Servers: E2013 CAS, E2010 CAS, E2013 MBX, E2010 MBX across the Internet-facing and intranet sites. Caption: CAS 2010 handles request.]

[Diagram: "Still a triangle". Outlook clients look up SCP records in AD and use the internal LB namespace. Servers: E2013 CAS, E2007 CAS, E2013 MBX, E2007 MBX across the Internet-facing and intranet sites. Caption: MBX 2013 handles request.]

Outlook Anywhere (clients connect with RPC/HTTP to mail.contoso.com)

1. Enable Outlook Anywhere
   On intranet 2007/2010 servers
2. Client settings
   Make 2007/2010 client settings the same as 2013 Server (in this case meaning OA hostname = mail.contoso.com and client auth = Basic)
3. IIS authentication methods
   Must include NTLM

[Diagram: E2013 CAS (Enable OA, Client Auth: Basic, IIS Auth: Basic) proxies to the E2010/E2007 CAS (Enable OA, Client Auth: Basic, IIS Auth: NTLM) in the Internet-facing and intranet sites, which use RPC to reach the E2010/E2007 MBX.]

If your 2007 server is CAS + MBX and is not a GC and has IPv6 enabled then Outlook Anywhere won’t work.

[Diagram: OWA with Exchange 2010. mail.contoso.com (Layer 4 LB) and europe.mail.contoso.com (Layer 7 LB). E2013 CAS shows the 2013 logon page and sends a same-site proxy request (HTTP proxy) to the E2010 CAS, or a cross-site proxy request to the E2010 CAS in the other site. Also shown: 2010 logon page; single sign-on (SSO) redirect, new in CU2.]

[Diagram: OWA with Exchange 2007. legacy.mail.contoso.com (Layer 7 LB), mail.contoso.com (Layer 4 LB) and europe.mail.contoso.com (Layer 7 LB). E2013 CAS shows the 2013 logon page; the E2007 CAS in each site shows the 2007 logon page. Single sign-on (SSO) redirect, new in CU2.]

[Diagram: OWA with Exchange 2013 only. mail.contoso.com (Layer 4 LB) and europe.mail.contoso.com (Layer 4 LB), each in front of an E2013 CAS and E2013 MBX in an Internet-facing site. 2013 logon page; single sign-on (SSO) redirect, new in CU2.]
[Diagram: OWA with Exchange 2013 only, two Internet-facing sites sharing mail.contoso.com, each behind a Layer 4 LB. The E2013 CAS shows the 2013 logon page and uses HTTP proxy to reach the E2013 MBX.]

[Diagram: EAS with Exchange 2010. mail.contoso.com (Layer 4 LB) and europe.mail.contoso.com (Layer 7 LB). E2013 CAS sends same-site and cross-site proxy requests (HTTP proxy) to the E2010 CAS in the Internet-facing and intranet sites.]

[Diagram: EAS with Exchange 2007. legacy.mail.contoso.com (Layer 7 LB), mail.contoso.com (Layer 4 LB) and europe.mail.contoso.com (Layer 7 LB). Servers: E2007 CAS, E2013 CAS, E2007 MBX, E2013 MBX across the Internet-facing and intranet sites.]

[Diagram: EWS with Exchange 2010. mail.contoso.com (Layer 4 LB) and europe.mail.contoso.com (Layer 7 LB). E2013 CAS sends same-site and cross-site proxy requests (HTTP proxy) to the E2010 CAS in the Internet-facing and intranet sites.]

[Diagram: EWS with Exchange 2007. legacy.mail.contoso.com (Layer 7 LB), mail.contoso.com (Layer 4 LB) and europe.mail.contoso.com (Layer 7 LB). Servers: E2007 CAS, E2013 CAS, E2007 MBX, E2013 MBX across the Internet-facing and intranet sites.]

For any given mailbox’s connectivity, the user is always served by the server that hosts the active database copy.

Each CAS determines the right end point for the traffic, and so all sessions – regardless of where they started – end up in the same place.

[Diagram: User, Layer 4 LB, CAS, and a DAG with MBX-A and MBX-B.]

Client makes request to FQDN: /ews/Exchange.asmx on TCP 443.

User -> Layer 4 LB -> CAS
LB sees: IP address/port
No SSL termination
LB forwards traffic to CAS with no idea of final URL

So how do we pick a CAS when there are several, or determine the health of a CAS?

If you can test the health of a Vdir on CAS to determine overall server health – which one(s) would you pick?
[Diagram: User, Layer 4 LB, CAS. One namespace (mail.contoso.com, with autodiscover.contoso.com) in front of the OWA, ECP, EWS, EAS, OAB, RPC and AutoD virtual directories.]

Result: At layer four – with one namespace – health is per server, NOT per protocol.

[Diagram: User, Layer 7 LB, CAS. Requests such as mail.contoso.com/rpc and mail.contoso.com/owa; healthcheck.htm probes against the OWA, ECP, EWS, EAS, OAB, RPC and AutoD virtual directories.]

SSL termination at the load balancer reveals the full URL.

Result: At layer seven – with one namespace – health is per protocol.

[Diagram: User, Layer 4 LB, CAS. Namespaces owa.contoso.com, ecp.contoso.com, ews.contoso.com, eas.contoso.com, oab.contoso.com, rpc.contoso.com, autodiscover.contoso.com and mail.contoso.com in front of the OWA, ECP, EWS, EAS, OAB, RPC and AutoD virtual directories.]

The destination IP implies the full URL.

Result: At layer four – with multiple namespaces – health is per protocol.

Trade-offs (slide axes: Target Audience, Functionality, Simplicity)

Layer 4, one namespace:
+ Simple, fast, no affinity LB
+ Single, unified namespace
+ Minimal networking skillset
- Per server availability

Layer 4, multiple namespaces:
+ Simple, fast, no affinity LB
+ Per protocol availability
- One namespace per protocol

Layer 7, one namespace:
+ Per protocol availability
+ Single, unified namespace
- SSL termination @ LB
- Requires increased networking skillset

Client makes request. Is this not a packet filtering device?

User -> Layer 4 LB -> CAS
LB sees: IP address/port
No SSL termination
LB forwards traffic to CAS

http://www.iis.net/downloads/microsoft/application-request-routing/

Download the Free TechEd OneNote: http://aka.ms/t6lmn6
http://channel9.msdn.com/Events/TechEd
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn
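The three health-check results above (layer 4 with one namespace is per server; layer 7, or layer 4 with one namespace per protocol, is per protocol), modelled as an added example that is not part of the original deck. Server names cas1 to cas3 and the probe outcomes are constructed; the protocol labels are the virtual directories named on the slides.

```python
# Added example: server names and probe outcomes are constructed.
PROTOCOLS = ["owa", "ecp", "ews", "eas", "oab", "rpc", "autodiscover"]

def probe_row(failing=()):
    """One server's per-protocol healthcheck.htm results (True = healthy)."""
    return {p: p not in failing for p in PROTOCOLS}

# Constructed sample: cas2 has a broken OWA, cas3 a broken RPC endpoint.
PROBES = {
    "cas1": probe_row(),
    "cas2": probe_row(failing=["owa"]),
    "cas3": probe_row(failing=["rpc"]),
}

def l4_single_namespace(probes, probed):
    """One VIP, no SSL termination: the LB sees only IP address and port,
    so the single probed vdir decides rotation for every protocol."""
    up = sorted(s for s, row in probes.items() if row[probed])
    return {p: list(up) for p in PROTOCOLS}

def per_protocol(probes):
    """Layer 7 (URL visible after SSL termination) or layer 4 with one
    namespace per protocol: each protocol gets its own pool."""
    return {p: sorted(s for s, row in probes.items() if row[p])
            for p in PROTOCOLS}

def misrouted(pools, probes):
    """(protocol, server) pairs still in rotation although that protocol fails."""
    return sorted((p, s) for p, pool in pools.items()
                  for s in pool if not probes[s][p])

def lost_capacity(pools, probes):
    """(protocol, server) pairs that are healthy but out of rotation."""
    return sorted((p, s) for p in PROTOCOLS for s, row in probes.items()
                  if row[p] and s not in pools[p])

if __name__ == "__main__":
    designs = {
        "layer 4, one namespace (probe owa)": l4_single_namespace(PROBES, "owa"),
        "layer 7 or one namespace per protocol": per_protocol(PROBES),
    }
    for name, pools in designs.items():
        print(name)
        print("  misrouted:    ", misrouted(pools, PROBES))
        print("  lost capacity:", lost_capacity(pools, PROBES))
```

With a single probed vdir, the choice of probe decides which failures go unnoticed (here RPC on cas3) and which healthy protocols are taken out of service with the server (everything but OWA on cas2).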