Continuing on my previous post, I wanted to go into explaining how Exchange Server 2007 CAS Proxying works for Outlook Web Access (OWA).

Proxying for Outlook Web Access is used when there is only one Internet-facing CAS Server. In this scenario the will be proxied to the CAS server where his mailbox server is located. This requires more intensive resource on the CAS server than doing redirection. The main benefit to this is your users can have a single point of access from external and proxying is transparent to the end user.

CAS-CAS Proxying is quite similar with the process described in the future topic "How CAS proxying works for ActiveSync". There are a few differences regarding the errors and logs.

Please see the following flowchart that will help you understand this process. To view the full version, please click on the thumbnail. We wanted to publish the flowchart in high resolution:

1. The First CAS queries the Active Directory to determine the location of the user's mailbox and the version of Microsoft Exchange that is installed on the Mailbox server. If the mailbox is on Exchange 2007, the First CAS will determine the best CAS, a Client Access Server in the same AD site as the user's mailbox server.

If the user's mailbox is on an Exchange 2003 server, the request will be proxied directly to the destination Exchange 2003 back-end server, even if there is an Exchange 2007 Client Access server within the destination Active Directory site. Windows Integrated authentication is required on Exchange 2003 /Exchange virtual directory.

Once is determined where the user mailbox is located, in this case on a Mailbox Exchange 2007 Server named Chicago.fourthcoffee.com. The First CAS has already made the decision to talk directly to a mailbox server in the same site, proxy the request to the Second CAS or return a web page link with the ExternalURL from the Second CAS where the user mailbox is located.

As the mailbox is on an AD remote site, the request is proxied to the Second CAS named Dallas.fourthcoffee.com.

2. If the First CAS itself is the best CAS for the request it will handle the request and initialize a mailbox session via RPC with the Exchange 2007 mailbox server. If it is an Exchange 2003 Server the communication will be via http(s) and Windows Integrated authentication is required on Exchange 2003 /Exchange virtual directory.

If there is a Client Access server that is closer to the user's Mailbox server, Exchange 2007 determines whether the Client Access server has the InternalURL property configured on /owa virtual directory Exchange and if the authentication method is Integrated Windows authentication. If so, the user is proxied to the Client Access server specified by the InternalURL property. Otherwise will return an error message to the client if could not find the best CAS.

Error: Outlook Web Access is not currently available for the user mailbox that you are trying to access. Please try again in a few minutes. If the problem continues, contact technical support for your organization and tell them the following: The available Microsoft Exchange Client Access servers in the target Active Directory site are not responding.

If the Integrated Windows authentication is not set on the Second CAS, it will return an error message to the client.

Error: Outlook Web Access is not available. If the problem continues, contact technical support for your organization and tell them the following: There is no Microsoft Exchange Client Access server that has the necessary configuration in the Active Directory site where the mailbox is stored.

3. The server hosting https://dallas.fourthcoffee.com/owa may be configured not to allow Kerberos authentication. It might be set to use Windows Integrated authentication for the Outlook Web Access virtual directory, but be configured to only use NTLM (not Kerberos) authentication for Windows Integrated authentication. See the IIS documentation for additional troubleshooting steps if you suspect this may be the cause of the failure.

4. If the best CAS has an "ExternalURL" set on the /owa virtual directory, than then First CAS will return a web page link to the client with the ExternalURL from the Second CAS.

5. When attempting to connect to a proxy request, if the Second CAS returns a HTTP_441 response, it indicates that the second CAS did not have the CSC for the SID that was passed. The First CAS will obtain the CSC, serialized into XML and issues a proxy login request.

Note: InternalURL is configured automatically during Exchange 2007 Setup. For Client Access servers that do not have an Internet presence, the ExternalURL property should be set to $null

6. The Second CAS initializes a new mailbox session to sync the user mailbox.

In next post: How Exchange Server 2007 CAS Proxying works for ActiveSync.

- Vandy Rodrigues