Programming4us
         
 
 
Applications Server

Planning Client Access to Exchange 2010 (part 2) - Outlook Web App and Exchange Control Panel

10/18/2010 10:01:08 AM
2. Outlook Web App and Exchange Control Panel

Exchange Control Panel follows the same architecture as OWA. The guiding principle with OWA is to use a Client Access server closest to the user's mailbox, not the Client Access server closest to where the user is. This is because the communication between the Client Access server and the Mailbox server uses RPC communication, which needs low latency and high bandwidth. Exchange achieves this via two mechanisms: redirection and proxying. Understanding these concepts will help you later in the chapter when we look at the access scenarios.

Proxying is used to access Client Access servers that are not externally available. Figure 6 shows two of Fabrikam's datacenters. Because only the Denver datacenter has Internet connectivity, users with mailboxes in the Miami datacenter do not have a direct way to access their Client Access server. In this scenario, the user points the Web browser to his OWA URL, and the Denver Client Access server proxies the request using HTTPS to the Client Access server in the Miami datacenter. The Denver Client Access server uses the Miami Client Access server's certificate to encrypt the conversation. It does not use the certificate for authentication, so the Miami host can continue to use the default self-signed certificate without problems. It is also worth noting that for one Client Access server to proxy to another, the authentication used on the /OWA or /ECP Virtual Directory must be changed from the default of Forms Based Authentication to Windows Integrated Authentication.

Figure 6. OWA proxying

If both datacenters have an Internet connection, as shown in Figure 7, the client can make a more optimal connection. For redirection to work, the external URL must be configured with an externally resolvable address.

Figure 7. OWA redirection

For example, if a user whose mailbox is in the Miami datacenter opens her browser to connect to OWA for a mailbox in Denver, Exchange will redirect the client to the appropriate Client Access server with a message similar to that shown in Figure 8.

Figure 8. OWA redirect message

Notes From The Field: Redirecting OWA URLs in Exchange 2010

Brian Desmond

Microsoft MVP, Directory Services, Brian Desmond Consulting, North America

One of the things I've been doing for as long as I can remember is redirecting requests that don't go to https://mail.contoso.com/owa (or /exchange) to the correct URL. So, if someone goes to http://mail.contoso.com or https://mail.contoso.com, he gets redirected to the correct (secure) URL. Historically I've always done this with two components:

  • A custom Web site listening on Port 80 on each Client Access server

  • A default.aspx file in the root of the Default Web Site redirecting to /owa

This approach no longer works with Exchange 2010 Client Access server because the PowerShell virtual directory actually operates over Port 80 (authentication is Kerberized). If you try to tinker with this, you'll start getting errors like the following from Remote Windows PowerShell:

… The WinRM service cannot process the request because the request needs to be sent to a different machine. Use the redirect information to send the request to a new machine. Redirect location reported: https://owa.customer.com/owa/PowerShell….

To work around this, you need to use the HTTP Redirection feature in IIS (the default.aspx trick mentioned in the second bullet in the preceding list should work, too), and also remove the requirement for SSL at the top-level Default Web Site object. You have to be careful when you do this because when you configure settings on the Web site, IIS will push them down to any virtual directory below which does not explicitly set that setting itself. To set up the redirect, select Default Web Site in IIS Manager, and open the HTTP Redirect option under IIS. Complete it as shown in Figure 9.

Figure 9. HTTP Redirect
Warning: It's very important that you select the check boxes as shown in the figure!

After this step is complete, you need to remove the enforced redirect from each of the virtual directories under the Default Web Site. To do this, select each virtual directory individually, and then open the HTTP Redirect property and clear the Redirect Requests To This Destination check box. You'll need to do this on the following virtual directories:

aspnet_clientAutoDiscoverECP
EWSMicrosoft-Server-ActiveSyncOAB
Windows PowerShellRpc

If at this point if you simply browse to http://cas01.customer.com, you'll get an HTTP 403.4 error. This is because SSL is required at the top-level Web site. To get the redirect working, you need to disable SSL for the top-level Web site while leaving it enabled for the relevant child virtual directories.

Select Default Web Site, open the SSL Settings properties, and clear the Require SSL check boxes. Like the redirection settings, this change will be inherited down the tree for any virtual directory that does not explicitly configure the setting independently. Ensure that SSL is required for the following virtual directories:

aspnet_clientAutoDiscoverECP
EWSMicrosoft-Server-ActiveSyncOAB
Windows PowerShellRpc
Warning: If you require SSL for the Windows PowerShell virtual directory, you will render Remote PowerShell inoperable!

After you've configured the redirection and SSL settings, open a command prompt and run iisreset. At this point you should be able to browse to http://localhost on the Client Access server and get redirected t https://owa.customer.com/owa. These steps were tested on Windows Server 2008 R2. They should be similar under Windows Server 2008, but they may not be identical.
Other -----------------
- Planning Client Access to Exchange 2010 (part 1)
- Client Access Server Architecture in Exchange 2010 (part 4)
- Client Access Server Architecture in Exchange 2010 (part 3)
- Client Access Server Architecture in Exchange 2010 (part 2)
- Client Access Server Architecture in Exchange 2010 (part 1) - Client Access Server Architecture
- Exchange Server 2010 Mailbox Services Configuration (part 5) - Configuring Public Folders
- Exchange Server 2010 Mailbox Services Configuration (part 4) - Client Configuration
- Exchange Server 2010 Mailbox Services Configuration (part 3)
- Exchange Server 2010 Mailbox Services Configuration (part 2) - Database Maintenance
- Exchange Server 2010 Mailbox Services Configuration (part 1)
 
 
Most View
- SQL Server Integration Services : The SSIS Designer
- Active Directory Domain Services 2008: Enable the Detailed Directory Service Replication Auditing Subcategory
- Windows 7: Troubleshooting Networking - Checking the Connection Status
- Microsoft Office 2010 : Using and Customizing the Ribbon
- Windows Server 2008 Server Core : Setting Security
- Windows Server 2008 : Configuring FTP (part 12) - Managing FTP Site Settings
- Microsoft Exchange Server 2003: Configuring Recipient Objects (part 2) - Managing Mailboxes
- Exchange Server 2010 : Useful Tools for an Upgrade (part 1)
- SOA with .NET and Windows Azure : WCF Services - Overview
- Windows Azure: Building a Secure Backup System (part 3)
Top 10
- Windows Server 2008: Understanding Read-Only Domain Controllers (part 1)
- SOA with .NET and Windows Azure : Windows Workflow Foundation (part 6)
- Windows Server 2008 Server Core : Working with the Remote Desktop Connection Application (part 2)
- Adding iPad to the Mix
- Windows Phone 7: Responding to a Message
- Adding, Dropping, and Configuring Linked Servers
- iPad Development : Document Management (part 1)
- Building Android Apps : Animation - Adding the Settings Panel
- Windows 7 : Manage Your Network - Connecting to a Network
- Windows Server 2003 : Centralizing Authentication and Authorization with Internet Authentication Server - Installing and Configuring IAS