3. Exchange ActiveSync (EAS)
ActiveSync enables mailbox access for compatible mobile devices. Its
access methods are very similar to those of OWA. EAS proxying is shown in Figure 10.
Figure 10. EAS proxying
If the client accesses the Client
Access server in Denver, that server looks up where the user's mailbox
resides, which in this example is Miami. It then checks that the remote
Client Access server has no externalURL property set and that its /Microsoft-Server-ActiveSync
Virtual Directory is configured for Windows Integrated authentication.
If both checks pass, the connection is proxied to the internalURL specified
on the remote server's ActiveSync Virtual Directory. If the authentication is incorrectly set or the internalURL is not reachable, the request fails.
EAS redirection logic is similar to that of OWA. Only Windows
Mobile 6.1 and later phones have the functionality we are about to
examine; older Windows Mobile phones, or phones from vendors that license ActiveSync
technology, may not behave the same way. As shown in Figure 11,
when a client goes to the Client Access server in Denver, that server looks
up where the user's mailbox resides and determines whether the remote
server's externalURL property is set. If it is, the Client Access server returns HTTP error code 451, which is a client redirect containing the URL of the optimal Client Access server.
It is recommended that Exchange
ActiveSync be load-balanced for both internal- and external-facing sites.
The synchronization state is stored in the user's mailbox, but if the
Client Access servers are not load-balanced, the sync will be tied to a
specific Client Access server. If that host becomes unavailable,
synchronization will fail until the service is restored.
Figure 11. EAS redirection
Senior PM – Exchange Product Group, Microsoft Corporation
Quite often I am asked by customers if setting the externalURL
property is required, and like all good ex-consultants, I answer, "It
depends." That's because all clients work in different ways, so the
question I respond with is "What client are we talking about?"
This is the ActiveSync section of the book, but let's talk about OWA first: if you don't set an externalURL
on a VDir, does that mean you cannot connect? No, it doesn't—you can
connect just fine as long as the client can resolve the name to an IP,
the certificate is valid, and the right authentication is enabled. What
if you have two Active Directory connected sites? If you don't set an externalURL, how can you redirect a client to the other site? You can't—so having externalURL
configured for OWA is not strictly necessary unless you need
redirection. Still, I would always recommend setting them, and
setting them all to the same value within an Active Directory site.
Now, back to ActiveSync. This
is where things get more interesting in a nerdy kind of way. When an
ActiveSync client performs an AutoDiscover request, the Client Access
server returns to the client the server configuration it should use.
And that setting is (drum roll please) the value of externalURL
on the Internet-facing Client Access server. What if, like OWA, you
didn't set it during install, or since? No AutoDiscover. So if you want
AutoDiscover to work, you need to set it on all the Client Access
servers in the Internet-facing Active Directory site(s).
4. Exchange Web Services
Exchange Web Services (EWS) differs from the other services discussed so far because it only supports proxying. It relies on AutoDiscover to provide clients, whether Outlook or an application, with the correct URLs. Figure 12 depicts the proxy scenario for EWS.
Figure 12. EWS proxy
EWS calls are
generally stateless, but a number of operations require EWS to maintain
state. For example, subscriptions require affinity (reconnecting to the
same host) to work. The Availability Service, by contrast, is an example of
an Exchange Web Service that is stateless. Even for the Exchange Web Services that are stateless, maintaining state has performance benefits.
A problem arises when Denver has to proxy to Miami. As Figure 12 shows, Miami's Client Access servers sit behind a load balancer, and their internalURL is appropriately set to the array name. For affinity to be maintained, the proxy process instead uses the internalNLBBypassURL, which is set by default to the FQDN of the host. This value should never be changed.
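As an added example (not the book's own code), the following Exchange Management Shell script audits the settings that the EAS proxy and redirect checks above and the EWS affinity rule depend on: Windows Integrated authentication and a reachable internalURL on each ActiveSync Virtual Directory, a consistent externalURL across the Client Access servers of each Active Directory site, and an unchanged internalNLBBypassURL on each EWS Virtual Directory. The cmdlets and properties are the real ones; the TCP-connect probe used to judge reachability is an assumption of this example.

```powershell
# Added example, not from the book: audit the EAS/EWS virtual directory settings
# that the proxy, redirect and affinity logic above depends on. Run it in the
# Exchange Management Shell. Assumption: a TCP connect to the InternalUrl
# host/port is treated as "reachable".

function Test-UrlHostPort {
    param([string]$Url, [int]$TimeoutMs = 3000)
    if (-not $Url) { return $false }
    $uri = [Uri]$Url
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($uri.Host, $uri.Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

$findings = @()
$casServers = Get-ExchangeServer | Where-Object { $_.IsClientAccessServer }

foreach ($cas in $casServers) {
    # EAS proxying requires Windows Integrated auth on the target vdir;
    # without it the cross-site request fails.
    $eas = Get-ActiveSyncVirtualDirectory -Server $cas.Name
    if (-not $eas.WindowsAuthEnabled) {
        $findings += "$($cas.Name): EAS WindowsAuthEnabled=False, proxying will fail"
    }
    # The proxy target is the vdir's InternalUrl; probe it from this host.
    if (-not (Test-UrlHostPort $eas.InternalUrl)) {
        $findings += "$($cas.Name): EAS InternalUrl '$($eas.InternalUrl)' not reachable"
    }
    # EWS affinity relies on InternalNLBBypassUrl naming the host itself,
    # not the load-balanced array.
    $ews = Get-WebServicesVirtualDirectory -Server $cas.Name
    if ($ews.InternalNLBBypassUrl -and $ews.InternalNLBBypassUrl.Host -ne $cas.Fqdn) {
        $findings += "$($cas.Name): EWS InternalNLBBypassUrl host is not $($cas.Fqdn)"
    }
}

# EAS ExternalUrl is what AutoDiscover hands to devices; it should be set and
# identical on every Client Access server within an Active Directory site.
$casServers | Group-Object { $_.Site.ToString() } | ForEach-Object {
    $urls = $_.Group | ForEach-Object {
        $u = (Get-ActiveSyncVirtualDirectory -Server $_.Name).ExternalUrl
        if ($u) { $u.ToString() } else { '<unset>' } } | Sort-Object -Unique
    if (@($urls).Count -ne 1) { $findings += "Site $($_.Name): EAS ExternalUrl differs: $($urls -join ', ')" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No findings' }
```

Each warning maps to one of the failure modes described above (failed EAS proxy, unreachable internalURL, lost EWS affinity, or AutoDiscover handing devices inconsistent URLs), so the output can be read directly against this section.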
Also note that as of Service Pack 1, EWS supports
certificate authentication. This addition can enforce stronger authentication
of clients and provide more control over which users and applications
can access EWS.