Thursday, June 21, 2012

WHY the Client Access Array name is internal ONLY


When deploying Exchange 2010 it is recommended to create a CAS Array (Client Access Server Array). A CAS Array is recommended even if you have only one CAS, or a single multi-role Exchange server, in your deployment plans.

I want to reiterate why the FQDN of the CAS Array should be resolvable only via internal DNS and should not be published to the outside.

The short answer is to prevent a delay for Outlook clients that are outside the network and trying to connect. Now let's look at this a bit deeper and understand what it means in practice.

When a client opens Outlook internally, Outlook first tries to resolve the home server property configured in the profile. That gives Outlook an FQDN such as outlook.internal.local. Outlook then checks the workstation's TCP/IP configuration to find out which DNS server to talk to, and asks that server for the IP address of outlook.internal.local.

Outlook opens up internally (CAS ARRAY NAME IS resolved by internal DNS)

  • It resolves the "home server property": outlook.internal.local
  • It finds out which DNS server to talk to (from the TCP/IP stack configured on the workstation)
  • It asks for the IP address of "outlook.internal.local" (we assume this is the name configured in Outlook)
  • The internal DNS server answers: outlook.internal.local = 192.168.1.100
  • Outlook now attempts to open TCP 135 (the RPC endpoint mapper) to 192.168.1.100


Outlook opens up externally (CAS ARRAY NAME IS resolvable from outside)

  • It resolves the "home server property": outlook.internal.local
  • It finds out which DNS server to talk to (from the TCP/IP stack configured on the workstation)
  • It asks for the IP address of "outlook.internal.local" (we assume this is the name configured in Outlook)
  • It gets 165.164.163.100 (assuming the CAS ARRAY NAME is published in external DNS)
  • Outlook now attempts to open TCP 135 to 165.164.163.100
  • The firewall in front of the destination network will most likely not allow TCP 135 from outside to the VIP of the CAS Array
  • The firewall does not reject the attempt outright; it holds (drops) the connection, so Outlook waits for the TCP attempt to time out before it gives up
  • Outlook then falls back and tries to establish a connection on port 80 (HTTP)
  • That most likely fails as well, since port 80 is not allowed from outside either
  • Outlook FINALLY attempts to connect on port 443 (HTTPS), gets through the destination network's firewall and establishes the connection. The waiting on the earlier attempts is where you see the "DELAY"

Outlook opens up externally (CAS ARRAY NAME IS NOT resolvable from outside)

  • It resolves the "home server property": outlook.internal.local
  • It finds out which DNS server to talk to (from the TCP/IP stack configured on the workstation)
  • outlook.internal.local does not resolve to an IP address, so there is nothing to try TCP 135 or port 80 against
  • Outlook establishes the HTTPS connection directly, with no delay.
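As an added example (not code from the original post), the following Python models the sequence described above: resolve the CAS Array FQDN with the workstation's DNS, then try TCP 135, 80 and 443 in turn and account for what each step costs. It assumes a 21-second TCP connect timeout (the Windows SYN retransmit budget of 3 + 6 + 12 seconds), and that the HTTPS step is Outlook Anywhere against a separately published external host name (mail.example.com here, a placeholder); the post does not spell out either of these. The resolver and connector are parameters so the three cases can be modelled without a network, and with the defaults the script performs real DNS lookups and TCP handshakes, so running it from outside the network against your own CAS Array FQDN shows whether the name leaks and which port finally answers.

```python
"""Model of the Outlook startup sequence from the post: resolve the CAS
Array FQDN, then try RPC (TCP 135), RPC-over-HTTP (80) and HTTPS (443).
Added example; the names, addresses and timeouts are assumptions."""
import socket
import time
from dataclasses import dataclass, field
from typing import List, Optional

# Windows TCP SYN budget: 3 s + 6 s + 12 s of retransmits before giving up.
# A firewall that silently drops TCP 135 costs the client this full wait.
SYN_TIMEOUT = 21.0


@dataclass
class Attempt:
    host: str
    port: int
    outcome: str        # "connected", "refused" or "timeout"
    seconds: float


@dataclass
class Result:
    attempts: List[Attempt] = field(default_factory=list)

    @property
    def total_seconds(self) -> float:
        return sum(a.seconds for a in self.attempts)

    @property
    def connected_port(self) -> Optional[int]:
        return next((a.port for a in self.attempts if a.outcome == "connected"), None)


def resolve(fqdn: str) -> Optional[str]:
    """Default resolver: the workstation's configured DNS, as Outlook uses."""
    try:
        return socket.gethostbyname(fqdn)
    except socket.gaierror:
        return None


def tcp_connect(address: str, port: int, timeout: float):
    """Default connector: one TCP handshake with a bounded wait.
    'refused' means a RST came back (cheap); 'timeout' means the SYN was
    silently dropped, which is the expensive case the post describes."""
    t0 = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((address, port))
            outcome = "connected"
        except socket.timeout:
            outcome = "timeout"
        except OSError:
            outcome = "refused"
    return outcome, time.monotonic() - t0


def outlook_startup(cas_array_fqdn: str, anywhere_fqdn: str,
                    resolver=resolve, connector=tcp_connect,
                    timeout: float = SYN_TIMEOUT) -> Result:
    """Walk the fallback chain and account for the cost of each step.

    cas_array_fqdn: the RPC Client Access array name (internal-only by design).
    anywhere_fqdn:  the Outlook Anywhere external host name used for the
                    HTTPS step (assumption: the post's 443 step is this).
    """
    result = Result()
    address = resolver(cas_array_fqdn)
    if address is not None:
        # The name resolves, so Outlook tries direct RPC first, then RPC over HTTP,
        # and pays the firewall's timeout for each attempt that is silently dropped.
        for port in (135, 80):
            outcome, secs = connector(address, port, timeout)
            result.attempts.append(Attempt(cas_array_fqdn, port, outcome, secs))
            if outcome == "connected":
                return result
    # Name did not resolve (or RPC and HTTP failed): straight to Outlook Anywhere.
    proxy = resolver(anywhere_fqdn)
    if proxy is not None:
        outcome, secs = connector(proxy, 443, timeout)
        result.attempts.append(Attempt(anywhere_fqdn, 443, outcome, secs))
    return result


if __name__ == "__main__":
    # Real lookups and handshakes against the post's example name; the
    # Outlook Anywhere name is a placeholder, substitute your own.
    r = outlook_startup("outlook.internal.local", "mail.example.com")
    for a in r.attempts:
        print(f"{a.host}:{a.port} {a.outcome} after {a.seconds:.1f}s")
    print(f"connected on {r.connected_port}, total {r.total_seconds:.1f}s")
```

Passing a resolver that returns None for the array name reproduces the "not resolvable from outside" case (a single 443 attempt), while a resolver that does return the public VIP together with a connector that reports "timeout" for 135 and 80 reproduces the firewalled case and its roughly 42-second start-up delay; an internal run where 135 answers immediately stops after the first attempt.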

Respectfully,
Oz Casey, Dedeal (MVP North America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

2 comments:

Scott Schnoll said...

The real answer as to why the CAS Array is internal is because its actual name is the RPC Client Access Server Array. It is designed only for MAPI/RPC clients, which will always be internal clients. Thus, the RPC CAS Array name need only be resolvable internally.

Ascodepatriarcado said...

Thanks for this