MsExchange Blog Spot Telnet25

June 21, 2012

WHY ClientAccessArray name is internal ONLY

Filed under: General — telnet25 @ 6:05 pm


When deploying Exchange 2010 it is recommended to set up a CAS Array (Client Access Server Array). A CAS Array is recommended even if you have only one CAS, or a single multi-role Exchange server, in your deployment plans.

I wanted to reiterate why the FQDN of the CAS Array should be resolvable only via internal DNS and should not be exposed to the outside.

The short answer is to prevent a delay for Outlook clients when they are outside the network and trying to connect. Now let’s look into this a bit deeper and try to understand what this means to us.

When a client opens Outlook internally, Outlook first tries to resolve the home server property configured in the Outlook profile. Outlook gets an FQDN such as outlook.internal.local, then checks its configured TCP/IP settings to find out which DNS server to talk to, and requests the IP address for the name outlook.internal.local.

Outlook opens internally (client on the internal network):

  • It resolves the “home server property” outlook.internal.local
  • It finds out which DNS server to talk to (TCP/IP stack defined on the workstation and DNS)
  • It asks for the IP address of “outlook.internal.local” (we assume this was configured within Outlook)
  • The IP address comes back from the DNS server as 192.168.1.100, i.e. outlook.internal.local = 192.168.1.100 (the internal DNS server provided the IP address)
  • Now Outlook attempts to open TCP 135 to this destination, 192.168.1.100


Outlook opens externally (CAS Array name IS resolvable from outside):

  • It resolves the “home server property” outlook.internal.local
  • It finds out which DNS server to talk to (TCP/IP stack defined on the workstation and DNS)
  • It asks for the IP address of “outlook.internal.local” (we assume this was configured within Outlook)
  • It gets the IP address 165.164.163.100 (assuming the CAS Array name IS published outside)
  • Now Outlook attempts to open TCP 135 to this destination, 165.164.163.100
  • The firewall on the destination network most likely won’t allow a TCP 135 connection back inside to the VIP of the CAS Array
  • The firewall holds the connection attempt until it times out before the client releases the TCP connection
  • The Outlook client now falls back and tries to establish a connection on port 80 (HTTP)
  • The Outlook client cannot connect, since port 80 is most likely not allowed from outside either
  • The Outlook client FINALLY attempts to connect on port 443 (HTTPS), gets through the firewall of the destination network and establishes the connection, and this is where you see the “DELAY”

Outlook opens externally (CAS Array name is NOT resolvable from outside):

  • It resolves the “home server property” outlook.internal.local
  • It finds out which DNS server to talk to (TCP/IP stack defined on the workstation and DNS)
  • outlook.internal.local does not resolve to an IP address
  • Outlook establishes the HTTPS connection directly.
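To make the delay argument concrete, here is an added Python model (not code from the post or from Exchange) of the three start-up sequences above. The port order and the two addresses come from the post; DROP_TIMEOUT, the firewall tables and the live_view helper are constructed assumptions.

```python
import socket
from dataclasses import dataclass

PORT_ORDER = (135, 80, 443)   # fallback order Outlook uses, per the post
DROP_TIMEOUT = 21.0           # constructed: seconds a silently dropped TCP connect waits
FQDN = "outlook.internal.local"                      # name used in the post
INTERNAL_DNS = {FQDN: "192.168.1.100"}               # internal view, from the post
PUBLIC_DNS_LEAKED = {FQDN: "165.164.163.100"}        # name published outside (post)
PUBLIC_DNS_CLEAN = {}                                # name kept internal only
LAN_FIREWALL = {135: "allow", 80: "allow", 443: "allow"}      # constructed
PERIMETER_FIREWALL = {135: "drop", 80: "drop", 443: "allow"}  # constructed

@dataclass
class Attempt:
    port: int
    result: str    # "connected" or "dropped" (firewall holds the SYN)
    delay: float   # seconds the client waited on this attempt

def simulate(fqdn, resolver, firewall):
    """Model one Outlook start-up. resolver is the DNS view the client sees
    (name -> IP, missing = NXDOMAIN); firewall maps port -> "allow"/"drop".
    Returns (attempts, total_delay_seconds)."""
    if fqdn not in resolver:
        # No address for the CAS Array name: Outlook skips RPC/TCP and goes
        # straight to its Outlook Anywhere (HTTPS) settings.
        return [Attempt(443, "connected", 0.0)], 0.0
    attempts, total = [], 0.0
    for port in PORT_ORDER:
        if firewall.get(port) == "allow":
            attempts.append(Attempt(port, "connected", 0.0))
            break
        attempts.append(Attempt(port, "dropped", DROP_TIMEOUT))
        total += DROP_TIMEOUT
    return attempts, total

def scenarios():
    """The three cases walked through in the post."""
    return {
        "internal": simulate(FQDN, INTERNAL_DNS, LAN_FIREWALL),
        "external_leaked": simulate(FQDN, PUBLIC_DNS_LEAKED, PERIMETER_FIREWALL),
        "external_clean": simulate(FQDN, PUBLIC_DNS_CLEAN, PERIMETER_FIREWALL),
    }

def live_view(fqdn):
    """DNS view from this host's resolver, usable as `resolver` above; run it
    from outside the network to confirm the name is not publicly resolvable."""
    try:
        return {fqdn: socket.gethostbyname(fqdn)}
    except socket.gaierror:
        return {}
```

Running scenarios() shows the leaked case paying two full connect timeouts before HTTPS, while the internal-only name goes to 443 immediately.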

Respectfully,
Oz Casey, Dedeal (MVP North America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
https://telnet25.wordpress.com/ (Blog)
