Welcome to ISAserver.org

Split DNS - multiple Back-end Exchange servers

All Forums >> [ISA 2006 Publishing] >> Exchange Publishing >> Split DNS - multiple Back-end Exchange servers
Split DNS - multiple Back-end Exchange servers - 23.Jul.2008 12:36:41 PM   
davei0594

Hi there,

Am looking to implement RPC/HTTPS for remote access to our Exchange 2003 organisation.

I currently have OWA and OMA\Activesync published via ISA2006 and all is working a treat.

I've been reading Tom's articles on publishing RPC\HTTPS and using a split DNS infrastructure. All makes sense to me, but I'm either failing to grasp a key concept, or I'm just no good at googling!

I have 1 ISA 2006 STD server as a back-end firewall.  I have a DMZ network directly attached to a NIC in the ISA server, and this DMZ hosts 1 front-end Exchange 2003 server running on Server 2003 SP1, with OWA and OMA on this FE server published via ISA.

I have 25 back-end exchange servers spread across our WAN.  One front-end server (our OWA\OMA usage is pretty light).

The owner of our company is a bit of a technophobe, and wants a domain member in his house connected via site-to-site VPN so that he can just 'open Outlook' without having to manually connect a VPN. I'm under the cosh here, as he's the owner! But I am desperate to try and avoid this always-on connection between his house (and associated kids\wlan\NSFW traffic etc.) and our corpnet, hence my motivation to look at RPC/HTTPS. Plus RPC\HTTPS sounds slick!

I realise the success\failure of this could easily rest on the split-DNS implementation.  Which brings me to my question.

Say I take my laptop home and configure my Outlook to use RPC\HTTPS and connect to mail.pubdomain.com.  It connects straight away and I can use my Outlook.  Brilliant.

Then I bring my laptop back onto the corpnet the next day, and fire up Outlook.  My split DNS resolves the name to an internal IP (on the ISA interface say, for the web listener).  My outlook will connect via RPC\HTTPS.  Great, I can still work.

But say I want Outlook to connect directly to the user's back-end server over MAPI while they're in the office. How does Outlook know which back-end Exchange server to connect to once my profile has been changed from normal MAPI mode to RPC\HTTPS mode?

From Outlook's perspective (or outlook's outlook even!!), for any given user profile, does it hold MAPI information AND RPC\HTTPS information?  If so, which does it try first?

I am trying to understand how Outlook will realise it is on the corpnet and use plain MAPI - and how it will find the user's mailbox server.

Hope someone can help me understand this.

Cheers guys.

Dave
Post #: 1
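Dave's whole design rests on the split DNS behaving as he describes: the same published name answers with the internal listener address on the corpnet and with the public address from outside. That is easy to get subtly wrong, so here is an added example (not from the thread or from anyone posting in it) of a small Python check. It takes the answer the corpnet resolver and a public resolver each give for the published name and reports whether the split is actually in place and whether an RFC 1918 address has leaked into public DNS. The host name mail.pubdomain.com comes from the thread; the two sample addresses are constructed placeholders, and in practice the two answers would come from nslookup run against each side's DNS server.

```python
import ipaddress
import socket
from typing import Optional

# RFC 1918 ranges; an address in one of these counts as "internal" for this check.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(ip: str) -> bool:
    """True if ip falls in an RFC 1918 range (unparseable strings count as not internal)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def classify(ip: str) -> str:
    return "internal" if is_internal(ip) else "public"


def check_split_dns(name: str, internal_answer: Optional[str],
                    external_answer: Optional[str]) -> dict:
    """Compare what the corpnet resolver and a public resolver return for `name`.

    Returns {"name": ..., "ok": bool, "problems": [...]}. Rules applied:
      - both sides must answer;
      - the internal answer should be an RFC 1918 address (the ISA web listener);
      - the external answer must NOT be RFC 1918 (that leaks internal addressing
        into public DNS and also breaks remote clients);
      - the two answers should differ, otherwise there is no split at all.
    """
    problems = []
    if not internal_answer:
        problems.append("internal resolver returned no answer")
    elif not is_internal(internal_answer):
        problems.append(
            f"internal resolver returned a public address {internal_answer}; "
            "internal clients will loop out via the public IP"
        )
    if not external_answer:
        problems.append("external resolver returned no answer")
    elif is_internal(external_answer):
        problems.append(f"LEAK: public DNS returns private address {external_answer}")
    if internal_answer and external_answer and internal_answer == external_answer:
        problems.append("both resolvers return the same address; split DNS is not in effect")
    return {"name": name, "ok": not problems, "problems": problems}


def resolve_local(name: str) -> Optional[str]:
    """Resolve through whatever resolver this machine uses (one side of the comparison)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed sample answers (not real data): what the corpnet DNS and a public DNS
# server might return for the published name. Replace with nslookup output per side.
SAMPLE = {
    "name": "mail.pubdomain.com",
    "internal": "10.0.0.5",      # placeholder: ISA web listener address on the corpnet
    "external": "203.0.113.10",  # placeholder: public address of the ISA external interface
}


if __name__ == "__main__":
    result = check_split_dns(SAMPLE["name"], SAMPLE["internal"], SAMPLE["external"])
    print(result)
```

Run it from a corpnet machine with `resolve_local(name)` as the internal answer and the public resolver's answer as the external one; a clean result means Outlook on the corpnet will hit the listener's internal address and a home client will hit the public one, which is exactly the assumption Dave's plan depends on.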
RE: Split DNS - multiple Back-end Exchange servers - 23.Jul.2008 2:00:09 PM   
paulo.oliveira

Hi Dave,

From my point of view, this sounds more like an Exchange and Outlook doubt than ISA 2006.
Interesting and funny what you said about the owner of your company (don't want to make jokes here, sorry if I'm being inconvenient, not what I want).

OK, let's start the answer.
quote:

But say I want Outlook to connect directly to the users back-end server over MAPI while they're in the office.  How does Outlook know which back-end exchange server to connect to once my profile has been changed from normal mapi mode to RPC\HTTPS mode?

If you want to connect directly, I mean without using the RPC, you have to uncheck this option in Outlook. At least, I don't know any other way.

quote:

From Outlook's perspective (or outlook's outlook even!!), for any given user profile, does it hold MAPI information AND RPC\HTTPS information?  If so, which does it try first?

It will try RPC first, because that's what is selected in Outlook.

quote:

I am tring to understand how Outlook will realise it is on the corpnet and use plain MAPI - and how it will find the user's mailbox server.

Outlook checks if the RPC checkmark is selected or not and connects using the user attributes in AD. Every user has an attribute saying where their mailbox is.
In a front-end/back-end scenario, when users connect to OWA, the Exchange front-end server queries the back-end servers, checks where the user's mailbox is and redirects.

My advice for you is to configure the company owner with RoH (HTTPS); this way it will be more secure.

Regards,
Paulo Oliveira.

(in reply to davei0594)
Post #: 2
RE: Split DNS - multiple Back-end Exchange servers - 25.Jul.2008 4:33:05 AM   
davei0594

Hi Paulo,

No problem, I think it's funny too!  Unfortunately his brother is the head of IT....  IT policies apply stringently to everyone in the group... except the owner!

Funny old world!  Still when it's his money I guess he earns the right to do what he wants.....

That age-old slider of Convenience vs Security....  I thought this Outlook rpc\http would be the answer to my prayers but having discussed it with my boss (owner's brother), it emerges that he can't even be arsed to type his password in for the basic authentication box when he opens outlook.  He wants to literally log on to the computer and then open outlook and it 'just works'.  "Just like when he's in the office."

Not sure how good an idea it is to use Integrated auth?  Even though it is over https?  Any thoughts\comments?

So as it stands I think I'll have to slap a PIX or something in his house, put a VPN in and just tie the tunnel down to the one IP address of his machine. Shame.

But I am halfway through setting up RPC\HTTPS anyway as I am on a personal mission to cut down the number of staff who VPN to our corpnet.  And the biggest reason they VPN is because they 'don't like Outlook Web Access' or whatever and want to use full-fat Outlook.  Each to their own.

I think I may have found the answer to my question: in the user's Outlook profile, under 'More settings' and then 'Connection', there are the Exchange HTTP settings. In there there are 2 tick boxes, 'On slow network, connect using HTTP first'. I think this is what I was after. I want to know that when the clients come back into the corpnet they will connect with full-fat MAPI rather than all connecting to our FE server in our ISA DMZ (therefore looping back through the ISA).

Thanks for sharing your thoughts though.

PS V impressed with ISA 2006 and publishing OWA, ActiveSync and RPC\HTTPS using 1 listener, 1 IP and 1 certificate. Couldn't believe my luck!!

(in reply to paulo.oliveira)
Post #: 3
RE: Split DNS - multiple Back-end Exchange servers - 25.Jul.2008 10:25:28 AM   
paulo.oliveira

Hi Dave,

quote:

I think I may have found the answer to my question, in the users' Outlook Profile, under 'More settings' and then 'Conection' there is the Exchange HTTP settings.  In there there are 2 tick boxes 'On Slow Network, connect using HTTP first'.  I think this is what i was after.  I want know that when the clients come back into the corpnet they will connect with full-fat MAPI rather than all connecting to our FE server in our ISA DMZ (therefore looping back through the ISA).

Not sure if this will work. I think the only way is to test it yourself. Maybe someone here at isaserver.org has an answer for this "issue".

quote:

PS V impressed with ISA 2006 and publishing OWA, ActiveSync and RPC\HTTPS using 1 listener, 1 IP and 1 Certificate.  Couldnt' believe my luck!!

Hey, ISA rules!!

Good luck with that and let us know if it worked or not!!

Regards,
Paulo Oliveira.

(in reply to davei0594)
Post #: 4
RE: Split DNS - multiple Back-end Exchange servers - 31.Jul.2008 5:06:26 PM   
davei0594

Hi,

The answer to my own question is:  Yes - Outlook does hold info both on standard full-fat MAPI profile, AND the RPC\HTTPS settings.

The only variable left I don't quite understand is how Outlook decides which connection is a 'fast network connection' versus a slow one, thereby choosing whether to use MAPI or RPC\HTTPS.

Not that I care at the moment because I have just got RPC\HTTPS working and everything seems to be working a treat! :-)


(in reply to paulo.oliveira)
Post #: 5
RE: Split DNS - multiple Back-end Exchange servers - 1.Aug.2008 7:34:57 AM   
paulo.oliveira

Hi,

So it worked for you! Thanks for the follow-up!

Regards,
Paulo Oliveira.

(in reply to davei0594)
Post #: 6
RE: Split DNS - multiple Back-end Exchange servers - 1.Aug.2008 3:23:09 PM   
paulo.oliveira

Hi,

If it was Exchange 2007 you could do it as Jason's article says...

Publishing Exchange 2007 Services with ISA Server 2006 – Creating the Publishing Rule for Outlook Anywhere with Transparent Windows Authentication

Regards,
Paulo Oliveira.

(in reply to davei0594)
Post #: 7
