Dedicated CAS array for ActiveSync and Blackberry and certificate configuration

  • Question

  • Hello -

    Currently have a HLB CAS array (each also running hub) with 4 members - it services Outlook Anywhere, ActiveSync, OWA and autodiscover. Has a SAN certificate installed on each node and using DNS to point to the common name of the cert. Things work fine.

    BES also points to the CAS nodes and has been causing it much grief. So the idea is to point BES and ActiveSync servers to dedicated CASs - so as not to disturb the array servicing clients and routing mail. I pulled up two CAS-only boxes (no hub role) and they automatically added themselves to the array, which is ok because on the HLB I haven't included them yet. Noticed already though that some clients are trying to connect to them, because upon starting Outlook they are getting certificate warnings. I am sure this would go away if I exported the certificate from one of the current CASs and imported it - but do I really want to do this? Is there a way to stop them from listening to client requests while I plan on how to configure them for ActiveSync only?

    If I do that - I could just make a new pool on the HLB that points to just these boxes with a name like mobile.company.com. But since mobile is not on the current SAN of the cert, would this be a problem?

    Is there a way I can disable all services on the new CAS but ActiveSync? I don't see it. Would the idea of the current cert still work, or should I request a new one with mobile.company.com as common name? I don't think BES cares, it just needs access to mailboxes, but ActiveSync with SSL would.

    Any input much appreciated.

    TIA

    Tuesday, July 24, 2012 1:50 AM

All replies

  • Shouldn't hit it if it wasn't added to the LB pool. Possibly autodiscover, can you check if your autodiscover was pointing to each CAS member?

    get-clientaccessserver CAS1 | fl

    autodiscoverserviceinternaluri - is this pointing to your CAS1 server or the friendly name mail.company.com/autodiscover/autodiscover.xml


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Tuesday, July 24, 2012 3:24 AM
  • Autodiscover does point to the CAS array. The new boxes are not in the HLB - but internal clients are hitting it - not external.

    Is there a way to pull them out of this CAS array and put them into another to only do ActiveSync? Or will they always service internal Outlook clients?

    Tuesday, July 24, 2012 12:54 PM
  • Actually it is the autodiscover that's hitting it, you can't stop it because internal clients query the GC for the SCP record and can go to any CAS, so the LB has nothing to do with it.

    No you can't exclude a CAS from the array, it's just a backlink, once a CAS is installed and added to the site it's automatically added to the array.

    You can see similar attempts here.

    Adding a CAS only for OWA and not autodiscover
    http://social.technet.microsoft.com/Forums/en/exchange2010/thread/f189fe43-e781-4410-99c6-2e9137e388fb


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com


    Tuesday, July 24, 2012 3:46 PM
  • "No you can't exclude a CAS from the array its just a backlink, once a CAS is installed and added to the site it's automatically added to the array."

    Do you mean you cannot exclude ActiveSync (and other CAS services)? I would think you could limit or dedicate a CAS and/or CAS array to things such as ActiveSync and block OWA and Outlook Anywhere?!?!

    Wednesday, July 25, 2012 8:03 PM
  • Yes you can segment your CAS for AS, OWA, OA as long as you don't put it in the LB pool, however you can't stop the clients hitting them for autodiscover which is what you're seeing.


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Wednesday, July 25, 2012 8:24 PM
  • Thanks James

    "Yes you can segment your CAS for AS, OWA, OA as long as you don't put it in the LB pool"

    Where is this documented - cannot seem to find it. What I would like to do is put two dedicated CASs doing only AS in their own pool on the LB? Possible, right - where is this available?

    Wednesday, July 25, 2012 9:06 PM
  • You won't find any documentation stating that because it's implicit, if it's not in the pool no traffic will go to it (except for autodiscover). You can verify by looking at all your IIS logs. Yes you can put dedicated CAS in its own pool and provide a different namespace. You will need to get a new SAN cert that has the old namespace as well as the new namespace so that your clients don't get the cert warning due to autodiscover hitting the new CAS boxes.

    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Wednesday, July 25, 2012 10:08 PM
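The two facts this reply hinges on (every CAS publishes an Autodiscover SCP that internal Outlook may land on, and the IIS certificate on that CAS must cover that name) can be audited across the org in one pass. This is an added example for the Exchange 2010 Management Shell, not code from the thread; it assumes the standard Get-ClientAccessServer and Get-ExchangeCertificate cmdlets and uses New-Object rather than [pscustomobject] so it also runs under PowerShell 2.0.

```powershell
# Added example (not from the thread): for every CAS, report where its
# Autodiscover SCP points and whether the certificate enabled for IIS on that
# box covers that host name. Run in the Exchange 2010 Management Shell.

$report = foreach ($cas in Get-ClientAccessServer) {
    $scpUri  = [string]$cas.AutoDiscoverServiceInternalUri
    $scpHost = if ($scpUri) { ([System.Uri]$scpUri).Host } else { '<none>' }

    # The certificate enabled for the IIS service is the one Autodiscover,
    # ActiveSync, OWA and Outlook Anywhere clients are shown.
    $iisCert = Get-ExchangeCertificate -Server $cas.Name |
               Where-Object { $_.Services -match 'IIS' } |
               Sort-Object NotAfter -Descending |
               Select-Object -First 1

    if (-not $iisCert) {
        Write-Warning ("{0}: no certificate enabled for IIS" -f $cas.Name)
        continue
    }

    # A SAN entry matches either exactly or as a wildcard
    # (*.company.com covers mail.company.com but not company.com).
    $covered = $false
    foreach ($san in $iisCert.CertificateDomains) {
        $sanName = [string]$san
        if ($sanName -ieq $scpHost) { $covered = $true; break }
        if ($sanName.StartsWith('*.') -and $scpHost -ilike $sanName -and
            ($scpHost.Split('.').Count -eq $sanName.Split('.').Count)) {
            $covered = $true; break
        }
    }

    New-Object PSObject -Property @{
        Server       = $cas.Name
        ScpHost      = $scpHost
        CertSubject  = $iisCert.Subject
        Thumbprint   = $iisCert.Thumbprint
        Expires      = $iisCert.NotAfter
        SelfSigned   = $iisCert.IsSelfSigned
        ScpHostInSAN = $covered
    }
}

$report | Sort-Object Server |
    Format-Table Server, ScpHost, ScpHostInSAN, SelfSigned, Expires, Thumbprint -AutoSize
```

Any row with ScpHostInSAN = False (typically a freshly installed CAS still carrying its self-signed certificate and a server-specific SCP URI) is a box internal Outlook can reach via the SCP lookup and warn about; the fix is to point its SCP at the shared namespace with Set-ClientAccessServer -AutoDiscoverServiceInternalUri or to bind a SAN certificate that covers that name.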
  • Before you even try this just add the 2 new CAS to the existing pool to see if it alleviates your performance. Segmenting CAS servers like this is not a conventional setup. You mention BES and ActiveSync users are causing you grief, how did you verify if it's a load issue?


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Wednesday, July 25, 2012 10:24 PM
  • The BES on occasion locks up the CAS it is connected to. And considering we are going to a new mobile MDM solution - the idea was to keep the clients up and running on existing CASs and provide dedicated CASs for the BES and mobile devices.

    Thursday, July 26, 2012 3:23 PM
  • I have not heard of BES locking up a CAS box, I would suggest to open another thread for BES locks up CAS. Maybe it's not a load issue but something else going on, unless you've already confirmed it's a load issue by capturing perfmon stats. You don't want to do all this work segmenting and still discover the BES is locking up the CAS boxes.

    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Thursday, July 26, 2012 3:41 PM