What is the difference between mailflow and client access

  • Question

  • Hello.

    I have Exchange with an Edge Transport server.

    I have only one public IP on the external network adapter of the Edge server, so how can my users open OWA from the web?

    What is the difference between mail flow and client access?

    What is the routing structure in mail flow and client access?

    Does Client Access need to connect to Exchange directly, or can it go through the Edge server?

    Thanks

    Monday, August 28, 2017 1:15 PM

All replies

  • Hi,

    Mail flow is managed by the MX record. This should point to your Edge server.

    Client access needs to be pointed to your reverse proxy and be configured on your virtual directory in Exchange ECP. Normally only mail.domain.com/owa and Autodiscover.domain.com are needed in internal and external DNS. Those two records should point to your reverse proxy. Look at my guide here: https://gallery.technet.microsoft.com/Installing-Exchange-2016-57d3f407?redir=0

    If no reverse proxy is in place (TMG, KEMP or other), then you can deploy IIS ARR, but I'm not sure if it is supported to install that on your Edge server.


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Thank you! Off2work

    Monday, August 28, 2017 1:20 PM
  • Hi,

    Thanks for contacting our forum. 

    For your questions:

    1. What is the difference between mail flow and client access?

    As off2work mentioned.

    2. What is the routing structure in mail flow and client access?

    • Internet (DNS lookup for MX records) -> Edge (Edge subscription send connector) -> Exchange internal server (Hub Transport) -> Mailbox server (DB)
    • Client access: the client uses the RPC/HTTP protocol, looking for the published VD -> CAS server role (RPC proxy) -> Mailbox server

    3. Does Client Access need to connect to Exchange directly, or can it go through the Edge server?

    Internally, the clients connect to Exchange directly; externally it can go through Edge or connect to the Exchange server directly.

    Hope this helps you understand more directly.


    Regards,

    Jason Chao


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Edited by Jason.Chao Wednesday, August 30, 2017 2:54 AM
    • Proposed as answer by Jason.Chao Wednesday, August 30, 2017 2:55 AM
    • Marked as answer by white_snow_888888 Wednesday, September 6, 2017 2:28 PM
    Wednesday, August 30, 2017 2:54 AM
  • Hello.

    1. What is the difference between mail flow and client access?

    As off2work mentioned.

    2. What is the routing structure in mail flow and client access?

    • Internet (DNS lookup for MX records) -> Edge (Edge subscription send connector) -> Exchange internal server (Hub Transport) -> Mailbox server (DB)
    • Client access: the client uses the RPC/HTTP protocol, looking for the published VD -> CAS server role (RPC proxy) -> Mailbox server

    3. Does Client Access need to connect to Exchange directly, or can it go through the Edge server?

    Internally, the clients connect to Exchange directly; externally it can go through Edge or connect to the Exchange server directly. (How can I connect through the Edge server?)

    Thanks.

    Thursday, August 31, 2017 6:29 PM
  • Hello.

    Client access needs to be pointed to your reverse proxy and be configured on your virtual directory in Exchange ECP. Normally only mail.domain.com/owa and Autodiscover.domain.com are needed in internal and external DNS. Those two records should point to your reverse proxy. (Is there another solution without using the reverse proxy? If yes, do I need to point to edge.domain.com or to exchange.domain.com in external DNS?)

    Thursday, August 31, 2017 6:30 PM
  • If no reverse proxy is in place (TMG, KEMP or other), then you can deploy IIS ARR, but I'm not sure if it is supported to install that on your Edge server.

    IIS ARR: https://blogs.technet.microsoft.com/exchange/2013/07/19/part-1-reverse-proxy-for-exchange-server-2013-using-iis-arr/

    I'm not sure if it is supported to install this on the Edge server.


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Thank you! Off2work

    Thursday, August 31, 2017 6:38 PM
  • Hello.

    Yes, you are right.

    But I'm asking: how do I configure it without a reverse proxy and IIS ARR?

    Is there any way to point Autodiscover to the Edge server and then have the Edge server send to CAS?

    To my knowledge, I think MX points to edge.domain.com and Autodiscover points to exchange.domain.com (it has CAS).

    But I don't have any public IP on the external network adapter of the Exchange server, so I need to use the Edge server for Autodiscover. For example, autodiscover.domain.com points to the public IP of the Edge server instead of the public IP of the Exchange server (but there is no CAS on the Edge server). Is there any solution?

    Thanks

    Friday, September 1, 2017 4:46 AM
  • You are right, OWA should go to the CAS, and the MX record should point to the Edge server so it can do the filtering/scan. If you are talking about the OWA record, then it should be pointing to the CAS server in the LAN; the autodiscover.domain.com public IP should also point to the CAS server role.

    Per my experience, it’s hard to find other ways.

    Thanks.


    Regards,

    Jason Chao



    Wednesday, September 6, 2017 4:39 AM
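
Added example, not part of the thread or of any poster's code: a check that a DNS and publishing plan matches the layout the answers above describe (MX lands on the Edge server, the OWA and Autodiscover names land on the reverse proxy or CAS). The host names, IP address and the `PUBLISHED` firewall map are constructed sample data, and modelling publishing as (public IP, TCP port) pairs on ports 25 and 443 is an assumption made so the single-public-IP case from the question can be expressed.

```python
# Added example: every name, IP and publishing rule below is constructed sample data.
ZONE = [  # external DNS records: (name, type, value)
    ("domain.com", "MX", "edge.domain.com"),
    ("edge.domain.com", "A", "203.0.113.10"),
    ("mail.domain.com", "A", "203.0.113.10"),
    ("autodiscover.domain.com", "CNAME", "mail.domain.com"),
]
# Assumption: the firewall publishes (public IP, TCP port) -> role of the internal host.
PUBLISHED = {
    ("203.0.113.10", 25): "edge",
    ("203.0.113.10", 443): "reverse-proxy",
}
CLIENT_NAMES = ("mail.domain.com", "autodiscover.domain.com")


def resolve(zone, name, depth=0):
    """Return the IPs a name resolves to, following CNAMEs (loop-guarded)."""
    if depth > 8:
        return []
    ips = []
    for rname, rtype, value in zone:
        if rname.lower() != name.lower():
            continue
        if rtype == "A":
            ips.append(value)
        elif rtype == "CNAME":
            ips.extend(resolve(zone, value, depth + 1))
    return ips


def landing(zone, published, name, port):
    """Roles of the hosts answering name:port ('unpublished'/'unresolved' if none)."""
    roles = [published.get((ip, port), "unpublished") for ip in resolve(zone, name)]
    return roles or ["unresolved"]


def audit(zone, published, mail_domain, client_names=CLIENT_NAMES):
    """List deviations from: MX -> Edge on 25, client access -> reverse proxy/CAS on 443."""
    findings = []
    mx_hosts = [v for n, t, v in zone if t == "MX" and n.lower() == mail_domain.lower()]
    if not mx_hosts:
        findings.append(f"{mail_domain}: no MX record")
    for host in mx_hosts:
        for role in landing(zone, published, host, 25):
            if role != "edge":
                findings.append(f"MX {host}:25 lands on {role}, not the Edge server")
    for name in client_names:
        for role in landing(zone, published, name, 443):
            if role not in ("reverse-proxy", "cas"):
                findings.append(f"{name}:443 lands on {role}, not the reverse proxy or CAS")
    return findings
```

An empty list from `audit(ZONE, PUBLISHED, "domain.com")` means the plan matches the layout; each string returned names a record that sends SMTP around the Edge filtering or sends client traffic to a host that does not serve it.
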
  • Hello.

    Thanks for your answer.

    I got my answer.

    But I have 3 questions about it.

    First:

    https://social.technet.microsoft.com/Forums/en-US/3bdeced1-fc75-45d5-a239-8f65a2162e24/configure-iis-arr-with-firewall-together-in-windows-server-2012r2-for-exchange-2016?forum=Exch2016MFSM

    Second:

    https://social.technet.microsoft.com/Forums/en-US/b3d0f9c7-ea97-4e98-8775-839808a61d1f/change-smtp-port-for-send-connector-from-25-to-2525-after-subscribed-edge?forum=Exch2016MFSM

    Third:

    https://social.technet.microsoft.com/Forums/en-US/c9c92501-66ff-48f1-8036-45d88e405f26/telnet-port-25-close-while-firewall-any-to-any-open?forum=Exch2016MFSM

    Thanks

    Wednesday, September 6, 2017 2:28 PM
  • Hello Mr. Off2work,

    I used your documents about Exchange 2016, and thank you very much.

    I use your documents a lot.

    I hope that this documentation will be completed further,

    especially in relation to the Edge server and reverse proxy.

    Best regards

    Friday, September 8, 2017 5:25 PM