Application Request Routing for Microsoft Exchange Server Jude Perera


This document describes how to build a reverse proxy based on Microsoft technology for an Exchange Server 2013 or 2016 environment, using IIS Application Request Routing (ARR) version 3.0. It is written as a step-by-step guide that you can scale in or out to match your exact requirements. I hope that you will enjoy the book and that its content will help you grow your skills for a successful deployment.

If you have any queries, please feel free to send your thoughts, requests and suggestions to [email protected]

Jude Perera

MVP – Office Servers and Services

https://judeperera.wordpress.com


Table of Contents

Exchange Server and Reverse Proxy
Network Setup
Setting up your NIC’s
Setting up your DNS
Setup IIS Server
Certificate Setup
Setup Application Request Routing
Configure Server Farms
Setup Default Service URL (mail.fabrikam.com)
Setup AutoDiscover
Fine-tune your web farm(s)


Exchange Server and Reverse Proxy

“Do I really need a reverse proxy server for my Exchange environment?” The simplest answer would be “No!” Yes, you really do not need a reverse proxy. Before going ahead, let’s look briefly at how Exchange Server handles clients.

Basically, the Exchange Client Access Server (CAS) is an intermediary that allows ‘things to work’ between clients (mail applications, mobile devices, browsers etc.) and the Exchange Server(s) that hold the Mailbox Databases. In Exchange Server 2007 the Client Access role was filled with jobs: authenticating connections, proxying and redirecting, as well as data rendering for the Exchange web service protocols. In Exchange 2010, MAPI data rendering was added on top of that.

Exchange Server 2013 and above has redefined how Microsoft handled client services in the predecessor versions 2007 and 2010. The Client Access Server no longer performs data rendering. So, what does it do? It acts as a proxy itself. It authenticates the client (NTLM, Basic, Negotiate etc.) and admits the request, then proxies OR redirects the connection to the Mailbox Database OR Client Access Server where the specific user’s mailbox is actively located. Why actively? Well, in Exchange we can have multiple database copies within a Database Availability Group (DAG), with Active and Passive Mailbox Database copies.


So yes, as shown in the above diagram, we don’t need a reverse proxy. The reason we implement one is mainly security. Someone could argue that the above scenario poses a direct threat to the internal network, and we could all agree with that. Why? If a connection is compromised, someone sitting outside the organization now clearly has access to one of the internal servers. Therefore, it poses a threat not only to the Client Access Server itself, but to the entire internal network.

And that’s where the concept of a perimeter network comes into play. By definition, a perimeter network is a logical network that separates an organization’s internal network from an external network, here the internet. By adding this logical network boundary, the organization can publish its internet-facing web services with an additional protection layer, so that an attacker who manages to compromise a published server is still isolated from the internal network.

For Exchange Server Client Access Services, we achieve that by deploying a reverse proxy. However, the functionality of a reverse proxy can be achieved in multiple ways, for example via a firewall or third-party open source products such as Squid.

Moving ahead with Microsoft’s approach to providing this functionality, a component named ARR can be integrated with the built-in IIS web server features.


Network Setup

Setting up your network topology correctly is the key to getting your traffic flowing correctly. The IIS ARR server will be deployed outside of your Exchange environment, typically together with an Edge server. IIS ARR can be deployed as a single standalone server, or as multiple servers configured with load balancing for business-critical environments that need high availability.

Because the IIS ARR server is set up in the perimeter network (DMZ), it will have network interfaces connected to multiple network segments. In this guide, we will look at a two-NIC scenario. One adapter, which we will call the “External Adapter”, faces the internet-facing firewall; the other, the “Internal Adapter”, faces the internal firewall segment. It is also possible to configure your networking with a single network adapter; choose your setup based on your perimeter environment, security guidelines and best practices.

When you configure your network setup, keep in mind that it is essential to set up the gateway, DNS and static routes correctly. Now let’s look at each of the components one by one.

Setting up your NIC’s

Well, you have two NICs to configure now, one connecting to the Internet/External facing network segment and one to the Internal facing network segment. The environment that we will discuss uses the following topology.


Configure Internal Network Adapter

1. Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center and then click Change Adapter Settings.

2. Right-click the connection that is connected to the Internal network segment and rename it to “Internal”.

3. Right-click the Internal adapter and then click Properties.

4. Double-click Internet Protocol Version 4 (TCP/IP/IPv4).

5. Click Use the following IP address.

6. Enter the IP address and Subnet mask as shown in the table. Leave the Default gateway and DNS server address fields empty.

7. Click OK.

8. On the Internal Properties window, click OK to save the changes.

Configure External Network Adapter

1. Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center and then click Change Adapter Settings.

2. Right-click the connection that is connected to the External network segment and rename it to “External”.

3. Right-click the External adapter and then click Properties.

4. Double-click Internet Protocol Version 4 (TCP/IP/IPv4).

5. Click Use the following IP address.

6. In IP address, Subnet mask, and Default gateway, type the IP address, subnet mask, and default gateway addresses.


7. Click OK.

8. On the External Properties window, click OK to save the changes.


Configure Static Routes

Since we have two network segments, each with a different network range, we need to specify which traffic goes through which network adapter. For the External network adapter, we have already done this by adding the Default gateway entry. However, as our internal servers are reached through the Internal network adapter, we need to manually set up routing to tell the server to route all traffic bound for the internal IP range via the internal network adapter. In our case, all traffic to the IP range 192.168.8.0/24 needs to be routed to the next hop 192.168.8.1.

1. Open Command Prompt as Administrator.

2. Enter the command below:

route ADD <network> mask <subnet mask> <next hop ip>

Verify Routing Configuration

1. To verify external routing:

a. Use the command below.

tracert <external/internet ip>

b. Verify that the external gateway IP is displayed in the results.

2. To verify internal routing:

a. Use the command below.

tracert <internal ip>

b. Verify that the internal gateway/next hop IP is displayed in the results.
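
The routing steps above, applied and checked from PowerShell on the ARR server (an added example, not part of the original guide). It assumes the adapters carry the names “Internal” and “External” given in the previous steps and uses the 192.168.8.0/24 range and 192.168.8.1 next hop from this section; it also checks the persistent store, because a route entered with a plain route ADD is lost at the restart that the DNS suffix steps require.

```powershell
# Added example: apply and verify the static route from "Configure Static Routes".
# Assumptions: adapter names "Internal" and "External" (as renamed above);
# prefix and next hop are the values used in this guide.
$InternalAlias  = 'Internal'
$ExternalAlias  = 'External'
$InternalPrefix = '192.168.8.0/24'
$NextHop        = '192.168.8.1'

# 1. Create the route only if it is not already present on the Internal adapter.
$existing = Get-NetRoute -DestinationPrefix $InternalPrefix -InterfaceAlias $InternalAlias `
    -ErrorAction SilentlyContinue | Where-Object { $_.NextHop -eq $NextHop }
if (-not $existing) {
    New-NetRoute -DestinationPrefix $InternalPrefix -InterfaceAlias $InternalAlias `
        -NextHop $NextHop | Out-Null
}

# 2. The route must also be in the persistent store, or it disappears at the next restart.
$persistent = Get-NetRoute -PolicyStore PersistentStore -DestinationPrefix $InternalPrefix `
    -ErrorAction SilentlyContinue | Where-Object { $_.NextHop -eq $NextHop }
if (-not $persistent) {
    Write-Warning "Route to $InternalPrefix via $NextHop is not in the persistent store."
}

# 3. Only the External adapter may carry a default gateway (0.0.0.0/0).
#    A default route on the Internal adapter would let internet-bound traffic
#    leave through the internal segment.
$defaults = @(Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue)
$misplaced = @($defaults | Where-Object { $_.InterfaceAlias -ne $ExternalAlias })
if ($misplaced.Count -gt 0) {
    $aliases = ($misplaced | ForEach-Object { $_.InterfaceAlias }) -join ', '
    Write-Warning "Default gateway configured on unexpected adapter(s): $aliases"
}
if (-not ($defaults | Where-Object { $_.InterfaceAlias -eq $ExternalAlias })) {
    Write-Warning "No default gateway found on the $ExternalAlias adapter."
}

# 4. Show the resulting IPv4 routes of both adapters for review.
Get-NetRoute -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -in ($InternalAlias, $ExternalAlias) } |
    Sort-Object InterfaceAlias, DestinationPrefix |
    Format-Table DestinationPrefix, NextHop, InterfaceAlias, RouteMetric -AutoSize
```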


Setting up your DNS

Because the IIS ARR server is in the perimeter network, we will not make it a member of the internal domain structure. Therefore, we need to manually configure the server’s DNS suffix. To set up the DNS suffix, do the following:

1. Open Control Panel, and then choose System Properties.

2. Choose the Computer Name tab.

3. Choose Change.

4. On the Computer Name Changes page, click More.

5. In Primary DNS suffix of this computer, type the primary DNS suffix.

6. To prevent the primary DNS suffix from changing when the computer moves to another Active Directory domain, clear the Change primary DNS suffix when domain membership changes check box.

7. Click OK to save your settings.

8. Restart your server.

There are two ways to let the server resolve the internal servers and Exchange service URLs over the interface connected to the internal network segment (where your Exchange servers reside):

⁂ Configure to use a DNS server: If you have a DNS server placed in the perimeter network, you can manually add resource records for the related servers and URLs in a forward lookup zone and configure that DNS server on the internal network adapter of the IIS ARR server

OR

⁂ Modify Host File: If you have no DNS servers inside your perimeter network, you can edit the hosts file on the IIS ARR server to include host records for the Mailbox servers and URLs

Let’s proceed with the Modify Host File option:

1. Open Notepad in Administrator mode.


2. Click File, Open and navigate to “%SystemRoot%\System32\Drivers\Etc”.

3. Open the hosts file.

4. Add the IP address to host name mapping entries for your Exchange Servers and virtual directory URLs.

5. Save the hosts file.


Setup IIS Server

ARR relies on Microsoft IIS services. First things first, let’s get started with IIS.

1. Mount your Windows Server 2012 R2 installation media.

2. Open Windows PowerShell.

3. Run the following command to install the required Windows components.

Install-WindowsFeature Web-Static-Content,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Net-Ext,Web-Http-Logging,Web-Request-Monitor,Web-Http-Tracing,Web-Filtering,Web-Stat-Compression,Web-Mgmt-Console,NET-Framework-Core,NET-WCF-Services45,NET-Non-HTTP-Activ,NET-HTTP-Activation,Web-Server -Source D:\sources\sxs

4. Wait for the installation to complete.

5. Close PowerShell console


Certificate Setup

Next, we import the SSL certificate that is used by the Exchange IIS services. First, go through the steps below to export the Exchange certificate:

1. Open the EAC and navigate to Servers, Certificates.

2. In the Select server list, select the Exchange Client Access server.

3. Select the proper Exchange certificate, click More options, and select Export Exchange certificate.

4. On the Export Exchange certificate page that opens, enter the following information:

File to export to

Password

5. When you are finished, click OK.

If you are using a certificate generated by an internal Certificate Authority, you need to export the Domain Root Certificate. Do the following to export and import the Root Certificate:

1. On the Domain Controller or Exchange Server, open the browser.

2. Log on to the Root Certification Authority Web Enrollment Site via http://<root_CA_ip>/certsrv

3. Click the Download a CA certificate, certificate chain, or CRL link.

4. Click the Download CA certificate link.

5. Save the file "RootCA.cer".

Now that we have exported the Root CA, let’s import it on the Reverse Proxy Server.

1. On the Reverse Proxy server, click Start, type mmc, and then press ENTER.

2. On the File menu, click Add/Remove Snap-in.


3. Under Available snap-ins, double click Certificates.

4. On the This snap-in will always manage certificates for window, click Computer account, and then click Next.


5. Click Local computer, and click Finish.

6. Click OK.

7. In the console tree, double-click Certificates.

8. Right-click the Trusted Root Certification Authorities store.

9. Click Import, follow the steps in the Certificate Import Wizard and provide the Root certificate exported above (RootCA.cer).


Now that we have imported the Root Certificate Authority certificate, let’s go through the steps to import your Exchange certificate on the Reverse Proxy server:

1. On the Reverse Proxy server, open Internet Information Services (IIS) Manager.

2. Select the Server name from the Connections pane.

3. From the window, double-click Server Certificates under IIS.

4. In the Server Certificates window, click Import from the Actions pane.


5. On the Import Certificate wizard, provide the Certificate path and Password values and ensure that Select Certificate Store is set to Personal. Click OK.

6. Verify that the Certificate is listed.

7. To assign the certificate to HTTPS bindings, on the IIS Manager Connections pane, expand Server Name, Sites and select Default Web Site.

8. Click Bindings in the Actions pane.


9. On the Site Bindings window, click Add.

10. From the Add Site Binding window, select https as Type.

11. From the SSL certificate drop down list, select the Exchange certificate that you just imported.

12. Click OK.

13. Click Close.
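
The result of the certificate steps above can be checked on the Reverse Proxy server with the script below, which is an added example and not part of the original guide. It assumes the HTTPS binding is on Default Web Site as in step 7, that the certificate has to cover both service names used later in this guide, and that the WebAdministration PowerShell module is available on the server.

```powershell
# Added example: verify the work done in "Certificate Setup".
# Assumptions (not from the guide): both service names below must appear on the
# certificate, and revocation is not checked because a perimeter server may not
# be able to reach the internal CA's CRL.
Import-Module WebAdministration

$Names    = 'mail.fabrikam.com', 'autodiscover.fabrikam.com'
$SiteName = 'Default Web Site'

# Thumbprints currently bound to HTTPS on the site.
$boundHashes = @(Get-WebBinding -Name $SiteName -Protocol https |
    ForEach-Object { $_.certificateHash })

$report = @(Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # DNS names on the certificate. A wildcard entry is compared with -like,
    # which is approximate: '*' also matches names with more than one label.
    $sans = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $missing = @($Names | Where-Object {
        $name = $_
        -not ($sans | Where-Object { $name -like $_ })
    })

    # Build the chain against the machine trust stores. This only succeeds for
    # an internal CA once RootCA.cer is in Trusted Root Certification Authorities.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        Expires       = $cert.NotAfter
        MissingNames  = $missing -join ', '
        ChainTrusted  = $trusted
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        BoundToHttps  = $boundHashes -contains $cert.Thumbprint
    }
})

$report | Format-List

# A usable certificate has its private key, covers every name, chains to a
# trusted root, has not expired and is the one bound to HTTPS.
$good = @($report | Where-Object {
    $_.HasPrivateKey -and -not $_.MissingNames -and $_.ChainTrusted -and
    $_.Expires -gt (Get-Date) -and $_.BoundToHttps
})
if ($good.Count -eq 0) {
    Write-Warning 'No certificate in LocalMachine\My passes all checks.'
}
```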


Setup Application Request Routing

So again, if you are not familiar with IIS or ARR: in a nutshell, we can use ARR to handle our Exchange Server web service requests by proxying them.

Some of the key features of ARR that we will be looking at include, but are not limited to:

⁂ HTTP based routing decisions built using rules that examine HTTP request information

⁂ Sophisticated load balancing algorithms to determine appropriate servers to service the HTTP requests

⁂ Health monitoring for live traffic and specific URLs to determine the health of servers

⁂ Management of multiple server farms

⁂ Management and monitoring of all configuration settings and aggregated runtime statistics through IIS Manager interface.

The following steps will guide you through the installation of the ARR component for IIS:

1. Download and run the Application Request Routing 3.0 stand-alone package, 64-bit version, from here.

2. Click Yes to proceed.

“IIS ARR” aka IIS Application Request Routing enables Web server administrators, hosting providers, and Content Delivery Networks (CDNs) to increase Web application scalability and reliability through rule-based routing, client and host name affinity, load balancing of HTTP server requests, and distributed disk caching. With ARR, administrators can optimize resource utilization for application servers to reduce management costs for Web server farms and shared hosting environments.

“IIS.NET”


3. Click Yes on the License Agreement page and let the installation complete.

4. Re-open IIS Manager, expand the server and verify that the Server Farms module is present.

Now we need to perform some tweaking at the IIS Request Filtering level.

5. Go to IIS Manager, select your server and double-click Request Filtering in the Features view.

6. From the Actions pane, click on Edit Feature Settings…


7. Change the value of Maximum allowed content length to 2147483648.

8. Click OK.


Configure Server Farms

Setting up ARR means configuring the Exchange Server virtual directory URLs and enabling high availability, proxying etc. To do so, we create a server farm for each of the service URLs. For this scenario, we will be configuring two server farms: mail.fabrikam.com and autodiscover.fabrikam.com.

Setup Default Service URL (mail.fabrikam.com)

1. Open IIS Manager.

2. In the Connections pane, expand the server node.

3. Under the server node, right-click Server Farms, and then select Create Server Farm….

4. In the Create Server Farm dialog box, on the Specify Server Farm Name page, type the name for your server farm. Click Next.


5. On the Add Server page, enter the server addresses/FQDNs of the Exchange Client Access Servers that you want to add. Once all servers are added, click Finish.

Note: If you have a load-balanced internal Exchange server environment, enter the IP or the FQDN of the single namespace for the internal VIP of the load balancer. If you don’t have a load balancer, you can ‘Add’ all the servers here; external connection load balancing will then be done by IIS ARR itself.


6. On the Rewrite Rules window, click Yes.

Configure Server Farm properties

1. On the IIS Connections pane, under Server Farms, expand the newly created server farm entry. Double-click Caching in the main window.

2. Clear the Enable disk cache option.


3. Click Apply to save settings.

4. Go back to the Server Farms window and double click on Health Check.

The Health Check feature enables you to generate events based on service availability for a particular URL. We provide a URL, IIS probes it at a given interval, and based on the HTTP status code returned it marks the server as healthy or not.

In the case of Exchange Server, we need to probe the web URLs (OWA, ECP, EWS, OAB, AutoDiscover etc.).

There is a catch here, which comes from how we can publish the Exchange Server URLs.

Option 1: Consolidate all the URLs into a single namespace. In this scenario, all services are assigned a single namespace, mail.fabrikam.com for example. If you have chosen this method for publishing your URLs, you can use the health check probe point of any one of the protocols. The downside is that if, say, the OWA service is down while all other services are running, ARR will see the OWA probe as unhealthy and mark the server as unhealthy as well, even though the other services are still up and running. This does not provide true high availability proxying.

Option 2: To get rid of the problem above, we can have multiple namespaces on the Exchange CAS, with a unique access URL for each virtual directory. When configuring ARR, we can then create a separate server farm for each of the services, each with its own health probe point. This removes the limitation: if one service goes down, proxying for the other services is not affected.

The Health Check URL for Exchange 2013 and above has the following format:

https://<External FQDN>/<protocol>/healthcheck.htm


Example: https://mail.contoso.com/owa/healthcheck.htm

If the protocol is working properly, you will get a response like the one below.

200 OK

<ServerName>.<Domain>.COM (ex: 13ml-01.fabrikam.com)

For the guide below, we are considering Option 1.

5. On the properties window, under URL Test, enter the information below:

a. URL – The URL that will be probed to check whether it is accessible.

b. Interval – The interval at which the test should run.

c. Acceptable status code – The status code returned by the Exchange server that indicates the server is in a healthy state.


6. Click Verify URL Test to check the health status, and ensure the output is Pass.

If you receive Fail as the status, there is probably an accessibility issue with the provided URL. Open a browser on the Reverse Proxy server and enter the URL; ensure that you can reach a page with the server information. DNS resolution (hosts file or DMZ DNS server) can be the cause if the name cannot be resolved.

7. Click Close and click Apply to save settings.

8. Go back to the server farm properties page and double-click Routing Rules.

9. On the Routing Rules page, uncheck the Enable SSL offloading setting and click Apply.

Let’s see why, and what we are trying to achieve here.

We know that communication between the Exchange Server and the client is encrypted. When the client communicates with the server, information is encrypted and decrypted at the Exchange Server itself. This costs CPU on top of the typical Exchange services, and is usually accounted for when you do the server capacity planning.

When we put a second server such as a reverse proxy in front, we have two options:

SSL Offloading: Here, the client-to-server connection is interrupted by the reverse proxy server. The client-to-reverse-proxy SSL connection is terminated at the reverse proxy, and the connection from the reverse proxy to the Exchange Server is in plain text. This means that the encryption and decryption CPU load is borne by the reverse proxy, and the Exchange Server has a reduced CPU load. If you are planning for this method, ensure that you do the server sizing right.


Pass-through SSL connection: In this situation, the reverse proxy does not perform any encryption/decryption; the connection is passed straight to the Exchange Server. In this section, we are focusing on this method.

10. Go back to the Server Farms window and double-click Proxy.

11. Change the Time-out value to 180. I have noticed that Outlook clients will fail to keep a persistent connection and try to reconnect to the Exchange Server from time to time if you do not change this value.


12. Under Buffer Settings, set Response buffer threshold (KB) to 0.

13. In IIS Manager, select the server from the Connections pane. In the Features View section, double-click URL Rewrite.

14. Select the entry that includes ARR_<server-farm-name>_loadbalance_SSL from the list and double-click it.

15. Expand the Conditions in the Edit Inbound Rule.

16. Click Add.


17. Fill in the values below on the Add Condition window and click OK.

a. Condition input: {HTTPS}

b. Check if input string: Matches the Pattern (Default)

c. Pattern: on

d. Ignore case: <keep checked>

18. Click Add again.

19. Fill in the values below on the Add Condition window and click OK.

a. Condition input: {HTTP_HOST}

b. Check if input string: Matches the Pattern (Default)

c. Pattern: mail.fabrikam.com

d. Ignore case: <keep checked>


20. On the Actions section, under Scheme, select https://

21. Click Apply to save settings.

22. Go back to the URL Rewrite page. Select the entry that includes ARR_<server-farm-name>_loadbalance from the list and double-click it.

23. On the Action section, change the Scheme to https://

24. Click Apply to save changes.

Setup AutoDiscover

Now that we have set up the configuration for mail.fabrikam.com, let’s go ahead and configure autodiscover.fabrikam.com.

1. Open IIS Manager.

2. In the Connections pane, expand the server node.

3. Under the server node, right-click Server Farms, and then select Create Server Farm….

4. In the Create Server Farm dialog box, on the Specify Server Farm Name page, type the name for your server farm. Click Next.

5. On the Add Server page, enter the server addresses/FQDNs of the Exchange Client Access Servers that you want to add. Once all servers are added, click Finish.

6. On the Rewrite Rules window, click Yes.

Configure Server Farm properties

25. On the IIS Connections pane, under Server Farms expand the newly created server farm entry. Double click Caching from the main window.

26. Un-select the Enable disk cache option.

27. Click Apply to save settings.

28. Go back to the Server Farms window and double click on Health Check.

29. On the properties window, under URL Test, enter the following information:

a. URL – the URL that will be requested to check whether the server is accessible.

b. Interval – the interval at which the test should run.

c. Acceptable status code – the status code returned by the Exchange server that indicates the server is in a healthy state.

30. Click Verify URL Test to check the health status, and ensure the output is Pass.

If you receive Fail as the status, it probably means there is an accessibility issue with the provided URL. Open a browser on the Reverse Proxy server and type the URL in. Ensure that you can visit a page with the server information. DNS resolution (hosts file or DMZ DNS server) can be the cause if the name does not resolve.

31. Click Close and click Apply to save settings.

32. Go back to the server farm properties page and double click Routing Rules.

33. On the Routing Rules page, uncheck the Enable SSL offloading setting and click Apply.

Let’s see why and what we are trying to achieve here;

34. On the IIS Manager, select the server from the Connections pane. On the Features View section, double-click URL Rewrite.

35. Select the appropriate entry that will include ARR_<server-farm-name>_loadbalance_SSL from the list and double click.

36. Expand the Conditions in the Edit Inbound Rule.

37. Click Add.

38. Fill in the following in the Add Condition window and click OK.

a. Condition input: {HTTPS}

b. Check if input string: Matches the Pattern (Default)

c. Pattern: on

d. Ignore case: <keep checked>

39. Click Add again.

40. Fill in the following in the Add Condition window and click OK.

a. Condition input: {HTTP_HOST}

b. Check if input string: Matches the Pattern (Default)

c. Pattern: mail.fabrikam.com

d. Ignore case: <keep checked>

41. On the Actions section, under Scheme, select https://

42. Click Apply to save settings.

43. Go back to the URL Rewrite page. Select the appropriate entry that includes ARR_<server-farm-name>_loadbalance from the list and double click.

44. On the Action section, change the Scheme to https://

45. Click Apply to save changes.
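The rule settings made in the URL Rewrite steps above (for both the mail and the AutoDiscover farm) can be checked from the configuration file instead of by opening each rule. The PowerShell below is an added example, not part of the original guide; the function name `Test-ArrRewriteRule`, the farm name `mail`, the farm-to-host mapping and the assumption that ARR keeps these rules under `globalRules` in applicationHost.config belong to this example.

```powershell
function Test-ArrRewriteRule {
    param(
        [Parameter(Mandatory)] [xml]$Config,
        # Hypothetical mapping: server farm name -> host name its _SSL rule must match.
        [Parameter(Mandatory)] [hashtable]$ExpectedHost
    )
    $rules = $Config.SelectNodes('//rewrite/globalRules/rule[starts-with(@name, "ARR_")]')
    foreach ($rule in $rules) {
        $name = $rule.GetAttribute('name')
        if ($name -notmatch '^ARR_(?<farm>.+?)_loadbalance(?<ssl>_SSL)?$') { continue }
        $farm = $Matches['farm']; $isSsl = [bool]$Matches['ssl']
        $findings = @()
        # The proxy-to-Exchange leg must stay encrypted (Scheme set to https://).
        $action = $rule.SelectSingleNode('action')
        if ($null -eq $action -or $action.GetAttribute('url') -notlike 'https://*') {
            $findings += 'action scheme is not https://'
        }
        if ($isSsl) {
            $cond = @{}   # condition input -> pattern
            foreach ($c in $rule.SelectNodes('conditions/add')) {
                $cond[$c.GetAttribute('input')] = $c.GetAttribute('pattern')
            }
            if ($cond['{HTTPS}'] -ne 'on') { $findings += 'no {HTTPS} = on condition' }
            if ($cond['{HTTP_HOST}'] -ne $ExpectedHost[$farm]) {
                $findings += "{HTTP_HOST} is '$($cond['{HTTP_HOST}'])', expected '$($ExpectedHost[$farm])'"
            }
        }
        [pscustomobject]@{ Rule = $name; Ok = ($findings.Count -eq 0); Findings = $findings -join '; ' }
    }
}

# Constructed sample shaped like applicationHost.config (not from a real server).
$sample = @'
<configuration><system.webServer><rewrite><globalRules>
  <rule name="ARR_mail_loadbalance_SSL" patternSyntax="Wildcard" stopProcessing="true">
    <match url="*" />
    <conditions>
      <add input="{HTTPS}" pattern="on" />
      <add input="{HTTP_HOST}" pattern="mail.fabrikam.com" />
    </conditions>
    <action type="Rewrite" url="https://mail/{R:0}" />
  </rule>
  <rule name="ARR_mail_loadbalance" patternSyntax="Wildcard" stopProcessing="true">
    <match url="*" />
    <action type="Rewrite" url="http://mail/{R:0}" />
  </rule>
</globalRules></rewrite></system.webServer></configuration>
'@
Test-ArrRewriteRule -Config $sample -ExpectedHost @{ mail = 'mail.fabrikam.com' } | Format-Table -AutoSize -Wrap
```

In the constructed sample the second rule still forwards over http://, so it is reported with Ok = False. On the reverse proxy, pass the content of `$env:windir\System32\inetsrv\config\applicationHost.config` (read with `Get-Content -Raw`) as `-Config`.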

Fine-tune your web farm(s)

Now you’re all good to go, well, almost. If you try to set up a connection now, theoretically it should and will work. But if you go a bit deeper into the connection requests, there is an issue. Let me go through it in case you are curious.

All of our web farms are now configured, and Outlook Web App (OWA) will work without any problem. But! Yes, there’s a big But, if you ask me.

Now your IIS ARR is ready to serve proxy requests for your Exchange Server environment.

Before putting your Reverse Proxy servers live, it’s highly recommended that you test client connectivity. Because trust me, “Trying to Connect to Microsoft Exchange Server” for hundreds and hundreds of users at the same time is not going to look pretty at all. So, set up a temporary Windows client machine and put it in the DMZ. Edit its hosts file and manually enter mail.fabrikam.com and autodiscover.fabrikam.com so that they point to the reverse proxy server. Install Outlook and try out all your publishing settings in every way to confirm that you are all good to go!

-//-