IIS Application Request Routing (ARR) vs. Web Application Proxy (WAP)

Feature comparison (pre-authentication, prerequisites, dependency, load balancing):
• Prerequisites: ARR: IIS 8.0, IIS 7.0, IIS 6.0; WAP: Windows 2012 R2
• Dependency: ARR: None; WAP: ADFS has to be set up
• Load Balancing: ARR: Inbuilt functionality; WAP: Requires a Load Balancer

IIS ARR in front of Exchange

Clients (OWA, Outlook, ActiveSync, ECP) talk to IIS ARR, which combines two roles:
• URL Rewrite (Reverse Proxy): URL Rewrite Module • URL Filtering • Allow/Deny URL
• Web Farm properties (Load Balancing): Web Farm Framework Module • Load Balancing • Health Check

URLs published through ARR (lab):
• https://mail.sir8.at/OWA
• https://mail.sir8.at/ECP
• https://mail.sir8.at/OAB
• https://mail.sir8.at/EWS/Exchange.asmx
• https://mail.sir8.at/*
• https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml

Option 1: common namespace, one web farm per namespace

IIS ARR URL Rewrite rules:
• https://mail.contoso.com/* is forwarded to the mail.contoso.com Web Farm
• https://autodiscover.contoso.com/* is forwarded to the autodiscover.contoso.com Web Farm

mail.contoso.com (Web Farm): Health Check: https://mail.contoso.com/OWA/HealthCheck.htm; Load Balancing: Least Current Requests; Affinity: No
autodiscover.contoso.com (Web Farm): Health Check: https://autodiscover.contoso.com/Autodiscover/HealthCheck.htm; Load Balancing: Least Current Requests; Affinity: No

Backend: CAS 1 and CAS 2 sit behind IIS ARR (Reverse Proxy & Load Balancer); the same farm serves e.g. https://mail.contoso.com/OAB and https://mail.contoso.com/EWS/Exchange.asmx. Because the single health check URL is the OWA one, ARR only detects server availability, not the availability of each protocol.

Option 2: namespace per protocol, web farm per protocol (per-protocol health check)

User → URL Rewrite → Server Farm → CAS:
• mail.contoso.com → OWA Web Farm, Health Check: https://mail.contoso.com/OWA/HealthCheck.htm
• ecp.contoso.com → ECP Web Farm, Health Check: https://ecp.contoso.com/ECP/HealthCheck.htm
• ews.contoso.com → EWS Web Farm, Health Check: https://ews.contoso.com/EWS/HealthCheck.htm
• eas.contoso.com → EAS Web Farm, Health Check: https://eas.contoso.com/Microsoft-Server-ActiveSync/HealthCheck.htm
• oab.contoso.com → OAB Web Farm, Health Check: https://oab.contoso.com/OAB/HealthCheck.htm
• oa.contoso.com → OA Web Farm, Health Check: https://oa.contoso.com/RPC/HealthCheck.htm
• autodiscover.contoso.com (https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml) → AutoDiscover Web Farm, Health Check: https://autodiscover.contoso.com/Autodiscover/HealthCheck.htm

Each web farm performs a per-protocol health check. Exchange Virtual Directories: mail.contoso.com, ECP.contoso.com, EWS.contoso.com, EAS.contoso.com, OAB.contoso.com, OA.contoso.com, AutoDiscover.contoso.com.

Option 3: common namespace, URL Rewrite rule per virtual directory path, web farm per protocol

User → URL Rewrite (path pattern) → Server Farm → CAS:
• /OWA* → OWA Web Farm, Health Check: https://mail.contoso.com/OWA/HealthCheck.htm
• /ECP* → ECP Web Farm, Health Check: https://mail.contoso.com/ECP/HealthCheck.htm
• /EWS* → EWS Web Farm, Health Check: https://mail.contoso.com/EWS/HealthCheck.htm
• /EAS* → EAS Web Farm, Health Check: https://mail.contoso.com/Microsoft-Server-ActiveSync/HealthCheck.htm
• /OAB* → OAB Web Farm, Health Check: https://mail.contoso.com/OAB/HealthCheck.htm
• /RPC* → OA Web Farm, Health Check: https://mail.contoso.com/RPC/HealthCheck.htm
• /AutoDiscover* → AutoDiscover Web Farm, Health Check: https://autodiscover.contoso.com/Autodiscover/HealthCheck.htm

Clients keep using the common namespace (e.g. https://mail.contoso.com/OWA, https://mail.contoso.com/EWS/Exchange.asmx); each web farm still performs a per-protocol health check. Exchange Virtual Directories: mail.contoso.com, AutoDiscover.contoso.com.

Solution comparison: high availability (true distribution) of traffic destined for multiple CAS servers

Load Balancing of traffic destined for multiple CAS servers
  Option 1: Yes*
  Option 2: Yes
  Option 3: Yes

Exchange Virtual Directories (OWA, ECP, OAB etc.) [except AutoDiscover]
  Option 1: Share a common namespace (mail.tailspintoys.com)
  Option 2: Namespace for each protocol
  Option 3: Share a common namespace (mail.tailspintoys.com)

Health Check
  Option 1: No per-protocol Health Check (Server Availability)
  Option 2: Per-protocol Health Check (Service Availability)
  Option 3: Per-protocol Health Check (Service Availability)

Certificate & DNS
  Option 1: Minimal (mail.tailspintoys.com and autodiscover.tailspintoys.com)
  Option 2: Certificate entry for each protocol (mail.tailspintoys.com, EWS.tailspintoys.com, EAS.tailspintoys.com, OAB.tailspintoys.com etc.) or one Wildcard certificate (*.tailspintoys.com); multiple additional DNS entries (mail.tailspintoys.com, EWS.tailspintoys.com, EAS.tailspintoys.com, OAB.tailspintoys.com etc.)
  Option 3: Minimal (mail.tailspintoys.com and autodiscover.tailspintoys.com)

Deployment topologies for IIS ARR

• External User → External Firewall → IIS ARR (Reverse Proxy + Load Balancer) → Internal Firewall; Internal Users reach the same IIS ARR
• External User → External Firewall → IIS ARR Reverse Proxy → Internal Firewall → IIS ARR Load Balancer; Internal Users reach the IIS ARR Load Balancer
• External User → External Firewall → IIS ARR Reverse Proxy → Internal Firewall → IIS ARR Internal Load Balancer; Internal Users reach the IIS ARR Internal Load Balancer; a separate IIS ARR External Load Balancer serves external traffic
• Summary: IIS ARR (Reverse Proxy + L7 Load Balancer) placed in the DMZ

Web Application Proxy and AD FS

Figure (Exchange Online hybrid configuration): O365 Mailbox and OnPremise Mailbox; ADFS Proxy on the INTERNET side, ADFS on the INTRANET side.

Figure (Web Application Proxy architecture): Client (browser, Office client or modern app) on the Internet → Firewall → Load Balancer → Web Application Proxy / AD FS Proxy in the DMZ → Firewall → Load Balancer → Backend Servers on the Corporate Network; AD FS (AuthN, Web UI, Config. Store) is reached by the proxy over the Config. API over HTTPS; the proxy obtains a KCD ticket from the Active Directory Domain Controller for IWA AuthN; backend AuthN is Claims, IWA or pass-through over HTTP / HTTP/S.

Reference: http://technet.microsoft.com/en-us/library/hh831477.aspx

OWA logon through WAP with AD FS pre-authentication (fabrikam.com lab, as captured in the slides):
• GET https://mail.fabrikam.com/owa
• GET https://sts.fabrikam.com (AD FS logon page)
• POST credentials to https://sts.fabrikam.com
• 302 FOUND; MSISAuth (session cookie) issued
• GET https://mail.fabrikam.com/owa; 307 Redirect
• 301 Moved Permanently; EdgeAccessCookie (session cookie) issued alongside MSISAuth
• GET https://mail.fabrikam.com/owa with AuthToken
• KCD for Principal Name: shows ticket issued for SPN
• Actual OWA logon (401 Unauthorized, the Integrated Windows Authentication challenge answered with the KCD ticket)

… and after a while of not using it, it stops working

WAP uses a short-lived certificate (15 days) to authenticate to ADFS. If you don't use your WAP lab for 15 days, WAP will be essentially stranded, as the expired certificate will be rejected by ADFS. You can either re-install WAP (the config will remain, as it is stored in ADFS), or rerun the configuration wizard via the Remote Access UI (preferred). To let the Remote Access UI run through the wizard again, change HKLM\Software\Microsoft\ADFS\ProxyConfigurationStatus to 1 (meaning "not configured") instead of 2 ("configured"). Reopen the UI. No reboot required.