Pre-Authentication
Prerequisites
Windows 2012 R2
Dependency
None
Load Balancing
Inbuilt functionality
OWA
Outlook
ActiveSync
ECP
IIS ARR
URL Rewrite
(Reverse Proxy)
URL Rewrite
(Reverse Proxy)
URLs
https://
mail.sir8.at
/OWA
https://
mail.sir8.at
/ECP
https://
mail.sir8.at
/OAB
https://
mail.sir8.at
/EWS/Exchange.asmx
https://
mail.sir8.at *
https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml
IIS ARR
URL Rewrite rule:
https://mail.contoso.com/*
https://autodiscover.contoso.com/*
https://autodiscover.contoso.com/*
Health Check:
https://autodiscover.contoso.com/Autodiscover/HealthCheck.htm
Load Balancing:
Least Current Requests
Affinity: No
Health Check:
https://mail.contoso.com/OWA/HealthCheck.htm
Load Balancing:
Least Current Requests
Affinity: No
IIS ARR
URL Rewrite rule:
https://mail.contoso.com/*
https://mail.contoso.com/*
https://autodiscover.contoso.com/*
Health Check:
https://autodiscover.contoso.com/Autodiscover/HealthCheck.htm
Load Balancing:
Least Current Requests
Affinity: No
Health Check:
https://mail.contoso.com/OWA/HealthCheck.htm
Load Balancing:
Least Current Requests
Affinity: No
CAS 1
https://mail.contoso.com/OAB
https://mail.contoso.com/EWS/Exchange.asmx
IIS ARR
(Reverse Proxy & Load Balancer)
CAS 2
IIS ARR
User
mail.contoso.com
ecp.contoso.com
ews.contoso.com
eas.contoso.com
oab.contoso.com
oa.contoso.com
https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml
URL Rewrite
Server Farm
mail.contoso.com
OWA
Web Farm
https://mail.contoso.com/OWA/HealthCheck.htm
ecp.contoso.com
ECP
Web Farm
https://ecp.contoso.com/ECP/HealthCheck.htm
ews.contoso.com
EWS
Web Farm
https://ews.contoso.com/EWS/HealthCheck.htm
eas.contoso.com
EAS
Web Farm
oab.contoso.com
OAB
Web Farm
https://oab.contoso.com/OAB/HealthCheck.htm
oa.contoso.com
OA
Web Farm
https://oa.contoso.com/RPC/HealthCheck.htm
autodiscover.contoso.com
AutoDiscover
CAS
https://eas.contoso.com/Microsoft-Server-ActiveSync/HealthCheck.htm
https://autodiscover.contoso.com/Autodiscover/HealthCheck.htm
Web Farm
Solution
Option 1
Option 2
No per-protocol Health
Check
(Server Availability)
Yes*
Yes
mail.tailspintoys.com
mail.tailspintoys.com
EWS.tailspintoys.com
EAS.tailspintoys.com
OAB.tailspintoys.com etc
Solution
Option 1
Option 2
3
No per-protocol Health
Check
(Server Availability)
Yes*
Yes
mail.tailspintoys.com
Namespace
Share a common
for each
namespace
protocol
Certificate
Minimal (mail.tailspintoys.com
entry for each protocol
and
(mail.tailspintoys.com,
autodiscover.tailspintoys.com)
EWS.tailspintoys.com,
EAS.tailspintoys.com,
OAB.tailspintoys.com etc.) or one
Wildcard certificate (*.tailspintoys.com)
mail.tailspintoys.com
EWS.tailspintoys.com
EAS.tailspintoys.com
OAB.tailspintoys.com etc
Solution
Option 1
Option 3
No per-protocol Health
Check
(Server Availability)
Yes
Yes
mail.tailspintoys.com
mail.tailspintoys.com
Option 2
Yes
mail.tailspintoys.com
EWS.tailspintoys.com
EAS.tailspintoys.com
OAB.tailspintoys.com etc
URL Rewrite
User
IIS ARR
Server Farm
CAS
/OWA*
OWA
Web Farm
https://mail.contoso.com/OWA/HealthCheck.htm
/ECP*
ECP
Web Farm
https://mail.contoso.com/ECP/HealthCheck.htm
/EWS*
EWS
Web Farm
/EAS*
/OAB*
mail.contoso.com
autodiscover.contoso.com
https://mail.contoso.com/OWA
/RPC*
/AutoDiscover*
EAS
Web Farm
https://mail.contoso.com/EWS/HealthCheck.htm
https://mail.contoso.com/Microsoft-Server-ActiveSync/HealthCheck.htm
OAB
Web Farm
https://mail.contoso.com/OAB/HealthCheck.htm
OA
Web Farm
https://mail.contoso.com/RPC/HealthCheck.htm
AutoDiscover
Web Farm
https://autodiscover.contoso.com/Autodiscover/HealthCheck.htm
URL Rewrite
User
IIS ARR
Server Farm
CAS
/OWA*
OWA
Web Farm
https://mail.contoso.com/OWA/HealthCheck.htm
/ECP*
ECP
Web Farm
https://mail.contoso.com/ECP/HealthCheck.htm
/EWS*
EWS
Web Farm
/EAS*
/OAB*
mail.contoso.com
autodiscover.contoso.com
https://mail.contoso.com/EWS/Exchange.asmx
/RPC*
/AutoDiscover*
EAS
Web Farm
https://mail.contoso.com/EWS/HealthCheck.htm
https://mail.contoso.com/Microsoft-Server-ActiveSync/HealthCheck.htm
OAB
Web Farm
https://mail.contoso.com/OAB/HealthCheck.htm
OA
Web Farm
https://mail.contoso.com/RPC/HealthCheck.htm
AutoDiscover
Web Farm
https://autodiscover.contoso.com/Autodiscover/HealthCheck.htm
configure
OWA
Outlook
ActiveSync
IIS ARR
URL Rewrite
(Reverse Proxy)
ECP
External User
External Firewall
IIS ARR
Reverse Proxy + Load Balancer
Internal Firewall
Internal User
External User
External Firewall
IIS ARR
Reverse Proxy
Internal Firewall
IIS ARR
Load Balancer
Internal User
External User
External Firewall
IIS ARR
Reverse Proxy
Internal Firewall
IIS ARR
Internal Load Balancer
Internal User
IIS ARR
External Load Balancer
IIS ARR
(Reverse Proxy + L7 Load Balancer)
DMZ
O365 Mailbox
OnPremise Mailbox
ADFS Proxy
ADFS
INTRANET
INTERNET
OnPremise Mailbox
O365 Mailbox
AD FS
AuthN
Web UI
AD FS Proxy
Web
Application
Proxy
Firewall
Load Balancer
Firewall
(browser,
Office client
or modern
app)
Config. API
over HTTPS
HTTP
HTTP/S
Claims, IWA or
pass-through
AuthN
Internet
DMZ
Load Balancer
Client
Config.
Store
AuthN
Active Directory
Domain
Controller
Obtain KCD
ticket for IWA
AuthN
Backend
Server
Backend
BackendServer
Server
Corporate Network
https://mail.fabrikam.com/owa
https://sts.fabrikam.com
https://sts.fabrikam.com
https://mail.fabrikam.com/owa
https://mail.fabrikam.com/owa
https://sts.fabrikam.com
https://sts.fabrikam.com
GET
https://mail.fabrikam.com/owa
https://mail.fabrikam.com/owa
https://sts.fabrikam.com
https://sts.fabrikam.com
GET
https://mail.fabrikam.com/owa
https://mail.fabrikam.com/owa
https://sts.fabrikam.com
https://sts.fabrikam.com
POST
https://mail.fabrikam.com/owa
https://mail.fabrikam.com/owa
https://sts.fabrikam.com
https://sts.fabrikam.com
302 FOUND
https://mail.fabrikam.com/owa
MSISAuth
(session cookie)
https://mail.fabrikam.com/owa
https://sts.fabrikam.com
https://sts.fabrikam.com
GET
307 Redirect
https://mail.fabrikam.com/owa
MSISAuth
(session cookie)
https://mail.fabrikam.com/owa
https://sts.fabrikam.com
https://sts.fabrikam.com
301 Moved Permanently
https://mail.fabrikam.com/owa
MSISAuth
(session cookie)
EdgeAccessCookie
(session cookie)
GET /w AuthToken!
KCD for
Principal
Name
Shows ticket
issued for
SPN https://mail.fabrikam.com/owa
https://sts.fabrikam.com
https://sts.fabrikam.com
GET
https://mail.fabrikam.com/owa
Shows ticket
issued for
SPN https://mail.fabrikam.com/owa
Actual OWA
logon!
https://mail.fabrikam.com/owa
401
Unauthorized
401
Unauthorized
https://mail.fabrikam.com/owa
http://technet.microsoft.com/en-us/library/hh831477.aspx
https://sts.fabrikam.com
https://sts.contoso.com
https://sts.fabrikam.com
https://mail.fabrikam.com/owa
https://mail.fabrikam.com/owa
To run through the wizard again in the Remote Access UI, change
HKLM\Software\Microsoft\ADFS\ProxyConfigurationStatus to 1 (meaning not configured)
instead of 2 (configured), then reopen the UI. No reboot is required.