
All messaging clients connect to a Client Access server when accessing an Exchange Server mailbox.

For users to access their mailbox, you must deploy a Client Access server in the same site as the Mailbox
server.

In Microsoft Exchange Server 2007 or earlier Exchange Server versions, MAPI clients such as Microsoft
Office Outlook connect directly to Mailbox servers.

In Exchange Server 2010, with the introduction of the Remote Procedure Call (RPC) Client Access service,
MAPI clients no longer connect directly to the Mailbox servers for mailbox access.

How Client Access Servers Work

1. Internet clients (all clients except MAPI clients) connect to the Client Access server using their
client protocol.
2. MAPI clients on the internal network connect to the Client Access server using the MAPI RPC protocol.
3. The Client Access server contacts Active Directory using the Kerberos protocol to authenticate the user.
4. Internet Information Services (IIS) or the RPC Client Access service on the Client Access server
performs the authentication.
5. The Client Access server uses a Lightweight Directory Access Protocol (LDAP) request to a global
catalog server to locate the Mailbox server that manages the user's mailbox.
6. The Client Access server also provides a directory lookup service for all clients. When the client
requests the global address list (GAL), or searches the GAL for a specific recipient, the Client
Access server performs the Active Directory lookup for the client.
7. The Client Access server connects to the Mailbox server using MAPI RPC to submit messages to
the mailbox database, or to read messages.

How Client Access Works with Multiple Internet Access Points

If you have multiple Active Directory sites, you can provide Internet access to each site’s Client Access
servers. To enable this option, you must configure an external URL for each Client Access server. You
also must ensure that clients can resolve the URL name in the Domain Name System (DNS) and can
connect to the Client Access server using the appropriate protocol.

When an Internet client connects to the Client Access server from the Internet in this scenario, the
Client Access server authenticates the user, and then queries a global catalog server for the user mailbox
location. At this point, the Client Access server has two options:

1. If the user's mailbox is located in the same site as the Client Access server, the Client
Access server connects to the Mailbox server to fulfill the client request.
2. If the user's mailbox is located in a different site from the Client Access server, the Client Access
server contacts a domain controller to locate the Client Access server in the site where the user
mailbox is located.
   - If you configure the Client Access server in that site with an external URL, the Client Access
server redirects the client request to the Client Access server in the site that contains
the user mailbox.
   - Exchange Server presents the user with a page that provides the correct URL for the
Client Access server, so that the user can connect to the appropriate Client Access
server in their home site.
   - If you do not configure an external URL for the Client Access server in the site that
contains the user mailbox, the Client Access server receiving the request proxies the
client request to the Client Access server in the appropriate site.

Note: - Exchange Server can redirect only Outlook Web App client requests to another Client Access server.
Requests from all other clients are proxied, except those from IMAP4 and POP3 clients.

How Client Access Works with a Single Internet Access Point

The Client Access server in the site containing the user mailbox might not be accessible from the
Internet, or it might not have an external URL configured. In this scenario, when the user connects to a
Client Access server in a site that does not contain the user mailbox, the Client Access server proxies the
client request to the Client Access server in the site where the user’s mailbox is located.

Remember the following when you configure proxying in the Exchange organization:

1. You must configure the Client Access servers that are not accessible from the Internet to use
Integrated Windows authentication, because by default the Outlook Web App virtual directory is
configured to use forms-based authentication.
2. You should ensure that forms-based authentication is enabled on the Client Access server that
is accessible from the Internet.

Note: - Exchange Server supports using a proxy for clients that use Outlook Web App, Microsoft
Exchange ActiveSync, and Exchange Web Services.

Note: - Exchange Server supports using a proxy from one Client Access server to another, when the
destination Client Access server is running the same Exchange Server version or an earlier version as the
source Client Access server.

How many virtual directories are created when a CAS server is installed?

Eight virtual directories are created when a CAS server is installed:

1. Autodiscover
2. ecp
3. EWS
4. Microsoft-Server-ActiveSync
5. OAB
6. owa
7. RPC
8. RPCWithCert

How many authentication standards are used by the Client Access server?

The Client Access server uses four kinds of client authentication:

Integrated Windows authentication: - Integrated Windows authentication is the most secure standard
authentication option. When you use Integrated Windows authentication and users log on with a
domain account, users are not prompted for a user name or password.
The Windows security packages installed on the client computer obtain the user name and password
of the logged-on user and transfer this information across the network in encrypted form.

For Integrated Windows authentication, the Client Access server URL must be in the Intranet zone of the
client's web browser.

Note: - When using a single Internet-accessible Client Access server for all sites, you must enable
Windows Integrated authentication on all of the Client Access servers that are not Internet accessible.
For example, the outward-facing Outlook Web App server can use forms-based authentication, but the
internal Client Access servers must be configured to allow Integrated Windows authentication.

Digest authentication: - Digest authentication secures the password by transmitting it as a hash value
over the network. To use Digest authentication, users must have an account that is stored in Active
Directory Domain Services (AD DS).

Basic authentication: - Basic authentication transmits passwords in clear text over the network.
Therefore, you should always secure Basic authentication by using SSL encryption. Basic authentication
is the authentication option that is most widely supported by clients. Single sign-on is not supported, so
workstation credentials are never automatically passed over Basic authentication.

Forms-Based Authentication: - Forms-based authentication is available only for Outlook Web App and
Exchange Control Panel (ECP). When you use this option, it replaces the other authentication methods.
This is the preferred authentication option for Outlook Web App because it provides enhanced security.
When you use forms-based authentication, Exchange Server uses cookies to encrypt the user logon
credentials in the client computer's Web browser. Tracking the use of this cookie allows Exchange Server
to time-out inactive sessions. Automatic time-out of inactive sessions is valuable because it protects
user accounts from unauthorized access if users leave their session logged on while away from their
computers.

Instead of a pop-up screen, forms-based authentication creates a logon Web page for Outlook Web App.
You can modify the logon page by configuring the logon prompt (user name, domain\user name, or user
principal name), language, graphics, and text. User credentials entered into the Outlook Web App logon
page are transmitted in clear text similar to Basic authentication. However, forms-based authentication
requires the use of SSL. SSL encrypts the user credentials as they are transmitted over the network.

Forms-based authentication is enabled by default for Outlook Web App and for ECP. However, you
might consider changing this to Integrated Windows authentication for Client Access servers that are
not Internet-facing, because forms-based authentication does not support single sign-on.
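As an added example that is not part of the original page, the following Exchange Management Shell commands apply the configuration described in the proxying section and in the paragraph above: forms-based authentication and an external URL on the Internet-facing Client Access server, and Integrated Windows authentication with no external URL on the Client Access servers that are not reachable from the Internet. The server names and the external host name are placeholders; the cmdlets and parameters are the standard Exchange Server 2010 ones.

```powershell
# Added example (not from the original page). Server names and URLs are
# placeholders; run in the Exchange Management Shell on Exchange Server 2010.

$internetCas  = "CAS-INTERNET"      # placeholder: Internet-facing Client Access server
$internalCas  = "CAS-INTERNAL"      # placeholder: Client Access server not reachable from the Internet
$externalHost = "mail.example.com"  # placeholder: name clients resolve in public DNS

# Internet-facing Client Access server: forms-based authentication for OWA and
# ECP, plus an external URL so that Client Access servers in other sites can
# redirect OWA users here instead of proxying for them.
Set-OwaVirtualDirectory -Identity "$internetCas\owa (Default Web Site)" `
    -ExternalUrl "https://$externalHost/owa" -FormsAuthentication $true
Set-EcpVirtualDirectory -Identity "$internetCas\ecp (Default Web Site)" `
    -ExternalUrl "https://$externalHost/ecp" -FormsAuthentication $true

# Internal Client Access server: no external URL, and Integrated Windows
# authentication so that the Internet-facing server can proxy requests to it.
# Forms-based authentication is switched off because it is on by default.
Set-OwaVirtualDirectory -Identity "$internalCas\owa (Default Web Site)" `
    -ExternalUrl $null -FormsAuthentication $false -WindowsAuthentication $true
Set-EcpVirtualDirectory -Identity "$internalCas\ecp (Default Web Site)" `
    -ExternalUrl $null -FormsAuthentication $false -WindowsAuthentication $true

# Authentication changes take effect only after IIS is restarted on each
# server (iisreset /noforce); the cmdlets print a warning to that effect.

# Verify: every OWA virtual directory without an external URL must have
# Windows authentication enabled, otherwise proxied requests to it fail.
Get-OwaVirtualDirectory |
    Select-Object Server, ExternalUrl, FormsAuthentication, WindowsAuthentication |
    Format-Table -AutoSize
```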

Note: - You can configure the time-out values for public and private computers by modifying the Client
Access server registry. You can do this by using the Regedit utility, or the Set-ItemProperty cmdlet. For
more information about how to configure these settings, see the “Set the Forms-Based Authentication
Private Computer Cookie Time-Out Value” topic in Exchange Server 2010 Help.
