14 Feb 2011

Something New Every Day (Exchange 2010)

When I am trying to learn something, my goal is to find at least one thing that I didn’t know before and to celebrate the improvement of my understanding. Today’s topic is CAS server proxy, redirection and authentication.

First off, back when I was on some early versions of the Exchange 2010 TAP program, I heard about CAS redirection and proxy activities and I didn’t really have a firm grasp of it. Now I’ve had some time to kick it around in my head and I understand things a bit better. When you have two AD sites, each with Internet-facing CAS servers (open through the firewall AND with a reachable DNS URL), the CAS server you connect to will redirect you to the correct CAS (and correct URL) if your mailbox is in a different site. If only ONE site has an Internet-facing CAS server, then the one you connect to will PROXY your connection to the correct CAS server.

Today, this bit of information was a double-whammy, not because I learned something new, but because I now understand a different little bit that I was waggling around. An Internet-facing CAS server can use any kind of authentication (forms-based, Basic), but you need to have “Integrated Windows Authentication” turned ON on all the internal CAS servers for which it will be serving as a proxy.
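
An added example, not part of the original post: an Exchange Management Shell audit of the two settings discussed above, listing each CAS with its OWA authentication methods and flagging internal servers that cannot be proxied to. It assumes that a CAS is Internet-facing when its OWA virtual directory has an ExternalUrl set; the report column names are made up for illustration.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Assumption: a CAS counts as Internet-facing when its OWA virtual directory
# has an ExternalUrl; one without it is reached only through proxying.
$report = foreach ($cas in Get-ClientAccessServer) {
    # AD site of this CAS, as a string so it also works on deserialized objects
    $site = [string](Get-ExchangeServer -Identity $cas.Name).Site

    foreach ($vdir in Get-OwaVirtualDirectory -Server $cas.Name) {
        $internetFacing = [bool]$vdir.ExternalUrl

        $finding = if ($internetFacing) {
            'Internet-facing: redirects to or proxies for other sites'
        } elseif ($vdir.WindowsAuthentication) {
            'Internal: ready to be proxied to'
        } else {
            'Internal: Integrated Windows Authentication is OFF, proxying will fail'
        }

        # New-Object rather than [pscustomobject] so it runs on PowerShell 2.0
        New-Object PSObject -Property @{
            Site        = $site
            Server      = $cas.Name
            VDir        = $vdir.Name
            ExternalUrl = $vdir.ExternalUrl
            FormsAuth   = $vdir.FormsAuthentication
            BasicAuth   = $vdir.BasicAuthentication
            WindowsAuth = $vdir.WindowsAuthentication
            Finding     = $finding
        }
    }
}

$report | Sort-Object Site, Server |
    Format-Table Site, Server, ExternalUrl, FormsAuth, BasicAuth, WindowsAuth, Finding -AutoSize

# To correct a flagged internal server (review before running):
#   Set-OwaVirtualDirectory -Identity '<server>\owa (Default Web Site)' -WindowsAuthentication $true
```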

One of the lines of introspection and discovery that I now want to pursue is how the authentication works in a legacy (2007) domain when installing a 2010 CAS server (the first step in a good migration). I know many people already know and understand all of this, but it’s not something that I come across every day, so I count it as extra knowledge!