[ExchangeList] Re: CAS to CAS proxying - HTTP 403 forbidden

  • From: Mahadevan Subramanian <devan.scorp@xxxxxxxxx>
  • To: exchangelist@xxxxxxxxxxxxx
  • Date: Fri, 24 Jul 2009 08:45:48 +0530

Hello James,
Thanks for the response.
Yes integrated Auth is checked. To give you some more information on this..
Site X : HUB/CAS in  Server A & MBX in Server B
Site Y: HUB/CAS/MBX in same server Server C
The IIS Metabase of server C uses davex.dll, since it has the CAS/MBX role together.
The IIS Metabase of Server A uses exprox.dll for proxying. Since these DLLs vary, there is some communication gap in CAS-CAS proxying, I believe.
I have even edited the Metabase of Server C and replaced the davex.dll with exprox.dll. If I do that, the CAS-CAS proxying works in one direction (that is, if I log in using a user mailbox in Site X using https://ServerC/exchange or https://ServerC/Owa it does the CAS-CAS proxying).
But when I log in using a user mailbox located in Site Y using the URL https://ServerA/exchange, it says that there is no CAS server detected in the AD for the site where the user mailbox resides, please contact administrator. This error happens after the Metabase change. But if I revert it back everything is back to pavilion. CAS to CAS proxying does not work both the sides. Hope this mail is not confusing... :-)
My question is...
First - Is it possible to have 3 roles on the same server, while other sites do not? Does anyone have this type of setup?
Second - Is there a workaround for this...? Or is there a specific setting which is a bit tweaky or different from default settings if all 3 roles are installed..?
We are starting with the actual mailbox migration in another 20 days. We cannot demand another server from the customer at this point to have the CAS role isolated for this site. Moreover, this site has hardly 500 users, hence we decided to club all roles..
Any suggestion/help is highly appreciated..
Regards, maha

On Thu, Jul 23, 2009 at 11:23 PM, James Chong <jchong@xxxxxxxxxxxxxx> wrote:

Is integrated authentication checked on owa and exchange vdir?


From: exchangelist-bounce@xxxxxxxxxxxxx [mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Mahadevan Subramanian
Sent: Wednesday, July 22, 2009 11:40 PM
To: exchangelist@xxxxxxxxxxxxx
Subject: [ExchangeList] CAS to CAS proxying - HTTP 403 forbidden


Hello All,


We are in the middle of transitioning from Exchange 2003 to Exchange 2007. We have 7 sites in the new environment and we have adopted a Star topology (i.e. one site as the central site). We are now facing an issue with OWA access in a particular site, where we have CAS, HUB & MBX installed on the same server. The other sites have HUB & CAS on one server and MBX on another server.


The OWA URL is pointed to F5, which does the load balancing and routes the requests (Https://SeverFQDN/Exchange) to the CAS servers in the central site. From the central site the CAS servers proxy the requests based on the user mailbox location (either Exchange 2003 or Exchange 2007). This works fine for all locations and Exchange 2003 users as well, but we face an issue in one site where we have all three roles installed on the same server.


The error is HTTP 403 Forbidden..


If I directly access /Exchange or /owa on the same server where all three roles are installed, we are able to access the user mailbox which is located on the same server. But if I try logging in using a user account located in a different site.. It does not allow.. It shows page cannot be displayed. Similarly, from other CAS servers in other sites, if I try to log in with a user mailbox located in this problematic site.. It gives HTTP 403 Forbidden error..


The OWA is only for internal purposes and hence we do not have any externalURL. The internalURLs are properly set.


Regards... Maha
