Proxying Outbound Email Through Exchange 2013 Client Access Servers

In an Exchange Server 2013 organization the Mailbox server role is responsible for sending outbound email via a Send Connector.

If you take a look at the properties of a Send Connector you will notice an option to proxy through a Client Access server.


When this option is enabled, outbound email sent via a Send Connector does not go directly out from the Mailbox server; instead it is proxied through a Client Access server in the site.

There is nothing complicated going on here. The Client Access server simply acts as a proxy for the connection, so the receiving host out on the internet sees the connection as coming from the Client Access server's name and IP address rather than the Mailbox server's.

To demonstrate, here is a message header for an email sent without the proxy option enabled.


Notice that in hop 2 the message is received by E15MB1, and then in hop 3 you can see E15MB1 send to In other words, it was sent directly without proxying.

And here is a message header for an email sent with the proxy option enabled. Note the extra hop before the email goes out to the Google mail servers.


Notice the subtle difference. In hop 2 the message is received by E15MB3, but then in hop 3 the message is being sent from E15MB1 to E15MB3 has silently proxied the message through the Client Access server role on E15MB1.
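The hop comparison above can be automated when you want to confirm which server the outside world actually saw connecting, for example to check that outbound SMTP only leaves from the hosts your firewall permits. The following Python is an added example, not from the original article: the headers are constructed (only the host names E15MB1 and E15MB3 come from the article), and the `.example.test` domain, `mx.external.example` and the `allowed` list are assumptions.

```python
import re
from email import message_from_string

# Constructed sample headers, not the article's screenshots. Host names E15MB1
# and E15MB3 follow the article; the domains, ids and timestamps are made up.
TEMPLATE = """\
Received: from {egress}.example.test by mx.external.example
 with ESMTPS id constructed-1; Mon, 1 Jan 2024 10:00:03 +0000
Received: from {mbx}.example.test by {mbx}.example.test
 with Microsoft SMTP Server (TLS); Mon, 1 Jan 2024 10:00:02 +0000
Received: from {mbx}.example.test by {mbx}.example.test
 with mapi; Mon, 1 Jan 2024 10:00:01 +0000
Subject: constructed sample

body
"""
DIRECT = TEMPLATE.format(egress="E15MB1", mbx="E15MB1")
PROXIED = TEMPLATE.format(egress="E15MB1", mbx="E15MB3")

HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.I | re.S)

def hops(raw):
    """Return (from_host, by_host) pairs in lower case, oldest hop first."""
    received = message_from_string(raw).get_all("Received", [])
    pairs = []
    for value in reversed(received):  # the newest Received header is on top
        m = HOP.search(value)
        if m:
            pairs.append((m.group(1).lower(), m.group(2).lower()))
    return pairs

def egress_report(raw, internal_suffix=".example.test", allowed=("e15mb1",)):
    """Report which internal host the first external receiver saw connecting.

    allowed: short names of hosts the firewall lets out on SMTP (assumption).
    """
    last_internal = None
    for src, dst in hops(raw):
        if dst.endswith(internal_suffix):
            last_internal = dst          # last server that stamped the message
        elif src.endswith(internal_suffix):
            return {"last_internal": last_internal, "egress": src,
                    "proxied": src != last_internal,
                    "egress_allowed": src.split(".")[0] in allowed}
    return None  # message never left the organization

if __name__ == "__main__":
    for name, raw in (("direct", DIRECT), ("proxied", PROXIED)):
        print(name, egress_report(raw))
```

The `from` name in a Received header is what the sending host announced, so treat the result as a consistency check against your firewall rules rather than proof of origin.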

This option is likely to be more useful for organizations that do not use a smart host or Edge Transport server for outbound email routing, and want to control where outbound SMTP connections are coming from. A justification for this would be to simplify the firewall rules.


Personally, I don’t expect to see this option used much in small environments; however, it could certainly be useful in some larger organizations.


  1. Michael says

    Thank you again for such wonderful articles.

    Would you please tell me what is the logic behind this? Why would anyone want to proxy traffic to go through CAS servers?

    I did look at the last paragraph but I am still fuzzy.

    I hope there is a good scenario for doing this.

    • says

      This -> “A justification for this would be to simplify the firewall rules.”

      Take a look at the diagram. Now consider that you need to configure outbound SMTP access through the firewall for the Exchange servers that will be sending email to the outside world.

      Is it simpler to configure firewall rules for 16 Mailbox servers, or for 4 Client Access servers?

      The size of the environment and how they have designed their server roles will determine whether this is a useful option to consider.

      • DK says

        Why would you configure firewall rules for 16 mailbox servers or 4 CAS? You’d have a single IP for the DAG that the 16 mailboxes would share, and a single IP address for the 4 CAS to share using WNLB. Unless the CAS can proxy inbound mail as well, what’s the point?

        • says

          The DAG IP has nothing to do with transport (inbound/outbound email).

          The WNLB (or any load balancer) IP address is for incoming client traffic. You can load balance incoming SMTP if you want to as well, but outbound email is sent from the server’s own IP address not the load balanced IP.

          The CAS *can* proxy outbound email. That is the point of this article.

  2. Suriya says

    I’m confused. E15MB1 is the Client Access Server and E15MB2/3 are Mailbox servers… right? If yes, I don’t see any difference with/without ticking the proxy option, because E15MB1 (Client Access) sends out the email to the Internet in both cases.

    For me, the difference is that E15MB2 (Mailbox server) receives the email and passes it to E15MB1 to the internet, while in the second screenshot E15MB2 passes the email to E15MB3 before sending to E15MB1 (Client Access).

    Could you please clarify further.

  3. SteveTill says


    Great article. Quick question for you. How can you know what client access server the email is being proxied to? Further, how could you send this to a load balanced set of Front end servers?

    • says

      You can see which client access server processed a message by inspecting the headers of the message.

      You can’t target it to a load balancer… Exchange will choose an available CAS to proxy through.

  4. S Subramanian says

    If my SMTP source server is installed with both Mailbox and CAS roles, can I use the same settings to route the email through a different CAS server which is only capable of communicating with the external world?

  5. Micke says

    Great article,

    I just wonder if it is possible to use this proxying if you are sending your mails through a smarthost?

    If so, is there any good reason for doing so apart from the firewall rules, or is it just complicating things and not a smart thing to do? My own feeling is just that it is just an unnecessary thing to do.
