Proxying Outbound Email Through Exchange 2013 Client Access Servers

In an Exchange Server 2013 organization the Mailbox server role is responsible for sending outbound email via a Send Connector.

If you take a look at the properties of a Send Connector you will notice an option to proxy through a Client Access server.

[Image: exchange-2013-front-end-proxy-01]

When this option is enabled outbound email that is being sent via a Send Connector does not go directly out from the Mailbox server, and instead is proxied through a Client Access server in the site.

There is nothing complicated going on here: the Client Access server simply acts as a proxy for the connection, so that the receiving host out on the internet sees the connection as coming from the Client Access server's name and IP address rather than the Mailbox server's.
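The proxy option in the connector properties is the FrontendProxyEnabled setting on the Send Connector, so it can be inspected and changed from the Exchange Management Shell as well as from the EAC. The following is an added example, not code from the original article; the connector name "Outbound to Internet" is a placeholder, and the server names are assumptions.

```powershell
# Added example (not from the original article): viewing and enabling the
# "Proxy through client access server" option on a Send Connector from the
# Exchange Management Shell. The connector name is a placeholder.

# List every Send Connector with the properties that matter for outbound
# routing: the source Mailbox servers that are allowed to send through it,
# any smart hosts, and whether outbound sessions are proxied via a CAS.
Get-SendConnector |
    Select-Object Name, Enabled, SourceTransportServers, SmartHosts, FrontendProxyEnabled |
    Format-List

# Enable the proxy option on one connector. This is the same setting shown
# in the connector's properties in the EAC.
Set-SendConnector -Identity "Outbound to Internet" -FrontendProxyEnabled $true

# Confirm the change.
Get-SendConnector -Identity "Outbound to Internet" |
    Select-Object Name, FrontendProxyEnabled

# Exchange picks an available Client Access server in the same AD site as the
# source Mailbox server, so it is worth knowing which servers that can be.
# This lists the CAS role holders per site (Site and IsClientAccessServer are
# standard Get-ExchangeServer properties).
Get-ExchangeServer |
    Where-Object { $_.IsClientAccessServer } |
    Select-Object Name, Site, AdminDisplayVersion |
    Sort-Object Site, Name

# To revert to direct delivery from the Mailbox server:
# Set-SendConnector -Identity "Outbound to Internet" -FrontendProxyEnabled $false
```

The firewall point later in the article follows directly from the last query: once the option is on, the public addresses that need outbound TCP 25 are those of the Client Access servers listed, not of every Mailbox server in SourceTransportServers.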

To demonstrate, here is a message header for an email sent without the proxy option enabled.

[Image: no-fe-proxy]

Notice that in hop 2 the message is received by E15MB1, and then in hop 3 you can see E15MB1 send to mx.google.com. In other words, it was sent directly without proxying.

And here is a message header for an email sent with the proxy option enabled. Note the extra hop before the email goes out to the Google mail servers.

[Image: with-fe-proxy]

Notice the subtle difference. In hop 2 the message is received by E15MB3, but then in hop 3 the message is being sent from E15MB1 to mx.google.com. E15MB3 has silently proxied the message through the Client Access server role on E15MB1.
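The tell-tale sign in the header is that one hop is sent from a host other than the one that received the previous hop: the Mailbox server stamps its Received line, then the Client Access server hands the message to the internet without adding one of its own. The script below is an added example, not part of the original article, that reads the Received: chain of a header and flags that pattern. The header text is constructed for illustration; the host names, addresses and timestamps are placeholders and are not copied from the article's screenshots.

```powershell
# Added example (not from the original article): walk the Received: chain of
# a message header in chronological order and flag a hop that was sent by a
# host other than the one that received the previous hop, which is what a
# front-end proxied delivery looks like. Sample header is constructed.

$SampleHeader = @"
Received: from E15MB1.corp.example (203.0.113.11)
 by mx.google.com with ESMTPS id placeholder-id-3;
 Tue, 1 Jul 2014 10:00:03 +1000
Received: from E15MB3.corp.example (10.0.0.13)
 by E15MB3.corp.example (10.0.0.13) with Microsoft SMTP Server (TLS);
 Tue, 1 Jul 2014 10:00:02 +1000
Received: from E15MB2.corp.example (10.0.0.12)
 by E15MB3.corp.example (10.0.0.13) with Microsoft SMTP Server;
 Tue, 1 Jul 2014 10:00:01 +1000
From: sender@corp.example
To: recipient@example.net
Subject: proxy test (constructed sample)
"@

function Get-ReceivedHops {
    param([Parameter(Mandatory)][string]$HeaderText)

    # Unfold header lines: a line that starts with whitespace continues the
    # previous header field (RFC 5322 folding).
    $fields = New-Object System.Collections.Generic.List[string]
    foreach ($line in ($HeaderText -split "`r?`n")) {
        if ($line -match '^\s+' -and $fields.Count -gt 0) {
            $fields[$fields.Count - 1] += ' ' + $line.Trim()
        } elseif ($line.Trim()) {
            $fields.Add($line)
        }
    }

    # Each hop prepends its Received: line, so the topmost is the last hop.
    # Reverse to get hop 1 first.
    $received = @($fields | Where-Object { $_ -match '^Received:' })
    [array]::Reverse($received)

    $hop = 0
    foreach ($r in $received) {
        $hop++
        $from = if ($r -match 'from\s+([^\s\(]+)')  { $Matches[1] } else { $null }
        $by   = if ($r -match '\bby\s+([^\s\(;]+)') { $Matches[1] } else { $null }
        [pscustomobject]@{ Hop = $hop; From = $from; By = $by }
    }
}

function Test-ProxiedHop {
    param([Parameter(Mandatory)][object[]]$Hops)
    # A hop sent from a host that differs from the receiver of the previous
    # hop means the message changed hands without a Received: line being
    # stamped, i.e. the CAS proxied the session on behalf of the Mailbox server.
    for ($i = 1; $i -lt $Hops.Count; $i++) {
        $prevBy = $Hops[$i - 1].By
        $from   = $Hops[$i].From
        if ($prevBy -and $from -and ($prevBy -ne $from)) {
            return [pscustomobject]@{ Hop = $Hops[$i].Hop; ReceivedBy = $prevBy; SentFrom = $from }
        }
    }
    return $null
}

$hops = @(Get-ReceivedHops -HeaderText $SampleHeader)
$hops | Format-Table -AutoSize

$proxied = Test-ProxiedHop -Hops $hops
if ($proxied) {
    "Hop $($proxied.Hop): received by $($proxied.ReceivedBy) but delivered from $($proxied.SentFrom); the session was proxied through $($proxied.SentFrom)."
} else {
    "No proxied hop found: every hop was sent by the host that received the previous one."
}
```

Paste the full header of a real message into $SampleHeader to run it against your own environment. Only the Received lines stamped by your own servers are trustworthy evidence; lines added before the message entered your organization are written by whoever sent it, and a host that receives under one name and sends under another will also trip the check, so treat a hit as something to look at rather than proof on its own.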

This option is likely to be more useful for organizations that do not use a smart host or Edge Transport server for outbound email routing, and want to control where outbound SMTP connections are coming from. A justification for this would be to simplify the firewall rules.

[Image: exchange-2013-front-end-proxy-02]

Personally I don’t expect to see this option used much in small environments, however it could certainly be useful in some larger organizations.

Comments

  1. Michael says

    Thank you again for such wonderful articles.

    Would you please tell me what is the logic behind this? Why would anyone want to proxy traffic to go through CAS servers?

    I did look at the last paragraph but I am still fuzzy.

    I hope there is a good scenario for doing this.

    • says

      This -> “A justification for this would be to simplify the firewall rules.”

      Take a look at the diagram. Now consider that you need to configure outbound SMTP access through the firewall for the Exchange servers that will be sending email to the outside world.

      Is it simpler to configure firewall rules for 16 Mailbox servers, or for 4 Client Access servers?

      The size of the environment and how they have designed their server roles will determine whether this is a useful option to consider.

      • DK says

        Why would you configure firewall rules for 16 mailbox servers or 4 CAS? You’d have a single IP for the DAG that the 16 mailboxes would share, and a single IP address for the 4 CAS to share using WNLB. Unless the CAS can proxy inbound mail as well, what’s the point?

        • says

          The DAG IP has nothing to do with transport (inbound/outbound email).

          The WNLB (or any load balancer) IP address is for incoming client traffic. You can load balance incoming SMTP if you want to as well, but outbound email is sent from the server’s own IP address not the load balanced IP.

          The CAS *can* proxy outbound email. That is the point of this article.

  2. Suriya says

    I'm confused. E15MB1 is the Client Access Server and E15MB2/3 are Mailbox servers, right? If yes, I don't see any difference with/without ticking the proxy option, because E15MB1 (Client Access) sends the email out to the Internet in both cases.

    For me, the difference is that E15MB2 (Mailbox server) receives the email and passes it to E15MB1 to go to the internet, while in the second screenshot E15MB2 passes the email to E15MB3 before sending it to E15MB1 (Client Access).

    Could you please clarify further.

  3. SteveTill says

    Paul,

    Great article. Quick question for you. How can you know what client access server the email is being proxied to? Further, how could you send this to a load balanced set of Front end servers?

    • says

      You can see which client access server processed a message by inspecting the headers of the message.

      You can’t target it to a load balancer… Exchange will choose an available CAS to proxy through.

  4. S Subramanian says

    If my SMTP source server is installed with both Mailbox and CAS roles, can I use the same settings to route email through a different CAS server, which is the only one able to communicate with the external world?

  5. Micke says

    Great article,

    I just wonder if it is possible to use this proxying if you are sending your mails through a smarthost?

    If so, is there any good reason for doing so apart from the firewall rules, or is it just complicating things and not a smart thing to do? My own feeling is just that it is just an unnecessary thing to do.

  6. Robert says

    I have a couple of CAS servers and I need only one of them to proxy outbound emails. I can't have the other CAS do this, so Exchange cannot decide. I need to find a way to force the mailbox server to proxy to ONLY the CAS server I decide.

    I have not been able to find out how to do this. Can you please let me know if there is a way?

    I would really appreciate it.

    Thanks,

    Robert.

  7. Robert says

    Because my second CAS server is on a different ISP that I can’t use for SMTP, it’s only for Outlook Anywhere, ActiveSync, IMAP and POP. I need to find the way to tell Exchange 2013 which CAS to use to proxy outbound emails.

    I can’t believe there is no way to do this in a decent way.

    Thanks,

    Robert.

  8. Robert says

    Yes, they are in the same datacenter with no BGP. They are on different ISPs for redundancy, so if one ISP goes down remote users (I switch DNS records automatically) can still check their emails.

    Yes, I know if the one that supports the SMTP is down then there is no email to/from the Internet but remote users can still log in to their mailboxes and check internal, organization emails.

    I think that the topology does not matter, what I really need is use the CAS I want rather than leaving this decision to Exchange.

    Thanks,

    Robert.

    • says

      There's no method I know for doing it that way. In your situation I would revisit that network architecture. It sounds awkward to manage. Why not have all servers communicating out via the same L3 switch or router, then both can participate in mail flow.

      • Chris says

        I have the same scenario, I need all to (and from) internet mail to route from one IP address (like I currently do with Exchange 2010) to two smart hosts that are outside of my control and are beyond my network segment.

        Would my only option then be to leave the 2010 CAS server that currently has this configuration?

        2013 is rapidly (and sadly) becoming my least favorite Exchange version.

        • says

          The 2010 CAS is not involved in mail flow, that is a job for the 2010 Hub Transport role.

          I don’t know your environment but I’m confused by the problem you’re describing. Having multiple servers involved in outbound mail flow with smart hosts shouldn’t be an issue, eg if they’re NATing out the same public IP address.

  9. Robert says

    I can’t change the network architecture which by the way had no problems with Exchange 2010 as I could easily determine the CAS server where I configure and enable the Send Connectors. In Exchange 2013 case I can’t create a Send Connector on the CAS as they must be in the MB servers.

    Thanks for your time anyways.

    Robert.

    • says

      2010 had the dedicated Hub Transport role so it could be approached differently. Yes you could home a send connector on a specific HT and use your default gateway/routing config to manage which route it took outbound.

      With 2013 that Transport function was given to the Mailbox server role. You could achieve the same thing here if you were willing to configure default gateway or routes for that Mailbox server.

      If you choose to proxy via the CAS there is no supported method to restrict which CAS is chosen as the proxy from the CAS within that AD site. There are unsupported workarounds like disabling the outbound proxy connector, or blocking specific network ports on that host, but I don't recommend heading down that path.

      Why not just have both CAS involved in outbound mail flow via the primary link. Since you need to take manual actions in the event of a link failure (eg update public DNS records for OWA etc) it can just be part of your incident response to also change the gateway on both CAS to work with the other link in those scenarios.

      • Robert says

        Yes, I thought about disabling outbound proxy connectors or ports but do not like the idea either, as I am not sure about the side effects.

        Regarding having the two CAS on the primary link: that is not possible, that's what the backup link is set up for, for redundancy (except SMTP). I do not change anything manually; the records (OWA, OA, POP, IMAP) are automatically moved by scripts running on the DNS implementation to the healthy link (ISP), the secondary in this case, until the primary link (ISP) is back online. There is no need for anyone to make any change and the only interruption is the 5 minute TTL of the record(s) while switching ISPs. In rare cases someone notices an outage.

        Robert.

        • says

          Fair enough. Sounds like you’re boxed in by all the other elements at play here being unchangeable. Unfortunately I do not see a way around it from an Exchange config perspective.

  10. Chris says

    Ok, so I used the wrong role in my description, my apologies. But that said, I’m in transition between 2010 and 2013. Right now my 2010 CAS/HT is the routing point for all incoming and outgoing. From that machine, mail hits two smart hosts thousands of miles away that are not in my control, and NAT is not involved between my network segment and the destination. This is a sensitive network, so you cannot just decide today that four machines will be relaying email to the smart hosts. Bells and whistles and men with torches and pitchforks will pay a visit quite rapidly.

    The configuration WAS nearly identical to your 2003 to 2010 upgrade guide, one 2010 CAS/HT and one 2010 MB in Site A, one 2010 CAS/MB/HT in Site B. In comes 2013 where we’re trying to create the same scenario…however mail flowing out of the org from 2013 has to hit the smart hosts from one IP. Since we’re in transition, I need to move over to everything routing out of the org from 2013 but just got stumped as to how to proceed.

    I understand redundancy and all, I’m a big fan of it, but sometimes things are beyond control…

    So let me ask this question; how exactly does Exchange decide what machine it’s actually going to relay from? Can any Mailbox Server from any site decide at any point it’s going to relay email? Or can I at least configure it to route mail to the smart hosts from only one AD site?

    • says

      When you create the send connector to route mail to those smart hosts you can choose any one (or several) source Mailbox server. So if you’re only allowed to send to those smart hosts from one IP, make that server the source for the send connector.

      Or put in the required change requests to be allowed to route to the smart hosts from new/multiple IP addresses.

  11. Muraleedaran says

    Dear Paul

    Thank you for sharing this article.

    I have a 4-node Exchange 2013 CU7 environment (2 Mbox and 2 CAS) and I have enabled the Proxy through Client Access Server option.

    But when I analyze the Message Header I do not see the Client Access Server Role – Can you share some thoughts in this regard?

    NOTE: The outbound SMTP is NATed to the Client Access Server role.
