Proxying Outbound Email Through Exchange 2013 Client Access Servers

In an Exchange Server 2013 organization the Mailbox server role is responsible for sending outbound email via a Send Connector.

If you take a look at the properties of a Send Connector you will notice an option to proxy through a Client Access server.

[Screenshot: exchange-2013-front-end-proxy-01]

When this option is enabled outbound email that is being sent via a Send Connector does not go directly out from the Mailbox server, and instead is proxied through a Client Access server in the site.

There is nothing complicated going on here, the Client Access server simply acts as a proxy for the connection so that the receiving host out on the internet sees the connection as coming from the Client Access server name and IP address rather than the Mailbox server.

To demonstrate, here is a message header for an email sent without the proxy option enabled.

[Screenshot: no-fe-proxy]

Notice that in hop 2 the message is received by E15MB1, and then in hop 3 you can see E15MB1 send to mx.google.com. In other words, it was sent directly without proxying.

And here is a message header for an email sent with the proxy option enabled. Note the extra hop before the email goes out to the Google mail servers.

[Screenshot: with-fe-proxy]

Notice the subtle difference. In hop 2 the message is received by E15MB3, but then in hop 3 the message is being sent from E15MB1 to mx.google.com. E15MB3 has silently proxied the message through the Client Access server role on E15MB1.
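To make the hop comparison above repeatable, here is an added Python example (not from the article) that parses Received headers oldest-hop-first and reports which internal host handed the message to the external MTA, flagging the pattern shown above where the accepting server (E15MB3) and the sending server (E15MB1) differ. The header text, the `.example.com` suffix, the client name and the MX name are constructed to mirror the article's two cases.

```python
import re

# Constructed sample headers mirroring the article's two screenshots; hostnames are
# placeholders. Received lines read newest-first, so the bottom line is the first hop.
DIRECT_HEADERS = """\
Received: from E15MB1.example.com (203.0.113.11) by mx.google.com with ESMTPS id a1;
 Mon, 1 Jul 2013 10:00:03 +0000
Received: from E15MB1.example.com (10.0.0.11) by E15MB1.example.com (10.0.0.11)
 with Microsoft SMTP Server id 15.0.712.24; Mon, 1 Jul 2013 10:00:02 +0000
Received: from CLIENT1.example.com (10.0.0.50) by E15MB1.example.com (10.0.0.11)
 with Microsoft SMTP Server id 15.0.712.24; Mon, 1 Jul 2013 10:00:01 +0000
"""
PROXIED_HEADERS = """\
Received: from E15MB1.example.com (203.0.113.11) by mx.google.com with ESMTPS id b2;
 Mon, 1 Jul 2013 10:00:03 +0000
Received: from E15MB3.example.com (10.0.0.13) by E15MB3.example.com (10.0.0.13)
 with Microsoft SMTP Server id 15.0.712.24; Mon, 1 Jul 2013 10:00:02 +0000
Received: from CLIENT1.example.com (10.0.0.50) by E15MB3.example.com (10.0.0.13)
 with Microsoft SMTP Server id 15.0.712.24; Mon, 1 Jul 2013 10:00:01 +0000
"""

RECEIVED_RE = re.compile(r"^Received:\s+from\s+(\S+).*?\bby\s+(\S+)", re.I)


def parse_hops(headers):
    """Return (from, by) host pairs in transit order, oldest hop first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)  # join folded header lines
    matches = (RECEIVED_RE.match(line) for line in unfolded.splitlines())
    hops = [(m.group(1).lower(), m.group(2).lower()) for m in matches if m]
    return list(reversed(hops))


def analyse_egress(headers, internal_suffix):
    """Find the internal host that connected to the first external MTA and report
    whether that host ever appears as a receiving ("by") server in the internal hops.
    If it does not, the egress host did not process the message itself, which is the
    accepted-by-E15MB3 / sent-by-E15MB1 pattern the article shows for the proxy case."""
    hops = parse_hops(headers)
    internal_receivers = {by for _, by in hops if by.endswith(internal_suffix)}
    for frm, by in hops:
        if frm.endswith(internal_suffix) and not by.endswith(internal_suffix):
            return {"accepted_by": hops[0][1], "egress": frm,
                    "proxied": frm not in internal_receivers}
    return None  # no hop crossed the internal/external boundary


if __name__ == "__main__":
    for label, text in (("direct", DIRECT_HEADERS), ("proxied", PROXIED_HEADERS)):
        print(label, analyse_egress(text, ".example.com"))
```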

This option is likely to be more useful for organizations that do not use a smart host or Edge Transport server for outbound email routing, and want to control where outbound SMTP connections are coming from. A justification for this would be to simplify the firewall rules.

[Diagram: exchange-2013-front-end-proxy-02]

Personally I don’t expect to see this option used much in small environments, however it could certainly be useful in some larger organizations.

About Paul Cunningham

Paul is a Microsoft Exchange Server MVP and publisher of Exchange Server Pro. He also holds several Microsoft certifications including for Exchange Server 2007, 2010 and 2013. Connect with Paul on Twitter and Google+.

Comments

  1. Thank you again for such wonderful articles.

    Would you please tell me what is the logic behind this? Why would anyone want to proxy traffic to go through CAS servers?

    I did look at the last paragraph but I am still fuzzy.

    I hope there is a good scenario for doing this.

    • This -> “A justification for this would be to simplify the firewall rules.”

      Take a look at the diagram. Now consider that you need to configure outbound SMTP access through the firewall for the Exchange servers that will be sending email to the outside world.

      Is it simpler to configure firewall rules for 16 Mailbox servers, or for 4 Client Access servers?

      The size of the environment and how they have designed their server roles will determine whether this is a useful option to consider.

      • Why would you configure firewall rules for 16 mailbox servers or 4 CAS? You’d have a single IP for the DAG that the 16 mailboxes would share, and a single IP address for the 4 CAS to share using WNLB. Unless the CAS can proxy inbound mail as well, what’s the point?

        • The DAG IP has nothing to do with transport (inbound/outbound email).

          The WNLB (or any load balancer) IP address is for incoming client traffic. You can load balance incoming SMTP if you want to as well, but outbound email is sent from the server’s own IP address not the load balanced IP.

          The CAS *can* proxy outbound email. That is the point of this article.

        • Then what’s the point of the DAG IP?

        • The DAG IP is used by other servers when they want to communicate with the Primary Active Manager (PAM) for the DAG. The PAM is responsible for answering questions such as when a CAS needs to work out where to proxy a client connection to, ie “Where is the active copy of database DB01?”

          You can read more about Active Manager and how it works in DAGs here:
          http://technet.microsoft.com/en-us/library/dd776123(v=exchg.150).aspx

  2. I’m confused. E15MB1 is the Client Access Server and E15MB2/3 are Mailbox servers… right? If yes, I don’t see any difference with/without ticking the proxy option, because E15MB1 (Client Access) sends out the email to the Internet in both cases.

    For me, the difference is that E15MB2 (Mailbox server) receives the email and passes it to E15MB1 for the Internet, while in the second screenshot E15MB2 passes the email to E15MB3 before sending it to E15MB1 (Client Access).

    Could you please clarify further.
