In an Exchange Server 2013 organization the Mailbox server role, through the Transport service that runs on it, is responsible for sending outbound email via a Send Connector.
If you take a look at the properties of a Send Connector you will notice an option to proxy through a Client Access server. In the Exchange Management Shell this is the FrontendProxyEnabled parameter of Set-SendConnector.
When this option is enabled, outbound email that is being sent via that Send Connector does not go directly out from the Mailbox server; instead it is proxied through a Client Access server in the same Active Directory site.
There is nothing complicated going on here. The Mailbox server connects to the Front End Transport service on the Client Access server (the "Outbound Proxy Frontend" receive connector, which listens on TCP port 717), and the Client Access server opens the SMTP session to the destination on its behalf. The receiving host out on the internet therefore sees the connection as coming from the Client Access server name and IP address rather than the Mailbox server. It is a proxy only: routing decisions and queuing still happen on the Mailbox server.
To demonstrate, here is a message header for an email sent without the proxy option enabled.
Notice that in hop 2 the message is received by E15MB1, and then in hop 3 you can see E15MB1 send to mx.google.com. In other words, it was sent directly without proxying.
And here is a message header for an email sent with the proxy option enabled. Note the extra hop before the email goes out to the Google mail servers.
Notice the subtle difference. In hop 2 the message is received by E15MB3, but then in hop 3 the message is being sent from E15MB1 to mx.google.com. E15MB3 has silently proxied the message through the Client Access server role on E15MB1.
This option is likely to be most useful for organizations that do not use a smart host or Edge Transport server for outbound email routing and want to control which servers outbound SMTP connections originate from. The usual justification is simpler firewall rules: outbound TCP 25 only needs to be permitted from the Client Access servers rather than from every Mailbox server.
Personally I don’t expect to see this option used much in small environments, however it could certainly be useful in some larger organizations.
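As an added example, not part of the original article, here is how the same option is set and verified from the Exchange Management Shell. The send connector name "Internet" and the server names E15MB2 and E15MB3 are assumptions for illustration; the "Source Server List" in the EAC corresponds to the SourceTransportServers parameter and only accepts Mailbox or Edge servers.

```powershell
# Added example, not from the original article. Assumed names: a send connector called
# "Internet" and Mailbox servers E15MB2 and E15MB3; substitute your own.
$connector = "Internet"

# 1. Turn on "Proxy through client access server" (the EAC check box maps to this parameter).
Set-SendConnector -Identity $connector -FrontendProxyEnabled $true

# 2. Restrict which Mailbox servers act as source transport servers for this connector.
#    Only Mailbox (or Edge) servers are valid here. You cannot name the CAS that will proxy;
#    Exchange picks a Client Access server in the source server's AD site.
Set-SendConnector -Identity $connector -SourceTransportServers "E15MB2", "E15MB3"

# 3. Confirm the resulting configuration.
Get-SendConnector -Identity $connector |
    Format-List Name, Enabled, FrontendProxyEnabled, SourceTransportServers,
                DNSRoutingEnabled, SmartHosts, AddressSpaces

# 4. Show the CAS-side receive connector that accepts the proxied session (bound to TCP 717)
#    on every Client Access server, along with who is permitted to connect to it.
Get-ReceiveConnector |
    Where-Object { $_.TransportRole -eq "FrontendTransport" -and $_.Name -like "Outbound Proxy Frontend*" } |
    Format-Table Server, Bindings, PermissionGroups, AuthMechanism -AutoSize
```

Once the firewall rule for outbound TCP 25 is limited to the Client Access servers, send a test message to an external mailbox and read its Received headers as the article does; the external MX should record the session as coming from a CAS, not from E15MB2 or E15MB3.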
We have 2 CAS 2013 (both with FileShareWitness) and 4 MBX 2013. Now we are migrating all users to Exchange 2016 multi-role servers.
"Proxy through client access server" is enabled on the Internet send connector.
How can we prevent Exchange from sending messages through the Exchange 2013 CAS? Because we have the FSW, we cannot uninstall the 2013 CAS at the moment.
There was one question here regarding use of a smart host and proxying to CAS. No answer.
So I'm following up: if proxy through CAS is used plus smart hosts, how would that work?
I have 4 CAS servers and 3 mail servers, and the CAS servers are configured for proxying outbound traffic, but the CAS servers do not show up on the mail flow route. What could be the reason/issue? Would you please shed some light on this?
Cheers
In the Send connector properties, Scoping, "Source Server List":
When I try to add a CAS server here, I cannot see the CAS server. I can only see servers which have both the CAS and Mailbox roles installed.
Hi Paul,
When I go to choose which CAS server will proxy, I can't see my CAS server there.
I can only see servers which have both the CAS and Mailbox roles installed.
What do you think?
You don’t get to choose which CAS will proxy. It’s just a tick box.
But then it's not going to do its job. When I check this check box, mails are not going via the CAS. They are still going via the CAS+MBOX server.
I wonder why I can't see a server that has only the CAS role installed on this list?
Why can't I even see the CAS server there?
What list are you referring to?
In the Send connector properties, Scoping, "Source Server List":
When I try to add a CAS server here, I cannot see the CAS server. I can only see servers which have both the CAS and Mailbox roles installed.
You can only add Mailbox servers or Edge servers to that list, not CAS servers. Like I said earlier, CAS proxying is just a tick box. You don’t get to choose which CAS servers are involved.
Sorry, but does that list then mean "proxy mails which are coming from the mailbox servers in this list"?
The mailbox servers in the list are the source transport servers for the send connector. They are responsible for sending outbound email over that send connector. If you tick the box for CAS proxying, they’ll proxy the outbound mail through a CAS server in the site. You don’t get to control which CAS server they choose for that proxying.
If there are 3 source servers on a send connector how are they chosen?
I have a primary datacenter and a secondary site with a tertiary DAG/mailbox server.
I would only like email to send from the 3rd server when the primary site is down.
How can I achieve this automatically?
With multiple servers on a send connector it’s round robin I believe, but I could be wrong on that. It will use them all though.
If you have multiple sites you can configure one connector per site. In the event that your primary site is down and you’re operating out of the secondary site, mail will route out that secondary site connector.
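As an added example, not from the original post or reply, this is one way to build the per-site arrangement described above: a scoped send connector in each Active Directory site, each with its own source Mailbox servers. The topology (E15MB1 and E15MB2 in the primary site, E15MB3 in the secondary site) and the connector names are assumptions.

```powershell
# Added example, not from the original post. Assumed topology: E15MB1 and E15MB2 in the
# primary AD site, E15MB3 in the secondary site. Adjust names to your environment.

# A scoped connector is only visible to Transport services in the AD site of its source
# servers, so Mailbox servers in the other site cannot route out through it.
New-SendConnector -Name "Internet - Primary Site" -Internet `
    -AddressSpaces "SMTP:*;1" `
    -SourceTransportServers "E15MB1", "E15MB2" `
    -IsScopedConnector $true `
    -FrontendProxyEnabled $true

New-SendConnector -Name "Internet - Secondary Site" -Internet `
    -AddressSpaces "SMTP:*;1" `
    -SourceTransportServers "E15MB3" `
    -IsScopedConnector $true `
    -FrontendProxyEnabled $true

# Verify: which connector a server can use follows from its AD site membership.
Get-ExchangeServer |
    Where-Object { $_.ServerRole -like "*Mailbox*" } |
    Format-Table Name, Site, ServerRole -AutoSize

Get-SendConnector |
    Format-Table Name, IsScopedConnector, SourceTransportServers, FrontendProxyEnabled, AddressSpaces -AutoSize
```

One caveat: which connector is used depends on which Mailbox server's Transport service handles the message, so mail processed by E15MB3 goes out the secondary connector in normal operation too, not only during a primary-site outage. If the secondary site must stay silent while the primary is healthy, that has to be arranged through where the active database copies live, not through the connectors.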
Hello Paul,
I have 2 Exchange 2016 mailbox servers in a DAG setup. I have configured an external (public) IP on server_1, and server_2 has no external IP. The send connector is associated with both servers. The problem is that if a user sends two emails, one is likely to go through server_2, which does not have an external IP. In that case it goes through the default gateway configured on the LAN NIC, and eventually the outbound IP of the email sent will be our broadband IP. This sometimes causes some emails to be rejected because of PTR issues. (The broadband IP has no PTR record.)
With the setup I have described, if we want to maintain one public IP for both exchange servers, what option do you think is best and cheap for us? Your help will be most appreciated.
Thank you
Can you explain in more detail what you mean by “I have configured external (public) iP on server_1”?
If "proxy through a Client Access server" is checked, what about PTR?
PTR record should still exist. Proxying through a CAS makes no difference to that recommendation.
I use MS Exchange 2013, and by default the Outbound Proxy Frontend receive connector allows anonymous users in the permission groups. That's the problem; to correct it we need to uncheck anonymous users.
I tested it again.
#telnet ip_address 717
Still can't repro in my environment. That check box on its own doesn't allow open relay. But if the "NT AUTHORITY\ANONYMOUS LOGON" user has been granted the "MS-Exch-SMTP-Accept-Any-Recipient" extended right, then anonymous users will be allowed to relay.
You can view the permissions on the connector by running this (replace SERVERNAME with yours):
Get-ReceiveConnector "SERVERNAME\Outbound Proxy Frontend SERVERNAME" | Get-ADPermission | where {$_.User -like "*Anonymous*"} | Select User,AccessRights,ExtendedRights
Does the server (or another server in your org) also have a receive connector added to it that is used for SMTP relay by other servers/devices/applications on the network? If so, then I suspect when the relay connector was being configured, someone ran the Add-AdPermission cmdlet incorrectly and added that extended right to every connector instead of just the relay connector.
Example of that command is here:
https://www.practical365.com/exchange-2013-configure-smtp-relay-connector/
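As an added example, not the author's code, the following audits every Outbound Proxy Frontend receive connector in the organization for the two conditions raised in this exchange: the Anonymous users permission group being enabled on the connector, and the ms-Exch-SMTP-Accept-Any-Recipient extended right granted to NT AUTHORITY\ANONYMOUS LOGON (the misapplied relay permission described above). The remediation step only touches connectors where the audit found the stray right.

```powershell
# Added example, not from the original thread. Audits the "Outbound Proxy Frontend" receive
# connector on every Client Access server for anonymous relay permissions and removes the
# stray extended right where it is found.
$relayRight = "ms-Exch-SMTP-Accept-Any-Recipient"
$anonUser   = "NT AUTHORITY\ANONYMOUS LOGON"

$findings = Get-ReceiveConnector |
    Where-Object { $_.Name -like "Outbound Proxy Frontend*" } |
    ForEach-Object {
        $rc = $_

        # Condition 1: the "Anonymous users" permission group has been ticked on the connector.
        $anonGroup = ($rc.PermissionGroups -match "Anonymous")

        # Condition 2: an allow ACE grants the relay extended right to the anonymous principal.
        # This is what makes the connector an open relay, regardless of the tick box.
        $anonRelayAce = @($rc | Get-ADPermission |
            Where-Object {
                $_.User -like "*ANONYMOUS LOGON*" -and -not $_.Deny -and
                (@($_.ExtendedRights | ForEach-Object { "$_" }) -contains $relayRight)
            })

        [pscustomobject]@{
            Server            = $rc.Server
            Connector         = $rc.Identity.ToString()
            Bindings          = ($rc.Bindings -join ", ")
            PermissionGroups  = $rc.PermissionGroups.ToString()
            AnonymousGroup    = [bool]$anonGroup
            AnonymousRelayAce = ($anonRelayAce.Count -gt 0)
        }
    }

$findings | Format-Table -AutoSize

# Remediation: strip the relay right from anonymous logon only where the audit found it.
# Add -WhatIf to Remove-ADPermission first if you want to preview the change.
$findings | Where-Object { $_.AnonymousRelayAce } | ForEach-Object {
    Get-ReceiveConnector -Identity $_.Connector |
        Remove-ADPermission -User $anonUser -ExtendedRights $relayRight -Confirm:$false
}
```

A stock Outbound Proxy Frontend connector lists only the Exchange servers permission group, so any row showing AnonymousGroup or AnonymousRelayAce as True means the connector has been changed from its defaults; the second condition is the one that actually permits unauthenticated relay on port 717.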
Hi folks,
There's a security problem on the outbound proxy connector: by default it allows anonymous users on port 717, and if your clients discover it they can configure their clients to send email without authentication.
cheers,
Wneiton
I just tested this using Telnet and it doesn’t allow me to send unauthenticated email to anyone. If you are finding something different I recommend you compare your connector’s settings against the defaults, in case they have been modified. Or, provide detailed repro steps.
Dear Paul,
I have a requirement where I need to send email from Outlook to a SAP inbox. I know about sending email from SAP to Outlook, but my requirement is Outlook to SAP inbox.
As discussed with SAP, they said the Exchange server admin needs to do some configuration at the admin level. This scenario is new for us; right now we are using Exchange Server 2013. Can you please help me with this?
Regards,
When proxying through my CAS servers, the "basic authentication" setting gets ignored: Exchange goes ahead with MAIL FROM: instead of AUTH LOGIN.
It works when the proxy setting is disabled so the mailbox server sends it directly. Does somebody know how to fix that?
Dear Paul
Thank you for sharing this article.
I have a 4-node Exchange 2013 CU7 environment (2 Mailbox and 2 CAS) and I have enabled the Proxy through Client Access Server option.
But when I analyze the message header I do not see the Client Access Server role. Can you share some thoughts in this regard?
NOTE: The outbound SMTP is NATed to the Client Access Server role.
I can’t see your environment or the message header so there’s not much I can suggest.
Ok, so I used the wrong role in my description, my apologies. But that said, I’m in transition between 2010 and 2013. Right now my 2010 CAS/HT is the routing point for all incoming and outgoing. From that machine, mail hits two smart hosts thousands of miles away that are not in my control, and NAT is not involved between my network segment and the destination. This is a sensitive network, so you cannot just decide today that four machines will be relaying email to the smart hosts. Bells and whistles and men with torches and pitchforks will pay a visit quite rapidly.
The configuration WAS nearly identical to your 2003 to 2010 upgrade guide, one 2010 CAS/HT and one 2010 MB in Site A, one 2010 CAS/MB/HT in Site B. In comes 2013 where we’re trying to create the same scenario…however mail flowing out of the org from 2013 has to hit the smart hosts from one IP. Since we’re in transition, I need to move over to everything routing out of the org from 2013 but just got stumped as to how to proceed.
I understand redundancy and all, I’m a big fan of it, but sometimes things are beyond control…
So let me ask this question; how exactly does Exchange decide what machine it’s actually going to relay from? Can any Mailbox Server from any site decide at any point it’s going to relay email? Or can I at least configure it to route mail to the smart hosts from only one AD site?
When you create the send connector to route mail to those smart hosts you can choose any one (or several) source Mailbox server. So if you’re only allowed to send to those smart hosts from one IP, make that server the source for the send connector.
Or put in the required change requests to be allowed to route to the smart hosts from new/multiple IP addresses.
Appreciate your assistance! Your expertise is well respected.
I can’t change the network architecture which by the way had no problems with Exchange 2010 as I could easily determine the CAS server where I configure and enable the Send Connectors. In Exchange 2013 case I can’t create a Send Connector on the CAS as they must be in the MB servers.
Thanks for your time anyways.
Robert.
2010 had the dedicated Hub Transport role so it could be approached differently. Yes you could home a send connector on a specific HT and use your default gateway/routing config to manage which route it took outbound.
With 2013 that Transport function was given to the Mailbox server role. You could achieve the same thing here if you were willing to configure default gateway or routes for that Mailbox server.
If you choose to proxy via the CAS there is no supported method to restrict which CAS is chosen as the proxy from the CAS within that AD site. There are unsupported workarounds like disabling the outbound proxy connector, or blocking specific network ports on that host, but I don't recommend heading down that path.
Why not just have both CAS involved in outbound mail flow via the primary link. Since you need to take manual actions in the event of a link failure (eg update public DNS records for OWA etc) it can just be part of your incident response to also change the gateway on both CAS to work with the other link in those scenarios.
Yes, I thought about disabling outbound proxy connectors or ports but do not like the idea either as I am not sure about the side effects.
Regarding having the two CAS on the primary link: that is not possible; that's what the backup link is set up for, for redundancy (except SMTP). I do not change anything manually; the records for OWA, OA, POP and IMAP are automatically moved by scripts running on the DNS implementation to the healthy link (ISP), the secondary in this case, until the primary link (ISP) is back online. There is no need for anyone to make any change, and the only interruption is the 5 minute TTL of these records while switching ISPs. In rare cases someone notices an outage.
Robert.
Fair enough. Sounds like you’re boxed in by all the other elements at play here being unchangeable. Unfortunately I do not see a way around it from an Exchange config perspective.
Yes, they are in the same datacenter with no BGP. They are on a different ISPs for redundancy so if one ISP goes down remote users (I switch DNS records automatically) can still check their emails.
Yes, I know if the one that supports the SMTP is down then there is no email to/from the Internet but remote users can still log in to their mailboxes and check internal, organization emails.
I think that the topology does not matter, what I really need is use the CAS I want rather than leaving this decision to Exchange.
Thanks,
Robert.
There's no method I know of for doing it that way. In your situation I would revisit that network architecture. It sounds awkward to manage. Why not have all servers communicating out via the same L3 switch or router? Then both can participate in mail flow.
I have the same scenario, I need all to (and from) internet mail to route from one IP address (like I currently do with Exchange 2010) to two smart hosts that are outside of my control and are beyond my network segment.
Would my only option then be to leave the 2010 CAS server that currently has this configuration?
2013 is rapidly (and sadly) becoming my least favorite Exchange version.
The 2010 CAS is not involved in mail flow, that is a job for the 2010 Hub Transport role.
I don’t know your environment but I’m confused by the problem you’re describing. Having multiple servers involved in outbound mail flow with smart hosts shouldn’t be an issue, eg if they’re NATing out the same public IP address.
Because my second CAS server is on a different ISP that I can’t use for SMTP, it’s only for Outlook Anywhere, ActiveSync, IMAP and POP. I need to find the way to tell Exchange 2013 which CAS to use to proxy outbound emails.
I can’t believe there is no way to do this in a decent way.
Thanks,
Robert.
Different ISP? Are these two CAS in the same datacenter? Why have them on different ISPs?
I have a couple of CAS servers and I need only one of them to proxy outbound emails. I can’t have the other CAS do this, so Exchange can not decide. I need to find a way to force the mailbox server to proxy to ONLY the CAS server I decide.
I have not been able to find out how to do this. Can you please let me know if there is a way?
I would really appreciate it.
Thanks,
Robert.
Why not allow both? More resilient to failure that way.
Hi Paul
Great explanation.
Thanks a lot.
Can we use proxy IPs for sending emails?
Great article,
I just wonder if it is possible to use this proxying if you are sending your mails through a smarthost?
If so, is there any good reason for doing so apart from the firewall rules, or is it just complicating things and not a smart thing to do? My own feeling is that it is just an unnecessary thing to do.
If my SMTP source server has both the Mailbox and CAS roles installed, can I use the same settings to route email through a different CAS server, which is the only one able to communicate with the external world?
Paul,
Great article. Quick question for you. How can you know what client access server the email is being proxied to? Further, how could you send this to a load balanced set of Front end servers?
You can see which client access server processed a message by inspecting the headers of the message.
You can’t target it to a load balancer… Exchange will choose an available CAS to proxy through.
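As an added example, not code from the article, here is a small parser that lists the Received: hops of a message in chronological order, which is the manual header inspection described in this reply and what the article's two header comparisons rely on. The header text is constructed for illustration and shaped like the proxied case in the article (hop 2 received by E15MB3, hop 3 seen by the external MX as coming from E15MB1); the example.com domain, message IDs and IP addresses are assumptions.

```powershell
# Added example, not from the article. Parses Received: headers and prints the hops in order.
function Get-ReceivedHops {
    param([Parameter(Mandatory)][string]$Headers)

    # Unfold RFC 5322 continuation lines: a line starting with whitespace continues the previous header.
    $unfolded = $Headers -replace "`r?`n[ \t]+", " "

    # Each hop prepends its own Received: header, so the first one in the text is the most recent.
    $received = @($unfolded -split "`r?`n" | Where-Object { $_ -match '^Received:' })
    [array]::Reverse($received)

    $hop = 0
    foreach ($line in $received) {
        $hop++
        $from = if ($line -match '^Received:\s+from\s+(\S+)') { $Matches[1] } else { '?' }
        $by   = if ($line -match '\sby\s+(\S+)')              { $Matches[1] } else { '?' }
        [pscustomobject]@{ Hop = $hop; From = $from; By = $by }
    }
}

# Constructed sample headers (not a real capture), most recent hop first as in a real message.
$sample = @"
Received: from E15MB1.example.com (E15MB1.example.com. [203.0.113.10])
 by mx.google.com with ESMTPS id k9si1234567; Mon, 21 Jan 2013 10:00:03 +1000
Received: from E15MB2.example.com (10.0.0.12) by E15MB3.example.com (10.0.0.13) with
 Microsoft SMTP Server (TLS) id 15.0.516.32; Mon, 21 Jan 2013 10:00:02 +1000
Received: from E15MB2.example.com ([10.0.0.12]) by E15MB2.example.com ([10.0.0.12]) with
 mapi id 15.00.0516.032; Mon, 21 Jan 2013 10:00:01 +1000
"@

$hops = @(Get-ReceivedHops -Headers $sample)
$hops | Format-Table -AutoSize

# The proxy shows up as a mismatch: the last internal hop was received "by" E15MB3, yet the
# external MX recorded the session as coming "from" E15MB1, the Client Access server.
$external = $hops[-1]
$internal = $hops[-2]
if ($external.From -ne $internal.By) {
    "Session to $($external.By) was opened by $($external.From) on behalf of $($internal.By): proxied through a CAS."
} else {
    "Session to $($external.By) was opened directly by $($internal.By)."
}
```

The same function works on headers pasted from any mail client; the server named in the From column of the final external hop is the Client Access server that proxied the connection, which answers the question of which CAS a given message went through.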
I'm confused. E15MB1 is the Client Access server and E15MB2/3 are Mailbox servers, right? If yes, I don't see any difference with/without ticking the proxy option, because E15MB1 (Client Access) sends out the email to the Internet in both cases.
For me, the difference is that E15MB2 (Mailbox server) receives the email and passes it to E15MB1 to the Internet, while in the second screenshot E15MB2 passes the email to E15MB3 before sending to E15MB1 (Client Access).
Could you please clarify further.
Read the part that says “Notice the subtle difference.”
It points out the subtle difference 🙂
I have had an Exchange 2013 server working great until the other day when mail stopped sending out to the internet. All other functionality works. I deleted the send connector and created a new one. Still no success. Any ideas on this?
Thank you again for such wonderful articles.
Would you please tell me what is the logic behind this? Why would anyone want to proxy traffic to go through CAS servers?
I did look at the last paragraph but I am still fuzzy.
I hope there is a good scenario for doing this.
This -> “A justification for this would be to simplify the firewall rules.”
Take a look at the diagram. Now consider that you need to configure outbound SMTP access through the firewall for the Exchange servers that will be sending email to the outside world.
Is it simpler to configure firewall rules for 16 Mailbox servers, or for 4 Client Access servers?
The size of the environment and how they have designed their server roles will determine whether this is a useful option to consider.
Why would you configure firewall rules for 16 mailbox servers or 4 CAS? You’d have a single IP for the DAG that the 16 mailboxes would share, and a single IP address for the 4 CAS to share using WNLB. Unless the CAS can proxy inbound mail as well, what’s the point?
The DAG IP has nothing to do with transport (inbound/outbound email).
The WNLB (or any load balancer) IP address is for incoming client traffic. You can load balance incoming SMTP if you want to as well, but outbound email is sent from the server’s own IP address not the load balanced IP.
The CAS *can* proxy outbound email. That is the point of this article.
Then what’s the point of the DAG IP?
The DAG IP is used by other servers when they want to communicate with the Primary Active Manager (PAM) for the DAG. The PAM is responsible for answering questions such as when a CAS needs to work out where to proxy a client connection to, ie “Where is the active copy of database DB01?”
You can read more about Active Manager and how it works in DAGs here:
http://technet.microsoft.com/en-us/library/dd776123(v=exchg.150).aspx