We would like to split our users' OWA experience so that internal users will get single sign on plus have access to download attachments (as they currently can). External users will not be able to download attachments via OWA; single sign on obviously shouldn't hinder the users' logon process. I want to check if anyone can think of any glaring issues we can run into, as this is being rushed and researching pitfalls and testing is not an option.
Existing infrastructure – all Exchange 2010 SP2 RU6
Live site:
2 X Hub servers
2 X CAS servers in a Windows NLB
2 X MBX servers in a DAG.
DR site:
1 X CAS
1 X HUB
1 X MBX
The plan is to install 2 new CAS servers in a new CAS array at the live site with one additional server at DR. These new servers in a new CAS array will be configured so that they will prevent users from accessing attachments via OWA. No authentication settings will be changed. The existing CAS servers in the original CAS array will be configured to allow single sign on; no attachment control setting will be changed. The existing 3rd party certificate will be reminted to include the new CAS servers and installed on all CAS servers. On TMG, a publishing rule will be configured to point external OWA traffic to the new CAS array that has the restricted OWA settings.
On the new CAS array should we:
1 – create new web site with new virtual directories for OWA and ECP on the new CAS servers?
2 – make the configuration changes on the default OWA virtual directory on the new CAS servers?
Questions:
If we remove the internal URL for OWA on the new CAS servers will this mean they no longer service internal requests and we have effectively ring fenced the new CAS array?
Concern:
Although autodiscover.domain.com resolves to the original CAS array, I want to make sure introducing new servers will have no negative impact. Previously a colleague added a new CAS server that was not part of the CAS array, then deleted the computer account in AD and wiped the server. When he did this we could see Outlook hanging on send/receive. I know that was because the AD connection points were still live, as the server wasn't decommissioned correctly as he didn't ask. If we try and ring fence two CAS arrays I don't want any similar problems. What services will the new servers offer just by being in AD? What is the overlap?
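The following Exchange 2010 Management Shell script is an added example, not part of the original post and not the poster's own configuration. It records the current OWA posture of every CAS, applies the attachment restriction only to the externally published servers, clears their InternalUrl so internal URL distribution never hands them out, pins their Autodiscover SCP at the existing autodiscover namespace so a client that happens to bind to the new server's SCP is still directed to the original array, and then verifies the split. Server names (CAS-EXT01/02 for the new servers, CAS-INT01/02 for the existing ones) and the external hostname owa-ext.domain.com are assumed placeholders. One caveat worth knowing before relying on the "second CAS array" idea: in Exchange 2010 the ClientAccessArray object serves the RPC Client Access (Outlook MAPI) endpoint and there can be only one per Active Directory site, so for OWA the new servers are really a separate load-balanced HTTPS namespace, which is all this script configures.

```powershell
# Added example (not from the original post). Exchange 2010 Management Shell.
# Assumed placeholder names: new externally published CAS and existing internal CAS.
$externalCas = @("CAS-EXT01", "CAS-EXT02")
$internalCas = @("CAS-INT01", "CAS-INT02")
$externalOwaUrl = "https://owa-ext.domain.com/owa"                         # placeholder hostname
$autodiscoverUri = "https://autodiscover.domain.com/Autodiscover/Autodiscover.xml"

# 1. Snapshot the current posture of every OWA virtual directory before touching anything,
#    so the change can be reviewed and rolled back. Authentication settings are listed but never set.
function Get-OwaPostureReport {
    Get-OwaVirtualDirectory |
        Select-Object Server, Name,
            DirectFileAccessOnPublicComputersEnabled,
            DirectFileAccessOnPrivateComputersEnabled,
            WebReadyDocumentViewingOnPublicComputersEnabled,
            WebReadyDocumentViewingOnPrivateComputersEnabled,
            InternalUrl, ExternalUrl,
            FormsAuthentication, WindowsAuthentication, BasicAuthentication
}

# 2. Restrict only the externally published servers. Direct file access (download) is disabled for
#    both "public" and "private" OWA sessions; WebReady viewing stays on so users can still read
#    attachments in the browser. InternalUrl is cleared so internal clients are never pointed here.
function Set-ExternalOwaRestriction {
    foreach ($server in $externalCas) {
        Set-OwaVirtualDirectory -Identity "$server\owa (Default Web Site)" `
            -DirectFileAccessOnPublicComputersEnabled  $false `
            -DirectFileAccessOnPrivateComputersEnabled $false `
            -WebReadyDocumentViewingOnPublicComputersEnabled  $true `
            -WebReadyDocumentViewingOnPrivateComputersEnabled $true `
            -ForceWebReadyDocumentViewingFirstOnPublicComputers  $true `
            -ForceWebReadyDocumentViewingFirstOnPrivateComputers $true `
            -InternalUrl $null `
            -ExternalUrl $externalOwaUrl

        # The new server registers an Autodiscover SCP in AD simply by being installed. Pointing that
        # SCP at the existing namespace means a domain-joined Outlook that binds to it is still sent
        # to the original CAS array rather than to the restricted server.
        Set-ClientAccessServer -Identity $server -AutoDiscoverServiceInternalUri $autodiscoverUri
    }
}

# 3. Verify the split: external servers must have download off and no InternalUrl; internal servers
#    must be unchanged (download still on). Returns $true only when every check passes.
function Test-OwaSplit {
    $ok = $true
    foreach ($server in $externalCas) {
        $v = Get-OwaVirtualDirectory -Server $server | Where-Object { $_.Name -like "owa*" }
        if ($v.DirectFileAccessOnPublicComputersEnabled -or
            $v.DirectFileAccessOnPrivateComputersEnabled -or
            $v.InternalUrl) {
            Write-Warning "$server still allows attachment download or still has an InternalUrl"
            $ok = $false
        }
        $scp = (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri
        if ("$scp" -ne $autodiscoverUri) {
            Write-Warning "$server SCP is '$scp', expected '$autodiscoverUri'"
            $ok = $false
        }
    }
    foreach ($server in $internalCas) {
        $v = Get-OwaVirtualDirectory -Server $server | Where-Object { $_.Name -like "owa*" }
        if (-not $v.DirectFileAccessOnPrivateComputersEnabled) {
            Write-Warning "$server lost attachment download unexpectedly"
            $ok = $false
        }
    }
    return $ok
}

# Show which CAS array and SCPs AD currently knows about, to answer "what is the overlap?".
Get-ClientAccessArray | Format-List Fqdn, Site, Members
Get-ClientAccessServer | Format-Table Name, AutoDiscoverServiceInternalUri, AutoDiscoverSiteScope -AutoSize

Get-OwaPostureReport | Format-Table -AutoSize   # review before changing
Set-ExternalOwaRestriction
if (-not (Test-OwaSplit)) { throw "OWA split verification failed; review warnings above" }
```

Run the report and the two Get-ClientAccess* listings first and keep their output; that is the rollback reference and shows exactly which SCPs the new servers add to AD. The verification function is the part to rerun after any later change (certificate remint, TMG rule edits) to confirm the restricted servers have not silently regained an InternalUrl or download rights.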