
Overview

For Exchange Server, almost every client will need to separate the network traffic on ports 443 and 25. In this case, they need a reverse proxy. I will use the IIS ARR (Application Request Routing) service as the proxy server. Here is a diagram that shows the architecture of the lab for this post.

image

Make sure the servers located in the DMZ use two NICs: one for the internet and one for the private network.

ref) Configuration IIS ARR for exchange server:

0. Index

  1. IIS Proxy ARR
     1.1 Basic settings
     1.2 Server Farms
     1.3 URL Rewrite rules

  2. Logs

  3. Warning

  4. Test

1. IIS Proxy ARR

I will skip the install steps.

1.1 Basic settings

First, install the Exchange server’s public SSL certificate on the ARR server. Then go to “IIS Manager > Sites > Default Web Site > Bindings > https > Edit” and assign the public SSL certificate to the https binding.

Second, go to Home > Application Request Routing Cache.

Go to Server Proxy Settings.

Check “Enable proxy”.

Lastly, create a new server farm.

1.2 Server Farms

Once you have created the server farm, you have a few options there.

Caching: uncheck “Enable disk cache” and apply.

Health Test: enter your external Exchange server URL, “https://FQDN/owa/healthcheck.htm”.

Monitoring and Management: once your health test has passed, your server will show as available and healthy.

Proxy: set as shown in the following image.

image

Routing Rules: uncheck both options.

1.3 URL Rewrite rules

Now, this is the important part in the whole configuration.

From Routing Rules in the server farm, go to URL Rewrite.

I have already added the URL Rewrite rule here. Let’s take a look at the details.

If the requested URL matches (all URLs), two conditions are checked: is it HTTPS, and does the host match the pattern (.all.run.place)?

If both conditions are met, the request is routed to the server farm over HTTPS.

2. Logs

All the logs are in this path:

  • C:\inetpub\logs\LogFiles\W3SVC1

3. Warning

If the inbound rule does not match the requested URL exactly, you will encounter a 500 error like the one below. This is quite tricky if you are dealing with this kind of LB.

image

4. Test

Test the Exchange server services.

image

Result

This is so customisable that it is difficult to handle… Good luck.