Questions about replacing existing CAS array in Exchange 2010 SP1
Hello: I have three existing CAS/MB/DAG servers which are currently configured in the CAS array cas-array-01.my-domain.local. I’m using DNS round-robin and have to manually change the records during failovers. For added redundancy and less manual intervention during failovers, I plan to set up two new CAS servers in an NLB cluster and change the DNS entry of cas-array-01.my-domain.local to point to the VIP of the NLB cluster. Right now we don’t have the budget for a hardware load balancer, so that’s why we’re going with NLB.

Some questions:

1. My SSL certs have all my server names and CAS arrays listed, so do I need to change the Exchange-related IIS virtual directories on the CAS NLB cluster servers, per http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/40f05965-a496-440e-b9fb-0db763aabdff/?
2. Even though the backend CAS/MB servers still have the CAS roles, once clients connect to the CAS NLB cluster, would the CAS NLB cluster connect to the MB roles directly, bypassing the CAS roles of the MB servers?
3. If my assumption in question 2 is correct, is there any issue with removing the CAS roles on the MB servers?
4. Are there any other issues or settings that I need to consider when making this change?

Thank you.
April 21st, 2011 12:36pm

1. My SSL certs have all my server names and CAS arrays listed, so do I need to change the Exchange-related IIS virtual directories on the CAS NLB cluster servers, per http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/40f05965-a496-440e-b9fb-0db763aabdff/?
You don't need the CAS array name in your SAN certificate. It is used internally only. Do you have this cert configured on the existing CAS now? You would configure the IIS virtual directories on your CAS arrays.

2. Even though the backend CAS/MB servers still have the CAS roles, once clients connect to the CAS NLB cluster, would the CAS NLB cluster connect to the MB roles directly, bypassing the CAS roles of the MB servers?
You would change all your mailbox databases to use the CAS array as the RpcClientAccessServer.

3. If my assumption in question 2 is correct, is there any issue with removing the CAS roles on the MB servers?
Yes

4. Are there any other issues or settings that I need to consider when making this change?
Make sure your CAS array is configured and is responding to users internally and externally before removing the CAS role on the CAS\MBX server.
April 21st, 2011 1:55pm


Hi, Thanks, LMurthy, for sharing the reply. And do you have any update? Thanks

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
April 24th, 2011 10:34pm

I updated the CAS array with an NLB cluster and it's working fine. The only change I've made so far is changing the DNS entry of cas-array-01.my-domain.local to point to the VIP of the NLB cluster. My comments to LMurthy's comments are below.

1. My SSL certs have all my server names and CAS arrays listed, so do I need to change the Exchange-related IIS virtual directories on the CAS NLB cluster servers, per http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/40f05965-a496-440e-b9fb-0db763aabdff/?
You don't need the CAS array name in your SAN certificate. It is used internally only. Do you have this cert configured on the existing CAS now? You would configure the IIS virtual directories on your CAS arrays.
SysAdmin-E.com: I haven't made this change, but I think I would need the CAS array name in the SAN certificate if I want clients to connect using the CAS array name, even if the clients are internal.

2. Even though the backend CAS/MB servers still have the CAS roles, once clients connect to the CAS NLB cluster, would the CAS NLB cluster connect to the MB roles directly, bypassing the CAS roles of the MB servers?
You would change all your mailbox databases to use the CAS array as the RpcClientAccessServer.
SysAdmin-E.com: This isn't necessary because I'm still using the same CAS array name. I'm just replacing the existing CAS servers with an NLB cluster.

3. If my assumption in question 2 is correct, is there any issue with removing the CAS roles on the MB servers?
Yes
SysAdmin-E.com: I'll leave the CAS role on the MB servers for now in case there are issues with the CAS array.

4. Are there any other issues or settings that I need to consider when making this change?
Make sure your CAS array is configured and is responding to users internally and externally before removing the CAS role on the CAS\MBX server.
April 25th, 2011 9:49am

1. MAPI does not make use of HTTPS connections, so you don't need SSL certs for your CAS array.
2. Yes
3. No, I don't see any issue
4. No, I don't see any issue

James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
April 25th, 2011 10:27am

James: Regarding your response "MAPI does not make use of HTTPS connections, so you don't need SSL certs for your CAS array," this is one area that I'm not clear on. Wouldn't the CAS array be used for more than just MAPI/RPC? It's a CAS role, so wouldn't internal clients access it for OWA, OAB, etc.? If not, then why would there be the issue mentioned in http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/40f05965-a496-440e-b9fb-0db763aabdff/?

From what I've read, the focus of the CAS array is for HA of the RPC Client Access service, so there isn't much discussion of using the CAS array for the other CAS services. Assuming I have no other CAS roles in my org other than the two NLB nodes in my CAS array, my clients wouldn’t have any choice but to use the CAS array/nodes for all CAS services. The clients could connect to each node directly, but that would defeat the purpose of HA, so wouldn't I want all CAS services to be using the FQDN of the CAS array? Am I on the right track with this? Thanks.
April 25th, 2011 11:52am

Yes, the "CAS server" will. The WNLB name will require SSL certs; the CAS array name does not. The CAS array name and the WNLB name do not need to be the same; typically they're not.

The WNLB name would typically be mail.company.com, requiring SSL. The CAS array could be casarray.company.com.

When configuring WNLB you only create the cluster for mail.company.com, but you also create a DNS record for casarray.company.com that points to the same WNLB cluster IP as mail.company.com.

No, you don't run into those issues in that thread, because you don't set the internalURLs to be that of your CAS array name but your WNLB name.

James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
April 25th, 2011 11:58am

You can set the internalURL to the CAS array name (in which case you need an SSL cert); however, for CAS-to-CAS proxying across sites it must use the internal server name and not the CAS array name. For smaller environments in which you don't need to do CAS proxying across sites, that's fine.

So for internalURL it's the internal FQDN of the Exchange server name, and for externalURL it's the WNLB name (not the CAS array name). With this config you won't get any cert errors as long as your SAN cert has all the internal FQDNs of your Exchange servers.

James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
April 25th, 2011 12:16pm
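
The certificate point in the reply above can be checked directly. The following is an added example, not code from any poster in this thread: it lists every host name a CAS publishes over HTTPS and reports whether the SAN list of its IIS-bound certificate covers it. It assumes the Exchange 2010 Management Shell with read access to all CAS servers; `Test-SanMatch` is a helper name introduced here.

```powershell
# Added example (Exchange 2010 Management Shell, PowerShell 2.0 syntax).
# Test-SanMatch is a helper defined for this example only.
function Test-SanMatch([string]$HostName, [string[]]$Domains) {
    foreach ($d in $Domains) {
        if ($d -eq $HostName) { return $true }   # -eq is case-insensitive
        # A wildcard entry covers exactly one left-most label (*.company.com)
        if ($d.StartsWith('*.') -and $HostName.Contains('.') -and
            $HostName.Substring($HostName.IndexOf('.') + 1) -eq $d.Substring(2)) {
            return $true
        }
    }
    return $false
}

foreach ($cas in Get-ClientAccessServer) {
    $s = $cas.Name

    # Virtual directories whose InternalUrl/ExternalUrl clients reach over HTTPS
    $vdirs = @(Get-OwaVirtualDirectory -Server $s) +
             @(Get-EcpVirtualDirectory -Server $s) +
             @(Get-WebServicesVirtualDirectory -Server $s) +
             @(Get-OabVirtualDirectory -Server $s) +
             @(Get-ActiveSyncVirtualDirectory -Server $s)

    $urls = @($cas.AutoDiscoverServiceInternalUri)
    foreach ($v in $vdirs) { $urls += $v.InternalUrl; $urls += $v.ExternalUrl }

    # Reduce the URLs to unique host names, skipping unset values
    $hosts = @($urls | Where-Object { $_ } |
               ForEach-Object { ([uri]"$_").Host } | Sort-Object -Unique)

    # SAN entries of every certificate enabled for IIS on this server
    $domains = @(Get-ExchangeCertificate -Server $s |
                 Where-Object { $_.Services -match 'IIS' } |
                 ForEach-Object { $_.CertificateDomains } |
                 ForEach-Object { "$_" })

    foreach ($h in $hosts) {
        New-Object PSObject -Property @{
            Server = $s; HostName = $h; CoveredBySan = (Test-SanMatch $h $domains)
        }
    }
}

# The CAS array FQDN is what the mailbox databases hand to MAPI/RPC clients;
# it only needs to be in the SAN list if it also appears as a HostName above.
Get-ClientAccessArray | Select-Object Name, Fqdn, Site
Get-MailboxDatabase | Select-Object Name, RpcClientAccessServer
```

Any row with `CoveredBySan` set to `False` is a name that will produce a certificate warning for clients using that URL.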

Important point: the internal CAS array name (the FQDN you have set on the mailbox databases for MAPI client access) should NOT be accessible externally in DNS; otherwise Outlook Anywhere clients will attempt to connect to it, causing longer than usual connection times.
April 25th, 2011 12:20pm

I thought I did enough reading on CAS arrays, but it seems that I’ve missed some areas. I’ll have to do some more reading. I had set up my NLB cluster FQDN and CAS array FQDN to be the same, which is cas-array-01.my-domain.local. This is only for internal MAPI access and it seems to work fine. Thanks to everyone for your replies.
April 25th, 2011 9:04pm

This topic is archived. No further replies will be accepted.
