Forum Discussion
Outlook password prompt when CAS Exchange failover
- Mar 25, 2014
Hi scorpa, this is a known issue and there's no way to completely solve it, other than to migrate your users to Outlook Anywhere. We recommend that in general since RPC Client Access has been deprecated for Exchange 2013.
If you have Outlook clients that are left open, those clients will send keep alives that will prevent the TCP idle timeout setting from tearing down the connections. When you reboot the CAS they are connected to, or take it down for maintenance, they will be prompted for authentication.
You can drain-stop the pool member by disabling it and waiting until the TCP idle timeout period has passed (by default it's 2 hours), but your clients will still need to authenticate when they connect to the other CAS.
thanks
Mike
- scorpa_121336 (Nimbostratus), Mar 26, 2014: Thank you Mike for your reply! But we have deployed Outlook Anywhere already, and as I understood we can't use it inside our local network, can we? And what about the scheme with NLB, because with NLB there aren't any authentication prompts in case of CAS failover. What will happen if we tune the TCP idle timeout on server-side TCP connections below the Outlook dead timers?
- mikeshimkus_111 (Historic F5 Account), Mar 26, 2014: You can absolutely use Outlook Anywhere in your local network. Another benefit of OA from an F5 perspective is that the iApp uses an EAV monitor to log into the mailbox, instead of a simple TCP monitor (which is all we have for RPC). BTW, I recommend going to downloads.f5.com and downloading the f5.microsoft_exchange_2010_2013_cas.v1.2.0.tmpl template. It includes many fixes and new features over the 06_08 version.

  I did some reading up on NLB, and Microsoft's documentation on NLB states: "When its client affinity parameter setting is enabled, Network Load Balancing directs all TCP connections from one client IP address to the same cluster host. This allows session state to be maintained in host memory. However, should a server or network failure occur during a client session, a new logon may be required to re-authenticate the client and re-establish session state."

  I'd read that to mean that you should be getting prompted when using NLB, or at least that the mechanism to prevent it is not built into NLB. But I'm not very familiar with it, either. You can change the idle timeout setting, but when the connections time out, those clients will still need to reauthenticate.