Client Access Server (CAS)
What is Client Access Server (CAS)?
The Client Access Server (CAS) is a server role that handles all client connections to Exchange Server 2010 and Exchange 2013. It supports all client connections to Exchange Server from Microsoft Outlook and Outlook Web App (OWA), as well as ActiveSync applications. The CAS also provides access to free/busy data in Exchange calendars.
Client Access Server explained
The CAS is the server that handles client communication. It replaces the front-end server from Exchange 2000 and 2003, and provides mailbox access for multiple types of Exchange clients, except Outlook MAPI clients. It also routes mail between the Exchange Server and external internet-based email systems.
In addition to client access, the CAS also provides access to:
- offline address book
- autodiscover service
- availability service
In Exchange Server 2007 and Exchange 2010, the CAS is one of five server roles. However, in Exchange Server 2013, it is only one of three server roles -- the other two being the Mailbox server and the Edge Transport server with Service Pack 1.
The CAS is thin and stateless and does not do data rendering. It doesn't store or queue any data on it. The CAS must be installed in every Exchange Server organization and on every Active Directory (AD) site that has the Exchange mailbox server role installed.
Client Access Server in Exchange Server 2013
In Exchange 2013, the CAS redirects SIP traffic generated from incoming calls to the Mailbox server. It functions like a front door that admits all client requests and routes them to the correct active Mailbox database. It accepts clients accessing their mailbox through these protocols:
CAS also supports Exchange ActiveSync (EAS), Outlook Anywhere -- formerly known as Remote Procedure Call -- and OWA. Additionally, the CAS provides authentication, proxy and limited redirection services. For client authentications, the CAS sends the authentication (AuthN) data to the corresponding Mailbox server.
In addition to managing client connections via redirection and proxy functions, it provides network security, via Secure Sockets Layer (SSL), and client authentication. In some scenarios, the CAS may redirect the request to a more suitable CAS, such as one running a more recent Exchange Server version or one that resides in a different location.
Fewer namespaces are required in Exchange 2013 for site-resilient solutions than were required in Exchange 2010. Also, it's no longer necessary to provide affinity for the RPC Client Access service.
Client Access Server features
Here are several major features of CAS:
Stateless server
As a stateless server, CAS eliminates the need for session affinity, which was a challenge in previous versions of Exchange. For instance, in the Outlook Web App, all requests from a particular client had to be handled by a specific CAS within a load-balanced array of CAS.
In Exchange Server 2013, mailbox-related processing happens on the Mailbox server. Consequently, it doesn't matter which CAS receives each individual client request and session affinity is no longer a necessity at the load balancer level. This change allows balanced inbound connections to CAS using simple load balancing technology like DNS round robin. And hardware load balancing devices can support more concurrent connections.
Connection pooling
To connect with the mailbox servers and effectively pool all connections to them, the CAS uses a privileged account which is a member of the Exchange Servers group. An array of CAS is capable of handling millions of client connections from the internet while requiring fewer connections to proxy the requests to the mailbox servers. This improves processing efficiency and latency.
Exchange architecture before and after 2013
The Exchange architecture has undergone several changes.
Consolidated server roles
In Exchange 2013 and earlier versions, users could install the CAS role and the Mailbox server role on separate computers. In Exchange 2016 and later, the CAS is automatically installed as part of the Mailbox server role, rather than as a separate installation option.
The multi-role Exchange server architecture ensures that all Exchange servers in the environment use the same hardware and configuration. It also reduces the need for physical Exchange servers.
This simplifies the maintenance of Exchange Servers and improves scalability by effectively distributing the workload across a larger number of physical machines. Finally, a multi-role Exchange server can survive a greater number of Client Access role or service failures, increasing resilience and service availability.
Improved search capabilities
From Exchange 2013 onwards, the local search instance can read data from the local mailbox database copy, reducing bandwidth requirements by 40% or more. Asynchronous disk reads are now possible during search, providing sub-second search query latency for online clients (e.g., Outlook on the web).
Office online server preview for Outlook
In Exchange 2016 and later, Outlook on the web uses Office Online Server Preview to provide rich document preview and editing capabilities. It also ensures a consistent document experience when used with other products such as Microsoft SharePoint or Skype for Business.
MAPI over HTTP connection
In Exchange 2013 Service Pack 1, MAPI over HTTP offers improvements over the older Outlook Anywhere (RPC over HTTP) connection method. In Exchange 2016 and later, MAPI over HTTP can be enabled or disabled per user. It can also be advertised to external clients.
Changes to client connectivity
RPC/TCP direct access protocol is no longer supported in Exchange Server 2013. Instead, all Outlook connectivity uses RPC over HTTPS or, with Exchange 2013 SP1 and Outlook 2013 SP1, MAPI over HTTP. Consequently, there's no need to have the RPC Client Access service on the CAS.
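Because every client protocol now reaches the CAS over HTTPS, its IIS logs show which protocols are in use and by whom. The following Python example is added here and is not part of the original article: it classifies IIS log lines by virtual directory and lists users still connecting over Outlook Anywhere rather than MAPI over HTTP. The paths are the standard Exchange virtual directories; the log lines and CONTOSO accounts are constructed sample data.

```python
from collections import Counter, defaultdict

# Standard IIS virtual directories on a CAS, mapped to the client protocol served.
ENDPOINTS = {
    "/mapi": "MAPI over HTTP",
    "/rpc": "Outlook Anywhere (RPC over HTTP)",
    "/owa": "Outlook Web App",
    "/microsoft-server-activesync": "Exchange ActiveSync",
    "/autodiscover": "Autodiscover",
    "/oab": "Offline address book",
}

# Constructed sample in IIS W3C extended log format (not from a real server).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2024-03-01 08:00:01 POST /mapi/emsmdb/ CONTOSO\\alice 203.0.113.10 200
2024-03-01 08:00:02 RPC_IN_DATA /rpc/rpcproxy.dll CONTOSO\\bob 203.0.113.11 200
2024-03-01 08:00:03 POST /Microsoft-Server-ActiveSync CONTOSO\\alice 198.51.100.7 200
2024-03-01 08:00:04 GET /owa/ - 198.51.100.9 401
2024-03-01 08:00:05 GET /autodiscover/autodiscover.xml CONTOSO\\carol 203.0.113.12 200
"""

def classify(uri_stem):
    """Return the client protocol for a request path, or None if it is not listed."""
    path = uri_stem.lower().rstrip("/") + "/"
    return next((p for pre, p in ENDPOINTS.items() if path.startswith(pre + "/")), None)

def parse(log_text):
    """Yield one dict per request, taking column names from the #Fields header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and len(line.split()) == len(fields):
            yield dict(zip(fields, line.split()))

def summarize(log_text):
    """Count requests per protocol; list users seen on Outlook Anywhere but not MAPI over HTTP."""
    per_protocol, users = Counter(), defaultdict(set)
    for row in parse(log_text):
        protocol = classify(row["cs-uri-stem"])
        if protocol:
            per_protocol[protocol] += 1
            if row["cs-username"] != "-":
                users[protocol].add(row["cs-username"].lower())
    legacy = users["Outlook Anywhere (RPC over HTTP)"] - users["MAPI over HTTP"]
    return per_protocol, sorted(legacy)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```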