
Proxying Outbound Email Through Exchange 2013 Client Access Servers

In an Exchange Server 2013 organization the Mailbox server role is responsible for sending outbound email via a Send Connector.

If you take a look at the properties of a Send Connector you will notice an option to proxy through a Client Access server.


When this option is enabled outbound email that is being sent via a Send Connector does not go directly out from the Mailbox server, and instead is proxied through a Client Access server in the site.

There is nothing complicated going on here; the Client Access server simply acts as a proxy for the connection, so that the receiving host out on the internet sees the connection as coming from the Client Access server's name and IP address rather than the Mailbox server's.

To demonstrate, here is a message header for an email sent without the proxy option enabled.


Notice that in hop 2 the message is received by E15MB1, and then in hop 3 you can see E15MB1 send to mx.google.com. In other words, it was sent directly without proxying.

And here is a message header for an email sent with the proxy option enabled. Note the extra hop before the email goes out to the Google mail servers.


Notice the subtle difference. In hop 2 the message is received by E15MB3, but then in hop 3 the message is being sent from E15MB1 to mx.google.com. E15MB3 has silently proxied the message through the Client Access server role on E15MB1.
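Since the whole demonstration rests on reading the Received: chain, here is an added PowerShell example (not part of the original post) that lists the hops in delivery order and reports whether the host the external MX saw differs from the host that last received the message internally, which is the signature of the proxy hop described above. The header text is a constructed sample using the article's server names; the contoso.local domain and the IP addresses are assumptions.

```powershell
# Added example, not code from the original article: list the hops in a
# message's Received: headers in delivery order and tell whether the host that
# connected to the external MX is the same host that last received the message
# internally. If not, a front-end proxy (the CAS) sat in the outbound path.
# Server names are those used in the article; the header text is constructed.

function Get-ReceivedHops {
    param([Parameter(Mandatory)][string]$RawHeaders)
    # Unfold RFC 5322 continuation lines, then keep only Received: headers.
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    $received = @($unfolded -split "`r?`n" | Where-Object { $_ -match '^Received:' })
    # Each hop prepends its own Received: header, so the top one is the last
    # hop. Reverse so hop 1 is the first server that handled the message.
    [array]::Reverse($received)
    $hop = 0
    foreach ($line in $received) {
        $hop++
        $from = if ($line -match 'from\s+([^\s(]+)') { $matches[1] } else { '?' }
        $by   = if ($line -match '\sby\s+([^\s(]+)')  { $matches[1] } else { '?' }
        [pscustomobject]@{ Hop = $hop; From = $from; By = $by }
    }
}

function Test-OutboundProxied {
    param([Parameter(Mandatory)][object[]]$Hops)
    if ($Hops.Count -lt 2) { return $false }
    # Compare host labels only, so E15MB1 and E15MB1.contoso.local match.
    $lastInternal = ($Hops[-2].By   -split '\.')[0]
    $externalFrom = ($Hops[-1].From -split '\.')[0]
    return -not ($lastInternal -ieq $externalFrom)
}

# Constructed sample matching the article's "proxy enabled" case: E15MB3
# receives the message on hop 2, yet mx.google.com sees it arrive from E15MB1.
$sample = @"
Received: from E15MB1.contoso.local (E15MB1.contoso.local. [192.0.2.10])
        by mx.google.com with ESMTPS id abc123
Received: from E15MB2.contoso.local (10.0.0.2) by E15MB3.contoso.local
        (10.0.0.3) with Microsoft SMTP Server (TLS) id 15.0.847.32
Received: from E15MB2.contoso.local ([fe80::1]) by E15MB2.contoso.local
        ([fe80::1%12]) with mapi id 15.00.0847.030
"@

$hops = Get-ReceivedHops -RawHeaders $sample
$hops | Format-Table -AutoSize
"Proxied through a CAS: $(Test-OutboundProxied -Hops $hops)"
```

Run the same two functions against the headers of a message sent with the option disabled and the last internal "By" host and the external "From" host coincide, which is the directly sent case.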

This option is likely to be more useful for organizations that do not use a smart host or Edge Transport server for outbound email routing, and want to control where outbound SMTP connections are coming from. A justification for this would be to simplify the firewall rules.


Personally I don’t expect to see this option used much in small environments, however it could certainly be useful in some larger organizations.

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.


  1. Michael says:

    Thank you again for such wonderful articles.

    Would you please tell me what is the logic behind this? Why would anyone want to proxy traffic to go through CAS servers?

    I did look at the last paragraph but I am still fuzzy.

    I hope there is a good scenario for doing this.

    • This -> “A justification for this would be to simplify the firewall rules.”

      Take a look at the diagram. Now consider that you need to configure outbound SMTP access through the firewall for the Exchange servers that will be sending email to the outside world.

      Is it simpler to configure firewall rules for 16 Mailbox servers, or for 4 Client Access servers?

      The size of the environment and how they have designed their server roles will determine whether this is a useful option to consider.

      • DK says:

        Why would you configure firewall rules for 16 mailbox servers or 4 CAS? You’d have a single IP for the DAG that the 16 mailboxes would share, and a single IP address for the 4 CAS to share using WNLB. Unless the CAS can proxy inbound mail as well, what’s the point?

        • The DAG IP has nothing to do with transport (inbound/outbound email).

          The WNLB (or any load balancer) IP address is for incoming client traffic. You can load balance incoming SMTP if you want to as well, but outbound email is sent from the server’s own IP address not the load balanced IP.

          The CAS *can* proxy outbound email. That is the point of this article.

  2. Suriya says:

    I'm confused. E15MB1 is the Client Access Server and E15MB2/3 are Mailbox servers, right? If yes, I don't see any difference with/without ticking the proxy option, because E15MB1 (Client Access) sends out the email to the Internet in both cases.

    For me, the difference is that E15MB2 (Mailbox server) receives the email and passes it to E15MB1 for the Internet, while in the second screenshot E15MB2 passes the email to E15MB3 before sending it to E15MB1 (Client Access).

    Could you please clarify further.

  3. SteveTill says:


    Great article. Quick question for you. How can you know what client access server the email is being proxied to? Further, how could you send this to a load balanced set of Front end servers?

    • You can see which client access server processed a message by inspecting the headers of the message.

      You can’t target it to a load balancer… Exchange will choose an available CAS to proxy through.

  4. S Subramanian says:

    If my SMTP source server is installed with both the Mailbox and CAS roles, can I use the same settings to route email through a different CAS server which is the only one able to communicate with the external world?

  5. Micke says:

    Great article,

    I just wonder if it is possible to use this proxying if you are sending your mails through a smarthost?

    If so, is there any good reason for doing so apart from the firewall rules, or is it just complicating things and not a smart thing to do? My own feeling is just that it is just an unnecessary thing to do.

  6. Robert says:

    I have a couple of CAS servers and I need only one of them to proxy outbound emails. I can’t have the other CAS do this, so Exchange can not decide. I need to find a way to force the mailbox server to proxy to ONLY the CAS server I decide.

    I have not been able to find out how to do this. Can you please let me know if there is a way?

    I would really appreciate it.



  7. Robert says:

    Because my second CAS server is on a different ISP that I can’t use for SMTP, it’s only for Outlook Anywhere, ActiveSync, IMAP and POP. I need to find the way to tell Exchange 2013 which CAS to use to proxy outbound emails.

    I can’t believe there is no way to do this in a decent way.



  8. Robert says:

    Yes, they are in the same datacenter with no BGP. They are on different ISPs for redundancy, so if one ISP goes down remote users (I switch DNS records automatically) can still check their emails.

    Yes, I know if the one that supports the SMTP is down then there is no email to/from the Internet but remote users can still log in to their mailboxes and check internal, organization emails.

    I think that the topology does not matter; what I really need is to use the CAS I want rather than leaving this decision to Exchange.



    • There's no method I know of for doing it that way. In your situation I would revisit that network architecture. It sounds awkward to manage. Why not have all servers communicating out via the same L3 switch or router, then both can participate in mail flow.

      • Chris says:

        I have the same scenario, I need all to (and from) internet mail to route from one IP address (like I currently do with Exchange 2010) to two smart hosts that are outside of my control and are beyond my network segment.

        Would my only option then be to leave the 2010 CAS server that currently has this configuration?

        2013 is rapidly (and sadly) becoming my least favorite Exchange version.

        • The 2010 CAS is not involved in mail flow, that is a job for the 2010 Hub Transport role.

          I don’t know your environment but I’m confused by the problem you’re describing. Having multiple servers involved in outbound mail flow with smart hosts shouldn’t be an issue, eg if they’re NATing out the same public IP address.

  9. Robert says:

    I can’t change the network architecture which by the way had no problems with Exchange 2010 as I could easily determine the CAS server where I configure and enable the Send Connectors. In Exchange 2013 case I can’t create a Send Connector on the CAS as they must be in the MB servers.

    Thanks for your time anyways.


    • 2010 had the dedicated Hub Transport role so it could be approached differently. Yes you could home a send connector on a specific HT and use your default gateway/routing config to manage which route it took outbound.

      With 2013 that Transport function was given to the Mailbox server role. You could achieve the same thing here if you were willing to configure default gateway or routes for that Mailbox server.

      If you choose to proxy via the CAS there is no supported method to restrict which CAS is chosen as the proxy from the CAS within that AD site. There are unsupported workarounds like disabling the outbound proxy connector, or blocking specific network ports on that host, but I don't recommend heading down that path.

      Why not just have both CAS involved in outbound mail flow via the primary link. Since you need to take manual actions in the event of a link failure (eg update public DNS records for OWA etc) it can just be part of your incident response to also change the gateway on both CAS to work with the other link in those scenarios.

      • Robert says:

        Yes, I thought about disabling outbound proxy connectors or ports but do not like the idea either as I am not sure about the side effects.
        Regarding having the two CAS on the primary link, that is not possible; that's what the backup link is set up for, for redundancy (except SMTP). I do not change anything manually; the records (OWA, OA, POP, IMAP) are automatically moved by scripts running on the DNS implementation to the healthy link (ISP), the secondary in this case, until the primary link (ISP) is back online. There is no need for anyone to make any change, and the only interruption is the 5 minute TTL of the record(s) while switching ISPs. In rare cases someone notices an outage.


  10. Chris says:

    Ok, so I used the wrong role in my description, my apologies. But that said, I’m in transition between 2010 and 2013. Right now my 2010 CAS/HT is the routing point for all incoming and outgoing. From that machine, mail hits two smart hosts thousands of miles away that are not in my control, and NAT is not involved between my network segment and the destination. This is a sensitive network, so you cannot just decide today that four machines will be relaying email to the smart hosts. Bells and whistles and men with torches and pitchforks will pay a visit quite rapidly.

    The configuration WAS nearly identical to your 2003 to 2010 upgrade guide, one 2010 CAS/HT and one 2010 MB in Site A, one 2010 CAS/MB/HT in Site B. In comes 2013 where we’re trying to create the same scenario…however mail flowing out of the org from 2013 has to hit the smart hosts from one IP. Since we’re in transition, I need to move over to everything routing out of the org from 2013 but just got stumped as to how to proceed.

    I understand redundancy and all, I’m a big fan of it, but sometimes things are beyond control…

    So let me ask this question; how exactly does Exchange decide what machine it’s actually going to relay from? Can any Mailbox Server from any site decide at any point it’s going to relay email? Or can I at least configure it to route mail to the smart hosts from only one AD site?

    • When you create the send connector to route mail to those smart hosts you can choose any one (or several) source Mailbox server. So if you’re only allowed to send to those smart hosts from one IP, make that server the source for the send connector.

      Or put in the required change requests to be allowed to route to the smart hosts from new/multiple IP addresses.

  11. Muraleedaran says:

    Dear Paul

    Thank you for sharing this article.

    I have a 4 node Exchange 2013 CU7 Exchange environment (2 Mbox and 2 CAS) and I have enabled the Proxy through Client Access Server option.

    But when I analyze the Message Header I do not see the Client Access Server Role – Can you share some thoughts in this regard?

    NOTE:- The outbound SMTP is NAT to the Client Access Server role.

  12. Florian says:

    When proxying through my CAS servers, the “basic authentication” setting gets ignored – Exchange goes ahead with MAIL FROM: instead of AUTH LOGIN.
    It works when the proxy setting is disabled so the mailbox server sends it directly. Does somebody know how to fix that?

  13. Wneiton says:

    Hi folks,

    There's a security problem on the outbound proxy connector: by default it allows anonymous users on port 717, and if your clients discover it, they can configure their clients to send email without authentication.


    • I just tested this using Telnet and it doesn’t allow me to send unauthenticated email to anyone. If you are finding something different I recommend you compare your connector’s settings against the defaults, in case they have been modified. Or, provide detailed repro steps.

  14. Wneiton says:

    I use Ms Exchange 2013, and by default the Outbound Proxy FrontEnd (Receive Connector) allows anonymous users in the permission groups, that’s the problem, to correct it we need to uncheck anonymous users.

    I tested it again.

    #telnet ip_address 717

    • Still can't repro in my environment. That check box on its own doesn't allow open relay. But if the "NT AUTHORITY\ANONYMOUS LOGON" user has been granted the "MS-Exch-SMTP-Accept-Any-Recipient" extended right, then anonymous users will be allowed to relay.

      You can view the permissions on the connector by running this (replace SERVERNAME with yours):

      Get-ReceiveConnector "SERVERNAME\Outbound Proxy Frontend SERVERNAME" | Get-ADPermission | where {$_.User -like "*Anonymous*"} | Select User,AccessRights,ExtendedRights

      Does the server (or another server in your org) also have a receive connector added to it that is used for SMTP relay by other servers/devices/applications on the network? If so, then I suspect when the relay connector was being configured, someone ran the Add-AdPermission cmdlet incorrectly and added that extended right to every connector instead of just the relay connector.

      Example of that command is here:
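As an added example that is not part of the reply above, the following Exchange Management Shell script generalizes the one-connector check to every receive connector in the organization. It flags connectors where the anonymous logon holds the ms-Exch-SMTP-Accept-Any-Recipient right and shows each one's bindings, permission groups and remote IP ranges, so a deliberately scoped relay connector can be told apart from a default connector that picked up the right by mistake. It only prints a Remove-ADPermission command per finding; it changes nothing.

```powershell
# Added example (not the author's script): enumerate every receive connector
# in the organization and report the ones where NT AUTHORITY\ANONYMOUS LOGON
# holds the ms-Exch-SMTP-Accept-Any-Recipient extended right. That right, on a
# connector that also accepts anonymous connections, is what turns a connector
# into an anonymous relay. Run from the Exchange Management Shell; read-only.

$RelayRight = 'ms-Exch-SMTP-Accept-Any-Recipient'

function Get-AnonymousRelayConnector {
    param([string]$Server)   # optional: limit to one server's connectors

    $connectors = if ($Server) { Get-ReceiveConnector -Server $Server } else { Get-ReceiveConnector }

    foreach ($rc in $connectors) {
        # Allow ACEs only; a Deny entry does not grant the right.
        $grants = $rc | Get-ADPermission |
            Where-Object {
                -not $_.Deny -and
                $_.User -like '*ANONYMOUS LOGON*' -and
                ($_.ExtendedRights | Where-Object { "$_" -ieq $RelayRight })
            }
        if (-not $grants) { continue }

        [pscustomobject]@{
            Connector        = $rc.Identity
            Bindings         = ($rc.Bindings -join ', ')
            # Anonymous permission group plus the relay right = open relay
            # for whatever RemoteIPRanges allows to connect.
            AnonymousAllowed = [bool]("$($rc.PermissionGroups)" -match 'AnonymousUsers')
            RemoteIPRanges   = ($rc.RemoteIPRanges -join ', ')
            # A relay connector scoped to a few trusted app servers is by
            # design; the default Outbound Proxy Frontend connector is not.
            IsOutboundProxy  = $rc.Name -like 'Outbound Proxy Frontend*'
            Remediation      = "Remove-ADPermission -Identity '$($rc.Identity)' " +
                               "-User 'NT AUTHORITY\ANONYMOUS LOGON' -ExtendedRights $RelayRight"
        }
    }
}

# Show findings, default system connectors first: those were never meant to
# relay, so a hit there is the misconfiguration the reply above describes.
Get-AnonymousRelayConnector |
    Sort-Object -Property IsOutboundProxy -Descending |
    Format-List
```

Review the RemoteIPRanges of each finding before running the printed Remove-ADPermission line, since a dedicated relay connector restricted to known application servers is the one place that right belongs.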

  15. Scott says:

    If there are 3 source servers on a send connector how are they chosen?
    I have a primary datacenter and a secondary site with a tertiary DAG/mailbox server.
    I would only like email to send from the 3rd server when the primary site is down.

    How can I achieve this automatically?

    • With multiple servers on a send connector it’s round robin I believe, but I could be wrong on that. It will use them all though.

      If you have multiple sites you can configure one connector per site. In the event that your primary site is down and you’re operating out of the secondary site, mail will route out that secondary site connector.

      • Amin Ismaila says:

        Hello Paul,
        I have 2 Exchange 2016 mailbox servers in a DAG setup. I have configured an external (public) IP on server_1 and server_2 has no external IP. The send connector is associated with both servers. The problem is if a user sends two emails, one is likely to go through server_2 which does not have an external IP. In that case it goes through the default gateway configured on the LAN NIC and eventually the outbound IP of the email sent will be our Broadband IP. This sometimes causes some emails to be rejected because of PTR issues. (The Broadband IP has no PTR record.)
        With the setup I have described, if we want to maintain one public IP for both exchange servers, what option do you think is best and cheap for us? Your help will be most appreciated.
        Thank you
