E14 Proxying for Exchange ActiveSync

If User 1 tries to access Client Access server 02 using Exchange ActiveSync, they’ll receive an error because Client Access server 01 is the appropriate Client Access server for their mailbox.

1. The following scenario shows how incoming requests are handled for a user who connects to an Exchange 2010 Client Access server named CAS-01 using a mobile device.

2. The Client Access server queries the Active Directory to determine the location of the user’s mailbox and the version of Microsoft Exchange installed on the Mailbox server. If the user’s mailbox is on an Exchange 2010 computer that has the Mailbox server role installed, go to step 3.

3. Exchange ActiveSync requests are always proxied to the Exchange 2003 back-end (B-E) ActiveSync IIS virtual directory, whether it is in the same AD site or a different one.

An E2010 CAS can proxy directly to the E2K3 B-E.

If the user’s mailbox is on an Exchange 2003 server, the incoming request is proxied to the Exchange 2003 server that hosts the user’s mailbox and the Exchange ActiveSync virtual directory. By default, in Exchange 2003, the Exchange ActiveSync virtual directory was installed on all mailbox servers. If the incoming request is to an Exchange 2010 Client Access server that’s in a different Active Directory site than the destination back-end server, the request will be proxied directly to the destination back-end server, even if there is an Exchange 2010 Client Access server within the destination Active Directory site. If the incoming request is to an Exchange 2010 Client Access server within the same Active Directory site as the destination back-end server, the request will be proxied directly to the destination back-end server.

4. Integrated Windows authentication must be enabled on E2K3 so that E2K3 B-E users can authenticate to the virtual directory through the E2010 CAS.

Users who have mailboxes on an Exchange 2003 server who try to use Exchange ActiveSync through an Exchange 2010 Client Access server will receive an error and be unable to synchronize unless Integrated Windows authentication is enabled on the Microsoft-Server-ActiveSync virtual directory on the Exchange 2003 server. This enables the Exchange 2010 Client Access server and the Exchange 2003 back-end server to communicate using Kerberos authentication.


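5. E2010 users need the CAS InternalURL and Integrated Windows authentication for ActiveSync proxying.

Otherwise ActiveSync proxying is not possible.

If a CAS has an ExternalURL, meaning it is an Internet-facing CAS, ActiveSync proxying will not be possible.

The correct ExternalURL of the owning AD site must be configured directly for ActiveSync Internet access.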

If the user’s mailbox is on an Exchange 2010 Mailbox server, CAS-01 locates a Client Access server in the same Active Directory site as the user’s Mailbox server. If there’s a Client Access server closer to the user’s Mailbox server, Exchange 2010 determines whether the Client Access server has the InternalURL property configured and if the authentication method is Integrated Windows authentication.

If so, the user is proxied to the Client Access server specified by the InternalURL property. Otherwise, the request is rejected. An error code is returned to the mobile phone if the request is rejected. If the proxied Client Access server has the ExternalURL property configured on the Microsoft-Server-ActiveSync virtual directory, an HTTP error code 451 will be returned.


6. Proxying does not support Basic authentication; Integrated Windows authentication must be enabled.
Proxying isn’t supported between virtual directories that use Basic authentication. For client communications to be proxied between virtual directories on different servers, the virtual directories must use Integrated Windows authentication.
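
The proxy rules in steps 5 and 6 can be checked per virtual directory. The following is an added example, not part of the original post: `Test-EasProxyTarget` is a hypothetical helper name, and the sample servers and URLs are constructed. It uses PowerShell 2.0 syntax so that it runs in the Exchange 2010 Management Shell.

```powershell
# Added example: classify a Microsoft-Server-ActiveSync virtual directory as a
# usable proxy target according to the rules described on this page.
function Test-EasProxyTarget {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $VirtualDirectory
    )
    process {
        $findings = @()
        if (-not $VirtualDirectory.InternalUrl) {
            $findings += 'InternalURL not set: proxied request is rejected'
        }
        if (-not $VirtualDirectory.WindowsAuthEnabled) {
            $findings += 'Integrated Windows authentication off: proxied request is rejected'
        }
        if ($VirtualDirectory.ExternalUrl) {
            $findings += 'ExternalURL set: device receives HTTP 451'
        }
        New-Object PSObject -Property @{
            Server      = $VirtualDirectory.Server
            ProxyTarget = ($findings.Count -eq 0)
            Findings    = ($findings -join '; ')
        } | Select-Object Server, ProxyTarget, Findings
    }
}

# Constructed sample objects (hypothetical servers and URLs) so the function
# can be tried without an Exchange organization.
$sample = @(
    (New-Object PSObject -Property @{
        Server = 'CAS-01'; WindowsAuthEnabled = $false
        InternalUrl = 'https://cas-01.corp.example/Microsoft-Server-ActiveSync'
        ExternalUrl = 'https://mail.example.com/Microsoft-Server-ActiveSync'
    }),
    (New-Object PSObject -Property @{
        Server = 'CAS-02'; WindowsAuthEnabled = $true
        InternalUrl = 'https://cas-02.corp.example/Microsoft-Server-ActiveSync'
        ExternalUrl = $null
    })
)

$sample | Test-EasProxyTarget | Format-List

# Against a live organization, feed the real virtual directories instead:
# Get-ActiveSyncVirtualDirectory | Test-EasProxyTarget | Format-List
```

In the sample, CAS-01 is flagged on two counts (Integrated Windows authentication off, ExternalURL set) and CAS-02 is reported as a usable proxy target.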

Proxying InternalURL and ExternalURL settings for an Internet-facing Client Access server


Proxying InternalURL and ExternalURL settings for a non-Internet-facing Client Access server
Blog Extended Reading

More Information & Reference
Understanding Proxying and Redirection


LAB: Exchange 2003 Remote Wipe

Exchange 2003 SP2 OMA – Enable Device Security

If a phone does not support it, enabling device security will not stop those unsupported phones from using ActiveSync.


Remote Wipe

Remote Wipe requires an administration tool to be installed on the Exchange 2003 SP2 front-end (F-E) server; only Exchange administrators and local administrators have permission to run it.

A.

B. Enter the mailbox of the user whose phone's ActiveSync data is to be wiped

C. Choose to wipe

D. The phone is now set to wipe its ActiveSync data at its next connection

E. Log

More Information
1. http://www.msexchange.org/tutorials/Exchange-2003-Mobile-Messaging-Part2-Uncovering-Device-Security-Policies.html
2. http://www.microsoft.com/technet/itsolutions/mobile/deploy/msfp_6.mspx
3. http://www.microsoft.com/technet/prodtechnol/exchange/2003/mobility_sp2.mspx

Exchange 2003 OMA

1. Exchange 2003 Global Setting for OMA

2. Remote Wipe: the following settings are not enabled by default

3. Use separate FQDNs for Exchange OWA and OMA
ex: https://owa.msft.com, https://oma.msft.com


Other errors

1. 您的使用者帳戶尚未啟用以進行無線存取。請連絡您的系統管理員以取得其他協助。

OMA Your user account has not been enabled for wireless access. Please contact your system administrator for additional assistance

More Information

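1. Exchange Server Mobile Messaging Management Expert – Push Mail Configuration and Deployment Handbook

2. Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003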

3. Problems with Forms-Based Authentication and SSL in ActiveSync