Load balancing Client Access Servers using F5 Big IP Load Balancers

  • Load balancing Client Access Servers using F5 Big IP Load Balancers

    Hi,

    I'm looking to load balance my CAS servers using a F5 Big IP load balancer.

    Environment:

    Two Exchange Servers: MX1 and MX2, both installed with CAS, Hub Transport and Mailbox roles

    DAG

    OWA and external client access using a UAG cluster

    I've got access to a F5 load balancer

    Incoming SMTP traffic is load balanced between the two servers using the load balancer.

    External Access:

    I've setup two UAG servers within the DMZ zone. Created a virtual ip on the load balancer and added both servers as nodes. The external client access domain is pointing to this virtual ip. I've added all my Exchange servers as web servers to the UAG App and published OWA over the DMZ. The SSL certificate is installed on the F5 load balancer, the UAG servers and the Exchange servers.

    Internal Access:

    I'm using DAG in my Exchange environment, so databases are highly available; however, the CAS servers are not internally balanced, and this is where I need some advice. Let's say I restart MX1: the clients that are connected to their mailboxes through MX1 get disconnected and cannot connect until MX1 is up and running. Ideally, the clients that get disconnected should automatically connect to their mailboxes using the other server, MX2. This is not happening; some of my clients connect using MX1 and the others get connected using MX2.

    What do I need to do in my environment to achieve load balancing for the CAS?

    I can set up a virtual IP on the load balancer using the RPC port and add both Exchange servers as nodes. But how do I point my clients to the virtual IP internally? DNS? If so, what A record would I have to create? How does the SSL certificate business work? What SANs would I need? I have mx1.domain.com, mx2.domain.com and of course the external access domain on my current SSL certificate. Would I have to add any other SANs to the existing certificate? Any other things I need to consider?

    Thanks,

  • #2
    Re: Load balancing Client Access Servers using F5 Big IP Load Balancers

    As a bare minimum you should have an RPC CAS Array. That should have been there since day 1, because the problem you have now is that to implement it you need to visit every machine and repair the profile. I have not found a way to automatically update Outlook to use the RPC CAS Array address.

    As the CAS Array exists in DNS only, if you were planning to reboot one of the servers then you would simply change the DNS entry to point to the other server. Wait 30 minutes (or double whatever the TTL time is on the DNS entry) so that the clients are now using the other host, then reboot.

    The RPC CAS Array address is exclusive to the Outlook MAPI traffic - it should not be used for anything else, and should not resolve on the internet.

    For web services, you can use the same host name internally as you do externally, with a split DNS system to ensure that it resolves correctly.

    http://semb.ee/hostnames

    If you want internal automatic failover, then due to the design you have implemented you will need a second load balancer.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.

    • #3
      Re: Load balancing Client Access Servers using F5 Big IP Load Balancers

      That's bad news... well, let's say I've decided to take on the unnecessary work and will be happy to correct the CAS entry on each client workstation. What would be the steps?

      This is what I have in mind, anything I've missed?

      1. Create a virtual IP using the RPC port on the load balancer and add both Exchange servers as nodes.
      2. Create a CAS Array with a unique FQDN such as client.domain.com using the Exchange Management Shell.
      3. Add all databases to this newly created CAS Array through the management shell.
      4. Create a new A record on my DNS server pointing the CAS Array domain to the virtual IP address on the load balancer.
      5. Both servers are installed with CAS, Hub Transport and Mailbox roles, and the web services are configured the same way that page you posted in your answer suggests. So I'm assuming I don't have to change the web services configuration. The only thing that is worrying me is Autodiscover.
      6. External access is handled by UAG, so I don't have to change anything there either.
      7. Go to the client machine, remove the email account, restart Outlook, and Outlook should automatically pick up the array address.
      8. Some people who attempt this are having issues with certificates and credential prompts; is there anything I'm missing in terms of security configuration?

      Thanks,

      Cengiz

      • #4
        Re: Load balancing Client Access Servers using F5 Big IP Load Balancers

        Personally I would start with the CAS Array configuration, creating a new host name and pointing it to one of the existing servers with the CAS role.
        Then adjust the database configuration. That way any changes made to an Outlook profile will use the new address.

        For Outlook profiles, it is just a matter of opening the account settings and choosing repair. It is something that end users can do if you send out instructions. However until they are using the CAS Array address they will not be going through any load balancer you may implement later.

        By doing it that way, you can be sure that everything works before you introduce another load balancer, or adjust your existing one. It also means that if something goes wrong, you can just move the DNS entry back to direct rather than a virtual IP address.

        The primary reason for SSL prompts is that you haven't updated all of the URLs, including the AutodiscoverServiceInternalURI, to match the host name on the SSL certificate.

        Simon.

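The CAS Array steps planned in #3, in the order and with the URL alignment Simon recommends in #4, as Exchange 2010 Management Shell commands. This is an added example, not something posted in the thread; the host names client.domain.com, mail.domain.com and autodiscover.domain.com, the AD site name, the DNS zone and the address 10.0.0.50 are constructed placeholders, and the DNS step assumes the Windows DnsServer module (Server 2012 or later).

```powershell
# Added example (not from the thread). Placeholders: host names, AD site, zone, IP.
$CasArrayFqdn = "client.domain.com"       # Outlook MAPI/RPC only; internal DNS only
$WebHostName  = "mail.domain.com"         # web services name present on the SSL cert
$AutodiscFqdn = "autodiscover.domain.com"
$AdSite       = "Default-First-Site-Name"
$DnsZone      = "domain.com"
$ArrayIp      = "10.0.0.50"               # start with one CAS's IP, move to the F5 VIP later
$CasServers   = "MX1", "MX2"

# 1. Create the array and point every database at it (post #4: do this first, so
#    every profile repair from now on picks up the array address).
New-ClientAccessArray -Name $CasArrayFqdn -Fqdn $CasArrayFqdn -Site $AdSite
Get-MailboxDatabase | Set-MailboxDatabase -RpcClientAccessServer $CasArrayFqdn

# 2. Internal A record with a short TTL, so the post #2 "move the DNS entry" trick
#    only needs a few minutes to take effect. Not resolvable from the internet.
Add-DnsServerResourceRecordA -ZoneName $DnsZone -Name "client" -IPv4Address $ArrayIp -TimeToLive 00:05:00

# 3. Make every internal URL match a name on the certificate; mismatches here are
#    the usual cause of the certificate and credential prompts raised in #3/#4.
#    The CAS Array FQDN itself is not TLS-terminated and needs no SAN.
foreach ($srv in $CasServers) {
    Set-ClientAccessServer -Identity $srv -AutoDiscoverServiceInternalUri "https://$AutodiscFqdn/Autodiscover/Autodiscover.xml"
    Set-WebServicesVirtualDirectory -Identity "$srv\EWS (Default Web Site)" -InternalUrl "https://$WebHostName/EWS/Exchange.asmx"
    Set-OABVirtualDirectory -Identity "$srv\OAB (Default Web Site)" -InternalUrl "https://$WebHostName/OAB"
    Set-OwaVirtualDirectory -Identity "$srv\owa (Default Web Site)" -InternalUrl "https://$WebHostName/owa"
    Set-EcpVirtualDirectory -Identity "$srv\ecp (Default Web Site)" -InternalUrl "https://$WebHostName/ecp"
    Set-ActiveSyncVirtualDirectory -Identity "$srv\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "https://$WebHostName/Microsoft-Server-ActiveSync"
}

# 4. Check that the certificate bound to IIS actually carries the names used above,
#    before any client is repointed.
$needed  = $WebHostName, $AutodiscFqdn
$iisCert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match "IIS" }
$onCert  = $iisCert | ForEach-Object { $_.CertificateDomains } | ForEach-Object { $_.ToString() }
$missing = $needed | Where-Object { $onCert -notcontains $_ }
if ($missing) { Write-Warning "Add these SANs before going live: $($missing -join ', ')" }

# 5. Confirm the database mapping took effect.
Get-MailboxDatabase | Select-Object Name, RpcClientAccessServer
```

Only after the profile repairs are done and confirmed through the array name should the A record be moved from the single server's address to the F5 virtual IP.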
        • #5
          Re: Load balancing Client Access Servers using F5 Big IP Load Balancers

          Got forwarded to this link... it may resolve the problem of manually repairing each client's account via Outlook.

          http://social.technet.microsoft.com/...m=exchange2010

          • #6
            Re: Load balancing Client Access Servers using F5 Big IP Load Balancers

            May be the key word here.
            You would need to test it, as I think it may create a new Outlook profile. That could cause you some problems.

            Simon.
