Published: 29 April 2013
Load Balancing in Exchange 2013 is an article written by Jaap Wesselius, a Microsoft MVP for Exchange Server. It shows how you can load balance Exchange 2013 …
I wrote about load balancing in Exchange 2013 earlier, but that blog was based on the beta of Exchange 2013. Time has passed and there’s some more insight, so I decided to update this blog…
In an earlier article I explained load balancing in Exchange 2010. The important topics are the setup of the load balancer (one arm vs two arm), but routing, persistence, distribution and SSL offloading of the client traffic are important as well.
One thing to note is that in Exchange 2010 the connection between the client and the Exchange 2010 CAS server is very important. The CAS server is where all the rendering takes place, so the connection between the client and the CAS server is a stateful connection, one that you want to maintain during the lifetime of the connection. Therefore persistence is important in load balancing Exchange 2010.
In Exchange 2013 things are different. All rendering takes place in the Exchange 2013 Back-End (i.e. the Mailbox Server) while the Exchange 2013 Front-End is nothing more than a protocol proxy. The connection between the client and the Exchange 2013 Front-End server is therefore a stateless connection. Don’t interpret this as a ‘clue-less’ connection: the Front-End server authenticates the client connection and proxies it to the correct Mailbox Server, and as such is 100% aware of the connection. But if the connection is somehow lost and reconnected through another Exchange 2013 Front-End server it is not such a big deal, since the connection with the Mailbox Server is automatically restored.
Another thing to note is that Exchange 2013 does not support SSL Offloading at RTM (this was communicated publicly during MEC2012). It is possible to perform SSL bridging at the load balancer (SSL is terminated at the load balancer and re-encrypted towards the Exchange 2013 Front-End server) to get additional functionality. Using SSL bridging it is again possible to use cookie-based persistence or any other form of HTTP header modification (like SuperHTTPS). Of course Exchange 2013 will support SSL Offloading but it is unknown when. Maybe when a Cumulative Update is released (hopefully) or when SP1 is released (too long I’m afraid).
Microsoft is positioning Layer 4 load balancing for Exchange 2013, where the load balancer forwards connections directly to the Exchange 2013 Front-End server. The downside of this solution is that the only option for persistence is source IP. On the other hand this is not that important, since the connections on the Exchange 2013 Client Access Server are stateless anyway, so there’s no need to configure persistence at all. A friendly note from Baptiste Assmann: to get this working properly the clients and the servers should NOT be in the same subnet!
Since the load balancer doesn’t do anything with the incoming connections it is a good thing to create multiple Virtual Services on the load balancer, one for every service. In this blog I will create dedicated Virtual Services for:
- OWA & ECP;
- Exchange Web Services;
- Outlook Anywhere.
Configuring the load balancer (a KEMP LoadMaster in this example) is not a big deal. Log on to the LoadMaster using a browser. In the menu on the left expand Virtual Services and click Add New. Enter the IP address that you want to use (this is the VIP), the port number and a Service Name. Since there are no templates for Exchange 2013 available (yet) we don’t select anything, and the protocol is TCP. Click Add this Virtual Service to create the new Virtual Service.
In the Virtual Service properties screen we have to configure the new Virtual Service as a Layer 4 service, so deselect the Force Layer 7 checkbox. Since the connection to the Exchange 2013 Client Access Server is stateless we don’t need to configure persistence, so set the persistence option to None.
Please note that the Exchange 2013 CAS servers have the LoadMaster configured as their Default Gateway.
SSL Offloading will not be used so scroll down to the Real Server area. In the Checked Port field enter 443 (don’t forget to click the Set Check Port button!) and leave the URL field empty. Click Add to add both Exchange 2013 Front-End servers.
Now we’ve created a Layer 4 Virtual Service that will load balance incoming requests across both Exchange 2013 Front-End servers, so all logic will now take place on the Exchange 2013 servers. The basic properties screen of the Virtual Service shows the level of load balancing.
Of course these steps are repeated for every Virtual Service that needs to be created.
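The two routing preconditions this setup relies on (the CAS servers use the load balancer as default gateway, and clients are not in the server subnet) can be checked before go-live. The following Python check is an added example, not part of the original article or of KEMP's tooling; all names and addresses are constructed, and it assumes the Layer 4 service passes the client's source IP through unchanged.

```python
import ipaddress

def check_l4_topology(lb_gateway, real_servers, client_sources):
    """Return findings for a transparent Layer 4 virtual service; [] means OK.

    lb_gateway     -- load balancer address on the server-side network
    real_servers   -- {name: ("ip/prefix", default_gateway)}
    client_sources -- client IPs or CIDR ranges that will connect to the VIP
    """
    findings = []
    gateway = ipaddress.ip_address(lb_gateway)
    server_nets = set()
    for name, (iface, default_gw) in sorted(real_servers.items()):
        server_nets.add(ipaddress.ip_interface(iface).network)
        # Return traffic has to pass the load balancer so it can rewrite the
        # source address from the real server back to the VIP.
        if ipaddress.ip_address(default_gw) != gateway:
            findings.append(f"{name}: default gateway {default_gw} is not "
                            f"the load balancer ({lb_gateway})")
    for src in client_sources:
        src_net = ipaddress.ip_network(src, strict=False)
        for net in sorted(server_nets):
            # An on-link client is answered directly, not via the default
            # gateway, so it receives a reply from the real server's IP
            # instead of the VIP and discards it.
            if src_net.overlaps(net):
                findings.append(f"{src}: inside server subnet {net}, "
                                f"replies would bypass the load balancer")
    return findings

# Constructed sample topology (addresses are illustrative, not from the article).
SAMPLE_SERVERS = {
    "CAS01": ("10.0.20.11/24", "10.0.20.1"),
    "CAS02": ("10.0.20.12/24", "10.0.20.254"),  # wrong gateway on purpose
}
SAMPLE_CLIENTS = ["10.0.10.0/24", "10.0.20.50"]  # second one shares the subnet

def run_sample():
    """Run the check against the constructed topology above."""
    return check_l4_topology("10.0.20.1", SAMPLE_SERVERS, SAMPLE_CLIENTS)

if __name__ == "__main__":
    for line in run_sample():
        print(line)
```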
When you click Statistics it is possible to show the number of connections per Real Server or per Virtual Service. You can see that all connections are evenly distributed:
But Outlook Anywhere contributes the most to all connections:
The only thing we now have to do is wait until Microsoft releases more information regarding Managed Availability, especially when it comes to load balancing vendors.
Source : JaapWesselius.com
Follow Jaap on Twitter: @Jaapwess
Responses to Load Balancing in Exchange 2013
SSL Offloading is not officially supported with Exchange 2013 but works like a charm. It will be supported officially, just a matter of time.
SSL Bridging works, indeed. So you should consider Layer7, not Layer4.
I wrote a complete guide how to do this with HAProxy, the engine behind Exceliance appliances (100 times better than KEMP’s).
The article is in French, but the document is in English: