Load balancing Microsoft Exchange

From securityrouter.org, an OpenBSD-based firewall
Revision as of 19:08, 16 October 2013 by Anders (talk | contribs)

Exchange 2010

This guide shows how to load balance two (or more) Exchange servers using a single-NIC load balancer, both on the inside network and towards the Internet. The load balancer can be either a hardware appliance or a virtual machine. To keep this guide simple, SSL offloading is not used; all SSL is therefore terminated at the Exchange servers, where the certificates are installed.

Network overview

Both Exchange servers are multi-role, running CAS/MBX/HT. CAS runs in a CAS Array, MBX runs in a DAG, and we will also load balance internal SMTP for 3rd party applications. The diagram shows the Halon load balancer in a cluster (high availability) setup, but this is not a requirement: the configuration is the same whether it is a single-node or a clustered load balancer.

Configure static port mapping

Exchange 2010 uses different protocols for different clients:

Client          Protocol  TCP ports
Outlook         RPC       Random
OWA (web)       HTTPS     443
ActiveSync      HTTPS     443
OA (anywhere)   HTTPS     443

By default, Exchange 2010 uses the TCP End Point Mapper port (tcp/135) and the dynamic RPC port range (6005-59530) every time an Outlook client establishes a connection to Exchange. Creating a load balancer configuration for such a range gets quite complex, so it is recommended to configure Exchange to use dedicated, static ports for RPC client communication. This is easily configured on Exchange SP1+ servers by adding the registry values below. The port values can be anything you want, but we recommend the values below so that you can easily follow this guide. In this example the RPC Client Access Service will use tcp/59532 and the Address Book Service will use tcp/59533. As before, tcp/135 is still used for the initial communication. Note that we assume you are running Exchange 2010 SP1 or newer. Otherwise, see the link below.

Path:  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem
Type:  REG_DWORD
Name:  TCP/IP Port
Value: 59532

Path:  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters
Type:  REG_SZ
Name:  RpcTcpPort
Value: 59533

After that, you need to restart the following services (or reboot the server) on each CAS server:

  • Microsoft Exchange RPC Client Access
  • Microsoft Exchange Address Book

No change is needed on the clients, since they learn these ports from the End Point Mapper automatically. We also recommend that you roll out these values using GPP (Group Policy Preferences) so that every CAS server gets the same configuration. For more information, please read the official Microsoft article[1].
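The registry values and service restarts above, as an added PowerShell example (not from the original page): it writes both values, restarts the two services and checks that the static ports are actually listening. It assumes you run it elevated on each CAS server and uses the port numbers recommended in this guide.

```powershell
# Added example: apply the static RPC ports from the table above.
# Run in an elevated PowerShell on each Exchange 2010 SP1+ CAS server.
$rpcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem'
$abKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeAB\Parameters'

# Create the subkeys if they are missing, then set the values.
foreach ($k in $rpcKey, $abKey) {
    if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
}
# RPC Client Access Service: REG_DWORD "TCP/IP Port"
Set-ItemProperty -Path $rpcKey -Name 'TCP/IP Port' -Value 59532 -Type DWord
# Address Book Service: REG_SZ "RpcTcpPort" (a string value, not a DWORD)
Set-ItemProperty -Path $abKey -Name 'RpcTcpPort' -Value '59533' -Type String

# Restart the two services so the new ports take effect
# (short names correspond to "Microsoft Exchange RPC Client Access" and
# "Microsoft Exchange Address Book").
Restart-Service -Name MSExchangeRPC -Force
Restart-Service -Name MSExchangeAB  -Force

# Verify that both static ports are now in LISTENING state; netstat is used
# because Get-NetTCPConnection is not available on Server 2008 R2.
$listening = netstat -ano | Select-String ':(59532|59533)\s+\S+\s+LISTENING'
if ($listening.Count -lt 2) {
    Write-Warning 'One or both static RPC ports are not listening; check the registry values and service state.'
} else {
    $listening | ForEach-Object { $_.Line.Trim() }
}
```

Run the same check on every CAS server before adding it to the load balancer: a node whose ports never come up will fail health checks and silently carry no traffic.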

Configuring CAS Array

There are a couple of steps you need to take in Exchange to prepare it for load balancing. First you need to create a CAS Array:

New-ClientAccessArray -Name "My CAS Array" -Fqdn "outlook.lab.local" -Site "My AD site"

Then you need to configure all Mailbox databases to use this CAS Array:

Get-MailboxDatabase | Set-MailboxDatabase -RpcClientAccessServer "outlook.lab.local"

Then you need to create a DNS A record so that outlook.lab.local points to the VIP that we will configure shortly. In the meantime, you can point the DNS A record at one of the CAS servers, which will send all clients to that server.

Please note that all Outlook profiles configured prior to this still reference the old server name. They need to be re-configured so that they use the CAS Array name rather than the old server name. If you want to know more about the CAS Array and how it is used, we recommend reading the Exchange team blog post Demystifying the CAS Array Object[2].

Firewall and load balancer setup

We assume you have set up the Halon SR basic network functionality. For more information, please read getting started.

  1. Login to the management HTTPS interface.
  2. Go to Network > Interfaces > edit the NIC > General > Address(es)
  3. Add an unused IP address dedicated for Exchange VIP (Virtual IP) and save
  4. Go to System > Administration > Web (HTTPS) Administration > "Listen to"
  5. Change this so that it only contains the management IP and not the VIP created above (otherwise, you will not be able to configure the load balancer after you apply the configuration)
  6. Go to Network > Load balancer > Wizard
  7. Unless you will be using the load balancer as the Exchange servers' router (default gateway), choose the layer 4+ method
    1. Name: anything you like
    2. Listen (load balance) on: the dedicated VIP that you added above
    3. Service (ports): HTTPS
    4. Hosts (nodes): the IP address of the Exchange CAS servers, one on each line
  8. Press "Add" (this will create the load balancer for HTTPS)
  9. Press the plus (+) icon to the right on the "Listen on" table three times, and add the ports 135, 59532 and 59533
  10. Press "Save"
  11. Deploy the working copy on Configuration > Deploy... (you will temporarily get disconnected, because you changed the web interface settings)

Note the default selection: Redirect sticky address. This configures stickiness (also called affinity) on source IP, which makes sure that a client with a specific source IP always reaches the same Exchange server.