Deployment Guide
citrix.com

Guide to Deploying Microsoft Exchange 2013 with Citrix NetScaler

Extensive guide covering details of NetScaler ADC deployment with Microsoft Exchange 2013.

Upload: phunglien

Post on 05-Feb-2018


Microsoft Exchange 2013 and Citrix NetScaler

Table of Contents

Introduction
Exchange Server 2013 roles
Load balancing in Exchange 2013
Health Monitoring
Namespace and affinity scenarios
Single namespace / Layer 4 (no session affinity)
Single namespace / Layer 7 (no session affinity)
Single namespace / session affinity
Multiple namespaces / no session affinity
Product versions and prerequisites
Deploying Exchange 2013 with NetScaler
Solution features
Exchange 2013 deployment and configuration
Exchange 2013 deployment topology
Exchange 2013 configuration
Conclusion


This guide focuses on deploying Microsoft Exchange 2013 with Citrix NetScaler. NetScaler is a world-class application delivery controller (ADC) with the proven ability to load balance, accelerate, optimize and secure enterprise applications. Exchange, one of the most critical enterprise applications, provides access to email, the lifeline of any business.

Exchange 2013 brings a rich set of technologies, features and services to the Exchange Server product line. The goal is to support people and organizations as their work habits evolve from communication focused to collaboration focused. At the same time, Exchange 2013 helps lower total cost of ownership, whether you deploy it on premises or provision your mailboxes in the cloud. New features and functionality in Exchange 2013 are designed to do the following:

• Support a multigenerational workforce. Social integration and ease of finding people are important to users. Smart Search learns from user communication and collaboration behavior to enhance and prioritize search results in Exchange. Also, with Exchange 2013, users can merge contacts from multiple sources to provide a single view of a person by linking contact information pulled from multiple locations.

• Provide an engaging experience. Microsoft Outlook 2013 and Microsoft Office Outlook Web App have a fresh, new look. Outlook Web App emphasizes a streamlined user interface that also supports the use of touch, enhancing the mobile device experience with Exchange.

• Integrate with SharePoint and Lync. Exchange 2013 offers greater integration with Microsoft SharePoint 2013 and Microsoft Lync 2013 through site mailboxes and In-Place eDiscovery.

• Help meet evolving compliance needs. Compliance and eDiscovery are challenging for many organizations. Exchange 2013 helps you to find and search data not only in Exchange, but across your organization. With improved search and indexing, you can search across Exchange 2013, Lync 2013, SharePoint 2013 and Windows file servers.

• Provide a resilient solution. Exchange 2013 builds upon the Exchange Server 2010 architecture and has been redesigned for simplicity of scale, hardware utilization and failure isolation.

Exchange Server 2013 roles

The multi-role server architecture introduced with Exchange Server 2007, and continued with Exchange 2010, has been consolidated in Exchange Server 2013.

Exchange 2013 has three server roles that can be installed:

• Client Access server
• Mailbox server
• Edge Transport server (from SP1 or later)


Load balancing in Exchange 2013

Load balancing has been at the core of any Exchange deployment from the beginning. The major change with Exchange 2013 is that it no longer requires session affinity to be maintained at the load balancer. To understand this better and see how it impacts your Exchange 2013 design and deployment, here is the sample protocol flow:

1. Client resolves the namespace to a virtual IP address hosted on the load balancer.
2. The load balancer assigns the session to a CAS member in the load balanced pool.
3. CAS authenticates the request and does service discovery to retrieve:
   1. Mailbox version
   2. Mailbox location information
4. CAS makes a decision on whether to proxy the request or redirect the request to another CAS infrastructure.
5. CAS queries an Active Manager instance that is responsible for the database to determine which mailbox server is hosting the active copy.
6. CAS proxies the request to the Mailbox server hosting the active copy.

Step 5 is the fundamental change that removes the need for session affinity at the load balancer. For a given protocol session, CAS now maintains a 1:1 relationship with the Mailbox server that is hosting user data. In the event that the active database copy is moved to a different Mailbox server, CAS closes the sessions to the previous server and establishes sessions to the new server. This means that all sessions, regardless of their origination point (i.e., CAS members in the load balanced array), end up at the same place, the Mailbox server hosting the active database copy.

The protocol used in step 6 depends on the protocol used to connect to CAS. If the client leverages the HTTP protocol, then the protocol used between the CAS and Mailbox server is HTTP (secured via SSL using a self-signed certificate). If the protocol leveraged by the client is IMAP or POP, then the protocol used between the CAS and Mailbox server is IMAP or POP.

Telephony requests are unique, however. Instead of proxying the request at step 6, CAS will redirect the request to the Mailbox server hosting the active copy of the user's database, as the telephony devices support redirection and need to establish their SIP and RTP sessions directly with the unified messaging components on the Mailbox server.


Figure 1. Exchange 2013 Client Access protocol architecture

Health Monitoring

Exchange 2013 includes a built-in monitoring solution known as Managed Availability. Managed Availability includes an offline responder. When the offline responder is invoked, the affected protocol (or server) is removed from service. To ensure that load balancers do not route traffic to a CAS that Managed Availability has marked as offline, load balancer health probes must be configured to check <virtualdirectory>/healthcheck.htm (e.g., https://mail.contoso.com/owa/healthcheck.htm). Note that healthcheck.htm does not actually exist within the virtual directories; it is generated in memory based on the component state of the protocol in question.

If the load balancer health probe receives a 200 status response, then the protocol/server is up; if the load balancer receives a different status code, then Managed Availability has marked that protocol instance down on the CAS. As a result, the load balancer should also consider that endpoint down and remove the CAS from the applicable load balancing pool.

Namespace and affinity scenarios

Now that we understand how health checks are performed, let's look at four scenarios:

1. Single namespace / Layer 4 (no session affinity)
2. Single namespace / Layer 7 (no session affinity)
3. Single namespace / session affinity
4. Multiple namespaces / no session affinity

Single namespace / Layer 4 (no session affinity)

In this scenario, a single namespace is deployed for all HTTP protocol clients (mail.contoso.com). The load balancer is operating at Layer 4 and is not maintaining session affinity. The load balancer is also configured to check the health of the target CAS in the load balancing pool; however, because this is a Layer 4 solution, the load balancer is configured to check the health of only a single virtual directory (as it cannot distinguish OWA requests from RPC requests). Administrators will have to choose which virtual directory they want to target for the health probe; they should choose a virtual directory that is heavily used. For example, if the majority of your users utilize OWA, then targeting the OWA virtual directory in the health probe is appropriate.

Figure 2. Single namespace with no session affinity

As long as the OWA health probe response is healthy, the load balancer will keep the target CAS in the load balancing pool. However, if the OWA health probe fails for any reason, then the load balancer will remove the target CAS from the load balancing pool for all requests associated with that particular namespace. In other words, in this example, health from the perspective of the load balancer is per-server, not per-protocol, for the given namespace. This means that if the health probe fails, all client requests must be directed to another server, regardless of protocol.

Single namespace / Layer 7 (no session affinity)

In this scenario, a single namespace is deployed for all the HTTP protocol clients (mail.contoso.com). The load balancer is configured to utilize Layer 7, meaning SSL termination occurs and the load balancer knows the target URL. The load balancer is also configured to check the health of the target CAS in the load balancing pool; in this case, a health probe is configured on each virtual directory.

As long as the OWA health probe response is healthy, the load balancer will keep the target CAS in the OWA load balancing pool. However, if the OWA health probe fails for any reason, the load balancer will remove the target CAS from the load balancing pool for OWA requests. In other words, in this example, health is per protocol; this means that if the health probe fails, only the affected client protocol will have to be directed to another server.


Figure 3. Single namespace with Layer 7 (no session affinity) - health probe failure

Single namespace / session affinity

In this scenario, a single namespace is deployed for all HTTP protocol clients (mail.contoso.com). The load balancer is configured to maintain session affinity (Layer 7), meaning SSL termination occurs and the load balancer knows the target URL. The load balancer is also configured to check the health of the target CAS in the load balancing pool; in this case, the health probe is configured on each virtual directory.

As long as the OWA health probe response is healthy, the load balancer will keep the target CAS in the OWA load balancing pool. However, if the OWA health probe fails for any reason, the load balancer will remove the target CAS from the load balancing pool for OWA requests. In other words, in this example, health is per protocol; this means that if the health probe fails, only the affected client protocol will have to be directed to another server.

Multiple namespaces / no session affinity

This scenario combines the best of both worlds – it provides a per-protocol health check while not requiring complex load balancing logic.


In this scenario, a unique namespace is deployed for each HTTP protocol client; for example:

Figure 4. Multiple namespaces with no session affinity

The load balancer is configured so session affinity (Layer 4) is not maintained. The load balancer is also configured to check the health of the target CAS in the load balancing pool. In this case, the health probes are configured to target the health of each virtual directory, as each virtual directory is defined with a unique namespace.

As long as the OWA health probe response is healthy, the load balancer will keep the target CAS in the OWA load balancing pool. However, if the OWA health probe fails for any reason, the load balancer will remove the target CAS from the load balancing pool for OWA requests. In other words, in this example, health is per protocol; this means that if the health probe fails, only the affected client protocol will have to be directed to another server.

The downside to this approach is that it introduces additional namespaces and additional VIPs (one per namespace), and increases the number of names added as subject alternative names on the certificate, which can be expensive depending on your certificate provider. But this approach does not introduce extra complexity to the end user – the only URL the user needs to know is the OWA URL. ActiveSync, Outlook and Exchange Web Services clients will utilize Autodiscover to determine the correct URL.
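
The difference between per-server and per-protocol health described under Health Monitoring and in the scenarios above can be made concrete with a small model. This is an added example, not code from the guide or from NetScaler; the server names (cas1 to cas3), the probe results and all function names are constructed for illustration.

```python
"""Model of how <vdir>/healthcheck.htm probe results decide pool membership."""

# Constructed sample data: HTTP status returned by /<vdir>/healthcheck.htm on
# each CAS. Managed Availability answers 200 only while the protocol is up.
PROBES = {
    "cas1": {"owa": 200, "rpc": 200, "ews": 200},
    "cas2": {"owa": 503, "rpc": 200, "ews": 200},   # OWA marked offline
    "cas3": {"owa": 200, "rpc": None, "ews": 200},  # RPC probe got no answer
}


def probe_ok(status):
    """Only an exact 200 counts as up; any other code, or no answer, is down."""
    return status == 200


def layer4_pool(probes, probe_vdir):
    """Layer 4, single namespace: one probe per server stands for every protocol."""
    return sorted(c for c, res in probes.items() if probe_ok(res.get(probe_vdir)))


def layer7_pools(probes):
    """Layer 7, or one namespace per protocol: one pool per virtual directory."""
    vdirs = sorted({v for res in probes.values() for v in res})
    return {v: sorted(c for c, res in probes.items() if probe_ok(res.get(v)))
            for v in vdirs}


def eligible_servers(probes, path, mode, probe_vdir="owa"):
    """Servers that may receive a request for `path` under the given mode."""
    vdir = path.strip("/").split("/", 1)[0].lower()
    if mode == "layer4":
        # The balancer cannot see the URL, so the single probe decides.
        return layer4_pool(probes, probe_vdir)
    return layer7_pools(probes).get(vdir, [])  # unknown vdir: no pool at all


def blind_spots(probes, probe_vdir):
    """Cost of the single Layer 4 probe: (server, vdir) pairs still served while
    that vdir is down, and pairs withdrawn while that vdir is healthy."""
    in_pool = set(layer4_pool(probes, probe_vdir))
    served_down = sorted((c, v) for c, res in probes.items() if c in in_pool
                         for v, s in res.items() if not probe_ok(s))
    withdrawn_up = sorted((c, v) for c, res in probes.items() if c not in in_pool
                          for v, s in res.items() if probe_ok(s))
    return served_down, withdrawn_up


if __name__ == "__main__":
    print("Layer 4 pool (OWA probe):", layer4_pool(PROBES, "owa"))
    print("Layer 7 pools:", layer7_pools(PROBES))
    print("Layer 4 blind spots:", blind_spots(PROBES, "owa"))
```

With the single OWA probe, cas3 keeps receiving RPC requests although its RPC probe fails, and cas2 loses RPC and EWS traffic although both are healthy; the per-protocol pools avoid both cases.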

Product versions and prerequisites

Product               Version
Microsoft Exchange    Exchange 2013
License               Enterprise Edition
NetScaler® ADC        Release 9.3 and above
License               Enterprise


Deploying Exchange 2013 with NetScaler

Solution features

The following NetScaler features are used in Exchange 2013 deployment. Please ensure these features are enabled in the NetScaler system.

• Content switching
• Load balancing
• Health monitoring
• SSL offload

Here is a quick explanation of how these features work.

Content switching

The content switching module directs incoming traffic to an optimal matching load balancing virtual server. This logical switching of incoming traffic based on content type allows you to configure specific optimization policies.

Load balancing

NetScaler load balancing evenly distributes requests to backend servers. Multiple algorithms are supported to provide efficient load balancing logic for every application server.

Health monitoring

NetScaler health monitoring ensures that only backend servers in a good state are selected after the load balancing decision is made. Intelligent monitoring of backend servers prevents requests from being sent to malfunctioning application servers.

SSL offload

SSL connections are terminated at the NetScaler appliance. This process allows NetScaler to conduct the advanced traffic monitoring discussed in this deployment guide. Additionally, SSL offload can significantly reduce the computational overhead of handling encrypted user connections on backend servers.


Exchange 2013 deployment and configuration

Figure 5. Exchange 2013 deployment topology

Exchange 2013 configuration

Note: For this configuration to work as described (with SSL enabled), you should enable SSL offloading for Exchange 2013. To enable this feature, please read the instructions provided at https://technet.microsoft.com/en-us/library/dn635115(v=exchg.150).aspx.

Service group configuration

Add service groups to manage a group of services together.


In this manner, the following service groups should be added. One service group is added for each protocol. When the servers are added correctly to each service group, their effective state will be UP as shown below:

Add backend servers as members of the service groups configured.


Add custom monitors as shown below for each protocol. When creating the monitor, make sure the Secure option is enabled, as it is required for the monitor to successfully poll secure servers (this option is available in the Standard Parameters tab).

Add a monitor for each service you want to monitor using application-specific logic.

Bind the appropriate monitor to the service group.


Add load balancing virtual servers

Add load balancing virtual servers as shown below. Set the IP address type to Non Addressable, as clients will not connect to this virtual server directly. (In the server listing, this server will show an IP of 0.0.0.0.) The content switch virtual server will connect to this virtual server on the basis of content (or URL). The load balancing virtual server can be configured as HTTP or SSL; it will not make a difference for this deployment. (This will matter when authentication is set up on the NetScaler appliance, which will be discussed in detail in a subsequent guide.)

Note: If an SSL load balancing virtual server is set up, a valid SSL certificate-key combination will be required for successful configuration. This certificate can be added on the Basic Settings screen at any time; however, the virtual server will be down until it is added.

Bind the service group to the virtual server. Bind services if a service group is not configured.

In the same way, add the following virtual servers, one for each protocol.


Content switch configuration

First create content switch actions that will be triggered if a content switching policy is hit. Select the virtual server to which the request should be directed, as shown below.

Add the following actions for each virtual server (or for each policy).

Add policies as shown below for each virtual server. One policy and action is required for every virtual server.


Add the content switch virtual server as shown below.

Bind the policies to the content switch virtual server.

Bind the server certificate to the content switch virtual server.


Copyright © 2015 Citrix Systems, Inc. All rights reserved. Citrix and NetScaler are trademarks of Citrix Systems, Inc. and/or one of its subsidiaries, and may be registered in the U.S. and other countries. Other product and company names mentioned herein may be trademarks of their respective companies.


Ensure that the content switch virtual server is up.

In the configuration shown above, a single namespace is used for all Exchange protocols. For example, for web access, the namespace is https://mail.ctxns.net/owa, and for Outlook clients the namespace is https://mail.ctxns.net/oa.

Similar configuration steps with domain-specific content switching policies will enable the multiple namespace use case for all Exchange protocols, where a client accesses a particular namespace for every service. For example, a web client uses the namespace https://owa.mail.ctxns.net and an Outlook client uses https://oa.mail.ctxns.net.

Conclusion

Citrix® NetScaler enables Microsoft Exchange 2013 deployment by ensuring remote access and load balancing of core components with intelligent monitoring. By serving as the front end, NetScaler can improve performance, scalability, availability and security of all Exchange 2013 deployments.