Using a Load Balancer in Your Microsoft Exchange Server 2010 Environment
Jaap Wesselius
Managing Consultant & Exchange MVP
Inovativ UC
EXL307
About the Speaker
Jaap Wesselius
Managing partner, Inovativ UC
Author of “Exchange 2010 SP1 – A practical approach”
Parts published in TechNet Magazine
Contributor to the blogs MSExchange.org, Simple-Talk.com and Jaapwesselius.com
Agenda
Introduction
Load balancing essentials
Exchange 2010 and what it means for load balancing
Hardware load balancers
Load balancing resources
Summary
History of Load Balancing
WLBS appears first in NT4
Renamed to NLB in Windows 2000
Still available in Windows 2008 R2
In the NT4 timeframe there was no Exchange LB, only (static) web sites
NLB is configured as a service on Client Access Servers
Running in unicast or multicast mode
Works fine, but there are some drawbacks…
Drawbacks of Windows NLB
Switch/port flooding when used in unicast mode
Scalability with more than 8 nodes
Not service aware
Add/remove node causes reconnect
Only Source IP for persistence
Cannot be combined with DAG
Multi-role server recommendation: http://bit.ly/qKA9nP
TechEd 2010: Microsoft recommends a hardware LB
But is NLB supported? Yes, absolutely!
Hardware Load Balancers
Also referred to as ‘Application Delivery Controller’
Separate ‘node’ in the network, independent of Windows
Smart load distribution
Service aware
Multiple persistence options
Compression options
SSL offloading
Caching of OWA attachments
Packet shaping or packet stream modifications
Takeaways
Load balance Exchange for scalability and recovery
Microsoft recommends a hardware load balancer
Windows NLB is still supported, but has some drawbacks
Load Balancing Essentials (1/2)
Setup of hardware load balancer
One arm vs two arm setup
Routing with hardware load balancer
Source NAT
Direct Server Return (DSR)
Load Balancer Default Gateway (LBDG)
Load Balancing Essentials (2/2)
Persistence
HTTP header
Cookies
Source IP
SSL session ID
Distribution
Round robin
Least connections
Load Balancer Virtual Service
‘Instance’ running on the load balancer
Own FQDN, IP address and port number, also referred to as virtual IP (VIP)
Each service has its own settings for:
Persistence
Distribution
Time-out
SSL offload
A load balancer can have multiple virtual services
Each vendor uses its own naming convention!
One Arm Load Balancer
One armed, i.e. one NIC
Virtual IP configured in the same subnet
Can cause routing issues; Exchange should use the LB as default gateway
Routing via Source NAT (SNAT) or via Direct Server Return (DSR)
One Arm Source NAT
| Pckt | Source IP   | Dest. IP    | Description               |
|------|-------------|-------------|---------------------------|
| 1    | 10.10.0.200 | 10.10.0.11  | User to vIP load balancer |
| 2    | 10.10.0.10  | 10.10.0.2   | LB Self IP to EXCH02      |
| 3    | 10.10.0.2   | 10.10.0.10  | EXCH02 to LB Self IP      |
| 4    | 10.10.0.11  | 10.10.0.200 | LB vIP to User            |
One Arm Direct Server Return (DSR) (1/2)
| Pckt | Source IP   | Dest. IP    | Description               |
|------|-------------|-------------|---------------------------|
| 1    | 10.10.0.200 | 10.10.0.11  | User to vIP load balancer |
| 2    | 10.10.0.10  | 10.10.0.2   | LB Self IP to EXCH02      |
| 3    | 10.10.0.2   | 10.10.0.200 | EXCH02 to User            |
One Arm Direct Server Return (DSR) (2/2)
Client does NOT expect the IP address of the CAS server
DSR requirements:
No NAT but routing
Loopback adapter on CAS with the VIP
Layer 7 persistence not supported
More complex: use Source NAT!
Two Arm Load Balancer
Two armed, i.e. two NICs
HLB connected to two networks
vIP in subnet1, servers in subnet2
Source NAT or load balancer default gateway
Two Arm Load Balancer: Source NAT
| Pckt | Source IP    | Dest. IP     | Description               |
|------|--------------|--------------|---------------------------|
| 1    | 172.16.0.100 | 172.16.0.1   | User to vIP load balancer |
| 2    | 10.10.0.10   | 10.10.0.2    | LB IP internal to EXCH02  |
| 3    | 10.10.0.2    | 10.10.0.10   | EXCH02 to LB IP internal  |
| 4    | 172.16.0.1   | 172.16.0.100 | LB vIP to User            |
Persistence
per·sist·ence [per-sis-tuhns]
Dictionary reference: 1. the act or fact of persisting. 2. the quality of being persistent: You have persistence, I'll say that for you. 3. continued existence or occurrence: the persistence of smallpox. 4. the continuance of an effect after its cause is removed.
Persistence Options
Persistence is also referred to as stickiness or affinity
Stateful connection
Persistence is NOT load distribution!
SSL Session ID
Cookies
Source IP
Hash persistence (sometimes SuperHTTP)
Cookie and Hash need SSL offload!
SSL offloading (1/2)
SSL offloading means smart persistence
SSL is terminated at the load balancer
Offloads intensive processor utilization from the Client Access Server
Load balancer to Exchange can be SSL
No offloading means only Source IP persistence or SSL Session ID persistence
SSL offloading (2/2)
WIKI: How to configure SSL offloading in Exchange 2010
OWA registry key: HKLM\System\CurrentControlSet\Services\MSExchange OWA, REG_DWORD SSLOffloaded, value “1”
IIS manager SSL settings
Outlook Anywhere: uncheck in the Management Console
Exchange 2010 RTM uses web.config for configuration
PowerShell commands for SSL offloading:
Set-OutlookAnywhere -Identity "$($env:COMPUTERNAME)\RPC (Default Web Site)" -SSLOffloading $true
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA' -Name SSLOffloaded -Value 1 -PropertyType DWORD
Import-Module webadministration
Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "None" -PSPath IIS:\ -Location "Default Web Site/OWA"
Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "None" -PSPath IIS:\ -Location "Default Web Site/ECP"
iisreset /noforce
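A read-back of the three settings the commands above change, added here as an example and not part of the session material. It assumes the Exchange Management Shell on the CAS itself and an IIS site named "Default Web Site"; the `.Value` fallback on the sslFlags attribute is an assumption.

```powershell
# Added example, not from the session: read back the SSL offloading settings the
# slide changes on a Client Access Server and flag any that still terminate SSL locally.
# Assumes the Exchange Management Shell on the CAS and the IIS site "Default Web Site".
Import-Module WebAdministration

$owaKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA'
$site   = 'Default Web Site'

function New-Check([string]$Name, $Expected, $Actual) {
    New-Object PSObject -Property @{ Check = $Name; Expected = $Expected; Actual = $Actual; Ok = ($Actual -eq $Expected) }
}

function Get-SslOffloadChecks {
    # 1. OWA registry flag: REG_DWORD SSLOffloaded must be 1 (a missing value counts as 0).
    $reg = Get-ItemProperty -Path $owaKey -Name SSLOffloaded -ErrorAction SilentlyContinue
    $regValue = 0
    if ($reg) { $regValue = [int]$reg.SSLOffloaded }
    New-Check 'OWA SSLOffloaded registry value' 1 $regValue

    # 2. IIS "Require SSL" must be off (sslFlags = None) on /OWA and /ECP.
    foreach ($vdir in 'OWA', 'ECP') {
        $flags = Get-WebConfigurationProperty -Filter //security/access -Name sslFlags `
                     -PSPath 'IIS:\' -Location "$site/$vdir"
        # Assumption: the attribute object exposes .Value; otherwise use its string form.
        $value = if ($flags.PSObject.Properties['Value']) { [string]$flags.Value } else { [string]$flags }
        New-Check "IIS sslFlags on /$vdir" 'None' $value
    }

    # 3. Outlook Anywhere on this CAS must have SSLOffloading enabled.
    $oa = Get-OutlookAnywhere -Server $env:COMPUTERNAME
    New-Check 'Outlook Anywhere SSLOffloading' $true ([bool]$oa.SSLOffloading)
}

$checks = Get-SslOffloadChecks
$checks | Select-Object Check, Expected, Actual, Ok | Format-Table -AutoSize
if ($checks | Where-Object { -not $_.Ok }) {
    Write-Warning 'SSL offloading is incomplete: OWA/ECP will fail behind a load balancer that terminates SSL.'
}
```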
Traffic patterns and Load Balancing
[Diagram: CAS01, CAS02 and CAS03 behind the load balancer; clients of a broadband or mobile provider arrive through the provider's SNAT, so many users share one source IP and Source IP persistence lands them all on the same CAS. Uh oh… Solution? Use cookie based persistence.]
Takeaways
Transparency is key!
One arm or two arm configuration
Routing your Exchange traffic
Persistence
Persistence requirements
| Persistence: Required     | Persistence: Recommended | Persistence: Not Required |
|---------------------------|--------------------------|---------------------------|
| RPC Client Access Service | Outlook Anywhere         | Offline Address Book      |
| Outlook Web App           | Exchange ActiveSync      | AutoDiscover              |
| Exchange Control Panel    | Address Book Service     | POP3                      |
| Exchange Web Services     | Remote PowerShell        | IMAP4                     |
Client Access Server Array (CAS Array)
CAS Array is the MAPI endpoint (FQDN)
RPCClientAccessServer property on the mailbox database
Create a Virtual Service with this FQDN and VIP on the load balancer
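The CAS Array step above as an added example (not the speaker's code): it creates the array for one AD site, sets RpcClientAccessServer on every database homed there, and reads the result back. The array FQDN and site name are constructed placeholders.

```powershell
# Added example, not from the session: create the CAS Array for one AD site, point every
# mailbox database homed in that site at it, and report any database still using a server
# name. Array FQDN and site name are placeholders; run in the Exchange Management Shell.
param(
    [string]$ArrayFqdn = 'outlook.example.com',     # placeholder: name that resolves to the MAPI VIP
    [string]$Site      = 'Default-First-Site-Name'  # placeholder: AD site of the Client Access Servers
)

# Exchange allows one array per AD site, so reuse an existing one rather than failing.
$array = Get-ClientAccessArray -Site $Site -ErrorAction SilentlyContinue |
         Where-Object { $_.Fqdn -eq $ArrayFqdn }
if (-not $array) {
    $array = New-ClientAccessArray -Name $ArrayFqdn -Fqdn $ArrayFqdn -Site $Site
}

# Databases are matched on the site of their owning Mailbox server, so a DAG copy that is
# activated in another site still keeps its own site's array.
function Get-DatabasesInSite([string]$SiteName) {
    Get-MailboxDatabase | Where-Object {
        (Get-ExchangeServer -Identity $_.Server).Site.Name -eq $SiteName
    }
}

foreach ($db in Get-DatabasesInSite $Site) {
    if ($db.RpcClientAccessServer -ne $ArrayFqdn) {
        # Outlook profiles created before this change keep the old server name until repaired.
        Set-MailboxDatabase -Identity $db.Identity -RpcClientAccessServer $ArrayFqdn
    }
}

# Read back: a database not on the array has Outlook clients bound to a single CAS by name,
# which the load balancer cannot fail over.
$wrong = Get-DatabasesInSite $Site | Where-Object { $_.RpcClientAccessServer -ne $ArrayFqdn }
if ($wrong) { $wrong | Format-Table Name, Server, RpcClientAccessServer -AutoSize }
else { Write-Host "All databases in site $Site use $ArrayFqdn" }
```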
RPC Client Access
MAPI uses port 135 (static) plus dynamic ports (high range) for RPC and Address Book
Use static ports: registry entries control the behavior
MAPI is a stateful session
Source IP is the only persistence option!
Round Robin distribution: least connections can ‘overboost’ a CAS after reboot
RPC Static Ports
WIKI page “Configure Static RPC Ports on an Exchange 2010 Client Access Server” – http://bit.ly/LnTQ7n
MSExchangeRPC: HKLM\System\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem, REG_DWORD “TCP/IP Port” with port number
Address Book Service: HKLM\System\CurrentControlSet\Services\MSExchangeAB\Parameters, REG_SZ key RpcTcpPort with port number
Don’t forget Public Folders!
PowerShell commands for static ports:
New-Item -Path HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem -Name "TCP/IP Port" -Value 59532 -Type DWord
New-Item -Path HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters -Name RpcTcpPort -Value 59533 -Type String
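The static-port procedure above with checks around it, added here as an example rather than the session's own script: it validates the port numbers, writes both registry values, restarts the services that read them, and confirms each port is listening in the expected process. Port values are the slide's; the netstat parsing is an assumption about its output format.

```powershell
# Added example, not from the session: apply the static ports from the slide with sanity
# checks, restart the two services that read them, and confirm each port is listening in the
# right process. Run as an administrator on the CAS in a maintenance window, since the
# restart drops active Outlook sessions.
param(
    [int]$RpcPort = 59532,   # MSExchangeRPC "TCP/IP Port" (REG_DWORD), the slide's value
    [int]$AbPort  = 59533    # MSExchangeAB "RpcTcpPort" (REG_SZ), the slide's value
)
$rpcKey = 'HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem'
$abKey  = 'HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters'

# Ports must be above the well-known range and must not collide with each other.
foreach ($p in $RpcPort, $AbPort) {
    if ($p -lt 1024 -or $p -gt 65535) { throw "Port $p is outside 1024-65535" }
}
if ($RpcPort -eq $AbPort) { throw 'RPC and Address Book ports must differ' }

foreach ($key in $rpcKey, $abKey) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}
Set-ItemProperty -Path $rpcKey -Name 'TCP/IP Port' -Value $RpcPort -Type DWord
Set-ItemProperty -Path $abKey  -Name 'RpcTcpPort'  -Value "$AbPort" -Type String

# The values are only read at service start.
Restart-Service -Name MSExchangeRPC -Force
Restart-Service -Name MSExchangeAB  -Force

# A port counts as static only if it is LISTENING and owned by the expected service process.
# netstat is parsed because Get-NetTCPConnection does not exist on Windows 2008 R2.
function Test-StaticPort([int]$Port, [string]$ServiceName) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
    foreach ($line in (netstat -ano -p tcp)) {
        if ($line -match "TCP\s+\S+:$Port\s+\S+\s+LISTENING\s+(\d+)\s*$") {
            if ([int]$Matches[1] -eq [int]$svc.ProcessId) { return $true }
        }
    }
    return $false
}

$results = @{
    "MSExchangeRPC on $RpcPort" = Test-StaticPort $RpcPort 'MSExchangeRPC'
    "MSExchangeAB on $AbPort"   = Test-StaticPort $AbPort 'MSExchangeAB'
}
$results.GetEnumerator() | Format-Table Name, Value -AutoSize
if ($results.Values -contains $false) {
    Write-Warning 'A static port is not listening; check the registry value names and the service state.'
}
```

The public folder static port mentioned on the slide lives on the Mailbox servers and is outside this script.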
Outlook Anywhere
Persistence recommended
Source IP
Outlook 2010: OutlookSession cookie
OA ends on the CAS (IIS) and continues in RPCPROXY.DLL on the CAS
Does not use the MAPI VIP
If persistence is not used, RPC_IN_DATA and RPC_OUT_DATA are used for alignment: performance penalty
HTTPS – OWA and ECP
OWA and ECP are stateful sessions
Source IP can be used (with a large IP range); SSL offload can be disabled for OWA/ECP
HTTPS persistence options can be used: Cookies, Hash or SuperHTTP; SSL offload must be used for OWA/ECP
Exchange Web Services
EWS is a stateful session
Cookie persistence is recommended; some mobile clients have issues with cookies
SSL Session ID (if clients do NOT re-initiate!)
ActiveSync
Persistence is recommended but not required
No persistence = performance penalty
Basic Authentication: use the Authorization header, e.g. Basic ZmFrZXVzZXI6eCRwSUFLOUBwOSE=
Possible issues:
Mobile operator can use a limited set of IPs (Source NAT issues)
SSL Session ID: re-negotiation of the Session ID
Client Access Server Vdir settings
AutoDiscoverServiceInternalUri = NLB
Web Services InternalNLBBypassURL is set to the Server FQDN
| Virtual Directory            | InternalURL | ExternalURL (Internet Facing AD Site) | ExternalURL (Non-Internet Facing AD Site) |
|------------------------------|-------------|---------------------------------------|-------------------------------------------|
| /OWA                         | Server FQDN | NLB FQDN                              | $null                                     |
| /ECP                         | NLB FQDN    | NLB FQDN                              | $null                                     |
| /Microsoft-Server-ActiveSync | NLB FQDN    | NLB FQDN                              | $null                                     |
| /OAB                         | NLB FQDN    | NLB FQDN                              | $null                                     |
| /EWS                         | NLB FQDN    | NLB FQDN                              | $null                                     |
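The table above applied to one CAS, as an added example and not the session's own script. The NLB FQDN is a constructed placeholder; -InternetFacing selects the "Internet Facing AD Site" column, otherwise ExternalUrl is set to $null as in the last column.

```powershell
# Added example, not from the session: apply the URL scheme in the table to one Client
# Access Server. The NLB FQDN is a placeholder; run in the Exchange Management Shell.
param(
    [string]$Server  = $env:COMPUTERNAME,
    [string]$NlbFqdn = 'webmail.example.com',   # placeholder: FQDN that resolves to the HTTPS VIP
    [switch]$InternetFacing                     # set in the Internet-facing AD site only
)
$serverFqdn = [System.Net.Dns]::GetHostByName($Server).HostName

# Non-Internet-facing sites get $null, which clears the ExternalUrl on the vdir.
function Get-ExternalUrl([string]$Path) {
    if ($InternetFacing) { "https://$NlbFqdn/$Path" } else { $null }
}

# One row per virtual directory: cmdlet, IIS name, URL path and the InternalUrl from the table.
# Only /OWA keeps the server FQDN as InternalUrl; every other vdir uses the NLB name.
$rows = @(
    @{ Cmd = 'Set-OwaVirtualDirectory';         Name = 'owa';                         Path = 'owa';                         Internal = "https://$serverFqdn/owa" },
    @{ Cmd = 'Set-EcpVirtualDirectory';         Name = 'ecp';                         Path = 'ecp';                         Internal = "https://$NlbFqdn/ecp" },
    @{ Cmd = 'Set-ActiveSyncVirtualDirectory';  Name = 'Microsoft-Server-ActiveSync'; Path = 'Microsoft-Server-ActiveSync'; Internal = "https://$NlbFqdn/Microsoft-Server-ActiveSync" },
    @{ Cmd = 'Set-OabVirtualDirectory';         Name = 'OAB';                         Path = 'OAB';                         Internal = "https://$NlbFqdn/OAB" },
    @{ Cmd = 'Set-WebServicesVirtualDirectory'; Name = 'EWS';                         Path = 'EWS/Exchange.asmx';           Internal = "https://$NlbFqdn/EWS/Exchange.asmx" }
)
foreach ($r in $rows) {
    & $r.Cmd -Identity "$Server\$($r.Name) (Default Web Site)" `
             -InternalUrl $r.Internal -ExternalUrl (Get-ExternalUrl $r.Path)
}

# Autodiscover goes through the NLB name; the bypass URL must stay on the server itself.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$NlbFqdn/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalNLBBypassUrl "https://$serverFqdn/EWS/Exchange.asmx"

# Read back so the result can be compared row by row with the table.
foreach ($get in 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory', 'Get-ActiveSyncVirtualDirectory',
                 'Get-OabVirtualDirectory', 'Get-WebServicesVirtualDirectory') {
    & $get -Server $Server | Select-Object Name, InternalUrl, ExternalUrl
} | Format-Table -AutoSize
```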
Takeaways
Think about workloads and their requirements
Use static ports for MAPI
Depending on the vendor, use multiple Virtual Services (check with your vendor!)
Exchange 2010 load balancing resources
Wiki: Exchange 2010 Client Access Array and Load Balancing Resources on http://bit.ly/JOPxNi
TechNet videos, articles, vendor documentation, load balancer sizing tools
Load Balancer qualification program: http://technet.microsoft.com/en-us/exchange/gg176682.aspx
Summary
Hardware load balancer is recommended, but NLB can still be used
Think about the Exchange workload
Important aspects are transparency, routing and persistence
Check with your vendor!
Additional Resources
Exchange 2010 LB Deployment: http://bit.ly/g7QwPy
WIKI CAS Load Balancing: http://bit.ly/JOPxNi
TechNet videos, community articles, vendor documentation, load balancer sizing tools
Geek Out with Perry Blog: http://blogs.technet.com/b/perryclarke/
Track Resources
Exchange Team Blog: http://blogs.technet.com/b/exchange/
Exchange TechNet Tech Center: http://technet.microsoft.com/exchange
MEC Website and Registration: http://www.mecisback.com/
Resources
Connect. Share. Discuss.
http://northamerica.msteched.com
Learning
Microsoft Certification & Training Resources
www.microsoft.com/learning
TechNet
Resources for IT Professionals
http://microsoft.com/technet
Resources for Developers
http://microsoft.com/msdn
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.