Using a Load Balancer in Your Microsoft Exchange Server 2010 Environment Jaap Wesselius Managing Consultant & Exchange MVP Inovativ UC EXL307


About the Speaker

Jaap Wesselius, Managing partner Inovativ UC

Author of “Exchange 2010 SP1 – A practical approach”

Parts published on Technet Magazine

Contributor to the blogs: MSExchange.org, Simple-Talk.com, Jaapwesselius.com

Agenda

Introduction
Load balancing essentials
Exchange 2010 and what it means for load balancing
Hardware load balancers
Load balancing resources
Summary

INTRODUCTION

Why do you want to load balance?

Redundancy and scalability

Exchange 2010 multi-role with DAG

History of Load Balancing

WLBS appears first in NT4
Renamed to NLB in Windows 2000
Still available in Windows 2008 R2
In the NT4 timeframe there was no Exchange LB
Only (static) web sites
NLB is configured as a service on Client Access Servers
Running in unicast or multicast mode
Works fine, but there are some drawbacks…

Drawbacks in Windows NLB

Switch/port flooding when used in Unicast mode
Scalability with more than 8 nodes
Not Service Aware
Add/Remove node causes reconnect
Only Source IP for persistence
Cannot be combined with DAG

Multi-role server recommendation: http://bit.ly/qKA9nP
TechEd 2010: Microsoft recommends Hardware LB
But is NLB supported? Yes, absolutely!

Hardware Load Balancers

Also referred to as ‘Application Delivery Controller’
Separate ‘node’ in network, independent of Windows
Smart load distribution
Service aware
Multiple persistence options
Compression options
SSL offloading
Caching of OWA attachments
Packet shaping or packet stream modifications

Take aways

Load balance Exchange for scalability and recovery
Microsoft recommends hardware load balancer
Windows NLB is still supported, but has some drawbacks

Load Balancer Essentials

Load Balancing Essentials (1/2)

Setup of hardware load balancer
One arm vs two arm setup

Routing with hardware load balancer
Source NAT
Direct Server Return (DSR)
Load Balancer Default Gateway (LBDG)

Load Balancing Essentials (2/2)

Persistence
HTTP header
Cookies
Source IP
SSL session ID

Distribution
Round robin
Least connections

Load Balancer Virtual Service

‘Instance’ running on load balancer
Own FQDN and IP address and port number, also referred to as virtual IP (VIP)
Each service has its own settings for:

Persistence
Distribution
Time-out
SSL offload

Load balancer can have multiple virtual services
Each vendor uses its own naming convention!

Load Balancing Essentials: Basic layout

Exchange 2010 multi-role with DAG

One Arm Load Balancer

One Armed, i.e. one NIC
Virtual IP configured in same subnet
Can cause routing issues, Exchange should use LB as default gateway
Routing via Source NAT (SNAT) or via Direct Server Return (DSR)

One Arm Source NAT

Pckt  Source IP     Dest. IP      Description
1     10.10.0.200   10.10.0.11    User to vIP loadbalancer
2     10.10.0.10    10.10.0.2     LB Self IP to EXCH02
3     10.10.0.2     10.10.0.10    EXCH02 to LB Self IP
4     10.10.0.11    10.10.0.200   LB vIP to User

One Arm Direct Server Return (DSR) (1/2)

Pckt  Source IP     Dest. IP      Description
1     10.10.0.200   10.10.0.11    User to vIP loadbalancer
2     10.10.0.10    10.10.0.2     LB Self IP to EXCH02
3     10.10.0.2     10.10.0.200   EXCH02 to User

One Arm Direct Server Return (DSR) (2/2)

Client does NOT expect IP address of CAS server
DSR Requirements:

No NAT but routing
Loopback adapter on CAS with VIP
Layer 7 persistence not supported

More complex: use Source NAT!

Two Arm Load Balancer

Two Armed, i.e. two NICs
HLB connected to two networks
vIP in subnet1, servers in subnet2
Source NAT or load balancer default gateway

Two Arm Load Balancer: Source NAT

Pckt  Source IP      Dest. IP       Description
1     172.16.0.100   172.16.0.1     User to vIP loadbalancer
2     10.10.0.10     10.10.0.2      LB IP internal to EXCH02
3     10.10.0.2      10.10.0.10     EXCH02 to LB IP internal
4     172.16.0.1     172.16.0.100   LB vIP to User

Persistence

per·sist·ence [per-sis-tuhns], dictionary reference: 1. the act or fact of persisting. 2. the quality of being persistent: You have persistence, I'll say that for you. 3. continued existence or occurrence: the persistence of smallpox. 4. the continuance of an effect after its cause is removed.

Persistence Options

Persistence is also referred to as stickiness or affinity
Stateful connection
Persistence is NOT load distribution!

SSL Session ID
Cookies
Source IP
Hash persistence (sometimes SuperHTTP)
Cookie and Hash need SSL offload!

SSL offloading (1/2)

SSL offloading means smart persistence
SSL is terminated at Load Balancer
Offloads intensive processor utilization from Client Access Server
Load Balancer to Exchange can be SSL
No offloading means only Source IP persistence or SSL Session ID persistence

SSL offloading (2/2)

WIKI: How to configure SSL offloading in Exchange 2010
OWA registry key: HKLM\System\CurrentControlSet\Services\MSExchange OWA, REG_DWORD SSLOffloaded, value “1”
IIS manager SSL settings
Outlook Anywhere: uncheck in Management Console
Exchange 2010 RTM uses web.config for configuration

Powershell commands for SSL offloading

# Enable SSL offloading on the Outlook Anywhere (RPC over HTTP) virtual directory of this CAS
Set-OutlookAnywhere -Identity "$($env:COMPUTERNAME)\RPC (Default Web Site)" -SSLOffloading $true

# Tell OWA that SSL is terminated in front of it (REG_DWORD SSLOffloaded = 1)
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA' -Name SSLOffloaded -Value 1 -PropertyType DWORD

# Clear the "Require SSL" flag on the OWA and ECP virtual directories in IIS
Import-Module webadministration
Set-WebConfigurationProperty -Filter //security/access -Name sslFlags -Value "None" -PSPath IIS:\ -Location "Default Web Site/OWA"
Set-WebConfigurationProperty -Filter //security/access -Name sslFlags -Value "None" -PSPath IIS:\ -Location "Default Web Site/ECP"

# Restart IIS so the new settings take effect
iisreset /noforce

Traffic patterns and Load Balancing

Diagram: clients 10.2.8.5, 10.18.7.3, 62.4.8.11 and 12.6.18.5 behind a broadband or mobile provider’s Source NAT (10.15.8.1), reaching the load balancer that distributes to CAS01, CAS02 and CAS03.

Uh oh…

Solution? Use Cookie based persistence

Take aways

Transparency is key!
One arm or two arm configuration
Routing your Exchange traffic
Persistence

Exchange 2010 and what it means for load balancing

Hardware Load Balancer in Exchange 2010: Traffic patterns

Client Protocols in Exchange 2010

HTTPS
MAPI
POP3
IMAP4
SMTP
Public Folder is not handled by CAS!

Persistence requirements

Persistence: Required         Persistence: Recommended     Persistence: Not Required
RPC Client Access Service
Outlook Web App               Outlook Anywhere             Offline Address Book
Exchange Control Panel        Exchange Active Sync         AutoDiscover
Exchange Web Services         Address Book Service         POP3
                              Remote PowerShell            IMAP4

Client Access Server Array (CAS Array)

CAS Array is MAPI endpoint (FQDN)
RPCClientAccessServer property on mailbox database
Create Virtual Service with this FQDN and VIP on load balancer

RPC Client Access

MAPI uses port 135 (static) plus dynamic ports (high range) for RPC and Address Book

Use static ports
Registry entries to control behavior

MAPI is stateful session
Source IP is only persistence option!
Round Robin distribution
Least connection can ‘overboost’ CAS after reboot

RPC Static Ports

WIKI page “Configure Static RPC Ports on an Exchange 2010 Client Access Server” – http://bit.ly/LnTQ7n

MSExchangeRPC: HKLM\System\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem, REG_DWORD "TCP/IP Port" with port number

Address Book Service: HKLM\System\CurrentControlSet\Services\MSExchangeAB\Parameters, REG_SZ RpcTcpPort with port number

Don’t forget Public Folders!

Powershell commands for static ports

# Static port for the RPC Client Access service (value "TCP/IP Port", REG_DWORD); 59532 is the example port used here.
# New-Item reports an error if the key already exists; the Set-ItemProperty still applies.
New-Item HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem "TCP/IP Port" 59532 -Type DWord

# Static port for the Address Book service (value RpcTcpPort, REG_SZ); 59533 is the example port used here.
New-Item HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters RpcTcpPort 59533 -Type String

Outlook Anywhere

Persistence recommended
Source IP
Outlook 2010: OutlookSession Cookie
OA ends on CAS (IIS) and continues in RPCPROXY.DLL on CAS

Does not use MAPI VIP
If persistence is not used RPC_IN_DATA and RPC_OUT_DATA are used for alignment
Performance penalty

HTTPS – OWA and ECP

OWA and ECP are stateful sessions
Source IP can be used (with large IP range)
SSL offload can be disabled for OWA/ECP

HTTPS persistence options can be used
Cookies, Hash or SuperHTTP
SSL offload must be used for OWA/ECP

Exchange Web Services

EWS is stateful session
Cookie persistence is recommended
Some mobile clients have issues with cookies
SSL Session ID (if clients do NOT re-initiate!)

ActiveSync

Persistence is recommended but not required
No persistence = performance penalty
Basic Authentication, use Authorization header: Basic ZmFrZXVzZXI6eCRwSUFLOUBwOSE=

Possible issues:
Mobile operator can use limited set of IP’s (Source NAT issues)
SSL Session ID: re-negotiation of Session ID
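Added example, not from the presentation: a small Python model of a load balancer's persistence table that reproduces the traffic pattern from the "Traffic patterns and Load Balancing" slide (several clients behind one operator's Source NAT all sticking to a single CAS under source IP persistence) next to the two alternatives named on this slide and the OWA slide, cookie persistence and hash persistence on the ActiveSync Authorization header. Server names, client IPs, cookies and credentials are constructed.

```python
import hashlib
from collections import Counter
from itertools import cycle

CAS_POOL = ["CAS01", "CAS02", "CAS03"]

# Constructed traffic: six clients; the first four are behind one mobile operator's
# Source NAT, so the balancer sees one source IP for all four. Values are fake.
REQUESTS = [
    {"src_ip": "62.4.8.11", "cookie": "OutlookSession=a1", "auth": "Basic dXNlcjE6cHc="},
    {"src_ip": "62.4.8.11", "cookie": "OutlookSession=b2", "auth": "Basic dXNlcjI6cHc="},
    {"src_ip": "62.4.8.11", "cookie": "OutlookSession=c3", "auth": "Basic dXNlcjM6cHc="},
    {"src_ip": "62.4.8.11", "cookie": "OutlookSession=d4", "auth": "Basic dXNlcjQ6cHc="},
    {"src_ip": "10.2.8.5", "cookie": "OutlookSession=e5", "auth": "Basic dXNlcjU6cHc="},
    {"src_ip": "12.6.18.5", "cookie": "OutlookSession=f6", "auth": "Basic dXNlcjY6cHc="},
]

def persistence_key(request, mode):
    """Value the balancer sticks on; cookie and header modes need SSL offloading."""
    if mode == "source_ip":
        return request["src_ip"]
    if mode == "cookie":
        return request["cookie"]
    if mode == "auth_header":
        # Hash persistence: store a digest of the Authorization header, not the credential.
        return hashlib.sha256(request["auth"].encode()).hexdigest()
    raise ValueError(f"unknown persistence mode {mode!r}")

class LoadBalancer:
    """Round robin for a new key; a known key goes to the CAS in the persistence table."""
    def __init__(self, pool, mode):
        self.mode = mode
        self.next_cas = cycle(pool)
        self.table = {}

    def route(self, request):
        key = persistence_key(request, self.mode)
        if key not in self.table:
            self.table[key] = next(self.next_cas)
        return self.table[key]

def distribute(requests, mode):
    """Route each request once and count how many sessions land on each CAS."""
    lb = LoadBalancer(CAS_POOL, mode)
    return Counter(lb.route(r) for r in requests)

if __name__ == "__main__":
    for mode in ("source_ip", "cookie", "auth_header"):
        print(f"{mode:12} {dict(distribute(REQUESTS, mode))}")
```

With source IP persistence the four NATed clients all land on CAS01; with cookie or Authorization header persistence the six sessions spread evenly over the three servers.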

Client Access Server Vdir settings

AutoDiscoverServiceInternalUri = NLB
Web Services InternalNLBBypassURL is set to the Server FQDN

Virtual Directory              InternalURL    ExternalURL (Internet Facing AD Site)   ExternalURL (Non-Internet Facing AD Site)
/OWA                           Server FQDN    NLB FQDN                                $null
/ECP                           NLB FQDN       NLB FQDN                                $null
/Microsoft-Server-ActiveSync   NLB FQDN       NLB FQDN                                $null
/OAB                           NLB FQDN       NLB FQDN                                $null
/EWS                           NLB FQDN       NLB FQDN                                $null

Take aways

Think about workloads and their requirements
Use static ports for MAPI
Depending on vendor use multiple Virtual Services (check with vendor!)

Load balancing resources and vendors

Exchange 2010 load balancing resources

Wiki: Exchange 2010 Client Access Array and Load Balancing Resources on http://bit.ly/JOPxNi
Technet videos, articles, vendor documentation, load balancer sizing tools
Load Balancer qualification program: http://technet.microsoft.com/en-us/exchange/gg176682.aspx

Hardware Load Balancer vendors

Software Load Balancer vendors

Summary

Summary

Hardware load balancer is recommended, but NLB can still be used
Think about the Exchange workload
Important aspects are:

Transparency
Routing
Persistence

Check with your vendor!

Additional Resources

Exchange 2010 LB Deployment: http://bit.ly/g7QwPy
WIKI CAS Load Balancing – http://bit.ly/JOPxNi
Technet Videos, Community Articles, Vendor documentation, Load Balancer sizing tools

Geek Out with Perry Blog: http://blogs.technet.com/b/perryclarke/

Track Resources

Exchange Team Blog: http://blogs.technet.com/b/exchange/

Exchange TechNet Tech Center: http://technet.microsoft.com/exchange

MEC Website and Registration: http://www.mecisback.com/

Resources

Connect. Share. Discuss.

http://northamerica.msteched.com

Learning

Microsoft Certification & Training Resources

www.microsoft.com/learning

TechNet

Resources for IT Professionals

http://microsoft.com/technet

Resources for Developers

http://microsoft.com/msdn


© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.