Load Balancing Exchange 2010 on Netscaler 9.1

Overview


You must enable Content Switching on the Netscaler for this guide to work. On your Netscaler, go to System -> Settings -> Change basic features and tick Content Switching (Load Balancing and SSL Offloading must be enabled there as well).

In order to load balance Exchange's various services like ActiveSync and OWA, each service's persistence settings are critical. This guide actually works unlike Citrix's Exchange 2010 setup guide, which I could not get to work in my environment.


First, you'll set up the individual servers and services and the Load Balancing Virtual Servers that use them. These LB VServers are created non-addressable (no IP address of their own): the Content Switching virtual server owns the VIP and accepts all inbound requests, then hands each one to the right LB VServer. Second, you'll create Content Switching policies and virtual servers which direct specific URL calls to their respective Load Balancing Virtual Servers. For example, mail.domain.com/owa will be directed to a LB VServer with source-IP persistence, mail.domain.com/microsoft-server-activesync will be directed to its own LB VServer with different (rule-based) persistence, and autodiscover.mydomain.com/autodiscover will be directed to the OWA load balancing virtual server.


Our internal DNS server hosts zones for our domain like mail.mydomain.com and autodiscover.mydomain.com and resolves them to our internal mailserver DAG cluster IP address. This makes it easier than having separate external and internal domains for both content switching and SSL certificate requirements.






Create all the things!

  1. Create Load Balancing Servers for each CAS server
    • Load Balancing -> Servers
      • Create a new server entry for each CAS server, named after the host and pointing at its IP address.

  2. Create Load Balancing Services for each LB Server
    • Load Balancing -> Services
      • Create a new LB Service pointing to the above LB Server. Use the protocol and port the CAS listens on for the Netscaler; the IIS changes at the end of this guide (Require SSL unchecked) assume plain HTTP on port 80 with SSL terminated on the Netscaler.

  3. Create Load Balancing Virtual Servers for OWA
    • Load Balancing -> Virtual Servers
      • Click Add to add a new LB VS.
      • Name it something like exch-owa.
      • Protocol: SSL
      • Do not enter an IP address.
      • Uncheck Directly Addressable, click Yes to the prompt to clear IP information, then uncheck the option once more to finalize the setting.
      • Check the services for the mail server(s)
      • In the Method and Persistence tab:
      • LB Method: Least Connection
      • Persistence: SOURCEIP
      • Time-out (min): 2 (see the notes at the end on the persistence timeout)
      • Persist-Netmask: 255.255.255.0
    • In the SSL Settings tab, apply the mail cert, then go into SSL Parameters and uncheck 'Enable SSL v2 Redirect' and 'Enable Cipher Redirect'. With those enabled, a client that negotiates SSLv2 or a cipher the vserver doesn't offer is served a redirect page instead of being refused; unchecking them makes the handshake fail closed. While you are in SSL Parameters, also untick SSLv2 under Protocols so the vserver never negotiates it at all.
    • Click OK to create the virtual server.

  4. Create a virtual server for Exchange ActiveSync via the steps above (name it something like exch-eas), but with the below changes to Method and Persistence
    • Load Balancing -> Virtual Servers
      • Method: Least Connection
      • Persistence: RULE
      • Time-out (min): 2
      • Rule: HTTP.REQ.HEADER("Authorization")
      • This keys persistence on the device's Authorization header rather than its source IP, so phones sharing a carrier NAT address each stick to their own CAS and a phone whose IP changes keeps the same one.
  5. OPTIONAL: Create a LB VS to redirect all 80 requests to 443 for OWA
    • Load Balancing -> Virtual Servers
      • Create a non-addressable LB VS as above, but set HTTP as the protocol and name it something like exch-owa-https-rd. Bind no services to it.
      • In the Advanced tab enter the HTTPS URL to redirect to your OWA such as https://mail.domain.com/owa
      • Click OK to create the VS and note that it shows as DOWN. This is expected and is actually what makes it work: a LB VS serves its Redirect URL only while it is DOWN, and with no services bound it stays DOWN permanently. We will point a CS VS at this LB VS in the next section.
  6. Create Content Switching Policies for OWA, EAS & Autodiscover
    • Content Switching -> Policies
      • Click Add to add a new policy.
      • Give it a name like exch-owa-all. This policy will cover OWA, EWS, RPC and OAB.
      • Click Configure to create a new expression.
      • Check the Advanced Syntax option and paste the following into the Expression field:
        • HTTP.REQ.HOSTNAME.CONTAINS("mail.domain.com") && (HTTP.REQ.URL.PATH.TO_LOWER.STARTSWITH("/ews") || HTTP.REQ.URL.PATH.TO_LOWER.STARTSWITH("/rpc") || HTTP.REQ.URL.PATH.TO_LOWER.STARTSWITH("/owa") || HTTP.REQ.URL.PATH.TO_LOWER.STARTSWITH("/oab"))
      • The parentheses matter: && binds tighter than ||, so without them the hostname check applies only to the /ews branch and /rpc or /owa requests match whatever Host header the client sent. If you want the host match strict, HTTP.REQ.HOSTNAME.EQ("mail.domain.com") instead of CONTAINS also stops mail.domain.com.example.org from matching (bear in mind HOSTNAME includes the port if the client sent one).
      • Click Create twice to create and save the policy.
      • Create an Exchange ActiveSync (mobile) policy as above, named exch-eas, with the following expression:
        • HTTP.REQ.HOSTNAME.CONTAINS("mail.domain.com") && HTTP.REQ.URL.PATH.TO_LOWER.STARTSWITH("/microsoft-server-activesync")
      • Create a policy for autodiscover, named exch-auto:
        • HTTP.REQ.HOSTNAME.CONTAINS("autodiscover.domain.com") && HTTP.REQ.URL.PATH.TO_LOWER.STARTSWITH("/autodiscover")
      • Create a HTTP redirector policy for OWA, named exch-http-rd:
        • HTTP.REQ.HOSTNAME.CONTAINS("mail.domain.com") && HTTP.REQ.URL.PATH.TO_LOWER.STARTSWITH("/owa")

  7. Create Content Switching Virtual Servers for the policies
    • Content Switching -> Virtual Servers
      • Click Add to add a new virtual server.
      • Select SSL as the protocol, port 443.
      • Give it a name like exch-owa-cs (it must differ from the exch-owa LB VS; vserver names are unique across the whole Netscaler).
      • Apply your virtual server IP address (the internal IP your firewall NATs the public mail address to).
      • Apply all policies to the VServer except for HTTP redirector:
        • Click the Advanced Expression option.
        • Click the Insert Policy button and choose the exch-owa-all policy created previously.
        • Set Target to the exch-owa virtual server from the list of Load Balancing Virtual Servers (This was the virtual server created earlier under Load Balancing -> Virtual Servers).
        • Set Priority to 100.
        • Click the Insert Policy button and choose the exch-auto policy created earlier.
        • Set Target to the exch-owa LB VS.
        • Set Priority to 90.
        • Click the Insert Policy button and choose the exch-eas policy created earlier.
        • Set Target to the exch-eas LB VS.
        • Set Priority to 80. (Lower numbers are evaluated first; since the three expressions match disjoint paths, the order here does not change the outcome.)
      • Under SSL Settings apply the mail server SSL certificate and uncheck the options under SSL Parameters as done previously for the Load Balancing Virtual Server.
      • Create a second VS and call it something like exch-owa-rd.
      • Set the protocol to HTTP, port 80, on the same IP address.
      • Add the exch-http-rd policy and set its target to the exch-owa-https-rd LB VS.
Content switching HTTPS virtual server 
Content switching HTTP redirect virtual server
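The whole build, steps 1 through 7, as Netscaler CLI for anyone who would rather script it than click through the GUI. This is an added example and not part of the original write-up or Citrix's own guide; the server names cas01/cas02, their addresses 10.0.0.11/12, the VIP 192.0.2.10 and the certkey name mail-cert are placeholders, and it assumes the certkey has already been installed. It uses the same policy expressions as the steps above, with the parentheses that make the hostname check cover every path branch.

```netscaler
# Added example: Netscaler 9.x CLI equivalent of GUI steps 1-7. Placeholders
# (assumptions, not from the original post): cas01/cas02, 10.0.0.11/.12,
# VIP 192.0.2.10, certkey "mail-cert", hostnames mail.domain.com / autodiscover.domain.com.

# 1-2. Servers and HTTP services (SSL is offloaded on the Netscaler, see the IIS notes)
add server cas01 10.0.0.11
add server cas02 10.0.0.12
add service svc-cas01-http cas01 HTTP 80
add service svc-cas02-http cas02 HTTP 80

# 3. OWA LB vserver: 0.0.0.0 port 0 makes it non-addressable; SOURCEIP persistence with /24 mask
add lb vserver exch-owa SSL 0.0.0.0 0 -lbMethod LEASTCONNECTION -persistenceType SOURCEIP -timeout 2 -persistMask 255.255.255.0
bind lb vserver exch-owa svc-cas01-http
bind lb vserver exch-owa svc-cas02-http
bind ssl vserver exch-owa -certkeyName mail-cert
set ssl vserver exch-owa -sslv2Redirect DISABLED -cipherRedirect DISABLED -ssl2 DISABLED

# 4. ActiveSync LB vserver: RULE persistence keyed on the Authorization header
add lb vserver exch-eas SSL 0.0.0.0 0 -lbMethod LEASTCONNECTION -persistenceType RULE -rule 'HTTP.REQ.HEADER("Authorization")' -timeout 2
bind lb vserver exch-eas svc-cas01-http
bind lb vserver exch-eas svc-cas02-http
bind ssl vserver exch-eas -certkeyName mail-cert
set ssl vserver exch-eas -sslv2Redirect DISABLED -cipherRedirect DISABLED -ssl2 DISABLED

# 5. HTTP->HTTPS redirector: no services bound, so it stays DOWN and serves -redirectURL
add lb vserver exch-owa-https-rd HTTP 0.0.0.0 0 -redirectURL "https://mail.domain.com/owa"

# 6. Content switching policies (advanced syntax). && binds tighter than ||, so the
#    path alternatives are parenthesised; otherwise /rpc and /owa would match on any Host.
add cs policy exch-owa-all -rule 'HTTP.REQ.HOSTNAME.CONTAINS("mail.domain.com") && (HTTP.REQ.URL.PATH.TO_LOWER.STARTSWITH("/ews") || HTTP.REQ.URL.PATH.TO_LOWER.STARTSWITH("/rpc") || HTTP.REQ.URL.PATH.TO_LOWER.STARTSWITH("/owa") || HTTP.REQ.URL.PATH.TO_LOWER.STARTSWITH("/oab"))'
add cs policy exch-eas -rule 'HTTP.REQ.HOSTNAME.CONTAINS("mail.domain.com") && HTTP.REQ.URL.PATH.TO_LOWER.STARTSWITH("/microsoft-server-activesync")'
add cs policy exch-auto -rule 'HTTP.REQ.HOSTNAME.CONTAINS("autodiscover.domain.com") && HTTP.REQ.URL.PATH.TO_LOWER.STARTSWITH("/autodiscover")'
add cs policy exch-http-rd -rule 'HTTP.REQ.HOSTNAME.CONTAINS("mail.domain.com") && HTTP.REQ.URL.PATH.TO_LOWER.STARTSWITH("/owa")'

# 7. Content switching vservers on the VIP. Anything no policy matches gets 503 because
#    no default LB vserver is bound (add "-lbvserver exch-owa" to a bind if you want a catch-all).
add cs vserver exch-owa-cs SSL 192.0.2.10 443
bind cs vserver exch-owa-cs -policyName exch-owa-all -targetLBVserver exch-owa -priority 100
bind cs vserver exch-owa-cs -policyName exch-auto -targetLBVserver exch-owa -priority 90
bind cs vserver exch-owa-cs -policyName exch-eas -targetLBVserver exch-eas -priority 80
bind ssl vserver exch-owa-cs -certkeyName mail-cert
set ssl vserver exch-owa-cs -sslv2Redirect DISABLED -cipherRedirect DISABLED -ssl2 DISABLED

add cs vserver exch-owa-rd HTTP 192.0.2.10 80
bind cs vserver exch-owa-rd -policyName exch-http-rd -targetLBVserver exch-owa-https-rd -priority 100

# Check the result: the CS vservers should be UP, the redirector LB vserver DOWN by design
show cs vserver exch-owa-cs
show cs vserver exch-owa-rd
show lb vserver exch-owa-https-rd
save ns config
```

Paste the lines into the CLI one section at a time rather than all at once so a typo in a server name or certkey is caught where it happens; the `show` commands at the end are the quickest way to confirm that exch-owa-cs came up with all three policies bound and that exch-owa-https-rd is DOWN, which is the state the redirect depends on.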

NOTES AND FINAL STEPS - DON'T SKIP THESE:
  • Any request to this VS whose host and path do not match a policy bound to the CS VS (e.g., a bare https://mail.domain.com/ with no path) will get HTTP/1.1 503 Service Unavailable, because no default LB VS is bound. That is fail-closed, which is what you want on an internet-facing VIP; if you do need a catch-all, set one of the LB VSs as the CS VS's Default target rather than loosening the policy expressions.
  • The Content Switching polices above assume you are accessing your mail server via mail.domain.com/owa, mail.domain.com/Microsoft-server-activesync, etc. If you are using something like owa.domain.com for OWA and activesync.domain.com for ActiveSync, you will have to modify the policies accordingly.
    • Remove the /owa and /Microsoft-server-activesync portions of the expressions and change mail.domain.com to owa.domain.com and activesync.domain.com, respectively.
  • The persistence settings for the LB VServers are critical. ActiveSync will fail without the HTTP Authorization rule setting and OWA will keep bumping you back to the login screen without SOURCEIP persistence.
    • I have set 30 min as my timeout. Citrix's suggestion is to set the timeout value to 540. This caused lots of issues in my environment. Changing this value to 30 minutes fixed them.
    • To further mitigate potential iOS issues, create the following registry value on all CAS servers:
      • HKLM\Software\Policies\Microsoft\Windows NT\RPC
      • DWORD value: MinimumConnectionTimeout
      • Decimal value: 120
    • Set the IIS connection time-out for the default site on all CAS servers to 30 minutes (this is the site-level connection limit, not an ASP setting):
      • Open INETMGR -> expand the servername -> expand Sites
      • Highlight the Default Web Site
      • Right-click -> Manage Web Site -> Advanced Settings
      • Under Behavior expand Connection Limits
      • Set the value for Connection Time-out to 1800 (seconds)
      • Save your settings and reset IIS:
        • Open CMD or PowerShell as an administrator and run the following command:
          • iisreset
    • Make sure your firewall's idle session timeout for HTTP/HTTPS is at least 30 minutes, or it will drop the connections before the Netscaler and IIS do.
  • Uncheck Require SSL on the following virtual directories on all CAS servers under IIS for the default web site. This is only needed because SSL terminates on the Netscaler and the LB services reach the CAS over plain HTTP (if you built the services as SSL to port 443 you can leave it checked). It also means Netscaler-to-CAS traffic crosses your server network in cleartext, so keep that segment restricted to the Netscaler SNIPs.
    • Autodiscover
    • EWS
    • Exchange
    • Exchweb
    • OWA
  • Enable Basic authentication on the following IIS virtual directories. Basic sends the password Base64-encoded, not encrypted, which is acceptable here only because every client path to these directories goes through the SSL CS VS (port 80 is just a redirect); never expose the CAS port 80 to clients directly:
    • EWS
    • Microsoft-Server-ActiveSync
    • OAB
    • OWA
  • In order for RPC/Outlook Anywhere to function, you might need to make a change to any Outlook client machines that will connect remotely. The RPC IIS directory forces NTLM authentication. If you modify it to Basic, Exchange will force it back to NTLM a few minutes later. Netscaler 9.1 cannot pass through NTLMv2, so you will basically get a looping authentication prompt on the client. To correct this, make the below registry change on the Outlook client. You should see an immediate fix.
    • In Regedit, locate the following key:
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
      • Create or modify the below DWORD value and set its value to 2:
        • LmCompatibilityLevel
    • Be clear about what this does: LmCompatibilityLevel 2 is "send NTLM response only", so the client drops from NTLMv2 to NTLMv1 for every NTLM authentication it performs, not just Outlook's. NTLMv1 responses are far easier to crack offline, and Windows Vista and later default to level 3 (NTLMv2 only) for that reason. Treat this as a workaround scoped to the affected clients and revert it once the path between client and CAS can carry NTLMv2.
