Microsoft Exchange 2016

1 Introduction

 The KEMP LoadMaster combines versatility with ease-of-use to speed deployment of the complete portfolio of advanced messaging applications and protocols used by Exchange 2016, including Outlook on the Web, MAPI/HTTP, Outlook Anywhere (OA), Exchange ActiveSync (EAS), Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), Internet Message Access Protocol version 4 (IMAP4) and Office Online Server (OOS). With built-in SSL acceleration and/or overlay, the LoadMaster offloads a key source of CPU drain to improve the capacity of the Exchange 2016 infrastructure. Layer 7 health checking at the LoadMaster ensures that if one of the Client Access components becomes inaccessible, the load balancer will take that component offline for that server, while automatically re-routing and reconnecting users to other functioning servers.

The entire KEMP LoadMaster product family, including the Virtual LoadMaster (VLM) supports Microsoft Exchange 2016.

1.1 About This Manual

This manual addresses how to deploy and configure a LoadMaster appliance with Microsoft Exchange 2016.

KEMP’s LoadMaster family of products is available in various models to support networks of different throughput requirements. Information in this manual applies to all LoadMaster models.

1.2 Prerequisites

This guide assumes the reader is a network administrator or a person otherwise familiar with networking and general computer terminology. Set up an Exchange 2016 environment and install the KEMP LoadMaster.

LoadMaster documentation is available at https://www.kemptechnologies.com/documentation.

At a minimum, you should have:

Installed the Microsoft Servers, Active Directories and followed other Microsoft requirements.

Installed the LoadMaster on the same network as the servers.

Established access to the LoadMaster Web User Interface (WUI).

2 Exchange 2016 Overview

Microsoft Exchange Server is a mail server, calendaring software and contact manager. It is a server program that runs on Windows Server and is part of the Microsoft Servers line of products. The improvements made in Exchange 2016 have made it easier to load balance Exchange-related traffic.

Exchange 2016 includes the following solutions for switchover and failover redundancy:

High availability: Exchange 2016 uses Database Availability Groups (DAGs) to keep multiple copies of your mailboxes on different servers synchronized. That way, if a mailbox database fails on one server, users can connect to a synchronized copy of the database on another server.

Site resilience: You can deploy two Active Directory sites in separate geographic locations, keep the mailbox data synchronized between the two, and have one of the sites take on the entire load if the other fails.

Online mailbox moves: During an online mailbox move, email accounts are still accessible. Users are locked out for a brief period at the end of the process, when the final synchronization occurs. Online mailbox moves can be performed across forests or in the same forest.

Shadow redundancy: Shadow redundancy protects the availability and recoverability of messages while they are in transit. With shadow redundancy, the deletion of a message from the transport databases is delayed until the transport server verifies that all the next hops for that message have completed. If any of the next hops fail before reporting successful delivery, the message is resubmitted for delivery to the hop that did not complete.

2.1 Differences Between Exchange 2013 and Exchange 2016

Although there are a lot of similarities between Exchange 2013 and Exchange 2016, there are a couple of areas to mention relating to the roles and the Preferred Architecture.

The Exchange 2016 Preferred Architecture is to use unbound namespace load balanced across datacenters in a Layer 7 configuration that does not leverage session affinity.

An Office Online Server farm is deployed in each datacenter, with each farm having a unique namespace (bound model). The load balancer now manages session affinity. This server allows users to view and modify supported file attachments within Outlook on the Web.

New to the server roles with Exchange 2016 is that Client Access role has now been moved to the Mailbox Server. In older versions of Exchange the Client Access role could be deployed on a dedicated server or coexist on the mailbox server. In Exchange 2016 there are just two server roles:

The Mailbox Server combines all prior rolls including Mailbox, Hub Transport, Unified Messaging and Client Access (CAS).

The Edge Transport server provides secure inbound/outbound mail flow.

The CAS still acts as a reverse proxy. The CAS determines which mailbox database their mailbox is located on and provides the request to the back-end mailbox server that hosts the database. The mailbox server then renders the OWA content, not the CAS.

Clients no longer interact with Exchange using RPC, it is all done over HTTPS. MAPI over HTTP and Outlook Anywhere are the protocols that Outlook clients use to access their mailbox.  In Exchange 2016 MAPI/HTTP is enabled by default.

Outlook 2010 with KB2965295 or greater is required with Exchange 2016.

2.2 Understanding Server Load Balancing

Server load balancing is a way to manage which servers receive traffic. Server load balancing provides failover redundancy to ensure users continue to receive service in case of failure. It also enables your deployment to handle more traffic than one server can process while offering a single host name for clients.

Server load balancing serves two primary purposes. It reduces the impact of server failures within an Exchange Organization. In addition, server load balancing ensures that the load on the CAS and Transport services are optimally distributed.

Two key changes in Exchange 2016 make load balancing a lot simpler:

HTTPS-only access from clients means that there is only one protocol to consider. The HTTP failure states are well known and clients typically respond in a similar way.

As OWA is rendered on the same server that is hosting the user’s mailbox database; if a client hits a different CAS there is no performance degradation as the session rendering for that user is already up and running.

Since Exchange 2013 Client Access Server role is just an intelligent proxy, it can proxy the mailbox requests to an Exchange 2016 server. This means Exchange 2013 and Exchange 2016 Client Access Services can co-exist in the same KEMP Virtual Service.

There are improvements to forms-based authentication. The authentication cookie is provided to the user after logon and it is encrypted using the CAS’s SSL certificate. This allows a logged in user to resume their session on a different CAS without having to re-authenticate (if servers share the same SSL certificate).

2.3 Enable Subnet Originating Requests Globally

It is best practice to enable the Subnet Originating Requests option globally.

In a one-armed setup (where the Virtual Service and Real Servers are on the same network/subnet) Subnet Originating Requests is usually not needed. However, enabling Subnet Originating Requests should not affect the routing in a one-armed setup.

In a two-armed setup where the Virtual Service is on network/subnet A, for example, and the Real Servers are on network B - Subnet Originating Requests should be enabled on LoadMasters with firmware version 7.1-16 and above.

When Subnet Originating Requests is enabled, the LoadMaster will route traffic so that the Real Server will see traffic arriving from the LoadMaster interface that is in that network/subnet not the Virtual Service address.

When Subnet Originating Requests is enabled globally, it is automatically enabled on all Virtual Services. If the Subnet Originating Requests option is disabled globally, you can choose whether or not to enable Subnet Originating Requests on a per-Virtual Service basis.

To enable Subnet Originating Requests globally, follow the steps below:

1. In the main menu of the LoadMaster Web User Interface (WUI), go to System Configuration > Miscellaneous Options > Network Options.

2. Tick the Subnet Originating Requests check box.

2.4 100-Continue Handling

To avoid issues with Exchange Web Services, especially in a hybrid configuration, configure 100-continue handling to comply with RFC-7231 instead of standard setting of RFC-2616.

To resolve this issue, set the 100-Continue Handling setting to RFC-7231 Complaint.

1. In the main menu of the LoadMaster WUI, go to System Configuration > Miscellaneous Options > L7 Configuration.

100 Continue Handling.png

2. Select RFC-7231 Complaint under 100-Continue Handling.

2.5 Additional L7 Header

When using the built-in Mail client on Mac, you may experience connectivity issues. This happens due to how Mail client on Mac handles Persistent-Auth headers from the Exchange server.  This behaviour will not be present on Outlook for Mac clients or any Windows Office clients.

To resolve this issue, apply the following settings on the KEMP LoadMaster:

Globally set Additional L7 Header to None. Follow the steps below:

1. In the main menu of the LoadMaster WUI, go to System Configuration > Miscellaneous Options > L7 Configuration.

Additional L7 Header.png

2. Select None under Additional L7 Header.

 

Additional L7 Header_1.png

3 Virtual Service Templates

KEMP have developed templates containing our recommended settings for Exchange 2016. These templates can be installed on the LoadMaster and can be used when creating each of the Virtual Services. Using a template automatically populates the settings in the Virtual Services. This is quicker and easier than manually configuring each Virtual Service. If needed, you can make changes to any of the Virtual Service settings after using the templates.

Released templates can be downloaded from the KEMP documentation page: http://www.kemptechnologies.com/documentation/.

For more information and steps on how to import and use templates, refer to the Virtual Services and Templates, Feature Description.

The Microsoft Exchange 2016 templates currently available are grouped in three downloadable files as follows:

Exchange 2016 Core Services

This file contains templates for non-SSL offloaded HTTPS, SSL offloaded HTTPS and SMTP Virtual Services.

This is the primary set of services needed to balance Exchange 2016.

Exchange 2016 ESP Services

This file contains individual templates for a HTTPS service with SSL offloading and an SMTP service, both with ESP enabled.

These services are only necessary if you want to use ESP functionality.

Exchange 2016 ESP and WAF Services

This file contains individual templates for HTTPS services with ESP and the Web Application Firewall (WAF) enabled.

Before using this template, download the OWASP ModSecurity Core Rule Set and import the rules into the LoadMaster.

These services are only necessary if you want to use ESP and WAF functionality.

If you try to install this template on a LoadMaster that does not have a WAF license, an error message will appear. Please contact KEMP to upgrade your license, if needed.

Exchange 2016 Additional Services

This file contains templates for IMAP, POP and SMTP services, including variants for STARTTLS and SSL secured services.

4 Configuring Virtual Services for Exchange 2016

The sections below give instructions on how to configure the various Virtual Services related to Microsoft Exchange. KEMP recommends these settings. They may not be applicable to your specific configuration. For further information and help, please contact our Support team.

4.1 HTTPS Virtual Service

Follow the instructions below to set up a HTTPS Virtual Service:

1. Select the Add New option within the Virtual Services section of the main menu tree.

HTTPS Virtual Service.png

2. Enter the IP address of the Virtual Service in the Virtual Address field.

3. Enter 443 in the Port field.

4. Type a name, for example Exchange 2016 HTTPS in the Service Name field.

5. Select tcp in the Protocol drop-down list.

6. Click the Add this Virtual Service button to add the Virtual Service.

7. Configure the settings as recommended in the following table:

Section

Option

Value

Comment

Basic Properties

Service Type HTTP/HTTPS  
Standard Options Force L4 Disabled When L7 is referred to in KEMP documentation, it is in relation to the actual TCP connection. When Microsoft refer to L7 for Exchange it is in relation to SSL decryption and re-encryption. This is different and what KEMP recommends is not necessarily L7 configuration unless SSL acceleration is enabled.

 

Transparency Disabled  

 

Persistence Mode None  
  Scheduling Method round robin  
  Idle Connection Timeout 1800 Click the Set Idle Timeout.
Advanced Options Redirection URL https://%h%s Click Add HTTP Redirector. This creates a new redirect Virtual Service on port 80 with the same IP address.

Real Servers

Real Server Check Method HTTPS Protocol  
  Checked Port 443  
  URL /owa/healthcheck.htm Click Set URL.
  Use HTTP/1.1 Disabled  
  HTTP Method GET  

8. Expand the Real Servers section.

HTTPS Virtual Service_4.png

9. In the Real Servers section, select the following options:

a) Ensure HTTPS Protocol is selected as the health-checking option from the Real Server Check Parameters drop-down list.

b) Enter 443 in the Checked Port field and click Set Check Port.

c) Enter /owa/healthcheck.htm in the URL field and click Set URL.

d) Ensure the Use HTTP/1.1 check box in not selected.

e) Select GET from the HTTP Method drop-down list.

HTTPS Virtual Service_5.png

10. Click Add New…, and select the following options:

a) Enter the Real Server Address for the Exchange Server.

b) Enter Port 443.

c) Select NAT as Forwarding method.

d) Click Add This Real Server.

11. Do this for each Exchange Server in your organization.

Make minor changes to the redirect Virtual Service that was added:

1. Click View/Modify Services in the main menu.

2. Click Modify on the Redirect Virtual Service with the blank name which has the same IP address as the Virtual Service that was just created.

HTTPS Virtual Service_6.png

3. Enter a recognizable Service Name, for example Exchange 2016 HTTP Redirect and click Set Nickname.

HTTPS Virtual Service_7.png

4. In Standard Options, set the Persistence Mode to None.

4.1.1 HTTPS Reencrypted using SubVSs

Follow the instructions below to set up a HTTPS Virtual Service with SubVSs.

4.1.1.1 Create the Parent Virtual Service

Follow the instructions below to set up the parent HTTPS Virtual Service:

1. Select the Add New option within the Virtual Services section of the main menu tree.

HTTPS Reencrypted using SubVSs.png

2. Enter the IP address of the Virtual Service in the Virtual Address field.

3. Enter 443 in the Port field.

4. Type a name, for example Exchange 2016 HTTPS Reencrypt in the Service Name field.

5. Select tcp in the Protocol drop-down list.

6. Click the Add this Virtual Service button to add the Virtual Service.

7. Configure the settings as recommended in the following table:

Section

Option

Value

Comment
Basic Properties Service Type HTTP/HTTPS  

Standard Options

Force L4 Disabled  
  Transparency Disabled  

 

Persistence Mode none  

 

Scheduling Method round robin  
  Idle Connection Timeout 1800 Click Set Idle Timeout.
SSL Properties SSL Acceleration Enabled  
  Reencrypt Enabled  
  Certificates   Select the certificate to be used for encryption and click > to move it to Assigned Certificates. Click Set Certificates.
  Cipher Set BestPractices  
Advanced Properties Redirection URL https://%h%s Click Add HTTP Redirector. This creates a redirect Virtual Service on port 80 with the same IP address.

4.1.1.2 Create the SubVSs

Follow the instructions below to set up the SubVSs:

1. In the Real Servers section of the Virtual Services options page, click the Add SubVS button.

2. A message stating that the SubVS is created appears, click OK.

The Real Servers section should now be renamed to SubVSs.

The following steps deal with creating a SubVS for an Exchange service such as owa.

3. In the SubVSs section of the SubVS options page, click the Modify button next to the SubVS.

4. Configure the settings as recommended in the following table:

Section

Option

Value

Comment
Basic Properties SubVS Name Enter a relevant name, for example OWA. Click Set Nickname.
  SubVS Type HTTP/HTTPS  

Real Servers

Checked Port 443 Click Set Check Port.
  URL /owa/healthcheck.htm Click Set URL.

 

Use HTTP/1.1 Disabled  

 

HTTP Method GET  

5. When finished editing the SubVS, click Back. Now you can add other SubVSs to this Virtual Service as needed.

6. Configure each SubVS using the settings in the table below.

SubVS Name

 

Healthcheck URL

 

OWA (as in steps above)

 

/owa/healthcheck.htm

 

Autodiscover

 

/autodiscover/healthcheck.htm

 

ECP

 

/ecp/healthcheck.htm

 

EWS

 

/ews/healthcheck.htm

 

ActiveSync

 

/microsoft-server-activesync/healthcheck.htm

 

OAB

 

/oab/healthcheck.htm

 

Powershell

 

/powershell/healthcheck.htm

 

RPC

 

/rpc/healthcheck.htm

 

MAPI

 

/mapi/healthcheck.htm

 

4.1.1.3 Create Content Rules

Content Rules must be created for the Virtual Services to function correctly.

To create a Modify URL rule for owa please complete the following steps:

1. Select the Rules & Checking > Content Rules menu option.

2. Click the Create New button.

HTTPS Reencrypted using SubVSs_6.png

3. Enter a relevant name, for example Redirect_Root, in the Rule Name field.

4. Select Modify URL from the Rule Type drop-down list.

5. Enter /^\/$/ in the Match String field.

6. Enter /owa in the Modified URL field.

7. Click the Create Rule button.

8. To create a Content Matching rule for owa please complete the following steps:

9. Select the Rules & Checking > Content Rules menu option.

10. Click the Create New button.

HTTPS Reencrypted using SubVSs_7.png

11. Enter a relevant name, for example OWA, in the Rule Name field.

12. Select Content Matching from the Rule Type drop-down list.

13. Ensure Regular Expression is selected in the Match Type drop-down list.

14. Enter /^\/owa.*/ in the Match String field.

15. Select the Ignore Case check box.

16. Click Create Rule.

Create additional Content Matching rules following steps Select the Rules & Checking > Content Rules menu option. above but using the values as described in the following table:

Rule Name

Match String

Ignore Case

ActiveSync

/^\/microsoft-server-activesync.*/

yes

Autodiscover

/^\/autodiscover.*/

yes

ECP

/^\/ecp.*/

yes

EWS

/^\/ews.*/

yes

OAB

/^\/oab.*/

yes

PowerShell

/^\/powershell.*/

yes

RPC

/^\/rpc.*/

yes

Root

/^\/$/

yes

MAPI

/^\/mapi.*/

yes

Authentication Proxy

/^\/lm_auth_proxy*$/

yes

4.1.1.4 Apply Content Rules

Once all Content Rules have been created, you must add these to the Virtual Services/SubVSs.

1. Select View/Modify Services under Virtual Services.

2. Select Modify next to the Exchange 2016 HTTPS Re-Encrypt Virtual Service.

HTTPS Reencrypted using SubVSs_8.png

3. In the Advanced Properties section, select Show Header Rules.

4. Select the redirect rule created earlier and select Add.

5. Click Back to return to the Virtual Service settings.

6. Expand the Advanced Properties section.

HTTPS Reencrypted using SubVSs_9.png

7. In the Advanced Properties section, select Enable under Content Switching.

HTTPS Reencrypted using SubVSs_10.png

8. In the SubVS section, select None under Rules for ActiveSync.

HTTPS Reencrypted using SubVSs_11.png

9. Select the Content Rule for ActiveSync that was created in the Create Content Rules section and select Add.

10. Click Back and repeat these steps for all remaining SubVSs.

4.1.2 HTTPS Offloaded Using SubVSs

To set up HTTPS Offloading Using SubVSs, follow the steps in the section below.

4.1.2.1 Create the Parent Virtual Service

Follow the instructions below to set up the parent HTTPS Virtual Service:

1. Select the Add New option within the Virtual Services section of the main menu tree.

HTTPS Offloaded Using SubVSs.png

2. Enter the IP address of the Virtual Service in the Virtual Address field.

3. Enter 443 in the Port field.

4. Type a name, for example Exchange 2016 HTTPS Offloaded in the Service Name field.

5. Select tcp in the Protocol drop-down list.

6. Click the Add this Virtual Service button to add the Virtual Service.

7. Configure the settings as recommended in the following table:

Section

Option

Value

Comment
Basic Properties Service Type HTTP/HTTPS  

Standard Options

Force L4 Disabled  
  Transparency Disabled  

 

Persistence Mode None  

 

Scheduling Method round robin  
  Idle Connection Timeout 1800 Click Set Idle Timeout.

SSL Properties

SSL Acceleration Enabled  
  Reencrypt Disabled  
  Certificates   Select the certificate to be used for encryption and click > to move it to Assigned Certificates. Click Set Certificates.
  Cipher Set BestPractices  
Advanced Properties Redirection URL https://%h%s Click Add HTTP Redirector. This creates a redirect Virtual Service on port 80 with the same IP address.

 

4.1.2.2 Create the SubVSs

Follow the instructions below to set up the SubVSs:

1. Expand the Real Servers section of the Virtual Services options page and click Add SubVS…

2. Click OK on the message, which appears.

The Real Servers section should now be called SubVSs.

The following steps deal with creating a SubVS for an Exchange service such as owa.

3. In the SubVSs section of the SubVS options page, click the Modify button next to the SubVS.

4. Configure the settings as recommended in the following table:

Section

Option

Value

Comment

Basic Properties

SubVS Name   Enter a relevant name, such as OWA.
  SubVS Type HTTP/HTTPS  

Real Servers

Checked Port 80  
  URL /owa/healthcheck.htm Click Set URL.
  Use HTTP/1.1 Disabled  
  HTTP Method GET  

 

5. When finished editing the SubVS, click Back. Now you can add other SubVSs to this Virtual Service as needed.

6. Configure each SubVS using the settings in the following table:

SubVS Name

 

Healthcheck URL

OWA (as in steps above)

 

/owa/healthcheck.htm

Autodiscover

 

/autodiscover/healthcheck.htm

ECP

 

/ecp/healthcheck.htm

EWS

 

/ews/healthcheck.htm

ActiveSync

 

/microsoft-server-activesync/healthcheck.htm

OAB

 

/oab/healthcheck.htm

Powershell

 

/powershell/healthcheck.htm

RPC

 

/rpc/healthcheck.htm

MAPI

 

/mapi/healthcheck.htm

4.1.2.3 Create Content Rules

Content Rules need to be created for the Virtual Services to function correctly.

To create a Modify URL rule for owa please complete the following steps:

1. Select the Rules & Checking > Content Rules menu option.

2. Click the Create New button.

HTTPS Reencrypted using SubVSs_6.png

3. Enter a relevant name, for example Redirect_Root in the Rule Name field.

4. Select Modify URL from the Rule Type drop-down.

5. Enter /^\/$/ in the Match String field.

6. Enter /owa in the Modified URL field.

7. Click the Create Rule button.

8. To create a Content Matching rule for owa please complete the following steps:

9. Select the Rules & Checking > Content Rules menu option.

10. Click the Create New button.

HTTPS Reencrypted using SubVSs_7.png

11. Enter a relevant name, for example OWA in the Rule Name field.

12. Select Content Matching from the Rule Type drop-down list.

13. Select Regular Expression from the Match Type drop-down list.

14. Enter /^\/owa.*/ in the Match String field.

15. Select the Ignore Case check box.

16. Click Create Rule.

Create additional Content Matching rules following steps Select the Rules & Checking > Content Rules menu option. above but using the values as described in the table below.

Rule Name

Match String

Ignore Case

ActiveSync

/^\/microsoft-server-activesync.*/

yes

Autodiscover

/^\/autodiscover.*/

yes

ECP

/^\/ecp.*/

yes

EWS

/^\/ews.*/

yes

OAB

/^\/oab.*/

yes

PowerShell

/^\/powershell.*/

yes

RPC

/^\/rpc.*/

yes

Root

/^\/$/

yes

MAPI

/^\/mapi.*/

yes

4.1.2.4 Apply Content Rules

After creating all Content Rules, add them to the Virtual Services/ SubVSs.

1. Select View/Modify Services under Virtual Services.

2. Select Modify next to the Exchange 2016 HTTPS Offloaded Virtual Service.

3. In the Advanced Properties section, select Show Header Rules.

HTTPS Offloaded Using SubVSs_5.png

4. Select the Redirect Rule created earlier and click Add.

5. Click Back to return to the Virtual Service settings.

HTTPS Reencrypted using SubVSs_9.png

6. In the Advanced Properties section, select Enable beside Content Switching.

HTTPS Reencrypted using SubVSs_10.png

7. In the SubVS section, select None under Rules for ActiveSync.

HTTPS Reencrypted using SubVSs_11.png 

8. Select the Content Rule for ActiveSync created in the Create Content Rules section and then click Add.

9. Click Back and repeat these steps for all remaining SubVSs.

4.1.3 HTTPS Re-Encrypt Using ESP and SubVSs

To set up HTTPS Offloading Using ESP, follow the steps in the section below.

4.1.3.1 Create the Parent Virtual Service

Follow the instructions below to set up the parent HTTPS Virtual Service:

1. Select the Add New option within the Virtual Services section of the main menu tree.

HTTPS Re Encrypt Using ESP.png

2. Enter the IP address of the Virtual Service in the Virtual Address field.

3. Enter 443 in the Port field.

4. Type a name, for example Exchange 2016 HTTPS Reencrypt with ESP in the Service Name field.

5. Select tcp in the Protocol drop-down list.

6. Click the Add this Virtual Service button to add the Virtual Service.

7. Configure the settings as recommended in the following table:

Section

Option

Value

Comment
Basic Properties Service Type HTTP/HTTPS  

Standard Options

Force L4 Disabled  
  Transparency Disabled  

 

Persistence Mode None  

 

Scheduling Method round robin  
  Idle Connection Timeout 1800 Click Set Idle Timeout.
SSL Properties SSL Acceleration Enabled  
  Reencrypt Enabled  
  Cipher Set BestPractices  
Advanced Properties Redirect URL https://%h%s Click Add HTTP Redirector. This creates a redirect Virtual Service on port 80 with the same IP address.

4.1.3.2 Create the SubVSs

Follow the instructions below to set up the SubVSs:

1. In the Real Servers section of the Virtual Services options page, click the Add SubVS button.

2. A message stating that the SubVS has been created appears, click OK.

The Real Servers section should now be renamed to SubVSs.

The following steps deal with creating a SubVS for an Exchange service such as owa.

3. In the SubVSs section of the SubVS options page, click the Modify button next to the SubVS.

4. Configure the settings as recommended in the following table:

Section

Option

Value

Comment
Basic Properties SubVS Name   Enter a relevant name, such as OWA, and click Set Nickname.
  SubVS Type HTTP/HTTPS  

ESP Options

    The configuration of SubVS ESP is outlined in the Enable ESP section.
Real Servers Real Server Check Method HTTPS Protocol  

 

Checked Port 443  
  URL /owa/healthcheck.htm Click Set URL.
  Use HTTP/1.1 Disabled  
  HTTP Method GET  

 

5. When finished editing the SubVS, click Back. Now you can add other SubVSs to this Virtual Service as needed.

6. Configure each SubVS using the settings in the table below.

SubVS Name

 

Healthcheck URL

OWA (as in steps above)

 

/owa/healthcheck.htm

Autodiscover

 

/autodiscover/healthcheck.htm

ECP

 

/ecp/healthcheck.htm

EWS

 

/ews/healthcheck.htm

ActiveSync

 

/microsoft-server-activesync/healthcheck.htm

OAB

 

/oab/healthcheck.htm

Powershell

 

/powershell/healthcheck.htm

RPC

 

/rpc/healthcheck.htm

MAPI

 

/mapi/healthcheck.htm

Authentication Proxy

 

 

If you are using Kerberos Constrained Delegation (KCD) please ensure you add a Real Server to the Authentication Proxy SubVS. For further information on KCD, refer to the KCD, Feature Description.

4.1.3.3 Enable ESP

To enable ESP follow the steps below:

HTTPS Re Encrypt Using ESP_4.png

1. For each of the SubVSs created, ensure that in the ESP section, the Enable ESP check box is selected, and select the following options:

a) Select the User Access, Security and Connection check boxes in ESP Logging.

b) Select the relevant SSO Domain.

For instructions on how to add an SSO domain, refer to the ESP, Feature Description.

Enter all of the allowed virtual hosts into the Allowed Virtual Hosts text box, for example mail.example.com, and click the Set Allowed Virtual Hosts button.

Configure each SubVS using the settings in the table below:

SubVS Name

Allowed Virtual Directories

Pre-Authorization Excluded Directories

Client Auth. mode

Server Auth. mode

SSO Image Set

SSO Greeting Message

Autodiscover

/autodiscover*

 

Delegate to Server

None

n/a

 

ECP

/ecp*

 

Form Based

Form Based

Exchange

Please enter your Exchange credentials.

EWS

/ews*

 

Delegate to Server

None

n/a

 

ActiveSync

/microsoft-server-activesync*

 

Basic Auth.

Basic Auth.

n/a

 

OAB

/oab*

 

Delegate to Server

None

n/a

 

Powershell

/powershell*

 

Delegate to Server

None

n/a

 

RPC

/rpc*

 

Delegate to Server

None

n/a

 

OWA

/owa*

/owa/<guid@smtpdomain>*

Form Based

Form Based

Exchange

Please enter your Exchange credentials.

MAPI

/mapi*

 

Delegate to Server

None

n/a

 

Authentication Proxy

/*

 

Form Based

Basic Auth.

Exchange

Please enter your Exchange credentials.

GUID is unique to each Exchange deployment. To find the correct GUID, run the following command on the Exchange Server:

Get-Mailbox -Arbitration | where {$_.PersistedCapabilities -like “OrganizationCapabilityClientExtensions”} | fl exchangeGUID, primarysmtpaddress

The Logoff String must be set to /owa/logoff.owa in the OWA SubVS. In a customized environment, if the OWA logoff string has been changed, the modified logoff string must be entered in the Logoff String text box.

The Error Code in the Authentication Proxy SubVS should be set to 503 Service Unavailable with an Error Message of Endpoint not available.

043.png

The SSO Greeting Message field accepts HTML code so you can insert your own image if required. However, there are several characters that are not supported. These are the grave accent character ( ` ) and the single quote (’). If a grave accent character is used in the SSO Greeting Message, the character will not display in the output, for example a`b`c becomes abc. If a single quote is used, users will not be able to log in.

4.1.3.4 Create Content Rules

Create Content Rules so that Virtual Services function correctly.

To create a Modify URL rule for owa please complete the following steps:

1. Select the Rules & Checking > Content Rules menu option.

2. Click the Create New button.

HTTPS Reencrypted using SubVSs_6.png

3. Enter a relevant name, for example Redirect_Root in the Rule Name field.

4. Select the Modify URL option in the Rule Type drop-down.

5. Enter /^\/$/ in the Match String field.

6. Enter /owa in the Modified URL field.

7. Click the Create Rule button.

To create a Content Matching rule for owa please complete the following steps:

1. Select the Rules & Checking > Content Rules menu option.

2. Click the Create New button.

HTTPS Reencrypted using SubVSs_7.png

3. Enter a relevant name, for example OWA in the Rule Name field.

4. Ensure the Content Matching option is selected from the Rule Type drop-down list.

5. Ensure the Regular Expression option is selected in the Match Type drop-down list.

6. Enter /^\/owa.*/ in the Match String field.

7. Select the Ignore Case check box.

8. Click the Create Rule button.

Create additional Content Matching rules following steps Select the Rules & Checking > Content Rules menu option.above but using the values as described in the table below.

Rule Name

Match String

Ignore Case

ActiveSync

/^\/microsoft-server-activesync.*/

yes

Autodiscover

/^\/autodiscover.*/

yes

ECP

/^\/ecp.*/

yes

EWS

/^\/ews.*/

yes

OAB

/^\/oab.*/

yes

PowerShell

/^\/powershell.*/

yes

RPC

/^\/rpc.*/

yes

Root

/^\/$/

yes

MAPI

/^\/mapi.*/

yes

Authentication Proxy

/^\/lm_auth_proxy*$/

yes

4.1.3.5 Apply Content Rules

Once all Content Rules have been created, you must add these to the Virtual Services/ SubVSs.

9. Select View/Modify Services under Virtual Services.

10. Select Modify next to the Exchange 2016 HTTPS Reencrypt with ESP Virtual Service.

HTTPS Offloaded Using SubVSs_5.png

11. In the Advanced Properties section, click Show Header Rules.

12. Select the Redirect Rule created earlier and click Add.

13. Click Back to return to the Virtual Service settings.

HTTPS Reencrypted using SubVSs_9.png

14. In the Advanced Properties section, select Enable under Content Switching.

HTTPS Re Encrypt Using ESP_6.png

15. In the SubVS section, select None under Rules for ActiveSync.

  HTTPS Reencrypted using SubVSs_11.png

16. Select the Content Rule for ActiveSync that was created in the Enable ESP section and click Add.

17. Click Back and repeat these steps for all remaining SubVSs.

4.1.4 HTTPS Re-Encrypt Using ESP, WAF and SubVSs

Before configuring the WAF settings, please download and install the latest commercial rulesets. For further information on WAF, please refer to the KEMP Web Application Firewall, Feature Description.

Follow the instructions below to set up the parent HTTPS reencrypted Virtual Service with ESP and WAF:

1. In the main menu of the LoadMaster WUI, go to Virtual Services and click Add New.

HTTPS Re Encrypt Using ESP_1_1.png

2. Enter a valid Virtual Address.

3. Enter 443 as the Port.

4. Enter a Service Name, for example Exchange 2016 HTTPS Reencrypted with ESP and WAF.

5. Click Add this Virtual Service.

6. Configure the settings as recommended in the following table:

Section

Option

Value

Comment

Standard Options

Transparency Disabled  
  Idle Connection Timeout 1800 Click Set Idle Timeout.

SSL Properties

SSL Acceleration Enabled  

 

Reencrypt Enabled  
  Cipher Set BestPractices  
Advanced Properties Redirection URL https://%h%s Click Add HTTP Redirector. This creates a redirect Virtual Service on port 80 with the same IP address.
WAF Options Enabled Enabled  
  Available Rulesets
  • owasp_protocol_violations
  • owasp_protocol_anomalies
  • owasp_bad_robots
  • owasp_generic_attacks
  • owasp_common_exceptions
  • owa_attacks

All rules should be enabled for each of these rulesets.

Click Apply.

After setting up the parent Virtual Service, the SubVSs must be added and configured. The steps to add the SubVSs, enable ESP, create the content rules and assign the rules are the same as those in the Create the SubVSs, Enable ESP, Create Content Rules and Apply Content Rules sections.

In the redirect Virtual Service which was created, change the Persistence Mode to None and change the Real Server Check Method to None.

4.1.5 HTTPS Offloaded Using ESP and SubVSs

To set up HTTPS Offloading Using ESP, follow the steps in the section below.

4.1.5.1 Create the Parent Virtual Service

Follow the instructions below to set up the parent HTTPS Virtual Service:

1. Select the Add New option within the Virtual Services section of the main menu tree.

HTTPS Offloaded Using ESP.png

2. Enter the IP address of the Virtual Service in the Virtual Address field.

3. Enter 443 in the Port field.

4. Type a name, for example Exchange 2016 HTTPS Offloaded with ESP in the Service Name field.

5. Select tcp in the Protocol drop-down list.

6. Click the Add this Virtual Service button to add the Virtual Service.

7. Configure the settings as recommended in the following table:

Section

Option

Value

Comment
Basic Properties Service Type HTTP/HTTPS  

Standard Options

Force L4 Disabled  
  Transparency Disabled  

 

Persistence Mode None  

 

Scheduling Method round robin  
  Idle Connection Timeout 1800  
SSL Properties SSL Acceleration Enabled  
  Reencrypt Disabled  
Advanced Properties Add a Port 80 Redirector VS https://%h%s Click Add HTTP Redirector. This creates a redirect Virtual Service on port 80 with the same IP address.

4.1.5.2 Create the SubVSs

Follow the instructions below to set up the SubVSs:

1. In the Real Servers section of the Virtual Services options page, click the Add SubVS button.

A message stating that the SubVS has been created appears, click OK.

The Real Servers section should now be renamed to SubVSs.

The following steps deal with creating a SubVS for an Exchange service such as owa.

2. In the SubVSs section of the SubVS options page, click the Modify button next to the SubVS.

3. Configure the settings as recommended in the following table:

Section

Option

Value

Comment
Basic Properties SubVS Name   Enter a relevant name, such as OWA and click Set Nickname.
  SubVS Type HTTP/HTTPS  
ESP Options Various options Various values The configuration of the SubVS ESP settings is outlined in the Enable ESP section.

Real Servers

Checked Port 80 Click Set Check Port.
  URL /owa/healthcheck.htm Click Set URL.

 

Use HTTP/1.1 Enabled  

 

HTTP Method GET  

4. When finished editing the SubVS, click Back. Now you can add other SubVSs to this Virtual Service as needed.

5. Configure each SubVS using the settings in the table below.

SubVS Name

 

Healthcheck URL

OWA (as in steps above)

 

/owa/healthcheck.htm

Autodiscover

 

/autodiscover/healthcheck.htm

ECP

 

/ecp/healthcheck.htm

EWS

 

/ews/healthcheck.htm

ActiveSync

 

/microsoft-server-activesync/healthcheck.htm

OAB

 

/oab/healthcheck.htm

Powershell

 

/powershell/healthcheck.htm

RPC

 

/rpc/healthcheck.htm

MAPI

 

/mapi/healthcheck.htm

Authentication Proxy

 

 

If you are using Kerberos Constrained Delegation (KCD) please ensure you add a Real Server to the Authentication Proxy SubVS.. For further information on KCD, refer to the KCD, Feature Description.

4.1.5.3 Enable ESP

To enable ESP follow the steps below:

HTTPS Re Encrypt Using ESP_4.png

1. For each of the SubVSs created, ensure that in the ESP section, the Enable ESP check box is selected, and select the following options:

a) Select the User Access, Security and Connection check boxes in ESP Logging.

b) Select the relevant SSO Domain.

For instructions on how to add an SSO domain, refer to the ESP, Feature Description.

Enter all of the allowed virtual hosts into the Allowed Virtual Hosts text box, for example mail.example.com, and click the Set Allowed Virtual Hosts button.

Configure each SubVS using the settings in the table below.

SubVS Name

Allowed Virtual Directories

Pre-Authorization Excluded Directories

Client Auth. mode

Server Auth. mode

SSO Image Set

SSO Greeting Message

Autodiscover

/autodiscover*

 

Delegate to server

None

n/a

 

ECP

/ecp*

 

Form Based

Form Based*

Exchange

Please enter your Exchange credentials.

EWS

/ews*

 

Delegate to Server

None

n/a

 

ActiveSync

/microsoft-server-activesync*

 

Basic Auth.

Basic Authentication

n/a

 

OAB

/oab*

 

Delegate to Server

None

n/a

 

Powershell

/powershell*

 

Delegate to Server

None

n/a

 

RPC

/rpc*

 

Delegate to Server

None

n/a

 

OWA

/owa*

/owa/<guid@smtpdomain>*1

Form Based

Form Based*

Exchange

Please enter your Exchange credentials.

MAPI

/mapi*

 

Delegate to Server

None

n/a

 

Authentication Proxy

/*

 

Form Based

Form Based*

Exchange

Please enter your Exchange credentials.

 

*Adding server side form based authentication is available from version 7.2.37 onwards.

1 GUID is unique to each Exchange deployment. To find the correct GUID, run the following command on the Exchange Server:

Get-Mailbox -Arbitration | where {$_.PersistedCapabilities -like “OrganizationCapabilityClientExtensions”} | fl exchangeGUID, primarysmtpaddress

The Logoff String must be set to /owa/logoff.owa in the OWA SubVS. In a customized environment, if the OWA logoff string has been changed, the modified logoff string must be entered in the Logoff String text box.

The Error Code in the Authentication Proxy SubVS should be set to 503 Service Unavailable with an Error Message of Endpoint not available.

The SSO Greeting Message field accepts HTML code, so the users can insert their own image if desired. The grave accent character ( ` ) is not supported. If this character is entered in the SSO Greeting Message, the character will not display in the output, for example a`b`c becomes abc.

4.1.5.4 Create Content Rules

Create the content rules so the Virtual Services function correctly.

To create a Modify URL rule for owa please complete the following steps:

1. In the main menu of the LoadMaster WUI, click Rules & Checking.

2. Click Content Rules.

3. Click the Create New button.

HTTPS Reencrypted using SubVSs_6.png

4. Enter a relevant name, for example Redirect_Root in the Rule Name field.

5. Select the Modify URL option in the Rule Type drop-down.

6. Enter /^\/$/ in the Match String field.

7. Enter /owa in the Modified URL field.

8. Click the Create Rule button.

9. To create a Content Matching rule for owa please complete the following steps:

1. Select the Rules & Checking > Content Rules menu option.

2. Click the Create New button.

HTTPS Reencrypted using SubVSs_7.png

3. Enter a relevant name, for example OWA in the Rule Name field.

4. Ensure the Content Matching option is selected in the Rule Type drop-down list.

5. Ensure the Regular Expression option is selected in the Match Type drop-down list.

6. Enter /^\/owa.*/ in the Match String field.

7. Select the Ignore Case check box.

8. Click the Create Rule button.

Create additional Content Matching rules following steps Select the Rules & Checking > Content Rules menu option. to Click the Create Rule button. above but using the values as described in the following table:

Rule Name

Match String

Ignore Case

ActiveSync

/^\/microsoft-server-activesync.*/

yes

Autodiscover

/^\/autodiscover.*/

yes

ECP

/^\/ecp.*/

yes

EWS

/^\/ews.*/

yes

OAB

/^\/oab.*/

yes

PowerShell

/^\/powershell.*/

yes

RPC

/^\/rpc.*/

yes

Root

/^\/$/

yes

MAPI

/^\/mapi.*/

yes

Authentication Proxy

/^\/lm_auth_proxy*$/

yes

4.1.5.5 Apply Content Rules

Once all Content Rules have been created, you must add these to the Virtual Services/SubVSs:

1. Select View/Modify Services under Virtual Services.

2. Click Modify next to the Exchange 2016 HTTPS Offloaded with ESP Virtual Service.

HTTPS Offloaded Using ESP_6.png

3. In the Advanced Properties section, click Show Header Rules.

4. Select the Redirect Rule created earlier and click Add.

5. Click Back to return to the Virtual Service settings.

HTTPS Reencrypted using SubVSs_9.png

6. In the Advanced Properties section, select Enable under Content Switching.

HTTPS Re Encrypt Using ESP_6.png

7. In the SubVS section, click None under Rules for ActiveSync.

HTTPS Offloaded Using ESP_7.png

8. Select the Content Rule for ActiveSync that was created in the Create Content Rules section and select Add.

9. Click Back and repeat these steps for all remaining SubVSs.

4.1.6 HTTPS Offloaded Using ESP, WAF and SubVSs

Before configuring the Web Application Firewall (WAF) settings, please download and install the latest commercial rulesets. For further information on WAF, please refer to the KEMP Web Application Firewall, Feature Description.

Follow the instructions below to set up the parent Exchange 2016 HTTPS Offloaded with ESP and WAF Virtual Service:

1. In the main menu, go to Virtual Services and click Add New.

HTTPS Offloaded Using ESP_1_1.png

2. Enter a valid IP address in the Virtual Address text box.

3. Enter 443 as the Port.

4. Enter a Service Name, for example Exchange 2016 HTTPS Offloaded with ESP and WAF.

5. Click Add this Virtual Service.

6. Configure the settings as recommended in the following table:

Section

Option

Value

Comment

Standard Options

Idle Connection Timeout 1800  
SSL Properties SSL Acceleration Enabled  

 

Cipher Set BestPractices  

Advanced Properties

Redirection URL https://%h%s Click Add HTTP Redirector. This creates a redirect Virtual Service on port 80 with the same IP address.
WAF Options Available Rulesets
  • owasp_protocol_violations
  • owasp_protocol_anomalies
  • owasp_bad_robots
  • owasp_generic_attacks
  • owasp_common_exceptions
  • owa_attacks

All rules should be enabled for each of these rulesets.

Click Apply.

 

After setting up the parent Virtual Service, the SubVSs must be added and configured. The steps to add the SubVSs, enable ESP, create the content rules and assign the rules are the same as those in the Create the SubVSs, Enable ESP, Create Content Rules and Apply Content Rules sections.

In the redirect Virtual Service which was created, change the Persistence Mode to None and change the Real Server Check Method to None.

4.2 Office Online Server Virtual Service

Follow the instructions below to set up an Office Online Server Virtual Service:

1. In the main menu of the LoadMaster WUI, go to Virtual Services and click Add New.

Office Online Server Virtual.png

2. Enter a valid IP address in the Virtual Address text box.

3. Enter 443 as the Port.

4. Enter a Service Name, for example Exchange 2016 Office Online Server.

5. Click Add this Virtual Service.

6. Configure the settings as recommended in the following table:

Section

Option

Value

Comment
SSL Properties SSL Acceleration Enabled  
  Reencrypt Enabled  
  Cipher Set BestPractices  

Standard Options

Transparency Disabled  
  Persistence Mode Super HTTP and Source IP  

 

Persistence Timeout 30 Minutes  

 

Scheduling Method least connection  
  Idle Connection Timeout 1800 Click Set Idle Timeout.

Real Servers

URL /hosting/discovery Click Set URL.
  Use HTTP/1.1 Enabled  
  HTTP Method GET  

4.3 IMAP Virtual Service

Follow the instructions below to set up an IMAP Virtual Service:

1. Select the Add New option within the Virtual Services section of the main menu tree.

IMAP Virtual Service.png

2. Enter the IP address of the Virtual Service in the Virtual Address field.

3. Enter 143 in the Port field.

4. Type a name, for example Exchange 2016 IMAP in the Service Name field.

5. Select tcp in the Protocol drop-down list.

6. Click the Add this Virtual Service button to add the Virtual Service.

7. Configure the settings as recommended in the following table:

Section

Option

Value

Comment
Basic Properties Service Type Generic  

Standard Options

Force L4 Disabled  
  Transparency Disabled  

 

Server Initiating Protocols IMAP4  

 

Persistence Mode None  
  Scheduling Method round robin  
  Idle Connection Timeout 3600  
SSL Properties SSL Acceleration Disabled  

Real Servers

Real Server Check Method Mailbox (IMAP) Protocol  
  Checked Port 143  

4.3.1 IMAP STARTTLS Virtual Service

To configure the IMAP STARTTLS Virtual Service, follow the steps below:

1. Select the Add New option within the Virtual Services section of the main menu tree.

IMAP STARTTLS Virtual Service.png

2. Enter a Virtual Address.

3. Enter 143 as the Port.

4. Enter a recognizable Service Name, for example Exchange 2016 IMAP with STARTTLS.

5. Click Add this Virtual Service.

6. Configure the settings as recommended in the following table:

Section

Option

Value

Comment
Basic Properties Service Type STARTTLS protocols  

Standard Options

Transparency Disabled  
  STARTTLS mode IMAP  

 

Idle Connection Timeout 3600  

Real Servers

Checked Port 143  

4.3.2 IMAPS Virtual Service

To configure the IMAPS Virtual Service, follow the steps below:

1. Select the Add New option within the Virtual Services section of the main menu tree.

IMAPS Virtual Service.png

2. Enter the IP address in the Virtual Address text box.

3. Enter 993 in the Port field.

4. Enter a recognizable Service Name, for example Exchange 2016 IMAPS.

5. Click Add this Virtual Service.

6. Configure the settings as recommended in the following table:

Section

Option

Value

Comment

Standard Options

Transparency Disabled  
  Server Initiating Protocols IMAP4  

 

Idle Connection Timeout 3600  

Real Servers

Real Server Check Method TCP Connection Only  
  Checked Port 993 Click Set Check Port.

4.3.3 IMAPS Offloaded Virtual Service

To configure the IMAPS Offloaded, follow the steps below:

1. Select the Add New option within the Virtual Services section of the main menu tree.

IMAPS Offloaded Virtual Service.png

2. Enter the IP address of the Virtual Service in the Virtual Address field.

3. Enter 993 in the Port field.

4. Enter a recognizable Service Name, for example Exchange 2016 IMAPS Offloaded.

5. Click Add this Virtual Service.

6. Configure the settings as recommended in the following table:

Section

Option

Value

Comment

Standard Options

Transparency Disabled  
  Server Initiating Protocols IMAP4  

 

Idle Connection Timeout 3600 Click Set Idle Timeout.

SSL Properties

SSL Acceleratioin Enabled  

Real Servers

Real Server Check Method Mailbox (MAP) Protocol  
  Checked Port 143 Click Set Check Port.

 

4.4 POP Virtual Service

Follow the instructions below to set up a POP Virtual Service:

1. Select the Add New option within the Virtual Services section of the main menu tree.

POP Virtual Service.png

2. Enter the IP address of the Virtual Service in the Virtual Address field.

3. Enter 110 in the Port field.

4. Type a name, for example Exchange 2016 POP in the Service Name field.

5. Select tcp in the Protocol drop-down list.

6. Click the Add this Virtual Service button to add the Virtual Service.

7. Configure the settings as recommended in the following table:

Section

Option

Value

Comment
Basic Properties Service Type Generic  

Standard Options

Force L4 Disabled  
  Transparency Disabled  

 

Server Initiating Protocols POP3  

 

Persistence Mode none  
  Scheduling Method round robin  
  Idle Connection Timeout 3600 Click Set Idle Timeout.

Real Servers

Real Server Check Method Mailbox (POP3) Protocol  
  Checked Port 110 Click Set Check Port.

4.4.1 POP with STARTTLS Virtual Service

To configure a POP Virtual Service with STARTTLS, follow the steps below:

1. Select the Add New option within the Virtual Services section of the main menu tree.

POP with STARTTLS Virtual.png

2. Enter a valid IP address in the Virtual Address text box.

3. Enter 110 as the Port.

4. Enter a recognizable Service Name, for example Exchange 2016 POP with STARTTLS.

5. Click Add this Virtual Service.

6. Configure the settings as recommended in the following table:

Section

Option

Value

Comment
Basic Properties Service Type STARTTLS protocols  

Standard Options

Transparency Disabled  
  Idle Connection Timeout 3600  

Real Servers

Real Server Check Method Mailbox (POP3) Protocol  
  Checked Port 110  

4.4.2 POPS Virtual Service

To configure a POPS VS, follow the steps below:

1. Select the Add New option within the Virtual Services section of the main menu tree.

POPS Virtual Service.png

2. Enter a valid IP address in the Virtual Address text box.

3. Enter 995 in the Port field.

4. Enter a recognizable Service Name, for example Exchange 2016 POPS.

5. Click Add this Virtual Service.

6. Configure the settings as recommended in the following table:

Section

Option

Value

Comment

Standard Options

Transparency Disabled  
  Server Initiating Protocols POP3  

 

Idle Connection Timeout 3600 Click Set Idle Timeout.

Real Servers

Checked Port 995 Click Set Check Port.

4.4.3 POPS Offloaded Virtual Service

To configure a POPS Offloaded Virtual Service, follow the steps below:

1. Select the Add New option within the Virtual Services section of the main menu tree.

POPS Offloaded Virtual Service.png

2. Enter a valid IP address in the Virtual Address text box.

3. Enter 995 in the Port field.

4. Enter a recognizable Service Name, for example Exchange 2016 POPS Offloaded.

5. Click Add this Virtual Service.

6. Configure the settings as recommended in the following table:

Section

Option

Value

Comment

Standard Options

Transparency Disabled  
  Server Initiating Protocols POP3  

 

Idle Connection Timeout 3600 Click Set Idle Timeout.

SSL Properties

SSL Acceleration Enabled  

Real Servers

Real Server Check Method Mailbox (POP3) Protocol  
  Checked Port 110 Click Set Check Port.

4.5 SMTP Virtual Service

Follow the instructions below to set up an SMTP Virtual Service:

1. Select the Add New option within the Virtual Services section of the main menu tree.

SMTP Virtual Service.png

2. Enter the IP address of the Virtual Service in the Virtual Address field.

3. Enter 25 in the Port field.

4. Type a name, for example Exchange 2016 SMTP in the Service Name field.

5. Select tcp in the Protocol drop-down list.

6. Click the Add this Virtual Service button to add the Virtual Service.

7. Configure the settings as recommended in the following table:

Section

Option

Value

Comment
Basic Properties Service Type Generic  

Standard Options

Force L4 Disabled  
  Transparency Disabled  

 

Server Initiating Protocols SMTP  

 

Persistence Mode Source IP Address  
  Persistence Timeout 1 Hour  
  Scheduling Method round robin  
  Idle Connection Timeout 120 Click Set Idle Timeout.

Real Servers

Real Server Check Method Mailbox (SMTP) Protocol  
  Checked Port 25 Click Set Check Port.

4.5.1 SMTPS Virtual Service

To configure an SMTPS Virtual Service, follow the steps below:

1. In the main menu of the LoadMaster WUI, select Virtual Services and Add New.

SMTPS Virtual Service.png

2. Enter a valid IP address in the Virtual Address text box.

3. Enter 587 as the Port.

4. Enter a recognizable Service Name, for example Exchange 2016 SMTPS.

5. Click Add this Virtual Service.

6. Configure the settings as recommended in the following table:

Section

Option

Value

Comment

Standard Options

Transparency Disabled  
  Server Initiating Protocols SMTP  

 

Persistence Mode Source IP Address  

 

Timeout 1 Hour  
  Idle Connection Timeout 120 Click Set Idle Timeout.

Real Servers

Checked Port 587 Click Set Check Port.

4.5.2 SMTPS Offloaded Virtual Service

To configure a SMTPS Offloaded Virtual Service, follow the steps below:

1. In the main menu of the LoadMaster WUI, select Virtual Services and Add New.

SMTPS Offloaded Virtual Service.png

2. Enter a valid IP address in the Virtual Address text box.

3. Enter 587 in the Port field.

4. Enter a recognizable Service Name, for example Exchange 2016 SMTPS Offloaded.

5. Click Add this Virtual Service.

6. Configure the settings as recommended in the following table:

Section

Option

Value

Comment
SSL Properties SSL Acceleration Enabled  

Standard Options

Transparency Disabled  
  Server Initiating Protocol SMTP  

 

Persistence Mode Source IP Address  

 

Persistence Timeout 1 Hour  
  Idle Connection Timeout 120 Click Set Idle Timeout.

Real Servers

Real Server Check Method Mail (SMTP) Protocol  
  Checked Port 25 Click Set Check Port.

4.5.3 SMTP with STARTTLS Virtual Service

To configure a SMTP Virtual Service with STARTTLS, follow the steps below:

1. In the main menu of the LoadMaster WUI, select Virtual Services and Add New.

SMTP with STARTTLS Virtual.png

2. Enter a valid IP address in the Virtual Address text box.

3. Enter 25 as the Port.

4. Enter a recognizable Service Name, for example Exchange 2016 SMTP with STARTTLS.

5. Click Add this Virtual Service.

6. Configure the settings as recommended in the following table:

Section

Option

Value

Comment
Basic Properties Service Type STARTTLS protocols  

Standard Options

Transparency Disabled  
  STARTTLS mode SMTP (STARTTLS if requested)  

 

Persistence Mode Source IP Address  

 

Persistence Timeout 1 Hour  
  Idle Connection Timeout 120 Click Set Idle Timeout.

Real Servers

Checked Port 25 Click Set Check Port.

4.5.4 SMTP with ESP Virtual Service

To configure a SMTP VS with ESP, follow the steps below:

1. In the main menu of the LoadMaster WUI, select Virtual Services and Add New.

SMTP with ESP Virtual Service.png

2. Enter a valid IP address in the Virtual Address text box.

3. Enter 25 as the Port.

4. Enter a recognizable Service Name, for example Exchange 2016 SMTP with ESP.

5. Click Add this Virtual Service.

6. Configure the settings as recommended in the following table:

Section

Option

Value

Comment

Standard Options

Transparency Disabled  
  Server Initiating Protocols SMTP  

 

Persistence Mode Source IP Address  

 

Persistence Timeout 1 Hour  
  Idle Connection Timeout 120 Click Set Idle Timeout.
ESP Options Enable ESP Enable  
  Connection Logging Enabled  
  Permitted Domains   Enter the all the permitted domains allowed to be received by this service and click the Set Permitted Domains button. (Multiple permitted domains can be entered using a space-separated list.)

Real Servers

Real Server Check Method Mail (SMTP) Protocol  
  Checked Port 25 Click Set Check Port.

4.5.5 Office Online Server Virtual Service

To configure a Virtual Service for Office Online Servers, follow the steps below:

1. Click the Add New button.

Office Online Server Virtual_1_1.png

2. Enter a Virtual Address.

3. Enter 443 in the Port field.

4. Enter a recognisable Service Name, for example Office Online Server.

5. Ensure TCP is set as the Protocol.

6. Click Add This Virtual Service.

7. Configure the settings as recommended in the following table:

Section

Option

Value

Comment
SSL Properties SSL Acceleration Enabled  
  Reencrypt Enabled  

Standard Options

Persistence Mode Super HTTP and Source IP  
  Persistence Timeout 30 Minutes  

 

Scheduling Method least connection  

 

Idle Connection Timeout 1800 Click Set Idle Timeout.

Real Servers

Real Server Check Method HTTPS Protocol  
  URL /hosting/discovery  
  Use HTTP/1.1 Enabled  
  HTTP Method GET  

5 References

Unless otherwise specified, the documents below can be found at http://www.kemptechnologies.com/documentation

Web User Interface (WUI), Configuration Guide

Virtual Services and Templates, Feature Description

ESP, Feature Description

Microsoft Exchange 2010, Deployment Guide

Microsoft Exchange 2013, Deployment Guide

Exchange Team Blog post on Load Balancing in Exchange 2016

http://blogs.technet.com/b/exchange/archive/2015/10/08/load-balancing-in-exchange-2016.aspx

KCD, Feature Description

KEMP Web Application Firewall, Feature Description

Last Updated Date

This document was last updated on 28 March 2018.

Was this article helpful?

0 out of 0 found this helpful

Comments

Avatar
tal

in the guid powershell command fl was f1