Microsoft Exchange 2016

1 Introduction

 The KEMP LoadMaster combines versatility with ease-of-use to speed deployment of the complete portfolio of advanced messaging applications and protocols used by Exchange 2016, including Outlook on the Web, MAPI/HTTP, Outlook Anywhere (OA), Exchange ActiveSync (EAS), Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), Internet Message Access Protocol version 4 (IMAP4) and Office Online Server (OOS). With built-in SSL acceleration and/or overlay, the LoadMaster offloads a key source of CPU drain to improve the capacity of the Exchange 2016 infrastructure. Layer 7 health checking at the LoadMaster ensures that if one of the Client Access components becomes inaccessible, the load balancer will take that component offline for that server, while automatically re-routing and reconnecting users to other functioning servers.

The entire KEMP LoadMaster product family, including the Virtual LoadMaster (VLM) supports Microsoft Exchange 2016.

1.1 About This Manual

This manual addresses how to deploy and configure a LoadMaster appliance with Microsoft Exchange 2016.

KEMP’s LoadMaster family of products is available in various models to support networks of different throughput requirements. Information in this manual applies to all LoadMaster models.

1.2 Prerequisites

This guide assumes the reader is a network administrator or a person otherwise familiar with networking and general computer terminology. Set up an Exchange 2016 environment and install the KEMP LoadMaster.

LoadMaster documentation is available at https://www.kemptechnologies.com/documentation.

At a minimum, you should have:

Installed the Microsoft Servers, Active Directories and followed other Microsoft requirements.

Installed the LoadMaster on the same network as the servers.

Established access to the LoadMaster Web User Interface (WUI).

2 Exchange 2016 Overview

Microsoft Exchange Server is a mail server, calendaring software and contact manager. It is a server program that runs on Windows Server and is part of the Microsoft Servers line of products. The improvements made in Exchange 2016 have made it easier to load balance Exchange-related traffic.

Exchange 2016 includes the following solutions for switchover and failover redundancy:

High availability: Exchange 2016 uses Database Availability Groups (DAGs) to keep multiple copies of your mailboxes on different servers synchronized. That way, if a mailbox database fails on one server, users can connect to a synchronized copy of the database on another server.

Site resilience: You can deploy two Active Directory sites in separate geographic locations, keep the mailbox data synchronized between the two, and have one of the sites take on the entire load if the other fails.

Online mailbox moves: During an online mailbox move, email accounts are still accessible. Users are locked out for a brief period at the end of the process, when the final synchronization occurs. Online mailbox moves can be performed across forests or in the same forest.

Shadow redundancy: Shadow redundancy protects the availability and recoverability of messages while they are in transit. With shadow redundancy, the deletion of a message from the transport databases is delayed until the transport server verifies that all the next hops for that message have completed. If any of the next hops fail before reporting successful delivery, the message is resubmitted for delivery to the hop that did not complete.

2.1 Differences Between Exchange 2013 and Exchange 2016

Although there are a lot of similarities between Exchange 2013 and Exchange 2016, there are a couple of areas to mention relating to the roles and the Preferred Architecture.

The Exchange 2016 Preferred Architecture is to use unbound namespace load balanced across datacenters in a Layer 7 configuration that does not leverage session affinity.

An Office Online Server farm is deployed in each datacenter, with each farm having a unique namespace (bound model). The load balancer now manages session affinity. This server allows users to view and modify supported file attachments within Outlook on the Web.

New to the server roles with Exchange 2016 is that Client Access role has now been moved to the Mailbox Server. In older versions of Exchange the Client Access role could be deployed on a dedicated server or coexist on the mailbox server. In Exchange 2016 there are just two server roles:

The Mailbox Server combines all prior rolls including Mailbox, Hub Transport, Unified Messaging and Client Access (CAS).

The Edge Transport server provides secure inbound/outbound mail flow.

The CAS still acts as a reverse proxy. The CAS determines which mailbox database their mailbox is located on and provides the request to the back-end mailbox server that hosts the database. The mailbox server then renders the OWA content, not the CAS.

Clients no longer interact with Exchange using RPC, it is all done over HTTPS. MAPI over HTTP and Outlook Anywhere are the protocols that Outlook clients use to access their mailbox.  In Exchange 2016 MAPI/HTTP is enabled by default.

Outlook 2010 with KB2965295 or greater is required with Exchange 2016.

2.2 Understanding Server Load Balancing

Server load balancing is a way to manage which servers receive traffic. Server load balancing provides failover redundancy to ensure users continue to receive service in case of failure. It also enables your deployment to handle more traffic than one server can process while offering a single host name for clients.

Server load balancing serves two primary purposes. It reduces the impact of server failures within an Exchange Organization. In addition, server load balancing ensures that the load on the CAS and Transport services are optimally distributed.

Two key changes in Exchange 2016 make load balancing a lot simpler:

HTTPS-only access from clients means that there is only one protocol to consider. The HTTP failure states are well known and clients typically respond in a similar way.

As OWA is rendered on the same server that is hosting the user’s mailbox database; if a client hits a different CAS there is no performance degradation as the session rendering for that user is already up and running.

Since Exchange 2013 Client Access Server role is just an intelligent proxy, it can proxy the mailbox requests to an Exchange 2016 server. This means Exchange 2013 and Exchange 2016 Client Access Services can co-exist in the same KEMP Virtual Service.

There are improvements to forms-based authentication. The authentication cookie is provided to the user after logon and it is encrypted using the CAS’s SSL certificate. This allows a logged in user to resume their session on a different CAS without having to re-authenticate (if servers share the same SSL certificate).

2.3 Enable Subnet Originating Requests Globally

It is best practice to enable the Subnet Originating Requests option globally.

In a one-armed setup (where the Virtual Service and Real Servers are on the same network/subnet) Subnet Originating Requests is usually not needed. However, enabling Subnet Originating Requests should not affect the routing in a one-armed setup.

In a two-armed setup where the Virtual Service is on network/subnet A, for example, and the Real Servers are on network B - Subnet Originating Requests should be enabled on LoadMasters with firmware version 7.1-16 and above.

When Subnet Originating Requests is enabled, the LoadMaster will route traffic so that the Real Server will see traffic arriving from the LoadMaster interface that is in that network/subnet not the Virtual Service address.

When Subnet Originating Requests is enabled globally, it is automatically enabled on all Virtual Services. If the Subnet Originating Requests option is disabled globally, you can choose whether or not to enable Subnet Originating Requests on a per-Virtual Service basis.

To enable Subnet Originating Requests globally, follow the steps below:

1. In the main menu of the LoadMaster Web User Interface (WUI), go to System Configuration > Miscellaneous Options > Network Options.

SCMONO002.png

2. Tick the Subnet Originating Requests check box.

2.4 100-Continue Handling

To avoid issues with Exchange Web Services, especially in a hybrid configuration, configure 100-continue handling to comply with RFC-7231 instead of standard setting of RFC-2616.

To resolve this issue, set the 100-Continue Handling setting to RFC-7231 Complaint.

1. In the main menu of the LoadMaster WUI, go to System Configuration > Miscellaneous Options > L7 Configuration.

100 Continue Handling.png

2. Select RFC-7231 Complaint under 100-Continue Handling.

2.5 Additional L7 Header

When using the built-in Mail client on Mac, you may experience connectivity issues. This happens due to how Mail client on Mac handles Persistent-Auth headers from the Exchange server.  This behaviour will not be present on Outlook for Mac clients or any Windows Office clients.

To resolve this issue, apply the following settings on the KEMP LoadMaster:

Globally set Additional L7 Header to None. Follow the steps below:

1. In the main menu of the LoadMaster WUI, go to System Configuration > Miscellaneous Options > L7 Configuration.

Additional L7 Header.png

2. Select None under Additional L7 Header.

 

Additional L7 Header_1.png

3 Virtual Service Templates

KEMP have developed templates containing our recommended settings for Exchange 2016. These templates can be installed on the LoadMaster and can be used when creating each of the Virtual Services. Using a template automatically populates the settings in the Virtual Services. This is quicker and easier than manually configuring each Virtual Service. If needed, you can make changes to any of the Virtual Service settings after using the templates.

Released templates can be downloaded from the KEMP documentation page: http://www.kemptechnologies.com/documentation/.

For more information and steps on how to import and use templates, refer to the Virtual Services and Templates, Feature Description.

The Microsoft Exchange 2016 templates currently available are grouped in three downloadable files as follows:

  • Exchange 2016 Core Services

This file contains templates for non-SSL offloaded HTTPS, SSL offloaded HTTPS and SMTP Virtual Services.

This is the primary set of services needed to balance Exchange 2016.

  • Exchange 2016 ESP Services

This file contains individual templates for a HTTPS service with SSL offloading and an SMTP service, both with ESP enabled.

These services are only necessary if you want to use ESP functionality.

Exchange 2016 ESP and WAF ServicesThis file contains individual templates for a HTTPS services with ESP and the Web Application Firewall (WAF) enabled.

These services are only necessary if you want to use ESP and WAF functionality.

If you try to install this template on a LoadMaster that does not have a WAF license, an error message will appear. Please contact KEMP to upgrade your license, if needed.

  • Exchange 2016 Additional Services

This file contains templates for IMAP, POP and SMTP services, including variants for STARTTLS and SSL secured services.

4 Configuring Virtual Services for Exchange 2016

The sections below give instructions on how to configure the various Virtual Services related to Microsoft Exchange. KEMP recommends these settings. They may not be applicable to your specific configuration. For further information and help, please contact our Support team.

4.1 HTTPS Virtual Service

Follow the instructions below to set up a HTTPS Virtual Service:

1. Select the Add New option within the Virtual Services section of the main menu tree.

HTTPS Virtual Service.png

2. Enter the IP address of the Virtual Service in the Virtual Address field.

3. Enter 443 in the Port field.

4. Type a name, for example Exchange 2016 HTTPS in the Service Name field.

5. Select tcp in the Protocol drop-down list.

6. Click the Add this Virtual Service button to add the Virtual Service.

HTTPS Virtual Service_1.png

Within the Basic Properties section, select the following options:

7. Select HTTP/HTTPS in the Service Type drop-down list.

8. Expand the Standard Options section.

HTTPS Virtual Service_2.png

9. Within the Standard Options section of the Virtual Services options page, select the following options:

a) Ensure the Force L4 check box is clear.

When L7 is referred to in KEMP documentation, it is in relation to the actual TCP connection. When Microsoft refer to L7 for Exchange it is in relation to SSL decryption and re-encryption. This is different and what KEMP recommends is not necessarily L7 configuration unless SSL acceleration is enabled.

b) Ensure the Transparency check box is clear.

c) Ensure none is selected from the Persistence Options drop-down list.

d) Ensure round robin is selected from the Scheduling Method drop-down list.

e) Enter 1800 in the Idle Connection Timeout field and click the Set Idle Timeout button.

10. Expand the Advanced Options section.

HTTPS Virtual Service_3.png

11. Within the Advanced Options section, select the following options:

a) Ensure https://%h%s is the value of the Redirection URL in the Add a Port 80 Redirector VS section.

b) Click Add HTTP Redirector.

This creates a new redirect Virtual Service on port 80 with the same IP address.

12. Expand the Real Servers section.

HTTPS Virtual Service_4.png

13. In the Real Servers section, select the following options:

a) Ensure HTTPS Protocol is selected as the health-checking option from the Real Server Check Parameters drop-down list.

b) Enter 443 in the Checked Port field and click Set Check Port.

c) Enter /owa/healthcheck.htm in the URL field and click Set URL.

d) Ensure the Use HTTP/1.1 check box in not selected.

e) Select GET from the HTTP Method drop-down list.

HTTPS Virtual Service_5.png

14. Click Add New…, and select the following options:

a) Enter the Real Server Address for the Exchange Server.

b) Enter Port 443.

c) Select NAT as Forwarding method.

d) Click Add This Real Server.

15. Do this for each Exchange Server in your organization.

Make minor changes to the redirect Virtual Service that was added:

1. Click View/Modify Services in the main menu.

2. Click Modify on the Redirect Virtual Service with the blank name which has the same IP address as the Virtual Service that was just created.

HTTPS Virtual Service_6.png

3. Enter a recognizable Service Name, for example Exchange 2016 HTTP Redirect and click Set Nickname.

HTTPS Virtual Service_7.png

4. In Standard Options, set the Persistence Mode to None.

4.1.1 HTTPS Reencrypted using SubVSs

Follow the instructions below to set up a HTTPS Virtual Service with SubVSs.

4.1.1.1 Create the Parent Virtual Service

Follow the instructions below to set up the parent HTTPS Virtual Service:

1. Select the Add New option within the Virtual Services section of the main menu tree.

HTTPS Reencrypted using SubVSs.png

2. Enter the IP address of the Virtual Service in the Virtual Address field.

3. Enter 443 in the Port field.

4. Type a name, for example Exchange 2016 HTTPS Reencrypt in the Service Name field.

5. Select tcp in the Protocol drop-down list.

6. Click the Add this Virtual Service button to add the Virtual Service.

HTTPS Reencrypted using SubVSs_1.png

7. Within the Basic Properties section of the Virtual Services options page, select the following options:

a) Select HTTP/HTTPS in the Service Type drop-down list.

HTTPS Reencrypted using SubVSs_2.png

8. Within the Standard Options section of the Virtual Services options page, set the fields as outlined below:

a) Ensure the Force L4 check box is clear.

b) Ensure the Transparency check box is clear.

c) Ensure none is selected from the Persistence Options drop-down list.

d) Ensure round robin is selected from the Scheduling Method drop-down list.

e) Enter 1800 in the Idle Connection Timeout field and click the Set Idle Timeout button.

9. Expand the SSL Properties section.

HTTPS Reencrypted using SubVSs_3.png

10. Within the SSL Properties section, select the Enabled check box and click OK.

11. Select the Reencrypt check box.

12. Select the Certificate to be used for encryption and click > to Assigned Certificates.

13. Click Set Certificate.

14. Select BestPractices from the Cipher Set drop-down list.

15. Expand the Advanced Properties section.

HTTPS Reencrypted using SubVSs_4.png

16. Within the Advanced Properties section, select the following options:

a) Ensure https://%h%s is the value of the Redirection URL in the Add a Port 80 Redirector VS section and click Add HTTP Redirector.

This creates a redirect Virtual Service on port 80 with the same IP address.

4.1.1.2 Create the SubVSs

Follow the instructions below to set up the SubVSs:

1. In the Real Servers section of the Virtual Services options page, click the Add SubVS button.

2. A message stating that the SubVS is created appears, click OK.

The Real Servers section should now be renamed to SubVSs.

The following steps deal with creating a SubVS for an Exchange service such as owa.

3. In the SubVSs section of the SubVS options page, click the Modify button next to the SubVS and select the following options:

HTTPS Reencrypted using SubVSs_5.png

a) In the SubVS Name field enter a relevant name such as OWA and click Set Nickname.

b) In the SubVS Type field, select the HTTP/HTTPS option.

4. Expand the Real Servers section.

HTTPS Virtual Service_4.png

5. In the Real Servers section make the following selections:

a) Enter 443 as the Checked Port and click the Set Check Port button.

b) Enter /owa/healthcheck.htm in the URL field and click the Set URL button.

c) Ensure the Use HTTP/1.1 check box is not selected.

d) Select GET from the HTTP Method drop-down list.

6. When finished editing the SubVS, click Back. Now you can add other SubVSs to this Virtual Service as needed.

7. Configure each SubVS using the settings in the table below.

SubVS Name

 

Healthcheck URL

 

OWA (as in steps above)

 

/owa/healthcheck.htm

 

Autodiscover

 

/autodiscover/healthcheck.htm

 

ECP

 

/ecp/healthcheck.htm

 

EWS

 

/ews/healthcheck.htm

 

ActiveSync

 

/microsoft-server-activesync/healthcheck.htm

 

OAB

 

/oab/healthcheck.htm

 

Powershell

 

/powershell/healthcheck.htm

 

RPC

 

/rpc/healthcheck.htm

 

MAPI

 

/mapi/healthcheck.htm

 

4.1.1.3 Create Content Rules

Content Rules must be created for the Virtual Services to function correctly.

To create a Modify URL rule for owa please complete the following steps:

1. Select the Rules & Checking > Content Rules menu option.

2. Click the Create New button.

HTTPS Reencrypted using SubVSs_6.png

3. Enter a relevant name, for example Redirect_Root, in the Rule Name field.

4. Select Modify URL from the Rule Type drop-down list.

5. Enter /^\/$/ in the Match String field.

6. Enter /owa in the Modified URL field.

7. Click the Create Rule button.

8. To create a Content Matching rule for owa please complete the following steps:

9. Select the Rules & Checking > Content Rules menu option.

10. Click the Create New button.

HTTPS Reencrypted using SubVSs_7.png

11. Enter a relevant name, for example OWA, in the Rule Name field.

12. Select Content Matching from the Rule Type drop-down list.

13. Ensure Regular Expression is selected in the Match Type drop-down list.

14. Enter /^\/owa.*/ in the Match String field.

15. Select the Ignore Case check box.

16. Click Create Rule.

Create additional Content Matching rules following steps Select the Rules & Checking > Content Rules menu option. above but using the values as described in the following table:

Rule Name

Match String

Ignore Case

ActiveSync

/^\/microsoft-server-activesync.*/

yes

Autodiscover

/^\/autodiscover.*/

yes

ECP

/^\/ecp.*/

yes

EWS

/^\/ews.*/

yes

OAB

/^\/oab.*/

yes

PowerShell

/^\/powershell.*/

yes

RPC

/^\/rpc.*/

yes

Root

/^\/$/

yes

MAPI

/^\/mapi.*/

yes

Authentication Proxy

/^\/lm_auth_proxy*$/

yes

4.1.1.4 Apply Content Rules

Once all Content Rules have been created, you must add these to the Virtual Services/SubVSs.

1. Select View/Modify Services under Virtual Services.

2. Select Modify next to the Exchange 2016 HTTPS Re-Encrypt Virtual Service.

HTTPS Reencrypted using SubVSs_8.png

3. In the Advanced Properties section, select Show Header Rules.

4. Select the redirect rule created earlier and select Add.

5. Click Back to return to the Virtual Service settings.

6. Expand the Advanced Properties section.

HTTPS Reencrypted using SubVSs_9.png

7. In the Advanced Properties section, select Enable under Content Switching.

HTTPS Reencrypted using SubVSs_10.png

8. In the SubVS section, select None under Rules for ActiveSync.

HTTPS Reencrypted using SubVSs_11.png

9. Select the Content Rule for ActiveSync that was created in the Create Content Rules section and select Add.

10. Click Back and repeat these steps for all remaining SubVSs.

4.1.2 HTTPS Offloaded Using SubVSs

To set up HTTPS Offloading Using SubVSs, follow the steps in the section below.

4.1.2.1 Create the Parent Virtual Service

Follow the instructions below to set up the parent HTTPS Virtual Service:

1. Select the Add New option within the Virtual Services section of the main menu tree.

HTTPS Offloaded Using SubVSs.png

2. Enter the IP address of the Virtual Service in the Virtual Address field.

3. Enter 443 in the Port field.

4. Type a name, for example Exchange 2016 HTTPS Offloaded in the Service Name field.

5. Select tcp in the Protocol drop-down list.

6. Click the Add this Virtual Service button to add the Virtual Service.

HTTPS Offloaded Using SubVSs_1.png

7. Within the Basic Properties section of the Virtual Services options page, select the following options:

a) Select HTTP/HTTPS from the Service Type drop-down list.

8. Expand the Standard Options section.

HTTPS Offloaded Using SubVSs_2.png

9. Within the Standard Options section of the Virtual Services options page, set the fields as outlined below:

b) Ensure the Force L4 check box is clear.

c) Ensure the Transparency check box is clear.

d) Select none from the Persistence Options drop-down list.

e) Select round robin from the Scheduling Method drop-down list.

f) Enter 1800 in the Idle Connection Timeout field and click the Set Idle Timeout button.

10. Expand the SSL Properties section.

HTTPS Offloaded Using SubVSs_3.png

11. Select the Enabled check box and click OK.

12. Ensure the Reencrypt check box is not selected.

13. Select the Certificate to be used for encryption and click > to Assigned Certificates.

14. Select BestPractices from the Cipher Set drop-down list and Click Set Certificate.

15. Expand the Advanced Properties section.

HTTPS Reencrypted using SubVSs_4.png

16. Within the Advanced Properties section, select the following options:

a) Enter https://%h%s is the value of the Redirection URL in the Add a Port 80 Redirector VS section. Click Add HTTP Redirector.

This creates a redirect Virtual Service on port 80 with the same IP address.

4.1.2.2 Create the SubVSs

Follow the instructions below to set up the SubVSs:

1. Expand the Real Servers section of the Virtual Services options page and click Add SubVS…

2. Click OK on the message, which appears.

The Real Servers section should now be called SubVSs.

The following steps deal with creating a SubVS for an Exchange service such as owa.

3. In the SubVSs section of the SubVS options page, click the Modify button next to the SubVS and select the following options:

HTTPS Reencrypted using SubVSs_5.png

a) In the SubVS Name field enter a relevant name such as OWA and click Set Nickname.

b) In the SubVS Type field, select the HTTP/HTTPS option.

HTTPS Offloaded Using SubVSs_4.png

4. In the Real Servers section of the SubVS options page select the following options:

a) Enter 80 in the Checked Port field and click Set Check Port.

b) Enter /owa/healthcheck.htm in the URL field and click the Set URL button.

c) Ensure the Use HTTP/1.1 check box is not selected.

d) Select GET from the HTTP Method drop-down list.

5. When finished editing the SubVS, click Back. Now you can add other SubVSs to this Virtual Service as needed.

6. Configure each SubVS using the settings in the following table:

SubVS Name

 

Healthcheck URL

OWA (as in steps above)

 

/owa/healthcheck.htm

Autodiscover

 

/autodiscover/healthcheck.htm

ECP

 

/ecp/healthcheck.htm

EWS

 

/ews/healthcheck.htm

ActiveSync

 

/microsoft-server-activesync/healthcheck.htm

OAB

 

/oab/healthcheck.htm

Powershell

 

/powershell/healthcheck.htm

RPC

 

/rpc/healthcheck.htm

MAPI

 

/mapi/healthcheck.htm

4.1.2.3 Create Content Rules

Content Rules need to be created for the Virtual Services to function correctly.

To create a Modify URL rule for owa please complete the following steps:

1. Select the Rules & Checking > Content Rules menu option.

2. Click the Create New button.

HTTPS Reencrypted using SubVSs_6.png

3. Enter a relevant name, for example Redirect_Root in the Rule Name field.

4. Select Modify URL from the Rule Type drop-down.

5. Enter /^\/$/ in the Match String field.

6. Enter /owa in the Modified URL field.

7. Click the Create Rule button.

8. To create a Content Matching rule for owa please complete the following steps:

9. Select the Rules & Checking > Content Rules menu option.

10. Click the Create New button.

HTTPS Reencrypted using SubVSs_7.png

11. Enter a relevant name, for example OWA in the Rule Name field.

12. Select Content Matching from the Rule Type drop-down list.

13. Select Regular Expression from the Match Type drop-down list.

14. Enter /^\/owa.*/ in the Match String field.

15. Select the Ignore Case check box.

16. Click Create Rule.

Create additional Content Matching rules following steps Select the Rules & Checking > Content Rules menu option. above but using the values as described in the table below.

Rule Name

Match String

Ignore Case

ActiveSync

/^\/microsoft-server-activesync.*/

yes

Autodiscover

/^\/autodiscover.*/

yes

ECP

/^\/ecp.*/

yes

EWS

/^\/ews.*/

yes

OAB

/^\/oab.*/

yes

PowerShell

/^\/powershell.*/

yes

RPC

/^\/rpc.*/

yes

Root

/^\/$/

yes

MAPI

/^\/mapi.*/

yes

4.1.2.4 Apply Content Rules

After creating all Content Rules, add them to the Virtual Services/ SubVSs.

1. Select View/Modify Services under Virtual Services.

2. Select Modify next to the Exchange 2016 HTTPS Offloaded Virtual Service.

3. In the Advanced Properties section, select Show Header Rules.

HTTPS Offloaded Using SubVSs_5.png

4. Select the Redirect Rule created earlier and click Add.

5. Click Back to return to the Virtual Service settings.

HTTPS Reencrypted using SubVSs_9.png

6. In the Advanced Properties section, select Enable beside Content Switching.

HTTPS Reencrypted using SubVSs_10.png

7. In the SubVS section, select None under Rules for ActiveSync.

HTTPS Reencrypted using SubVSs_11.png 

8. Select the Content Rule for ActiveSync created in the Create Content Rules section and then click Add.

9. Click Back and repeat these steps for all remaining SubVSs.

4.1.3 HTTPS Re-Encrypt Using ESP and SubVSs

To set up HTTPS Offloading Using ESP, follow the steps in the section below.

4.1.3.1 Create the Parent Virtual Service

Follow the instructions below to set up the parent HTTPS Virtual Service:

1. Select the Add New option within the Virtual Services section of the main menu tree.

HTTPS Re Encrypt Using ESP.png

2. Enter the IP address of the Virtual Service in the Virtual Address field.

3. Enter 443 in the Port field.

4. Type a name, for example Exchange 2016 HTTPS Reencrypt with ESP in the Service Name field.

5. Select tcp in the Protocol drop-down list.

6. Click the Add this Virtual Service button to add the Virtual Service.

HTTPS Reencrypted using SubVSs_1.png

7. Within the Basic Properties section of the Virtual Services options page, select the following options:

a) Select HTTP/HTTPS in the Service Type drop-down list.

HTTPS Re Encrypt Using ESP_1.png

8. Within the Standard Options section of the Virtual Services options page, set the fields as outlined below:

a) Ensure the Force L4 check box is clear.

b) Ensure the Transparency check box is clear.

c) Ensure none is selected from the Persistence Options drop-down list.

d) Ensure round robin is selected from the Scheduling Method drop-down list.

e) Enter 1800 in the Idle Connection Timeout field and click the Set Idle Timeout button.

9. Expand the SSL Properties section.

HTTPS Re Encrypt Using ESP_2.png

10. Select the Enabled check box.

11. Select the Reencrypt check box.

12. Select BestPractices from the Cipher Set drop-down list.

13. Expand the Advanced Properties section.

HTTPS Re Encrypt Using ESP_3.png

14. Within the Advanced Properties section, select the following options:

a) Ensure https://%h%s is the value of the Redirect URL in the Add a Port 80 Redirector VS section. Click Add HTTP Redirector.

This creates a redirect Virtual Service on port 80 with the same IP address.

4.1.3.2 Create the SubVSs

Follow the instructions below to set up the SubVSs:

1. In the Real Servers section of the Virtual Services options page, click the Add SubVS button.

2. A message stating that the SubVS has been created appears, click OK.

The Real Servers section should now be renamed to SubVSs.

The following steps deal with creating a SubVS for an Exchange service such as owa.

3. In the SubVSs section of the SubVS options page, click the Modify button next to the SubVS and select the following options:

HTTPS Reencrypted using SubVSs_5.png

a) In the SubVS Name field enter a relevant name such as OWA and click Set Nickname.

b) In the SubVS Type field, select the HTTP/HTTPS option.

4. The configuration of SubVS ESP is outlined in the Enable ESP section.

HTTPS Virtual Service_4.png

5. In the Real Servers section of the SubVS options page select the following options:

a) Select HTTPS Protocol from the Real Server Check Parameters drop-down list.

b) Enter 443 as the Checked Port and click Set Check Port.

c) Enter /owa/healthcheck.htm in the URL field and click Set URL.

d) Ensure the Use HTTP/1.1 check box is not selected.

e) Ensure the GET option is selected from the HTTP Method drop-down list.

6. When finished editing the SubVS, click Back. Now you can add other SubVSs to this Virtual Service as needed.

7. Configure each SubVS using the settings in the table below.

SubVS Name

 

Healthcheck URL

OWA (as in steps above)

 

/owa/healthcheck.htm

Autodiscover

 

/autodiscover/healthcheck.htm

ECP

 

/ecp/healthcheck.htm

EWS

 

/ews/healthcheck.htm

ActiveSync

 

/microsoft-server-activesync/healthcheck.htm

OAB

 

/oab/healthcheck.htm

Powershell

 

/powershell/healthcheck.htm

RPC

 

/rpc/healthcheck.htm

MAPI

 

/mapi/healthcheck.htm

Authentication Proxy

 

 

If you are using Kerberos Constrained Delegation (KCD) please ensure you add a Real Server to the Authentication Proxy SubVS. For further information on KCD, refer to the KCD, Feature Description.

4.1.3.3 Enable ESP

To enable ESP follow the steps below:

HTTPS Re Encrypt Using ESP_4.png

1. For each of the SubVSs created, ensure that in the ESP section, the Enable ESP check box is selected, and select the following options:

a) Select the User Access, Security and Connection check boxes in ESP Logging.

b) Select the relevant SSO Domain.

For instructions on how to add an SSO domain, refer to the ESP, Feature Description.

Enter all of the allowed virtual hosts into the Allowed Virtual Hosts text box, for example mail.example.com, and click the Set Allowed Virtual Hosts button.

Configure each SubVS using the settings in the table below:

SubVS Name

Allowed Virtual Directories

Pre-Authorization Excluded Directories

Client Auth. mode

Server Auth. mode

SSO Image Set

SSO Greeting Message

Autodiscover

/autodiscover*

 

Delegate to Server

None

n/a

 

ECP

/ecp*

 

Form Based

Form Based

Exchange

Please enter your Exchange credentials.

EWS

/ews*

 

Delegate to Server

None

n/a

 

ActiveSync

/microsoft-server-activesync*

 

Basic Auth.

Basic Auth.

n/a

 

OAB

/oab*

 

Delegate to Server

None

n/a

 

Powershell

/powershell*

 

Delegate to Server

None

n/a

 

RPC

/rpc*

 

Delegate to Server

None

n/a

 

OWA

/owa*

/owa/<guid@smtpdomain>*

Form Based

Form Based

Exchange

Please enter your Exchange credentials.

MAPI

/mapi*

 

Delegate to Server

None

n/a

 

Authentication Proxy

/*

 

Form Based

Basic Auth.

Exchange

Please enter your Exchange credentials.

GUID is unique to each Exchange deployment. To find the correct GUID, run the following command on the Exchange Server:

Get-Mailbox -Arbitration | where {$_.PersistedCapabilities -like “OrganizationCapabilityClientExtensions”} | f1 exchangeGUID, primarysmtpaddress

The Logoff String must be set to /owa/logoff.owa in the OWA SubVS. In a customized environment, if the OWA logoff string has been changed, the modified logoff string must be entered in the Logoff String text box.

The Error Code in the Authentication Proxy SubVS should be set to 503 Service Unavailable with an Error Message of Endpoint not available.

HTTPS Re Encrypt Using ESP_5.png

The SSO Greeting Message field accepts HTML code so you can insert your own image if required. However, there are several characters that are not supported. These are the grave accent character ( ` ) and the single quote (’). If a grave accent character is used in the SSO Greeting Message, the character will not display in the output, for example a`b`c becomes abc. If a single quote is used, users will not be able to log in.

4.1.3.4 Create Content Rules

Create Content Rules so that Virtual Services function correctly.

To create a Modify URL rule for owa please complete the following steps:

1. Select the Rules & Checking > Content Rules menu option.

2. Click the Create New button.

HTTPS Reencrypted using SubVSs_6.png

3. Enter a relevant name, for example Redirect_Root in the Rule Name field.

4. Select the Modify URL option in the Rule Type drop-down.

5. Enter /^\/$/ in the Match String field.

6. Enter /owa in the Modified URL field.

7. Click the Create Rule button.

To create a Content Matching rule for owa please complete the following steps:

1. Select the Rules & Checking > Content Rules menu option.

2. Click the Create New button.

HTTPS Reencrypted using SubVSs_7.png

3. Enter a relevant name, for example OWA in the Rule Name field.

4. Ensure the Content Matching option is selected from the Rule Type drop-down list.

5. Ensure the Regular Expression option is selected in the Match Type drop-down list.

6. Enter /^\/owa.*/ in the Match String field.

7. Select the Ignore Case check box.

8. Click the Create Rule button.

Create additional Content Matching rules following steps Select the Rules & Checking > Content Rules menu option.above but using the values as described in the table below.

Rule Name

Match String

Ignore Case

ActiveSync

/^\/microsoft-server-activesync.*/

yes

Autodiscover

/^\/autodiscover.*/

yes

ECP

/^\/ecp.*/

yes

EWS

/^\/ews.*/

yes

OAB

/^\/oab.*/

yes

PowerShell

/^\/powershell.*/

yes

RPC

/^\/rpc.*/

yes

Root

/^\/$/

yes

MAPI

/^\/mapi.*/

yes

Authentication Proxy

/^\/lm_auth_proxy*$/

yes

4.1.3.5 Apply Content Rules

Once all Content Rules have been created, you must add these to the Virtual Services/ SubVSs.

9. Select View/Modify Services under Virtual Services.

10. Select Modify next to the Exchange 2016 HTTPS Reencrypt with ESP Virtual Service.

HTTPS Offloaded Using SubVSs_5.png

11. In the Advanced Properties section, click Show Header Rules.

12. Select the Redirect Rule created earlier and click Add.

13. Click Back to return to the Virtual Service settings.

HTTPS Reencrypted using SubVSs_9.png

14. In the Advanced Properties section, select Enable under Content Switching.

HTTPS Re Encrypt Using ESP_6.png

15. In the SubVS section, select None under Rules for ActiveSync.

  HTTPS Reencrypted using SubVSs_11.png

16. Select the Content Rule for ActiveSync that was created in the Enable ESP section and click Add.

17. Click Back and repeat these steps for all remaining SubVSs.

4.1.4 HTTPS Re-Encrypt Using ESP, WAF and SubVSs

Before configuring the WAF settings, please download and install the latest commercial rulesets. For further information on WAF, please refer to the KEMP Web Application Firewall, Feature Description.

Follow the instructions below to set up the parent HTTPS reencrypted Virtual Service with ESP and WAF:

1. In the main menu of the LoadMaster WUI, go to Virtual Services and click Add New.

HTTPS Re Encrypt Using ESP_1_1.png

2. Enter a valid Virtual Address.

3. Enter 443 as the Port.

4. Enter a Service Name, for example Exchange 2016 HTTPS Reencrypted with ESP and WAF.

5. Click Add this Virtual Service.

HTTPS Re Encrypt Using ESP_1_2.png

6. Remove the tick from the Transparency check box.

7. Enter 1800 in the Idle Connection Timeout text box and click Set Idle Timeout.

8. Expand the SSL Properties section.

HTTPS Re Encrypt Using ESP_1_3.png

9. Tick the Enabled check box.

10. Tick the Reencrypt check box.

11. Select BestPractices as the Cipher Set.

12. Expand the Advanced Properties section.

HTTPS Re Encrypt Using ESP_1_4.png

13. Click the Add HTTP Redirector button.

This creates a redirect Virtual Service on port 80 with the same IP address.

14. Expand the WAF Options section.

HTTPS Re Encrypt Using ESP_1_5.png

15. Tick the Enabled check box.

16. Tick the following rulesets in the Available Rules box:

- owasp_protocol_violations

- owasp_protocol_anomalies

- owasp_bad_robots

- owasp_generic_attacks

- owasp_common_exceptions

- owa_attacks
All rules should be enabled for each of these rulesets.

17. Click Apply.

After setting up the parent Virtual Service, the SubVSs must be added and configured. The steps to add the SubVSs, enable ESP, create the content rules and assign the rules are the same as those in the Create the SubVSs, Enable ESP, Create Content Rules and Apply Content Rules sections.

In the redirect Virtual Service which was created, change the Persistence Mode to None and change the Real Server Check Method to None.

4.1.5 HTTPS Offloaded Using ESP and SubVSs

To set up HTTPS Offloading Using ESP, follow the steps in the section below.

4.1.5.1 Create the Parent Virtual Service

Follow the instructions below to set up the parent HTTPS Virtual Service:

1. Select the Add New option within the Virtual Services section of the main menu tree.

HTTPS Offloaded Using ESP.png

2. Enter the IP address of the Virtual Service in the Virtual Address field.

3. Enter 443 in the Port field.

4. Type a name, for example Exchange 2016 HTTPS Offloaded with ESP in the Service Name field.

5. Select tcp in the Protocol drop-down list.

6. Click the Add this Virtual Service button to add the Virtual Service.

HTTPS Offloaded Using ESP_1.png

7. Select the following options:

a) Select HTTP/HTTPS from the Service Type drop-down list.

8. Expand the Standard Options section.

HTTPS Offloaded Using ESP_2.png

9. Within the Standard Options section, set the fields as outlined below:

b) Ensure the Force L4 check box is clear.

c) Ensure the Transparency check box is clear.

d) Ensure none is selected in the Persistence Options drop-down list.

e) Ensure round robin is selected in the Scheduling Method drop-down list.

f) Enter 1800 in the Idle Connection Timeout field and click the Set Idle Timeout button.

10. Expand the SSL Properties section.

HTTPS Offloaded Using ESP_3.png

11. Select the Enabled check box.

12. Ensure the Reencrypt check box is not selected.

13. Expand the Advanced Properties section.

HTTPS Reencrypted using SubVSs_4.png

14. Select the following options:

a) Ensure https://%h%s is the value of the Redirect URL in the Add a Port 80 Redirector VS section. Click Add HTTP Redirector.

This creates a redirect Virtual Service on port 80 with the same IP address.

4.1.5.2 Create the SubVSs

Follow the instructions below to set up the SubVSs:

1. In the Real Servers section of the Virtual Services options page, click the Add SubVS button.

A message stating that the SubVS has been created appears, click OK.

The Real Servers section should now be renamed to SubVSs.

The following steps deal with creating a SubVS for an Exchange service such as owa.

2. In the SubVSs section of the SubVS options page, click the Modify button next to the SubVS and select the following options:

HTTPS Reencrypted using SubVSs_5.png

a) In the SubVS Name field enter a relevant name such as OWA and click Set Nickname.

b) In the SubVS Type field select the HTTP/HTTPS option.

HTTPS Offloaded Using ESP_4.png

The configuration of the SubVS ESP settings is outlined in the Enable ESP section.

HTTPS Offloaded Using ESP_5.png

3. In the Real Servers section of the SubVS options page select the following options:

a) Enter 80 as the Checked Port and click Set Check Port.

b) Enter /owa/healthcheck.htm in the URL field and click Set URL.

c) Ensure the Use HTTP/1.1 check box is not selected.

d) Ensure GET is selected from the HTTP Method drop-down list.

4. When finished editing the SubVS, click Back. Now you can add other SubVSs to this Virtual Service as needed.

5. Configure each SubVS using the settings in the table below.

 

SubVS Name

 

Healthcheck URL

OWA (as in steps above)

 

/owa/healthcheck.htm

Autodiscover

 

/autodiscover/healthcheck.htm

ECP

 

/ecp/healthcheck.htm

EWS

 

/ews/healthcheck.htm

ActiveSync

 

/microsoft-server-activesync/healthcheck.htm

OAB

 

/oab/healthcheck.htm

Powershell

 

/powershell/healthcheck.htm

RPC

 

/rpc/healthcheck.htm

MAPI

 

/mapi/healthcheck.htm

Authentication Proxy

 

 

If you are using Kerberos Constrained Delegation (KCD) please ensure you add a Real Server to the Authentication Proxy SubVS.. For further information on KCD, refer to the KCD, Feature Description.

4.1.5.3 Enable ESP

To enable ESP follow the steps below:

HTTPS Re Encrypt Using ESP_4.png

1. For each of the SubVSs created, ensure that in the ESP section, the Enable ESP check box is selected, and select the following options:

a) Select the User Access, Security and Connection check boxes in ESP Logging.

b) Select the relevant SSO Domain.

For instructions on how to add an SSO domain, refer to the ESP, Feature Description.

Enter all of the allowed virtual hosts into the Allowed Virtual Hosts text box, for example mail.example.com, and click the Set Allowed Virtual Hosts button.

Configure each SubVS using the settings in the table below.

SubVS Name

Allowed Virtual Directories

Pre-Authorization Excluded Directories

Client Auth. mode

Server Auth. mode

SSO Image Set

SSO Greeting Message

Autodiscover

/autodiscover*

 

Delegate to server

None

n/a

 

ECP

/ecp*

 

Form Based

Form Based*

Exchange

Please enter your Exchange credentials.

EWS

/ews*

 

Delegate to Server

None

n/a

 

ActiveSync

/microsoft-server-activesync*

 

Basic Auth.

Basic Authentication

n/a

 

OAB

/oab*

 

Delegate to Server

None

n/a

 

Powershell

/powershell*

 

Delegate to Server

None

n/a

 

RPC

/rpc*

 

Delegate to Server

None

n/a

 

OWA

/owa*

/owa/<guid@smtpdomain>*1

Form Based

Form Based*

Exchange

Please enter your Exchange credentials.

MAPI

/mapi*

 

Delegate to Server

None

n/a

 

Authentication Proxy

/*

 

Form Based

Form Based*

Exchange

Please enter your Exchange credentials.

 

*Adding server side form based authentication is available from version 7.2.37 onwards.

1 GUID is unique to each Exchange deployment. To find the correct GUID, run the following command on the Exchange Server:

Get-Mailbox -Arbitration | where {$_.PersistedCapabilities -like “OrganizationCapabilityClientExtensions”} | f1 exchangeGUID, primarysmtpaddress

The Logoff String must be set to /owa/logoff.owa in the OWA SubVS. In a customized environment, if the OWA logoff string has been changed, the modified logoff string must be entered in the Logoff String text box.

The Error Code in the Authentication Proxy SubVS should be set to 503 Service Unavailable with an Error Message of Endpoint not available.

The SSO Greeting Message field accepts HTML code, so the users can insert their own image if desired. The grave accent character ( ` ) is not supported. If this character is entered in the SSO Greeting Message, the character will not display in the output, for example a`b`c becomes abc.

4.1.5.4 Create Content Rules

Create the content rules so the Virtual Services function correctly.

To create a Modify URL rule for owa please complete the following steps:

1. In the main menu of the LoadMaster WUI, click Rules & Checking.

2. Click Content Rules.

3. Click the Create New button.

HTTPS Reencrypted using SubVSs_6.png

4. Enter a relevant name, for example Redirect_Root in the Rule Name field.

5. Select the Modify URL option in the Rule Type drop-down.

6. Enter /^\/$/ in the Match String field.

7. Enter /owa in the Modified URL field.

8. Click the Create Rule button.

9. To create a Content Matching rule for owa please complete the following steps:

1. Select the Rules & Checking > Content Rules menu option.

2. Click the Create New button.

HTTPS Reencrypted using SubVSs_7.png

3. Enter a relevant name, for example OWA in the Rule Name field.

4. Ensure the Content Matching option is selected in the Rule Type drop-down list.

5. Ensure the Regular Expression option is selected in the Match Type drop-down list.

6. Enter /^\/owa.*/ in the Match String field.

7. Select the Ignore Case check box.

8. Click the Create Rule button.

Create additional Content Matching rules following steps Select the Rules & Checking > Content Rules menu option. to Click the Create Rule button. above but using the values as described in the following table:

Rule Name

Match String

Ignore Case

ActiveSync

/^\/microsoft-server-activesync.*/

yes

Autodiscover

/^\/autodiscover.*/

yes

ECP

/^\/ecp.*/

yes

EWS

/^\/ews.*/

yes

OAB

/^\/oab.*/

yes

PowerShell

/^\/powershell.*/

yes

RPC

/^\/rpc.*/

yes

Root

/^\/$/

yes

MAPI

/^\/mapi.*/

yes

Authentication Proxy

/^\/lm_auth_proxy*$/

yes

4.1.5.5 Apply Content Rules

Once all Content Rules have been created, you must add these to the Virtual Services/SubVSs:

1. Select View/Modify Services under Virtual Services.

2. Click Modify next to the Exchange 2016 HTTPS Offloaded with ESP Virtual Service.

HTTPS Offloaded Using ESP_6.png

3. In the Advanced Properties section, click Show Header Rules.

4. Select the Redirect Rule created earlier and click Add.

5. Click Back to return to the Virtual Service settings.

HTTPS Reencrypted using SubVSs_9.png

6. In the Advanced Properties section, select Enable under Content Switching.

HTTPS Re Encrypt Using ESP_6.png

7. In the SubVS section, click None under Rules for ActiveSync.

HTTPS Offloaded Using ESP_7.png

8. Select the Content Rule for ActiveSync that was created in the Create Content Rules section and select Add.

9. Click Back and repeat these steps for all remaining SubVSs.

4.1.6 HTTPS Offloaded Using ESP, WAF and SubVSs

Before configuring the Web Application Firewall (WAF) settings, please download and install the latest commercial rulesets. For further information on WAF, please refer to the KEMP Web Application Firewall, Feature Description.

Follow the instructions below to set up the parent Exchange 2016 HTTPS Offloaded with ESP and WAF Virtual Service:

1. In the main menu, go to Virtual Services and click Add New.

HTTPS Offloaded Using ESP_1_1.png

2. Enter a valid IP address in the Virtual Address text box.

3. Enter 443 as the Port.

4. Enter a Service Name, for example Exchange 2016 HTTPS Offloaded with ESP and WAF.

5. Click Add this Virtual Service.

HTTPS Offloaded Using ESP_1_2.png

6. Expand the Standard Options section.

7. Enter 1800 into the Idle Connection Timeout text box and click Set Idle Timeout.

8. Expand the SSL Properties section.

HTTPS Offloaded Using ESP_1_3.png

9. Select the Enabled check box.

10. Select BestPractices as the Cipher Set.

11. Expand the Advanced Properties section.

HTTPS Offloaded Using ESP_1_4.png

12. Click the Add HTTP Redirector button.

This creates a redirect Virtual Service on port 80 with the same IP address.

13. In the Available Rulesets list, tick the following rules:

- owasp_protocol_violations

- owasp_protocol_anomalies

- owasp_bad_robots

- owasp_generic_attacks

- owasp_common_exceptions

- owa_attacks
All rules should be enabled for each of these rulesets.

14. Click Apply.

After setting up the parent Virtual Service, the SubVSs must be added and configured. The steps to add the SubVSs, enable ESP, create the content rules and assign the rules are the same as those in the Create the SubVSs, Enable ESP, Create Content Rules and Apply Content Rules sections.

In the redirect Virtual Service which was created, change the Persistence Mode to None and change the Real Server Check Method to None.

4.2 Office Online Server Virtual Service

Follow the instructions below to set up an Office Online Server Virtual Service:

1. In the main menu of the LoadMaster WUI, go to Virtual Services and click Add New.

Office Online Server Virtual.png

2. Enter a valid IP address in the Virtual Address text box.

3. Enter 443 as the Port.

4. Enter a Service Name, for example Exchange 2016 Office Online Server.

5. Click Add this Virtual Service.

6. Expand the SSL Properties section.

Office Online Server Virtual_1.png

7. Tick the Enabled check box.

8. Tick the Reencrypt check box.

9. Select BestPractices from the Cipher Set drop-down list.

10. Expand the Standard Options section.

Office Online Server Virtual_2.png

11. Remove the tick from the Transparency check box.

12. Select Super HTTP and Source IP as the Persistence Mode.

13. Select 30 Minutes as the Persistence Timeout.

14. Select least connection as the Scheduling Method.

15. Enter 1800 as the Idle Connection Timeout and click Set Idle Timeout.

16. Expand the Real Servers section.

Office Online Server Virtual_3.png

17. Enter /hosting/discovery as the URL and click Set URL.

18. Tick the Use HTTP/1.1 check box.

19. Select GET as the HTTP Method.

4.3 IMAP Virtual Service

Follow the instructions below to set up an IMAP Virtual Service:

1. Select the Add New option within the Virtual Services section of the main menu tree.

IMAP Virtual Service.png

2. Enter the IP address of the Virtual Service in the Virtual Address field.

3. Enter 143 in the Port field.

4. Type a name, for example Exchange 2016 IMAP in the Service Name field.

5. Select tcp in the Protocol drop-down list.

6. Click the Add this Virtual Service button to add the Virtual Service.

IMAP Virtual Service_1.png

7. Within the Basic Properties section of the Virtual Services options page, select the following options:

a) Select Generic in the Service Type drop-down list.

IMAP Virtual Service_2.png

8. Within the Standard Options section of the Virtual Services options page, select the following options:

a) Ensure the Force L4 check box is clear.

b) Ensure the Transparency check box is clear.

c) Ensure IMAP4 is selected in Server Initiating Protocols drop-down list.

d) Ensure none is selected in the Persistence Options drop-down list.

e) Ensure round robin is selected in the Scheduling Method drop-down list.

f) Enter 3600 in the Idle Connection Timeout text box and click Set Idle Timeout.

IMAP Virtual Service_3.png

9. Within the SSL Properties section, ensure that the SSL Acceleration check box is not selected.

IMAP Virtual Service_4.png

10. Do not change any of the options within the Advanced Options section.

IMAP Virtual Service_5.png

11. Within the Real Servers section of the Virtual Services options page, select the following options:

a) Ensure Mailbox (IMAP) Protocol has been selected as the health-checking option.

b) Enter 143 in the Checked Port field and click on the Set Check Port button.

4.3.1 IMAP STARTTLS Virtual Service

To configure the IMAP STARTTLS Virtual Service, follow the steps below:

1. Select the Add New option within the Virtual Services section of the main menu tree.

IMAP STARTTLS Virtual Service.png

2. Enter a Virtual Address.

3. Enter 143 as the Port.

4. Enter a recognizable Service Name, for example Exchange 2016 IMAP with STARTTLS.

IMAP STARTTLS Virtual Service_1.png

5. Within the Basic Properties section of the Virtual Services options page, select the following options:

a) Select STARTTLS protocols in the Service Type drop-down list.

IMAP STARTTLS Virtual Service_2.png

6. Within the Standard Options section of the Virtual Services options page, select the following options:

a) Remove the tick from the Transparency check box.

b) Ensure IMAP is selected in the STARTTLS mode drop-down list.

c) Enter 3600 in the Idle Connection Timeout field and click Set Idle Timeout.

IMAP STARTTLS Virtual Service_3.png

7. In the Real Servers section, enter 143 in the Checked Port text box and click the Set Check Port button.

4.3.2 IMAPS Virtual Service

To configure the IMAPS Virtual Service, follow the steps below:

1. Select the Add New option within the Virtual Services section of the main menu tree.

IMAPS Virtual Service.png

2. Enter the IP address in the Virtual Address text box.

3. Enter 993 in the Port field.

4. Enter a recognizable Service Name, for example Exchange 2016 IMAPS.

5. Click Add this Virtual Service.

IMAPS Virtual Service_1.png

6. Within the Standard Options section of the Virtual Services options page:

a) Remove the tick from the Transparency check box.

b) Select IMAP4 in the Server Initiating Protocols drop-down list.

c) Enter 3600 in the Idle Connection Timeout field and click Set Idle Timeout.

IMAPS Virtual Service_2.png

7. Within the Real Servers section of the Virtual Services options page, select the following options:

a) Ensure TCP Connection Only is selected as the health-checking option.

b) Enter 993 in the Checked Port field and click the Set Check Port button.

4.3.3 IMAPS Offloaded Virtual Service

To configure the IMAPS Offloaded, follow the steps below:

1. Select the Add New option within the Virtual Services section of the main menu tree.

IMAPS Offloaded Virtual Service.png

2. Enter the IP address of the Virtual Service in the Virtual Address field.

3. Enter 993 in the Port field.

4. Enter a recognizable Service Name, for example Exchange 2016 IMAPS Offloaded.

IMAPS Virtual Service_1.png

5. Within the Standard Options section of the Virtual Services options page, set the following options:

a) Remove the tick from the Transparency check box.

b) Select IMAP4 in the Server Initiating Protocols drop-down list.

c) Enter 3600 in the Idle Connection Timeout field and click the Set Idle Timeout button.

IMAPS Offloaded Virtual Service_1.png

6. In the SSL Properties section, select the SSL Acceleration - Enabled check box.

7. Click OK.

IMAPS Offloaded Virtual Service_2.png

8. In the Real Servers section of the Virtual Services options page, select the following options:

a) Ensure Mailbox (IMAP) Protocol is selected as the health-checking option.

b) Enter 143 in the Checked Port text box and click Set Check Port.

4.4 POP Virtual Service

Follow the instructions below to set up a POP Virtual Service:

1. Select the Add New option within the Virtual Services section of the main menu tree.

POP Virtual Service.png

2. Enter the IP address of the Virtual Service in the Virtual Address field.

3. Enter 110 in the Port field.

4. Type a name, for example Exchange 2016 POP in the Service Name field.

5. Select tcp in the Protocol drop-down list.

6. Click the Add this Virtual Service button to add the Virtual Service.

POP Virtual Service_1.png

7. Within the Basic Properties section of the Virtual Services options page, select the following options:

a) Select Generic in the Service Type drop-down list.

POP Virtual Service_2.png

8. Within the Standard Options section of the Virtual Services options page, select the following options:

a) Ensure the Force L4 check box is clear.

b) Ensure the Transparency check box is clear.

c) Ensure POP3 is selected in Server Initiating Protocols drop-down list.

d) Ensure none is selected in the Persistence Options drop-down list.

e) Ensure round robin is selected in the Scheduling Method drop-down list.

f) Enter 3600 in the Idle Connection Timeout field and click Set Idle Timeout.

POP Virtual Service_3.png

9. Within the Real Servers section of the Virtual Services options page, select the following options:

a) Ensure Mailbox (POP3) Protocol has been selected as the health-checking option.

b) Enter 110 in the Checked Port field and click the Set Check Port button.

4.4.1 POP with STARTTLS Virtual Service

To configure a POP Virtual Service with STARTTLS, follow the steps below:

1. Select the Add New option within the Virtual Services section of the main menu tree.

POP with STARTTLS Virtual.png

2. Enter a valid IP address in the Virtual Address text box.

3. Enter 110 as the Port.

4. Enter a recognizable Service Name, for example Exchange 2016 POP with STARTTLS.

5. Click Add this Virtual Service.

POP with STARTTLS Virtual_1.png

6. Within the Basic Properties section of the Virtual Services options page, select the following options:

a) Select STARTTLS protocols in the Service Type drop-down list.

POP with STARTTLS Virtual_2.png

7. Within the Standard Options section of the Virtual Services options page, select the following options:

a) Remove the tick from the Transparency check box.

b) Enter 3600 in the Idle Connection Timeout text box and click Set Idle Timeout.

POP with STARTTLS Virtual_3.png

8. In the Real Servers section, make the following selections:

a) Select Mailbox (POP3) Protocol from the Real Server Check Parameters drop-down list.

b) Enter 110 in the Checked Port text box and click the Set Check Port button.

4.4.2 POPS Virtual Service

To configure a POPS VS, follow the steps below:

1. Select the Add New option within the Virtual Services section of the main menu tree.

POPS Virtual Service.png

2. Enter a valid IP address in the Virtual Address text box.

3. Enter 995 in the Port field.

4. Enter a recognizable Service Name, for example Exchange 2016 POPS.

POPS Virtual Service_1.png

5. In the Standard Options section:

a) Remove the tick from the Transparency check box.

b) Select POP3 in the Server Initiating Protocols drop-down list.

c) Enter 3600 in the Idle Connection Timeout text box and click Set Idle Timeout.

POPS Virtual Service_2.png

6. Within the Real Servers section of the Virtual Services options page, enter 995 in the Checked Port field and click the Set Check Port button.

4.4.3 POPS Offloaded Virtual Service

To configure a POPS Offloaded Virtual Service, follow the steps below:

1. Select the Add New option within the Virtual Services section of the main menu tree.

POPS Offloaded Virtual Service.png

2. Enter a valid IP address in the Virtual Address text box.

3. Enter 995 in the Port field.

4. Enter a recognizable Service Name, for example Exchange 2016 POPS Offloaded.

5. Click Add this Virtual Service.

POPS Offloaded Virtual Service_1.png

6. Within the Standard Options section of the Virtual Services options page:

a) Remove the tick from the Transparency check box.

b) Select POP3 in the Server Initiating Protocols drop-down list.

c) Enter 3600 in the Idle Connection Timeout text box and click Set Idle Timeout.

IMAPS Offloaded Virtual Service_1.png

7. Within the SSL Properties section, select the SSL Acceleration - Enabled check box.

8. Click OK.

POPS Offloaded Virtual Service_2.png

9. Within the Real Servers section:

d) Select Mailbox (POP3) Protocol from the Real Server Check Parameters drop-down list.

e) Enter 110 in the Checked Port text box and click Set Check Port.

4.5 SMTP Virtual Service

Follow the instructions below to set up an SMTP Virtual Service:

1. Select the Add New option within the Virtual Services section of the main menu tree.

SMTP Virtual Service.png

2. Enter the IP address of the Virtual Service in the Virtual Address field.

3. Enter 25 in the Port field.

4. Type a name, for example Exchange 2016 SMTP in the Service Name field.

5. Select tcp in the Protocol drop-down list.

6. Click the Add this Virtual Service button to add the Virtual Service.

SMTP Virtual Service_1.png

7. Within the Basic Properties section of the Virtual Services options page, select the following options:

a) Select Generic from the Service Type drop-down list

SMTP Virtual Service_2.png

8. Within the Standard Options section of the Virtual Services options page, select the following options:

a) Ensure the Force L4 check box is clear.

b) Ensure the Transparency check box is clear.

c) Ensure SMTP is selected in Server Initiating Protocols drop-down list.

d) Select Source IP Address as the Persistence Mode.

e) Set the Timeout value to 1 Hour.

f) Ensure round robin is selected in the Scheduling Method drop-down list.

g) Enter to 120 in the Idle Connection Timeout text box and click Set Idle Timeout.

SMTP Virtual Service_3.png

9. Within the Real Servers section of the Virtual Services options page, select the following options:

h) Ensure Mailbox (SMTP) Protocol is selected as the health-checking option.

i) Enter 25 in the Checked Port field and click the Set Check Port button.

4.5.1 SMTPS Virtual Service

To configure an SMTPS Virtual Service, follow the steps below:

1. In the main menu of the LoadMaster WUI, select Virtual Services and Add New.

SMTPS Virtual Service.png

2. Enter a valid IP address in the Virtual Address text box.

3. Enter 587 as the Port.

4. Enter a recognizable Service Name, for example Exchange 2016 SMTPS.

5. Click Add this Virtual Service.

SMTPS Virtual Service_1.png

6. Within the Standard Options section, set the fields as follows:

a) Remove the tick from the Transparency check box.

b) Select SMTP from the Server Initiating Protocols drop-down list.

c) Set the Persistence Mode to Source IP Address.

d) Set the Timeout value to 1 Hour.

e) Enter 120 in the Idle Connection Timeout text box and click Set Idle Timeout.

SMTPS Virtual Service_2.png

7. In the Real Servers section, enter 587 and click Set Check Port.

4.5.2 SMTPS Offloaded Virtual Service

To configure a SMTPS Offloaded Virtual Service, follow the steps below:

1. In the main menu of the LoadMaster WUI, select Virtual Services and Add New.

SMTPS Offloaded Virtual Service.png

2. Enter a valid IP address in the Virtual Address text box.

3. Enter 587 in the Port field.

4. Enter a recognizable Service Name, for example Exchange 2016 SMTPS Offloaded.

5. Click Add this Virtual Service.

6. Within the SSL Properties section, select Enabled.

7. Click OK.

SMTPS Offloaded Virtual Service_1.png

8. Within the Standard Options section of the Virtual Services options page, select the following options:

a) Remove the tick from the Transparency check box.

b) Select SMTP in the Server Initiating Protocols drop-down list.

c) Select Source IP Address as the Persistence Mode.

d) Select 1 Hour as the Timeout value.

e) Enter 120 in the Idle Connection Timeout field and click Set Idle Timeout.

SMTPS Offloaded Virtual Service_2.png

9. Within the Real Servers section of the Virtual Services options page:

a) Select Mail (SMTP) Protocol as the health-checking option.

b) Enter 25 in the Checked Port text box and click Set Check Port.

4.5.3 SMTP with STARTTLS Virtual Service

To configure a SMTP Virtual Service with STARTTLS, follow the steps below:

1. In the main menu of the LoadMaster WUI, select Virtual Services and Add New.

SMTP with STARTTLS Virtual.png

2. Enter a valid IP address in the Virtual Address text box.

3. Enter 25 as the Port.

4. Enter a recognizable Service Name, for example Exchange 2016 SMTP with STARTTLS.

5. Click Add this Virtual Service.

SMTP with STARTTLS Virtual_1.png

6. Within the Basic Properties section of the Virtual Services options page:

a) Select STARTTLS protocols in the Service Type drop-down list.

SMTP with STARTTLS Virtual_2.png

7. Within the Standard Options section of the Virtual Services options page:

a) Remove the tick from the Transparency check box.

b) Ensure SMTP (STARTTLS if requested) is selected in the STARTTLS mode drop-down list.

c) Set the Persistence Mode to Source IP Address.

d) Set the Timeout value to 1 Hour.

e) Enter 120 in the Idle Connection Timeout text box and click Set Idle Timeout.

SMTP with STARTTLS Virtual_3.png

8. In the Real Servers section:

a) Enter 25 in the Checked Port text box and click Set Check Port.

4.5.4 SMTP with ESP Virtual Service

To configure a SMTP VS with ESP, follow the steps below:

1. In the main menu of the LoadMaster WUI, select Virtual Services and Add New.

SMTP with ESP Virtual Service.png

2. Enter a valid IP address in the Virtual Address text box.

3. Enter 25 as the Port.

4. Enter a recognizable Service Name, for example Exchange 2016 SMTP with ESP.

5. Click Add this Virtual Service.

SMTP with ESP Virtual Service_1.png

6. Within the Standard Options section, set the fields as follows:

a) Remove the tick from the Transparency check box.

b) Ensure SMTP is selected in the Server Initiating Protocols drop-down list.

c) Set the Persistence Mode to Source IP Address.

d) Set the Timeout value to 1 Hour.

e) Enter 120 in the Idle Connection Timeout text box and click Set Idle Timeout.

SMTP with ESP Virtual Service_2.png

7. Within the ESP Options section, select the following options:

a) Ensure the Enable ESP check box is selected.

b) Ensure the Connection Logging check box is selected.

c) Enter the all the permitted domains allowed to be received by this service and click the Set Permitted Domains button. (Multiple permitted domains can be entered using a space-separated list)

SMTP with ESP Virtual Service_3.png

8. Within the Real Servers section, set the fields as follows:

d) Select Mail (SMTP) Protocol from the Real Server Check Parameters drop-down list.

e) Enter 25 in the Checked Port text box and click Set Check Port.

4.5.5 Office Online Server Virtual Service

To configure a Virtual Service for Office Online Servers, follow the steps below:

1. Click the Add New button.

Office Online Server Virtual_1_1.png

2. Enter a Virtual Address.

3. Enter 443 in the Port field.

4. Enter a recognisable Service Name, for example Office Online Server.

5. Ensure TCP is set as the Protocol.

6. Click Add This Virtual Service.

Office Online Server Virtual_1_2.png

7. Expand the SSL Properties section and select the following options:

a) Select the Enabled check box.

b) Select the Reencrypt check box.

Office Online Server Virtual_1_3.png

8. Expand the Standard Options section and select the following options:

c) Select Super HTTP and Source IP as the Persistence Mode.

d) Select 30 Minutes as the Persistence Timeout.

e) Select least connection as the Scheduling Method.

f) Enter 1800 in the Idle Connection Timeout field and click Set Idle Timeout.

Office Online Server Virtual_1_4.png

9. Expand the Real Servers section and select the following options:

g) Select HTTPS Protocol in the drop-down menu.

h) Enter /hosting/discovery in the URL field and click Set URL.

i) Select the Use HTTP/1.1 check box.

Select GET as the HTTP Method.

5 References

Unless otherwise specified, the documents below can be found at http://www.kemptechnologies.com/documentation

Web User Interface (WUI), Configuration Guide

Virtual Services and Templates, Feature Description

ESP, Feature Description

Microsoft Exchange 2010, Deployment Guide

Microsoft Exchange 2013, Deployment Guide

Exchange Team Blog post on Load Balancing in Exchange 2016

http://blogs.technet.com/b/exchange/archive/2015/10/08/load-balancing-in-exchange-2016.aspx

KCD, Feature Description

KEMP Web Application Firewall, Feature Description

6 Document History

Date

Change

Reason for Change

Ver.

Resp.

Feb 2016

Initial draft

First draft of document

1.0

KG

Mar 2016

Minor updates

Enhancements made

2.0

LB

July 2016

Release updates

Updates for 7.1.35

3.0

LB

Oct 2016

Release updates

Updates for 7.2.36

4.0

POC

Jan 2017

Release updates

Updates for 7.2.37

5.0

POC

July 2017 Updates Changes to templates 6.0 POC

 

Was this article helpful?

0 out of 0 found this helpful

Comments

Avatar
tal

in the guid powershell command fl was f1