Hey all, very much a beginner with hardware load balancing.
Currently running two multi-role Exchange 2010 SP1 servers in a CAS array and a DAG. External clients <HTTPS> are going through a firewall and into the internal Exchange servers using NAT. Internal clients <MAPI and HTTPS> are on the same subnet as the Exchange servers. Want to use a Hardware Load Balancer with my DAG setup to make Exchange more available.
Got through reviewing Henrik Walther's article on Load Balancing Exchange 2010 CAS using a Hardware Load Balancer here: http://www.msexchange.org/articles_tuto ... part1.html
According to part 2 of the article, it looks like Henrik is setting up a single arm configuration and using L7 Transparency.
According to the Kemp manual, single arm is defined when the virtual services and the real servers are on the same subnet.
From the Kemp "LoadMaster Deployment Guide for MS Exchange 2010", page 9, it states the following under the L7 Transparency section:
No clients may be located in the same IP subnet with the Real Servers. If necessary, you can use additional ports on the LoadMaster to ensure that Real Servers and Clients are located on distinct IP subnets.
Providing that just the first condition above is met, in a L7 transparent single arm configuration (with Virtual Servers and Real Servers on the same subnet), all clients will be able to still achieve end-to-end connectivity. However, those clients located on the same subnet (and ONLY those clients) will be handled non-transparently, and may experience redundant re-authentication prompts. Virtual Services operating on L4 always act transparently, but end-to-end connectivity will NOT be possible for same-subnet clients.
http://www.kemptechnologies.com/fileadm ... de_5_1.pdf
My questions are:
Can I still use L7 Transparency like Henrik suggests in his guide if my clients and servers are on the same subnet <one-armed config>?
If so, what about the non-transparent issue as suggested by the Kemp manual for one-armed configs? Will Outlook users on the same subnet continually get prompted to re-authenticate then?
Henrik's article suggests setting up static ports for Exchange 2010 RPC/MAPI traffic. It looks like according to the Kemp Deployment Guide referenced above <dated August 2011, page 14>, we can now use the wildcard * for the RPC/MAPI ports. Does this mean we no longer have to use Exchange static ports for a one-armed config?
Henrik's article doesn't mention it, but it seems like I would need an SMTP service as well on the HLB? Inbound mail flows from the internet, to firewall, to anti-spam appliance, to Exchange currently. Since I need to put the HLB in front of Exchange, I would also need to set up an SMTP service on the HLB and point the various SMTP rules I have in place to the VIP of the HLB, correct?
Thanks in advance for any help on this.