Questions about HLB and Exchange 2010


Hey all, very much a beginner with hardware load balancing.

Currently running two multi-role Exchange 2010 SP1 servers in a CAS array and a DAG. External clients (HTTPS) are going through a firewall and into the internal Exchange servers using NAT. Internal clients (MAPI and HTTPS) are on the same subnet as the Exchange servers. Want to use a Hardware Load Balancer with my DAG setup to make Exchange more available.

Got through reviewing Henrik Walther's article on Load Balancing Exchange 2010 CAS using a Hardware Load Balancer here: http://www.msexchange.org/articles_tuto ... part1.html

According to part 2 of the article, it looks like Henrik is setting up a single arm configuration and using L7 Transparency.

According to the Kemp manual, single arm is defined when the virtual services and the real servers are on the same subnet.

From the Kemp "LoadMaster Deployment Guide for MS Exchange 2010", page 9, it states the following under the L7 Transparency section:

No clients may be located in the same IP subnet with the Real Servers. If necessary, you can use additional ports on the LoadMaster to ensure that Real Servers and Clients are located on distinct IP subnets.

Providing that just the first condition above is met, in a L7 transparent single arm configuration (with Virtual Servers and Real Servers on the same subnet), all clients will be able to still achieve end-to-end connectivity. However, those clients located on the same subnet (and ONLY those clients) will be handled non-transparently, and may experience redundant re-authentication prompts. Virtual Services operating on L4 always act transparently, but end-to-end connectivity will NOT be possible for same-subnet clients.

http://www.kemptechnologies.com/fileadm ... de_5_1.pdf

My questions are:

  1. Can I still use L7 Transparency like Henrik suggests in his guide if my clients and servers are on the same subnet (one-armed config)?

  2. If so, what about the non-transparent issue as suggested by the Kemp manual for one-armed configs? Will Outlook users on the same subnet continually get prompted to re-authenticate then?

  3. Henrik's article suggests setting up static ports for Exchange 2010 RPC/MAPI traffic. It looks like according to the Kemp Deployment Guide referenced above (dated August 2011, page 14), we can now use the wildcard * for the RPC/MAPI ports. Does this mean we no longer have to use Exchange static ports for a one-armed config?

  4. Henrik's article doesn't mention it, but it seems like I would need an SMTP service as well on the HLB? Inbound mail flows from the internet, to firewall, to anti-spam appliance, to Exchange currently. Since I need to put the HLB in front of Exchange, I would also need to setup an SMTP service on the HLB and point the various SMTP rules I have in place to the VIP of the HLB correct?

Thanks in advance for any help on this.

13 comments

James Rago -- K360 Technical Product Manager (Official comment)

Seems like you have a pretty good understanding of the situation. Here are some answers I hope you find helpful:

  1. You can use L7 Transparency with clients and servers on the same subnet, but it will not behave transparently for those clients. As our Exchange Deployment Guide states: "clients located on the same subnet (and ONLY those clients) will be handled non-transparently, and may experience redundant re-authentication prompts." If clients and servers are on the same subnet, true transparency would cause the server to return traffic directly to the clients, and since the client expects a response from LoadMaster, the server responses would fail.

  2. There is a potential issue when operating non-transparently with NTLM authentication. NTLM authentication may not work properly with some reverse proxies.

  3. Absolutely! Starting in version 5.1, we support wildcard services which removes the need for static ports on your CAS servers.

  4. Correct, you would need to create a virtual service on your LoadMaster for SMTP on port 25. The Exchange Deployment Guide covers this on page 29.

Please be advised, if you operate this service transparently, the default gateway of your servers will need to point to LoadMaster. This will ensure that responses to off-subnet clients will return by way of LoadMaster. If you operate non-transparently, your server will be unable to restrict relay access by source IP since they will all appear to originate at the virtual service address.

I hope that helps
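The static-port alternative from question 3, as an added PowerShell example that is not from Henrik's article, the Kemp guide or this thread. With a LoadMaster wildcard service the static ports are unnecessary; if you still want to pin them (for example so a firewall or a per-port virtual service only has to allow known ports), this is the Exchange 2010 SP1 registry configuration plus two checks. The port numbers 60000/60001 and the CAS array FQDN outlook.example.local are assumed values, and the registry part must run elevated on each CAS during a maintenance window, because restarting MSExchangeRPC drops every connected Outlook session on that server.

```powershell
# Added example (not from Henrik's article, the Kemp guide or this thread):
# pin the Exchange 2010 SP1 RPC Client Access and Address Book services on a
# CAS to static TCP ports, then verify the listeners from the server and from
# a client. Ports 60000/60001 and the array FQDN are assumed values.
$RpcPort   = 60000                     # MSExchangeRPC (RPC Client Access service)
$AbPort    = 60001                     # MSExchangeAB  (Address Book service)
$ArrayFqdn = 'outlook.example.local'   # CAS array name that resolves to the VIP (assumed)

$rpcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem'
$abKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeAB\Parameters'

# RPC Client Access reads REG_DWORD "TCP/IP Port"
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
New-ItemProperty -Path $rpcKey -Name 'TCP/IP Port' -PropertyType DWord `
    -Value $RpcPort -Force | Out-Null

# Address Book (SP1 moved this from the .exe.config file to the registry) reads REG_SZ "RpcTcpPort"
if (-not (Test-Path $abKey)) { New-Item -Path $abKey -Force | Out-Null }
New-ItemProperty -Path $abKey -Name 'RpcTcpPort' -PropertyType String `
    -Value "$AbPort" -Force | Out-Null

# Restarting these services disconnects Outlook users on this CAS; do it in a maintenance window.
Restart-Service -Name MSExchangeRPC, MSExchangeAB

# Server side: both services must now be LISTENING on the pinned ports.
function Test-StaticRpcPorts {
    param([int[]]$Ports)
    $listening = netstat -ano -p tcp | Select-String 'LISTENING'
    foreach ($p in $Ports) {
        $hit = $listening | Where-Object { $_.Line -match ":$p\s" }
        [pscustomobject]@{ Port = $p; Listening = [bool]$hit }
    }
}
Test-StaticRpcPorts -Ports $RpcPort, $AbPort

# Client side (run from a workstation on the client subnet): the VIP must answer on
# the RPC endpoint mapper (135) as well as both pinned ports. Outlook still asks the
# endpoint mapper first, so 135 needs to be load balanced too.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        $done   = $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
        [pscustomobject]@{ Target = "${ComputerName}:$Port"; Open = ($done -and $client.Connected) }
    } finally {
        $client.Close()
    }
}
135, $RpcPort, $AbPort | ForEach-Object { Test-TcpPort -ComputerName $ArrayFqdn -Port $_ }
```

If the server-side check shows the ports listening but the client-side check against the array name fails, the virtual service (or the firewall between the subnets) is the problem, not Exchange.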

John Smith

Great, thanks for the response. Still a bit confused on your answers for 1 and 2 though.

  1. When we are talking about clients and servers on the same subnet, I am referring to internal Outlook users using MAPI connecting to the CAS array on the same subnet. When we say transparency, I am referring to an uninterrupted connection for the Outlook client during a failover to a different CAS server behind the HLB.

So if I check the L7 Transparency box like Henrik's guide, this means what exactly? That during a CAS/DAG failover, my internal Outlook clients will get prompted again for authentication?

If so, how many times, just once? The only way to make that uninterrupted would be to setup a two-armed config?

  2. The article you linked seems to refer to RPC over HTTPS (Outlook Anywhere) clients. These clients would usually be outside the firewall, thus on a different subnet. If I checked the L7 transparency box, wouldn't they be considered "clients on a different subnet", meaning they should have complete transparency? Or is it because they are being NATed at the firewall, it will look like the same subnet to the HLB?

Also, your last paragraph confuses me. IIRC, according to the Kemp Exchange Deployment Guide, I'm supposed to set my CAS servers gateway to the HLB. Why would I not want to do this?

James Rago -- K360 Technical Product Manager

Here's a bit more clarification on those two points.

  1. You're clear on the clients and servers on the same subnet, but you don't have transparency clear. Transparency does not pertain to whether there is an "uninterrupted connection"; LoadMaster always* acts as a proxy. As a result, there are two separate connections: the connection from the client to the virtual service at LoadMaster and the connection from LoadMaster to the real server.

Transparency concerns that second connection from the LoadMaster to the real server. In transparent mode, the source address of this connection is the original client IP. In non-transparent mode, the source address is LoadMaster.

During a CAS failover, the connection to the virtual service will need to be closed. When Outlook reconnects, it will connect to an available server. Depending on the authentication method used, users may be prompted to reauthenticate because they are changing servers. This is not affected by whether it is one-armed or two-armed.

  2. You are correct, Outlook Anywhere would be considered 'clients on a different subnet' and would allow transparency as long as the CAS default gateways point to LoadMaster.

To address your last paragraph, while we do recommend changing the CAS servers' gateway to LoadMaster, it is not a requirement if you operate non-transparently. We do have customers who, for various reasons, do not wish to change the servers' gateway. This is fine, but it does restrict the configuration options available on LoadMaster.

John Smith

"...Depending on the authentication method used, users may be prompted to reauthenticate because they are changing servers."

This exact scenario is what I am trying to avoid by installing the HLB. I understand the transparency feature a bit better now, thanks.

So during a CAS failover, how can I get the Outlook clients to reconnect to the other CAS server behind the HLB without the clients getting re-prompted to authenticate? Or is this not possible?

I thought the purpose of the HLB is to make the client side totally uninterrupted during a failover situation?

James Rago -- K360 Technical Product Manager

Info that we have gathered so far through customers that have worked on this with MS is that MAPI clients will be prompted for credentials when switching between CAS servers in an array (only when using BASIC authentication) due to CAS failover. NTLM and Kerberos will reauthenticate silently.

Other notes that we made are below

OWA forms based authentication needs to be prompted for credentials (MS Design), Just session on a server
Outlook MAPI Clients - needs to be prompted for credentials (MS Design)
Outlook Anywhere clients should not be prompted for credentials.

Basic authentication - always requires re-authentication
Integrated authentication - depends on whether the info is the same between forests in AD

John Smith

So just to be completely clear, for internal, domain joined users using Outlook connecting to the CAS array via MAPI, by default they are using NTLM correct?

If that is the case, then during CAS failover behind an HLB, I should expect that my MAPI based Outlook clients will not incur a user visible reauth prompt (meaning it will reauth silently without interruption)?

James Rago -- K360 Technical Product Manager

Yes I believe this should be the case but not sure that this is always true and I've received different answers from different sources on this.
I have seen customers who get the re-authentication prompt even with NTLM. In several of these cases, they migrated to Kerberos (current MS recommendation) and then they were OK, but because there are a lot of variables this is really an MS question and I am not an Exchange expert.

John Smith

Great, thanks for the info. I guess a re-auth prompt w/an HLB is still better than downtime during a CAS failover without an HLB!

James Rago -- K360 Technical Product Manager

That's the idea. We try as much as possible to make transitions as smooth as possible. When that's not possible at least you are able to access your services.

John Smith

Some more confusion. I just read this: viewtopic.php?f=4&t=10378

So my config will most likely be single arm, with CAS servers and clients on the same subnet, with transparency enabled (except for the internal clients on the same subnet). The HLB will be in front of the CAS servers on the same subnet.

Inbound SMTP will go from the internet - firewall - spam filter - HLB - CAS servers.

According to the post linked above, will this work OK?

What about outbound SMTP? I would imagine that outbound SMTP would go through the HLB as well since the CAS servers gateways are pointing at the HLB? Does outbound SMTP then come from the HLB Virtual IP also?

James Rago -- K360 Technical Product Manager

That should work all right, but your CAS servers will need to set LoadMaster as their default gateway. If you don't want to set that, you can operate non-transparently, but then the IP of the client will be obscured. In version 6.0, we will be allowing per virtual service restrictions to prevent LoadMaster from becoming an open relay in this situation. Version 6.0 should be available later this week, keep an eye on the News forum for updates.

John Smith

Cool, I'm glad I finally understand it a bit better. Thanks for your patience.

When you say transparency only affects inbound traffic, for my inbound SMTP from the internet, it's going to go through a spam filter device first (which is on the same subnet as the HLB/CAS). So that means that inbound SMTP will be non-transparent.

But this shouldn't matter to the CAS because it won't care what device IP the e-mail came from, whether the spam filter's IP or the HLB VIP correct?

James Rago -- K360 Technical Product Manager

Right, if you already have a device NATing connections, it doesn't really matter if LoadMaster is doing it a second time by operating non-transparently. The only time where operating non-transparently is a problem is when you want to log or restrict access by the source IP of the client. If your CAS doesn't care about the source IP, then there is no problem with operating non-transparently.
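The source-IP point James makes twice above (a non-transparent virtual service presents every SMTP connection from the VIP, so a Receive Connector can no longer restrict relay by the client's address) as an added PowerShell example. It is not part of this thread, the Kemp guide or Henrik's article. The addresses (LoadMaster VIP 10.0.0.10, spam filter 10.0.0.20, CAS 10.0.0.5), the server and connector names are assumed, and the protocol-log lines at the bottom are constructed in the Exchange 2010 SmtpReceive log layout rather than taken from a real server. The parser is what you would run against the live RECV*.LOG files after the LoadMaster is in the path to see whether Exchange is observing real client addresses or only the VIP.

```powershell
# Added example (not from this thread or the Kemp guide): restrict anonymous relay to
# one upstream device's address, then read the SMTP receive protocol log to see which
# source address Exchange actually observes behind the LoadMaster.
# Assumed addresses: LoadMaster VIP 10.0.0.10, spam filter 10.0.0.20, CAS 10.0.0.5.

# 1. A relay connector scoped to the single device allowed to relay. The RemoteIPRanges
#    restriction only means something if the connection reaches Exchange with its
#    original source IP, i.e. the virtual service is transparent and the CAS default
#    gateway is the LoadMaster.
New-ReceiveConnector -Name 'Relay from spam filter' -Usage Custom -Server CAS1 `
    -Bindings '0.0.0.0:25' -RemoteIPRanges '10.0.0.20' `
    -AuthMechanism None -PermissionGroups AnonymousUsers
# This extended right is the "relay access" James refers to: anonymous senders may
# submit to any recipient, so the connector must stay limited to trusted source IPs.
Get-ReceiveConnector 'CAS1\Relay from spam filter' |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient'

# Non-transparent variant (what you would be forced into): every proxied connection
# arrives from the VIP, so listing 10.0.0.10 here admits anything the LoadMaster
# forwards to this connector, which is the open-relay risk. Shown only to contrast.
# Set-ReceiveConnector 'CAS1\Relay from spam filter' -RemoteIPRanges '10.0.0.10'

# 2. Turn on verbose protocol logging so the remote-endpoint column is populated.
Set-ReceiveConnector 'CAS1\Relay from spam filter' -ProtocolLoggingLevel Verbose

function Get-SmtpReceiveSources {
    # Parse Exchange 2010 SmtpReceive protocol log text (header lines start with '#')
    # and count the client addresses seen on connect ('+') events, per connector.
    param([string[]]$Lines)
    $rows = $Lines | Where-Object { $_ -notmatch '^#' -and $_.Trim() -ne '' } |
        ConvertFrom-Csv -Header 'date-time', 'connector-id', 'session-id', 'sequence-number',
                                'local-endpoint', 'remote-endpoint', 'event', 'data', 'context'
    $rows | Where-Object { $_.event -eq '+' } |
        ForEach-Object {
            [pscustomobject]@{
                Connector = $_.'connector-id'
                Source    = ($_.'remote-endpoint' -replace ':\d+$', '')   # strip the client port
            }
        } |
        Group-Object Connector, Source |
        Select-Object Count, Name
}

# Constructed sample (not a real log): two sessions seen through a non-transparent
# service (source = VIP 10.0.0.10) and one seen transparently (source = 10.0.0.20).
$sample = @'
#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: SMTP Receive Protocol Log
#Date: 2011-08-20T10:15:00.000Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2011-08-20T10:15:03.001Z,CAS1\Relay from spam filter,08CE3A1B2C3D4E01,0,10.0.0.5:25,10.0.0.10:51200,+,,
2011-08-20T10:15:03.002Z,CAS1\Relay from spam filter,08CE3A1B2C3D4E01,1,10.0.0.5:25,10.0.0.10:51200,>,"220 cas1.example.local Microsoft ESMTP MAIL Service ready",
2011-08-20T10:15:09.001Z,CAS1\Relay from spam filter,08CE3A1B2C3D4E02,0,10.0.0.5:25,10.0.0.10:51207,+,,
2011-08-20T10:16:21.001Z,CAS1\Relay from spam filter,08CE3A1B2C3D4E03,0,10.0.0.5:25,10.0.0.20:40022,+,,
'@ -split "`r?`n"

Get-SmtpReceiveSources -Lines $sample

# Against the live logs on the CAS/Hub server:
# Get-Content "$env:ExchangeInstallPath\TransportRoles\Logs\ProtocolLog\SmtpReceive\RECV*.LOG" |
#     Get-SmtpReceiveSources
```

On the constructed sample the function reports two connects from 10.0.0.10 and one from 10.0.0.20. If your live log shows only the VIP, the service is running non-transparently for that path (the thread's same-subnet case), and a source-IP restriction on the connector is ineffective until the CAS gateway points at the LoadMaster and transparency is in effect, or until the LoadMaster itself restricts who may reach the SMTP virtual service.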