Microsoft Exchange 2010

Introduction

Microsoft Exchange version supported

The ALOHA load-balancer can be used with the following versions of Microsoft Exchange:

  • Microsoft Exchange 2010
  • Microsoft Exchange 2010 SP1
  • Microsoft Exchange 2010 SP2
  • Microsoft Exchange 2010 SP3

Disclaimer

The Exchange 2010 configuration tips provided in this guide are purely informational. For more information about the Microsoft Exchange 2010 tools and how to use them, please refer to the Microsoft web site, where they are fully documented.

This guide does not provide information on how to install and setup an Exchange 2010 cluster.

Introduction to Microsoft Exchange 2010

Microsoft Exchange 2010 provides businesses with email, calendar and contacts on the PC, phone and web.

One of the most interesting points of Microsoft Exchange 2010 is that roles can now be dedicated to servers. This way of working allows administrators to build redundant platforms, using a load-balancer to let clients connect to the services.

Thanks to its new design, Microsoft Exchange 2010 is now scalable.

There are 5 server roles: Mailbox, Client Access, Hub Transport, Unified Messaging and Edge Transport Server.

Role               Purpose
Client Access      Frontend servers to which clients connect to access their emails, contacts and calendar
Edge Transport     Handles the internet-facing mail flow, with security features (anti-virus and anti-spam)
Hub Transport      Exchange 2010 mail router within the organization
Mailbox            Servers hosting mailboxes and public folders
Unified Messaging  Delivers fax and voicemail to Outlook 2010 clients

The ALOHA Load-balancer can balance services from the Client Access, Hub Transport and Edge Transport servers.

Exchange 2010 architecture

The diagram below shows how the different roles are used in a typical Exchange 2010 platform:

[Figure: exchange_2010_flow.png]

Client Access Services

The diagram below shows the services hosted by the CAS servers and the interactions with both Active Directory and mailbox server.

It also shows the client type per service:

[Figure: exchange_2010_cas_services.png]

Basically, the ALOHA Load-Balancer stands between the clients and the Client Access Servers.

SMTP load-balancing

  • Using DNS:

    SMTP load-balancing can be achieved by setting up two or more DNS MX (Mail eXchanger) entries, each one pointing to an Exchange Hub Transport server. An SMTP client first uses the MX record with the lowest preference value, then tries the next higher one.

  • Using a load-balancer:

    A load-balancer can be used to load-balance SMTP. A single MX entry pointing to the load-balancer is enough; the load-balancer then balances connections among the SMTP servers configured behind it.

Of course, both solutions can be combined.

Ports and protocols

The table below summarizes the ports and protocols involved on the Client Access servers:

TCP port     Protocol       CAS service
80 and 443   HTTP / HTTPs   HTTP-based services:
                              • Autodiscover (AS)
                              • Exchange ActiveSync (EAS)
                              • Exchange Control Panel (ECP)
                              • Offline Address Book (OAB)
                              • Outlook Anywhere (OA)
                              • Outlook Web App (OWA)
110 and 995  POP3 / POP3s   POP3
135          TCP            RPC Endpoint Mapper (EPM)
143 and 993  IMAP / IMAPs   IMAP4
60000        TCP            Static port for the RPC Client Access service
60001        TCP            Static port for the Address Book service

The static ports for both RPC Client Access and Address Book service are chosen randomly by default.

Warning

Microsoft recommends using ports within the range 59531 to 60554, and using the same ports on all Client Access Servers within the same AD site.

Service affinity

Affinity depends on the service. The table below summarizes the affinity requirements per service:

Persistence required:
  • Exchange Control Panel (ECP)
  • Exchange Web Services (EWS)
  • Outlook Web App (OWA)
  • RPC Client Access Service

Persistence recommended:
  • Address Book Service (AB)
  • Exchange ActiveSync (EAS)
  • Outlook Anywhere (OA)
  • Remote PowerShell

No persistence required:
  • AutoDiscover (AD)
  • Offline Address Book (OAB)
  • POP3
  • IMAP4

Why use a load-balancer in an Exchange 2010 platform

First of all, even though Exchange 2010 provides service arrays to ensure high availability, it does not provide any load-balancing mechanism.

That means a third-party appliance is needed to balance traffic across the Client Access Servers and their services.

The services that can be load-balanced are the ones hosted by the Client Access Servers as well as SMTP for Edge Transport Servers.

Using a load-balancer to load-balance Microsoft Exchange 2010 brings the following benefits:

  • Application-aware health checking: a load-balancer provides application-layer health checks, which report the status of the service itself and are far more meaningful than a simple ping
  • Granular persistence methods: depending on the Exchange service, the client software and the architecture, different persistence methods must be applied
  • SSL offloading: a load-balancer can handle the SSL connections for the CAS array servers, so that the CAS servers can focus on their job
  • Scale up: building an architecture with a load-balancer allows scaling up
  • Scale out: splitting services on the load-balancer side, at the cost of more VIPs and IP addresses, brings the ability to scale out the CAS array by dedicating some servers to specific services

Exchange 2010 configuration

In order to ensure your CAS array is compatible with a hardware load-balancer (HLB), follow the instructions provided by Microsoft: http://technet.microsoft.com/en-us/library/ee332317.asp

Some excellent blog posts also describe the procedure:

MAPI/RPC services

The configuration template below shows how to configure HAProxy for the Microsoft Exchange 2010 MAPI/RPC services.

The following parameters may have to be updated to match every environment:

  • peer directive statements: ALOHA appliance names and associated administrative IP
  • bind : the listening IP (usually an IP address configured over VRRP)
  • server : the server name and IP addresses

The configuration below is also available for download:

Note

The defaults XCHANGE2010_TCP, peers and backend sourceaddr sections can be shared with the other Exchange 2010 TCP-based services. There is no need to duplicate them.

peers alohalb
  peer aloha1 10.0.0.1:1023
  peer aloha2 10.0.0.2:1023

# Persistence table
backend sourceaddr
  stick-table size 10k type ip peers alohalb

defaults XCHANGE2010_TCP
  mode tcp
  log global
  option tcplog
  balance leastconn
  option dontlognull
  option redispatch
  option contstats
  option socket-stats
  timeout server 600s
  timeout client 600s
  timeout connect 5s
  timeout queue 60s
  retries 3
  default-server inter 15s rise 2 fall 2
  backlog 10000

frontend ft_xchange2010_rpctcp
  bind 10.0.0.3:135 name epm tcp-ut 30s
  bind 10.0.0.3:60000 name mapi tcp-ut 30s
  bind 10.0.0.3:60001 name addressbook tcp-ut 30s
  default_backend bk_xchange2010_rpctcp

backend bk_xchange2010_rpctcp
  balance leastconn
  stick on src table sourceaddr
  option tcp-check
  tcp-check connect port 135
  tcp-check connect port 60000
  tcp-check connect port 60001
  default-server on-marked-down shutdown-sessions
  server CAS1 10.0.0.15 check
  server CAS2 10.0.0.16 check

POP3 service

The POP3 protocol can work over two types of connection: in clear text (called POP, default port 110) or over TLS (called POPs, default port 995). Because of this, several deployment layouts are possible:

  • TCP forward on POP (TCP/110) only
  • TCP forward on POPs (TCP/995) only
  • SSL offload on POPs (TCP/995) only
  • TCP forward on both POP (TCP/110) and POPs (TCP/995)
  • TCP forward on POP (TCP/110) and SSL offload on POPs (TCP/995)

Note

SSL offload means HAProxy terminates the SSL/TLS connection and decrypts the traffic. It is not compatible with STARTTLS, where the connection starts in clear text and switches to TLS later.

To be compatible with STARTTLS, simply use the TCP forward configuration.

The configuration template below introduces the HAProxy configuration for the Microsoft Exchange 2010 POP3 service in the TCP forward layout on both POP (TCP/110) and POPs (TCP/995).

The following parameters may have to be updated to match each environment:

  • bind : the listening IP (usually an IP address configured over VRRP)
  • server : the server name and IP addresses

The configuration below is also available for download:

Note

The defaults XCHANGE2010_TCP section can be used for other Exchange 2010 TCP based services. No need to duplicate it.

defaults XCHANGE2010_TCP
  mode tcp
  log global
  option tcplog
  balance leastconn
  option dontlognull
  option redispatch
  option contstats
  option socket-stats
  timeout server 600s
  timeout client 600s
  timeout connect 5s
  timeout queue 60s
  retries 3
  default-server inter 15s rise 2 fall 2
  backlog 10000

frontend ft_xchange2010_pop
  bind 10.0.0.3:110 name POP tcp-ut 30s
  bind 10.0.0.3:995 name POPs tcp-ut 30s
  default_backend bk_xchange2010_pop

backend bk_xchange2010_pop
  option tcp-check
  tcp-check connect port 110
  tcp-check expect string +OK
  tcp-check connect port 995 ssl
  tcp-check expect string +OK
  default-server on-marked-down shutdown-sessions
  server CAS1 10.0.0.15 check
  server CAS2 10.0.0.16 check

IMAP4 service

The IMAP4 protocol can work over two types of connection: in clear text (called IMAP, default port 143) or over TLS (called IMAPs, default port 993). Because of this, several deployment layouts are possible:

  • TCP forward on IMAP (TCP/143) only
  • TCP forward on IMAPs (TCP/993) only
  • SSL offload on IMAPs (TCP/993) only
  • TCP forward on both IMAP (TCP/143) and IMAPs (TCP/993)
  • TCP forward on IMAP (TCP/143) and SSL offload on IMAPs (TCP/993)

Note

SSL offload means HAProxy terminates the SSL/TLS connection and decrypts the traffic. It is not compatible with STARTTLS, where the connection starts in clear text and switches to TLS later.

To be compatible with STARTTLS, simply use the TCP forward configuration.

The configuration template below introduces the HAProxy configuration for the Microsoft Exchange 2010 IMAP4 service in the TCP forward layout on both IMAP (TCP/143) and IMAPs (TCP/993).

The following parameters may have to be updated to match each environment:

  • bind : the listening IP (usually an IP address configured over VRRP)
  • server : the server name and IP addresses

The configuration below is also available for download:

Note

The defaults XCHANGE2010_TCP section can be used for other Exchange 2010 TCP based services. No need to duplicate it.

defaults XCHANGE2010_TCP
  mode tcp
  log global
  option tcplog
  balance leastconn
  option dontlognull
  option redispatch
  option contstats
  option socket-stats
  timeout server 600s
  timeout client 600s
  timeout connect 5s
  timeout queue 60s
  retries 3
  default-server inter 15s rise 2 fall 2
  backlog 10000

frontend ft_xchange2010_imap
  bind 10.0.0.3:143 name IMAP tcp-ut 30s
  bind 10.0.0.3:993 name IMAPs tcp-ut 30s
  default_backend bk_xchange2010_imap

backend bk_xchange2010_imap
  option tcp-check
  tcp-check connect port 143
  tcp-check expect string *\ OK
  tcp-check connect port 993 ssl
  tcp-check expect string *\ OK
  default-server on-marked-down shutdown-sessions
  server CAS1 10.0.0.15 check
  server CAS2 10.0.0.16 check
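A small pre-flight checker that reproduces the POP3 and IMAP4 health checks of the two backends above (the `tcp-check connect port ... [ssl]` / `tcp-check expect string ...` pairs) from an administrator's workstation, so a CAS can be verified before it is put behind the load-balancer. This is an added example, not part of the original guide or of HAProxy; the CAS addresses are the page's placeholders and the check rules are constructed to match bk_xchange2010_pop and bk_xchange2010_imap.

```python
"""Emulation of the page's POP3/IMAP4 tcp-check rules (added example)."""
import socket
import ssl
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpCheck:
    port: int
    expect: str            # "+OK" for POP3, "* OK" for IMAP4
    use_ssl: bool = False  # the `ssl` keyword on `tcp-check connect`


# Constructed from the page's bk_xchange2010_pop and bk_xchange2010_imap.
POP3_CHECKS = (TcpCheck(110, "+OK"), TcpCheck(995, "+OK", True))
IMAP4_CHECKS = (TcpCheck(143, "* OK"), TcpCheck(993, "* OK", True))


def banner_matches(banner: bytes, expect: str) -> bool:
    """HAProxy's `tcp-check expect string` is a substring match on the
    bytes received, so "+OK Microsoft Exchange ..." matches "+OK"."""
    return expect.encode() in banner


def probe(host: str, check: TcpCheck, timeout: float = 5.0,
          verify: bool = False) -> bool:
    """Connect (optionally over TLS), read the greeting, apply the rule.

    Returns False on connection failure, timeout or a non-matching
    greeting, which is exactly when HAProxy would count a failed check.
    verify=False mirrors the page's check, which does not validate the
    CAS certificate; set it to True once the CAS has a trusted one.
    """
    try:
        raw = socket.create_connection((host, check.port), timeout=timeout)
        if check.use_ssl:
            ctx = ssl.create_default_context()
            if not verify:
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
            raw = ctx.wrap_socket(raw, server_hostname=host)
        with raw:
            return banner_matches(raw.recv(512), check.expect)
    except (OSError, ssl.SSLError):
        return False


def server_is_up(host: str, checks) -> bool:
    """A server is UP only when every rule of the backend passes; like
    HAProxy, stop at the first failing rule."""
    return all(probe(host, c) for c in checks)


if __name__ == "__main__":
    for cas in ("10.0.0.15", "10.0.0.16"):  # placeholders from the page
        print(cas, "POP3:", server_is_up(cas, POP3_CHECKS),
              "IMAP4:", server_is_up(cas, IMAP4_CHECKS))
```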


HTTP based services

Many Microsoft Exchange 2010 services run over the HTTP/HTTPs protocol. The table below introduces each service with its own settings:

Service name            Shortname  Default URL path               Type of client            Persistence
Autodiscover            AS         /autodiscover/                 Outlook                   N/A
Exchange ActiveSync     EAS        /microsoft-server-activesync/  Mobile phones             Authorization header
Exchange Control Panel  ECP        /ecp/                          Web browser               LB cookie (shared with OWA)
Exchange Web Services   EWS        /ews/                          Third-party applications  N/A
Offline Address Book    OAB        /oab/                          Outlook                   N/A
Outlook Anywhere        OA         /rpc/rpcproxy.dll              Outlook                   Source IP
Outlook Web App         OWA        /owa/                          Web browser               LB cookie (shared with ECP)

From a host name point of view, different policies can be applied:

  • one host name for all the services, e.g. mail.domain.com
  • one host name per service, e.g. autodiscover.domain.com, owa.domain.com, ews.domain.com, etc.
  • a mix of the above, e.g. Outlook Anywhere on oa.domain.com and all other services on mail.domain.com

There are three main architecture layouts possible for Exchange 2010 services running over HTTP/HTTPs:

  • HTTP reverse proxy on HTTP (TCP/80) and TCP forward on HTTPs (TCP/443)
  • HTTP reverse proxy on both HTTP and HTTPs, which means activating SSL offloading on HTTPs
  • SSL bridging (or re-encryption) to enable HTTP reverse proxy on both HTTP and HTTPs and get connected using HTTPs on the server side

Many configurations can be built by mixing the options above. Whatever your choice is, the ALOHA Load-Balancer can match it.

For most deployments, a configuration in SSL offloading or in HTTPs forward mode is the simplest way to go.

For big deployments (2000+ users in SSL offloading or 1000+ users in SSL bridging), we recommend a mix of the above:

  • One hostname and one VRRP IP for Outlook Anywhere, configured in TCP forward mode for HTTPs
  • One hostname for all the other services, configured in SSL offloading or SSL bridging mode

Note

Don't hesitate to contact your pre-sales engineer to find out which ALOHA hardware and license match your requirements.

HTTP SSL forward mode

The following parameters may have to be updated to match each environment:

  • peer directive statements: ALOHA appliance names and associated administrative IP
  • bind : the listening IP (usually an IP address configured over VRRP)
  • server : the server name and IP addresses

Note

The defaults XCHANGE2010_TCP, peers and backend sourceaddr sections can be shared with the other Exchange 2010 TCP-based services. There is no need to duplicate them.

The configuration below is also available for download:

peers alohalb
  peer aloha1 10.0.0.1:1023
  peer aloha2 10.0.0.2:1023

# Persistence table
backend sourceaddr
  stick-table size 10k type ip peers alohalb

defaults XCHANGE2010_TCP
  mode tcp
  log global
  option tcplog
  balance leastconn
  option dontlognull
  option redispatch
  option contstats
  option socket-stats
  timeout server 600s
  timeout client 600s
  timeout connect 5s
  timeout queue 60s
  retries 3
  default-server inter 15s rise 2 fall 2
  backlog 10000

# Redirection to SSL frontend
frontend ft_xchange2010_http
  bind 10.0.0.3:80 name http tcp-ut 30s
  mode http
  option httplog
  timeout client 10s
  timeout http-request 10s
  http-request redirect scheme https

frontend ft_xchange2010_ssl_forward
  bind 10.0.0.3:443 name https tcp-ut 30s
  default_backend bk_xchange2010_ssl_forward

backend bk_xchange2010_ssl_forward
  stick on src table sourceaddr
  option tcp-check
  tcp-check connect port 443 ssl
  server CAS1 10.0.0.15:443 check
  server CAS2 10.0.0.16:443 check

HTTP SSL offload mode

The following parameters may have to be updated to match each environment:

  • peer directive statements: ALOHA appliance names and associated administrative IP
  • bind : the listening IP (usually an IP address configured over VRRP), the SSL certificate name
  • server : the server name and IP addresses
  • Replace every occurrence of mail.domain.com with the hostname used to host your Exchange 2010 services.

Note

The peers and backend sourceaddr sections can be shared with the other Exchange 2010 TCP-based services. There is no need to duplicate them.

The configuration below is also available for download:

peers alohalb
  peer aloha1 10.0.0.1:1023
  peer aloha2 10.0.0.2:1023

# Persistence tables
backend sourceaddr
  stick-table size 10k type ip peers alohalb

backend hdr_authorization
  stick-table size 10k type string len 32 peers alohalb

defaults XCHANGE2010_HTTP
  mode http
  log global
  option httplog
  balance leastconn
  option dontlognull
  option redispatch
  option contstats
  option socket-stats
  timeout connect 5s
  timeout server 1000s
  timeout client 1000s
  timeout http-request 10s
  timeout http-keep-alive 1m
  timeout queue 60s
  option http-keep-alive
  option prefer-last-server
  retries 3
  default-server inter 15s rise 2 fall 2
  backlog 10000

# Redirection to SSL frontend
frontend ft_xchange2010_http
  bind 10.0.0.3:80 name http tcp-ut 30s
  mode http
  option httplog
  timeout client 10s
  timeout http-request 10s
  http-request redirect scheme https

# HTTPs frontend
frontend ft_xchange2010_http_ssl_offload
  bind 10.0.0.3:443 name https tcp-ut 30s ssl crt xchange2010.pem

  acl owa_redir path / /owa
  http-request redirect location /owa/  if owa_redir

  # concatenate the first URL folder to the string 'bk_'
  # to automatically route to the right backend
  use_backend bk_%[path,word(1,/),lower]

  # if no backend is found, then 503 is returned
  # one can setup a 'default_backend' statement

# activesync
backend bk_microsoft-server-activesync
  stick on hdr(Authorization) table hdr_authorization
  option httpchk GET /Microsoft-Server-ActiveSync/ HTTP/1.1\r\nHost:\ mail.domain.com
  http-check expect rstatus (2..|3..|401)
  server CAS1 10.0.0.15:80 check
  server CAS2 10.0.0.16:80 check

# autodiscover
backend bk_autodiscover
  option httpchk GET /Autodiscover/Autodiscover.xml HTTP/1.1\r\nUser-Agent:\ Mozilla/5.0\r\nHost:\ mail.domain.com
  http-check expect rstatus (2..|3..|401)
  server CAS1 10.0.0.15:80 check
  server CAS2 10.0.0.16:80 check

# Exchange Control Panel
backend bk_ecp
  cookie ALBWA insert indirect nocache
  option httpchk GET /ecp/ HTTP/1.1\r\nUser-Agent:\ Mozilla/5.0\r\nHost:\ mail.domain.com
  http-check expect rstatus (2..|3..)
  server CAS1 10.0.0.15:80 check cookie CAS1
  server CAS2 10.0.0.16:80 check cookie CAS2

# Exchange Web service
backend bk_ews
  option httpchk GET /ews/ HTTP/1.1\r\nHost:\ mail.domain.com
  http-check expect rstatus (2..|3..|401)
  server CAS1 10.0.0.15:80 check
  server CAS2 10.0.0.16:80 check

# Offline Address book
backend bk_oab
  option httpchk GET /oab/ HTTP/1.1\r\nHost:\ mail.domain.com
  http-check expect rstatus (2..|3..|401)
  server CAS1 10.0.0.15:80 check
  server CAS2 10.0.0.16:80 check

# outlookanywhere
backend bk_rpc
  stick on src table sourceaddr
  option httpchk RPC_IN_DATA /rpc/rpcproxy.dll?mail.domain.com:6001 HTTP/1.1\r\nUser-Agent:\ MSRPC\r\nHost:\ mail.domain.com
  http-check expect rstatus (2..|3..|401)
  server CAS1 10.0.0.15:80 check
  server CAS2 10.0.0.16:80 check

# Outlook Web Application
backend bk_owa
  cookie ALBWA insert indirect nocache
  option httpchk GET /owa/auth/logon.aspx?url=http://mail.domain.com/owa/&reason=0 HTTP/1.1\r\nUser-Agent:\ Mozilla/5.0\r\nHost:\ mail.domain.com
  server CAS1 10.0.0.15:80 check cookie CAS1
  server CAS2 10.0.0.16:80 check cookie CAS2

Note

To turn this configuration into SSL bridging mode, simply replace ':80' on each server line with ':443 ssl' (add 'verify required' together with a 'ca-file' on the server lines if HAProxy should validate the CAS certificates).

SSL offload mode and Outlook Anywhere in HTTPs forward

In this mode, two VRRP IPs are needed, one per hostname, each pointing to a different type of deployment:

  • VIP1 for oa.domain.com : TCP forward mode for Outlook Anywhere
  • VIP2 for mail.domain.com : SSL offloading mode, for all other services

The following parameters may have to be updated to match each environment:

  • peer directive statements: ALOHA appliance names and associated administrative IP
  • bind : the listening IP (usually an IP address configured over VRRP), the SSL certificate name
  • server : the server name and IP addresses
  • Replace every occurrence of mail.domain.com or oa.domain.com with the hostname used to host your Exchange 2010 services and Outlook Anywhere respectively.

Note

The defaults XCHANGE2010_TCP, peers and backend sourceaddr sections can be shared with the other Exchange 2010 TCP-based services. There is no need to duplicate them.

The configuration below is also available for download:

peers alohalb
  peer aloha1 10.0.0.1:1023
  peer aloha2 10.0.0.2:1023

# Persistence tables
backend sourceaddr
  stick-table size 10k type ip peers alohalb

backend hdr_authorization
  stick-table size 10k type string len 32 peers alohalb

defaults XCHANGE2010_TCP
  mode tcp
  log global
  option tcplog
  balance leastconn
  option dontlognull
  option redispatch
  option contstats
  option socket-stats
  timeout server 600s
  timeout client 600s
  timeout connect 5s
  timeout queue 60s
  retries 3
  default-server inter 15s rise 2 fall 2
  backlog 10000

# outlook anywhere in SSL forward mode
frontend ft_xchange2010_ssl_forward
  bind 10.0.0.4:443 name https tcp-ut 30s
  default_backend bk_xchange2010_ssl_forward

# outlook anywhere in SSL forward mode
backend bk_xchange2010_ssl_forward
  stick on src table sourceaddr
  # the RPC_IN_DATA health check must be sent over TLS (check-ssl),
  # since the CAS only answers on HTTPs here
  option httpchk RPC_IN_DATA /rpc/rpcproxy.dll?oa.domain.com:6001 HTTP/1.1\r\nUser-Agent:\ MSRPC\r\nHost:\ oa.domain.com
  http-check expect rstatus (2..|3..|401)
  server CAS1 10.0.0.15:443 check check-ssl
  server CAS2 10.0.0.16:443 check check-ssl

defaults XCHANGE2010_HTTP
  mode http
  log global
  option httplog
  balance leastconn
  option dontlognull
  option redispatch
  option contstats
  option socket-stats
  timeout connect 5s
  timeout server 1000s
  timeout client 1000s
  timeout http-request 10s
  timeout http-keep-alive 1m
  timeout queue 60s
  option http-keep-alive
  option prefer-last-server
  retries 3
  default-server inter 15s rise 2 fall 2
  backlog 10000

# Redirection to SSL frontends
frontend ft_xchange2010_http
  bind 10.0.0.3:80 name http tcp-ut 30s
  bind 10.0.0.4:80 name http-oa tcp-ut 30s
  mode http
  option httplog
  timeout client 10s
  timeout http-request 10s
  http-request redirect scheme https

# HTTPs frontend
frontend ft_xchange2010_http_ssl_offload
  bind 10.0.0.3:443 name https tcp-ut 30s ssl crt xchange2010.pem

  acl owa_redir path / /owa
  http-request redirect location /owa/  if owa_redir

  # concatenate the first URL folder to the string 'bk_'
  # to automatically route to the right backend
  use_backend bk_%[path,word(1,/),lower]

  # if no backend is found, then 503 is returned
  # one can setup a 'default_backend' statement

# activesync
backend bk_microsoft-server-activesync
  stick on hdr(Authorization) table hdr_authorization
  option httpchk GET /Microsoft-Server-ActiveSync/ HTTP/1.1\r\nHost:\ mail.domain.com
  http-check expect rstatus (2..|3..|401)
  server CAS1 10.0.0.15:80 check
  server CAS2 10.0.0.16:80 check

# autodiscover
backend bk_autodiscover
  option httpchk GET /Autodiscover/Autodiscover.xml HTTP/1.1\r\nUser-Agent:\ Mozilla/5.0\r\nHost:\ mail.domain.com
  http-check expect rstatus (2..|3..|401)
  server CAS1 10.0.0.15:80 check
  server CAS2 10.0.0.16:80 check

# Exchange Control Panel
backend bk_ecp
  cookie ALBWA insert indirect nocache
  option httpchk GET /ecp/ HTTP/1.1\r\nUser-Agent:\ Mozilla/5.0\r\nHost:\ mail.domain.com
  http-check expect rstatus (2..|3..)
  server CAS1 10.0.0.15:80 check cookie CAS1
  server CAS2 10.0.0.16:80 check cookie CAS2

# Exchange Web service
backend bk_ews
  option httpchk GET /ews/ HTTP/1.1\r\nHost:\ mail.domain.com
  http-check expect rstatus (2..|3..|401)
  server CAS1 10.0.0.15:80 check
  server CAS2 10.0.0.16:80 check

# Offline Address book
backend bk_oab
  option httpchk GET /oab/ HTTP/1.1\r\nHost:\ mail.domain.com
  http-check expect rstatus (2..|3..|401)
  server CAS1 10.0.0.15:80 check
  server CAS2 10.0.0.16:80 check

# Outlook Web Application
backend bk_owa
  cookie ALBWA insert indirect nocache
  option httpchk GET /owa/auth/logon.aspx?url=http://mail.domain.com/owa/&reason=0 HTTP/1.1\r\nUser-Agent:\ Mozilla/5.0\r\nHost:\ mail.domain.com
  server CAS1 10.0.0.15:80 check cookie CAS1
  server CAS2 10.0.0.16:80 check cookie CAS2
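The routing performed by the ft_xchange2010_http_ssl_offload frontend, which appears in both the "HTTP SSL offload mode" and the "SSL offload mode and Outlook Anywhere in HTTPs forward" configurations above, reproduced in Python so that the effect of the `acl owa_redir` redirect and of the dynamic `use_backend bk_%[path,word(1,/),lower]` rule can be checked for any request path before going live. This is an added example, not part of the original guide or of HAProxy; the backend set is the one defined in the configuration above and the request targets used are constructed.

```python
"""Emulation of the HTTPs frontend routing rules (added example).

Rules reproduced from ft_xchange2010_http_ssl_offload:
  acl owa_redir path / /owa
  http-request redirect location /owa/  if owa_redir
  use_backend bk_%[path,word(1,/),lower]
"""
from urllib.parse import urlsplit

# Backends defined in the SSL offload configuration on this page.
DEFINED_BACKENDS = frozenset({
    "bk_microsoft-server-activesync", "bk_autodiscover", "bk_ecp",
    "bk_ews", "bk_oab", "bk_rpc", "bk_owa",
})


def path_sample(request_target: str) -> str:
    """HAProxy's `path` fetch: the request path without the query string."""
    return urlsplit(request_target).path


def word(value: str, index: int, delimiters: str = "/") -> str:
    """HAProxy's word(<index>,<delimiters>) converter for a positive index:
    the <index>-th non-empty field (1-based), so '//owa' still yields
    'owa' and a value with too few fields yields the empty string."""
    fields, current = [], ""
    for ch in value:
        if ch in delimiters:
            if current:
                fields.append(current)
            current = ""
        else:
            current += ch
    if current:
        fields.append(current)
    return fields[index - 1] if 0 < index <= len(fields) else ""


def route(request_target: str) -> tuple:
    """Apply the frontend rules in HAProxy's order and return the outcome:
    ('redirect', location), ('backend', name) or ('503', None)."""
    path = path_sample(request_target)
    # `path` with no match flag is an exact string match on each pattern
    if path in ("/", "/owa"):
        return ("redirect", "/owa/")
    backend = "bk_" + word(path, 1).lower()
    if backend in DEFINED_BACKENDS:
        return ("backend", backend)
    # No backend of that name and no default_backend: HAProxy answers 503,
    # so a request whose first path element is unexpected never reaches a CAS.
    return ("503", None)


if __name__ == "__main__":
    for target in ("/", "/OWA/auth/logon.aspx?reason=0",
                   "/Autodiscover/Autodiscover.xml",
                   "/rpc/rpcproxy.dll?mail.domain.com:6001", "/foo/"):
        print(f"{target:45} -> {route(target)}")
```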