
APV/vAPV Microsoft SharePoint 2013 Deployment Guide
Deployment Guide, Oct. 2015, rev. a

Contents

1 Introduction ... 2
2 Prerequisites and Assumptions ... 3
  2.1 Microsoft SharePoint ... 3
  2.2 Array Networks APV Series Application Delivery Controllers ... 3
3 APV Series Application Delivery Controller (ADC) Benefits ... 4
4 Configuration Scenarios ... 5
  4.1 Deployment Considerations ... 5
    4.1.1 Configure APV/vAPV device with HTTP for SharePoint 2013 ... 5
    4.1.2 Configure APV/vAPV device with HTTPS for SharePoint 2013 ... 6
5 Configuring APV/vAPV for SharePoint Services ... 7
  5.1 Configuring APV/vAPV for Internal Users ... 7
    5.1.1 Create a SharePoint Health Check ... 7
    5.1.2 Create a Real Service ... 8
    5.1.3 Create a Service Group ... 9
    5.1.4 Create a Virtual Service ... 10
    5.1.5 Validate the SharePoint Service ... 12
  5.2 Configuring APV/vAPV Series for External Users ... 12
    5.2.1 Create an HTTPS Virtual Service and Associate to the Real HTTPS Virtual Service Configuration ... 13
    5.2.2 Create SSL Virtual Hosts ... 14
    5.2.3 Generate a CSR and Self-Signed Certificate ... 14
    5.2.4 (Optional) Import a SSL Certificate and/or Private Key ... 16
    5.2.5 Start SSL ... 16
    5.2.6 Validate the SharePoint Service ... 17
6 Optional Configuration ... 18
  6.1 HTTP Rewrite/Redirect ... 18
    6.1.1 Create another HTTP Virtual Service ... 18
  6.2 Enable HTTP Compression ... 18
  6.3 Enable HTTP Caching ... 19
  6.4 How to Insert a "Front-End-Https: On" Header ... 20
7 References ... 22

1 Introduction

This guide describes how to configure the APV/vAPV Series application delivery controllers for Microsoft SharePoint 2013.

Microsoft SharePoint is a browser-based collaboration and document management platform. It allows groups to set up a centralized, password-protected space for document sharing. Documents can be stored, downloaded and edited, then uploaded for continued sharing.

Array Networks APV Series application delivery controllers provide the availability, scalability, performance, security and control essential to keeping cloud services and enterprise applications running in their power band.

2 Prerequisites and Assumptions

2.1 Microsoft SharePoint

This document is written with the assumption that you are familiar with Microsoft SharePoint server products. For more information on planning and deploying the Microsoft SharePoint server farm and Web applications, please reference the appropriate document: 42376.aspx

For the examples in this deployment guide, the following configuration was used:
- Microsoft SharePoint Server farm installed on Windows 2012 Standard (64-bit)
- Microsoft SQL Server 2012 SP1 installed as the Database Server

Figure 1: Microsoft Deployment Diagram

2.2 Array Networks APV Series Application Delivery Controllers

The APV/vAPV appliance must be running ArrayOS version 8.x or later. For more information on deploying the APV/vAPV appliance, please refer to the ArrayOS Web UI Guide, which is accessible through the product's Web User Interface. We assume that the APV Series appliance is already installed in the network with its Management IP, interface IP, VLANs and default gateway configured.

3 APV Series Application Delivery Controller (ADC) Benefits

The Array Networks APV Series delivers all required functions for optimizing application delivery for SharePoint 2013 enterprise environments, such as Layer 4 server load balancing, high availability, SSL acceleration and offloading, DDoS protection, TCP connection multiplexing, site proximity and failover – all in a single, easy-to-manage appliance.

Availability & Scalability
The APV Series' server load balancing ensures maximum uptime for SharePoint. Customers can scale their SharePoint 2013 environment to meet capacity and performance needs with APV Series server load balancers.

SSL Offloading and SSL Security
The APV Series provides industry-leading performance and cost per SSL TPS for 2048-bit SSL, with advanced client certificate handling for secure application support and easy application integration. SSL acceleration reduces the number of servers required for secure applications, improves server efficiency and dramatically improves application performance. By offloading compute-intensive key exchange and bulk encryption, and delivering industry-leading client-certificate performance, SSL acceleration is ideal for scaling SharePoint environments.

Network and Server Protection
The APV appliance can protect SharePoint from malicious network and server attacks such as DDoS attacks, SYN floods, TCP port scans, UDP floods and UDP port scans. The advanced rate limiting options can rate limit connections per user, and advanced HTTP profiles can limit HTTP commands and parameters for Web applications.

Site Resilience
The APV Series' global server load balancing directs traffic away from failed data centers and intelligently distributes services between sites based on proximity, language, capacity, load and response times for maximum performance and availability.

TCP Connection Multiplexing
The APV appliance multiplexes several client TCP connections into fewer connections for HTTP-based services. The APV appliance also reuses existing server connections to greatly reduce server load for TCP processing.

HTTP Dynamic Cache and Compression
The APV appliance supports dynamic HTTP caching and compression and can serve frequently requested content from the APV Series' cache, or force client-side caching, reducing the quantity of data transmitted for faster client response and reduced server load.

4 Configuration Scenarios

Figure 2: Typical Deployment (components shown: External User, Internet, Array Networks APV/vAPV, Local User, Domain Controller, SharePoint 2013 FE Web Servers, SQL DB, SharePoint Application Server)

4.1 Deployment Considerations

The Array Networks APV/vAPV Series provides two scenarios for SharePoint 2013 deployment.

4.1.1 Configure APV/vAPV device with HTTP for SharePoint 2013

This scenario is a basic SharePoint Server deployment that places the APV/vAPV between internal users and the SharePoint 2013 Web servers.

Figure 3: APV Series for Internal Users (HTTP from Internal Users to the APV, HTTP from the APV to the SharePoint 2013 Web Servers)

Table 1: Settings for Internal Users

  Service      Virtual Service   Real      Health Check
  SharePoint   HTTP 80           HTTP 80   HTTP

4.1.2 Configure APV/vAPV device with HTTPS for SharePoint 2013

In this scenario, the APV/vAPV system is a reverse proxy. The system is placed in the network between the clients and the servers. It provides security, scalability, availability, server offload and more, all completely transparent to the external users.

Figure 4: APV Series for External Users (HTTPS from External Users to the APV, HTTP from the APV to the SharePoint 2013 Web Servers)

Table 2: Settings for External Users

  Service      Virtual Service   Real      Health Check
  SharePoint   HTTPS 443         HTTP 80   HTTP

5 Configuring APV/vAPV for SharePoint Services

5.1 Configuring APV/vAPV for Internal Users

This section assumes internal users are using HTTP to access the SharePoint Portal.

5.1.1 Create a SharePoint Health Check

Make certain you are in Config mode (see below) and have selected the feature Real Services from the sidebar. The configuration window will display two tabs, Real Services and Health Check Setting.

For a better SharePoint application health check, a simple HTTP content health check can be better than a TCP/ICMP health check for determining service availability:

1. Click on the “Health Check Setting” tab; a new window will display.
2. In our example, we used Request Index 0 for the Request String “GET / HTTP/1.0\r\n\r\n” (see figure below).
3. We used Response Index 10 and Response String “401”. We expect the SharePoint server to return HTTP code 401, since NT LAN Manager (NTLM) authentication returns 401 when the APV health check issues an unauthenticated GET request.
4. Finish the Health Check Setting by clicking “SAVE CHANGES”.
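As an added example (Python, not part of the original guide or of ArrayOS), the following reproduces the logic of the health check configured above: it sends the guide's request string and treats the real service as up only when the status line carries the expected 401. The `probe` helper and the sample replies are constructed for illustration; `probe` is only needed if you want to run the check against a live front end.

```python
import socket
from typing import Optional

# Request Index 0 and Response Index 10 from the guide's Health Check Setting.
HEALTH_REQUEST = b"GET / HTTP/1.0\r\n\r\n"
EXPECTED_STATUS = 401   # NTLM-protected SharePoint answers 401 before any auth


def parse_status(response: bytes) -> Optional[int]:
    """Return the status code from a raw HTTP response, or None if it is not HTTP."""
    try:
        status_line = response.split(b"\r\n", 1)[0].decode("ascii")
        version, code, *_ = status_line.split(" ", 2)
    except (UnicodeDecodeError, ValueError):
        return None
    if not version.startswith("HTTP/") or not code.isdigit():
        return None
    return int(code)


def health_check_passes(response: bytes, expected: int = EXPECTED_STATUS) -> bool:
    """Healthy only on an exact match: a 200 would mean the NTLM challenge is
    missing (for example anonymous access turned on), while a 5xx or a non-HTTP
    reply means the front end is not serving the application at all."""
    return parse_status(response) == expected


def probe(host: str, port: int = 80, timeout: float = 3.0) -> bool:
    """Send the check to a live front end (hypothetical helper, not used below)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(HEALTH_REQUEST)
            reply = sock.recv(1024)
    except OSError:
        return False   # refused or timed out: the real service is marked down
    return health_check_passes(reply)


# Constructed sample replies, not captured from a real SharePoint server.
NTLM_CHALLENGE = (b"HTTP/1.1 401 Unauthorized\r\n"
                  b"WWW-Authenticate: NTLM\r\n"
                  b"Content-Length: 0\r\n\r\n")
ANONYMOUS_OK = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
FRONT_END_DOWN = b"HTTP/1.1 503 Service Unavailable\r\n\r\n"
NOT_HTTP = b"\x16\x03\x01\x00\x05hello"   # e.g. TLS bytes arriving on port 80

if __name__ == "__main__":
    samples = [("NTLM challenge", NTLM_CHALLENGE), ("anonymous 200", ANONYMOUS_OK),
               ("503", FRONT_END_DOWN), ("not HTTP", NOT_HTTP)]
    for label, reply in samples:
        print(f"{label:15} -> {'UP' if health_check_passes(reply) else 'DOWN'}")
```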

5.1.2 Create a Real Service

Add the two SharePoint Web servers to the Real Server Profile with associated health checks. Add each server with its name, IP/port and protocol information as an APV SLB Real Service using the following steps. Please ensure the server health check is up and green (in active status) after this configuration.

1. From the WebUI, in Config mode, go to SERVER LOAD BALANCE - Real Services - Real Services and click “Add”. The configuration window will present a new screen for ADD REAL SERVICE ENTRY. Enter the following real server information:
   - Real Service Name: input “rs sp01” as the Real Service Name.
   - Real Service Type: select HTTP
   - Real Service IP: input the SharePoint Web Server IP “10.1.1.72”
   - Real Service Port: input port “80”
   - Connection Limit: “1000”
   The last setting above is the maximum number of connections to the real service. This setting helps with application stability by not overloading the server or application. Increase the number if the server is capable of handling greater loads.
2. Max Connections Per Second: leave the default 0. If the Real Server application has performance issues, the APV Series' SLB function allows connection rate limiting to the backend service.
3. Health Check Type: select HTTP
4. Request Index: select “0 GET / HTTP/1.0\r\n\r\n”
5. Response Index: select “10 401”
6. If you have additional SharePoint 2013 Web Servers in your environment, click “Save and add another” real service (SharePoint Web Server), following the same procedure as above. You can see the real service status when you finish creating them.

5.1.3 Create a Service Group

Ensure you are in Config mode and select “Groups”. The configuration window will display three tabs: Groups, Groups Setting and Group IP Pool.

1. To add a new SLB Group, in the ADD GROUP menu, enter the following information:
   - Group Name: enter “g sp01”
   - Group Method: select “Persistence”
   - Session Type: select “ip”
   - First Choice: select “Round Robin”
2. Click “Add” to add the new g sp01 SLB Group. The g sp01 should appear in the GROUP LIST.

The SLB Group Method uses individual source IP persistence and the First Choice is Round Robin. This means that for a new client (new IP address), the APV Series will select a server using the Round Robin method. For subsequent accesses from the same client (IP), the APV Series will route the request to the same server. This helps distribute load better among all SharePoint 2013 servers.

For SharePoint 2013 with the Distributed Cache Service, the user login token is held in the Distributed Cache Service on all SharePoint 2013 servers in the cluster. Server affinity is then not required and Least Connections can be used as the group method. However, this depends on a fully functional Distributed Cache Service.

3. To add real service(s) into the SLB Group, click “g sp01” in the GROUPS LIST. The GROUP INFORMATION and GROUP MEMBERS menus for g sp01 should appear.
4. Under the GROUP MEMBERS menu, click “Add” to access the ADD GROUP MEMBER menu.
5. Eligible Reals field: select each SharePoint 2013 server you wish to add to the group.

Now Group g sp01 is complete.

5.1.4 Create a Virtual Service

The next step is to create an APV Series SLB Virtual Service to allow clients to access these services. On the APV appliance, a Virtual Service is defined by a Virtual IP/Port and the protocol. External client requests will be terminated on it and the APV appliance will load balance the requests to the different Real Services. Below is the configuration for the SharePoint Virtual Service.

1. Navigate to the Virtual Services – ADD VIRTUAL SERVICE menu and enter:
   - Virtual Service Name: enter vs sp01 (or any name you prefer)
   - Virtual Service Type: select HTTP
   - Virtual Service IP: enter Virtual IP 10.1.1.73. Note: the Virtual Service can be on a different APV interface with a different IP subnet.
   - Virtual Service Port: enter 80
   Use the check box to enable ARP. Set the maximum number of open connections per virtual service; “0” means no limitation. Then click “Add” to add the APV SLB Virtual Service. The vs sp01 will show in the VIRTUAL SERVICE LIST.

   Depending on which type of virtual service is specified, certain parameter fields will appear, change or disappear. Click on the desired action link to add a virtual service. Once a virtual service has been added, it will be displayed within the table. Select a virtual service in the table and double click on it, or click on the action link “Edit”. A new configuration window will present a new series of tabs for completing the virtual service configuration.
2. From the VIRTUAL SERVICE LIST, click the Virtual Service vs sp01. Scroll down the menu to ASSOCIATE GROUPS. Select the following:
   - Eligible Groups: select “g sp01”
   - Eligible Policies: select “default”
3. Click the “Add” button to save this Virtual Service-SLB Group association. The g sp01 will be shown in the ASSOCIATE GROUPS list.
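To make the group behaviour described in 5.1.3 concrete, here is an added Python model (not ArrayOS code) of a Persistence group with Session Type ip and Round Robin as First Choice: a new client IP is assigned by round robin, a returning IP stays on its server, and a real service is skipped when its health check is down or its Connection Limit of 1000 is reached. The second real service's address and the client addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RealService:
    name: str
    ip: str
    port: int = 80
    connection_limit: int = 1000   # Connection Limit from section 5.1.2
    healthy: bool = True           # outcome of the HTTP 401 health check
    active: int = 0                # currently open connections

    def available(self) -> bool:
        return self.healthy and self.active < self.connection_limit


class PersistenceGroup:
    """Group Method 'Persistence', Session Type 'ip', First Choice 'Round Robin'."""

    def __init__(self, reals: List[RealService]) -> None:
        self.reals = reals
        self.table: Dict[str, str] = {}   # client IP -> real service name
        self._next = 0                    # round-robin cursor

    def _round_robin(self) -> Optional[RealService]:
        # Try each real once, starting at the cursor, skipping unavailable ones.
        for _ in range(len(self.reals)):
            rs = self.reals[self._next % len(self.reals)]
            self._next += 1
            if rs.available():
                return rs
        return None

    def select(self, client_ip: str) -> Optional[RealService]:
        """Pick the real service for a request from client_ip."""
        pinned = self.table.get(client_ip)
        if pinned is not None:
            rs = next(r for r in self.reals if r.name == pinned)
            if rs.available():
                return rs               # returning client: keep affinity
            del self.table[client_ip]   # pinned server is down: re-select below
        rs = self._round_robin()
        if rs is not None:
            self.table[client_ip] = rs.name
        return rs


def build_group() -> PersistenceGroup:
    """g sp01 as in the guide; rs sp02 and its address are constructed values."""
    return PersistenceGroup([RealService("rs sp01", "10.1.1.72"),
                             RealService("rs sp02", "192.0.2.2")])


if __name__ == "__main__":
    g = build_group()
    for ip in ["198.51.100.10", "198.51.100.11", "198.51.100.10"]:
        chosen = g.select(ip)
        print(ip, "->", chosen.name if chosen else "no server available")
```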

Note: The APV Series' SLB capability supports various virtual service settings. If you would like to use settings beyond those discussed in this deployment guide, consult Array Support services.

5.1.5 Validate the SharePoint Service

Input the appropriate URL to access SharePoint 2013 and make sure you can access every resource from SharePoint 2013. You can also monitor the real service statistics from the APV's Web interface.

5.2 Configuring APV/vAPV Series for External Users

This section guides you in configuring the APV/vAPV device to load balance SharePoint over HTTPS for secured communication with external users.

If host-named site collections are used with Office 365 with SSL offloading by the APV Series ADC, please see the following link for additional information, and see section 6.4 for how to insert a "Front-End-Https: On" header: /cc424952.aspx#section2g

To configure the APV/vAPV device to load balance the SharePoint HTTPS service, we can use the same Real Service we created in 5.1.2 and the service group from 5.1.3. We need only add a new APV Virtual Service with HTTPS, associate an SSL certificate/private key and set the default policy to route the requests to the SharePoint 2013 group.

5.2.1 Create an HTTPS Virtual Service and Associate to the Real HTTPS Virtual Service Configuration

1. Navigate to the Virtual Services – ADD VIRTUAL SERVICE menu and double click to select vs sp01 from the VIRTUAL SERVICE LIST. The VIRTUAL SERVICE INFORMATION menu will appear.
2. To reuse the HTTP Virtual Service for the HTTPS Virtual Service:
   - Virtual Service Type: change to HTTPS (from HTTP)
   - Virtual Service Port: automatically changes to 443
3. Click Save.
4. Scroll down the menu to ASSOCIATE GROUPS. Select the following:
   - Eligible Groups: select “g sp01”
   - Eligible Policies: select “default”
5. Click the “Add” button to save this Virtual Service-SLB Group association. The g sp01 will be shown in the ASSOCIATE GROUPS list.

To enable an SLB HTTPS/TCPS/FTPS Virtual Service on the APV Series, an SSL Certificate/Private Key must be associated with the SLB Virtual Service. To do so, the APV Series associates an SSL Virtual Host with the SLB Virtual Service. Each SSL Virtual Host needs to have its own SSL Certificate and Private Key assigned.

Note: One SSL Virtual Host can be associated with multiple SLB Virtual Services (HTTPS, TCPS and FTPS).

5.2.2 Create SSL Virtual Hosts

An SSL Virtual Host is the SSL engine used to process traffic with the associated certificate and private key. An SSL Virtual Host can be associated with multiple SLB Virtual Services and different application types which need SSL support, such as HTTPS, FTPS or TCPS.

To create the SSL Virtual Host, go to the WebUI Mode: Config.

1. Navigate to SSL - Virtual Hosts and click “Add” to access the SSL VIRTUAL HOST menu.
2. Under the SSL VIRTUAL HOST menu, enter:
   - Virtual Host Name: enter ssl sp, as in the following example
   - SLB Virtual Service: select “vs sp01”
3. Click “Save” to store the information.

Once a new SSL Virtual Host is created, a Certificate/Private Key needs to be assigned in order for it to operate. There are two options to assign a Certificate/Private Key:

1. Generate a Certificate Signing Request (CSR), along with a self-signed certificate and private key. Send the CSR/Certificate to a public Certificate Authority (CA) to sign. Then import the signed certificate to the APV Series appliance later.
2. Import an SSL Certificate/Private Key.

5.2.3 Generate a CSR and Self-Signed Certificate

To generate the CSR, go to the WebUI Mode: Config.

1. Navigate to SSL - Virtual Hosts and click the SSL Virtual Host ssl sp you just created.
2. Under the Virtual Host CSR/Cert/Key - CSR/Key menu, fill in the information and click “Apply”.

Note: The Common Name needs to be the same as the host name (resolved by DNS) used to access the SLB Virtual Service.

Note: For an SSL Virtual Host with an existing Certificate/Private Key associated, the APV Series will show the EXISTING CSR and SSL EXPORTABLE KEY. You may remove the existing CSR (and Private Key) and re-generate a new CSR/Self-Signed Certificate.

Once you click Apply, a new CSR will be generated, along with the Private Key and Self-Signed Certificate for the SSL Virtual Host. All are available in PEM form, which allows cut and paste to export.

Note: You can cut and paste the CSR text (in PEM format, as shown) and email it to a CA, such as Symantec, Comodo SSL, or GoDaddy, and pay the fee to have it sign the certificate. Before you have the official SSL certificate, a self-signed SSL certificate is generated with the private key by the APV and can be used for testing. However, as the issuer (CA) is not known to the client, a security warning will be shown.

5.2.4 (Optional) Import an SSL Certificate and/or Private Key

To import an existing SSL key and certificate for an SSL Virtual Host:

1. Go to Mode: Config. Navigate to SSL - Virtual Hosts and click the SSL Virtual Host ssl sp for which you would like to import a Certificate and/or Key.
2. Click the “Import Cert/Key” tab.
3. In SSL KEY, the key can be imported by Local File, TFTP, or Manual Input. The following example uses a local disk file “tcps-101.pfx”, which is password protected.
4. In SSL CERTIFICATE, a certificate can be imported by Local File, TFTP or Manual Input. The following example uses Manual Input (cut and paste) of the certificate text in PEM format.

5.2.5 Start SSL

Once the certificate and private key are assigned to the SSL Virtual Host, you can enable it to process SSL traffic. To enable it, go to the WebUI Mode: Config.

1. Navigate to SSL - Virtual Hosts and click on the SSL Virtual Host ssl sp on which you would like to start SSL.
2. Select the Virtual Host Settings tab and check the Enable SSL box.
3. Click SAVE CHANGES.

5.2.6 Validate the SharePoint Service

Input the appropriate HTTPS URL to access SharePoint 2013 and make sure you can access every resource from SharePoint 2013.

6 Optional Configuration

6.1 HTTP Rewrite/Redirect

A user may accidentally type “http://” (unsecured) instead of “https://” (secured), or type just the domain name, to access a secured SharePoint Virtual Service, which would normally cause SharePoint to wait until timeout without serving any content. To make this more user friendly, the APV appliance can be configured to automatically redirect HTTP requests to HTTPS.

6.1.1 Create another HTTP Virtual Service

Create another HTTP virtual service and point it to the same IP as your HTTPS IP. Double click the HTTP Virtual Service IP and enable “Redirect ALL HTTP Requests to HTTPS”. Click SAVE CHANGES to store the configuration.

6.2 Enable HTTP Compression

The APV appliance compresses content in-line and delivers dynamic/static content over LAN and WAN networks. Navigate to Compression - Compression Setting to enable HTTP compression.

6.3 Enable HTTP Caching

The APV appliance can serve frequently requested content from the APV Series' own memory cache for increased performance and to scale the capacity of the SharePoint Server environment. In addition, cache rules can be used to force client browser caching to further accelerate content delivery and lower the server load.

Since typical SharePoint access is by an individual log-in, the main content is usually dynamic, i.e. specific to the individual, and thus not shareable. Therefore, SharePoint uses HTTP cache control to make that content non-cacheable. However, there are objects, such as small images (gif, jpg, png, etc.) for Web rendering, which are the same for all users. To take advantage of the APV Series' cache, a cache filter can be used to force caching of those shareable objects to reduce server load and accelerate application delivery.

To configure the APV Series cache filter:

1. Under PROXY, go to Caching Proxy - Cache Setting - Cache Filter.
2. You can enable/disable the Cache Filter.
3. Enter Cache Filter Rules:
   - Host Name: enter “sp.lab-online.net” (the host name for the lab example)
   - Regular Expression: enter a regular expression; for example, for all gifs enter “.*\.gif”
   - Cache: select yes
4. Click Add.

Note: “.*” is the Array regular expression for "any". Please refer to the CLI Handbook for the complete list of regular expressions.

6.4 How to Insert a "Front-End-Https: On" Header

For SSL offloading, the APV appliance changes the connection type between the client and SharePoint from HTTPS to HTTP or vice versa. In this scenario, the APV appliance must insert an additional HTTP header into the client request when it forwards the request to SharePoint. This additional HTTP header indicates to SharePoint 2013 the type of connection the client initiated, allowing SharePoint 2013 to render URLs appropriately in its response. The HTTP header is "Front-End-Https: On" (not case-sensitive). To insert the custom header on the APV Series:

Login to the WebUI, Mode: Config.

1. Select Virtual Services from the sidebar and double click the “vs sp01” Virtual Service to select it.
2. Enter “Front-End-Https: On” in the “Additional HTTP Request Headers:” field.
3. Click SAVE CHANGES.
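As an added example (Python, not the appliance's implementation), the following models the three request-path behaviours from 6.1, 6.3 and 6.4 together: the extra HTTP virtual service answering a redirect to HTTPS, the cache filter for “sp.lab-online.net” with the “.*\.gif” rule, and the Front-End-Https: On header inserted when an offloaded request is forwarded to the HTTP real service. Assumptions: the redirect is a 301 to the same host and path, the filter regex is applied as an anchored match on the URL path without its query string, and any client-supplied copy of the header is discarded so that only the ADC sets it; the sample requests are constructed.

```python
import re
from typing import Dict, Tuple

# Cache filter rule from the guide's lab example: host name plus the pattern
# ".*\.gif" (".*" meaning "any"). Applying it as an anchored match against the
# URL path without the query string is this example's assumption.
CACHE_FILTERS = [("sp.lab-online.net", re.compile(r".*\.gif"), True)]
FRONT_END_HEADER = "Front-End-Https"   # compared case-insensitively, as the guide notes


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request head into method, target and lower-cased headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def redirect_to_https(raw: bytes) -> bytes:
    """6.1: the extra HTTP virtual service answers with a redirect to the HTTPS
    URL instead of forwarding, so a user who typed http:// is not left waiting."""
    _method, target, headers = parse_request(raw)
    location = f"https://{headers.get('host', '')}{target}"
    return (f"HTTP/1.1 301 Moved Permanently\r\nLocation: {location}\r\n"
            f"Content-Length: 0\r\nConnection: close\r\n\r\n").encode("ascii")


def force_cache(host: str, target: str) -> bool:
    """6.3: cache only objects a filter for this host explicitly matches; every
    other response keeps SharePoint's own per-user cache-control behaviour."""
    path = target.split("?", 1)[0]
    for rule_host, pattern, cache in CACHE_FILTERS:
        if host == rule_host and pattern.fullmatch(path):
            return cache
    return False


def forward_request(raw: bytes, client_used_tls: bool) -> bytes:
    """6.4: rebuild the request for the HTTP real service. Only the ADC knows
    how the client connected, so any client-supplied copy of the header is
    dropped and the value is set solely from the virtual service's side."""
    method, target, headers = parse_request(raw)
    headers.pop(FRONT_END_HEADER.lower(), None)
    lines = [f"{method} {target} HTTP/1.1"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    if client_used_tls:
        lines.append(f"{FRONT_END_HEADER}: On")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


# Constructed sample requests (not captured traffic).
PLAIN = b"GET /sites/team HTTP/1.1\r\nHost: sp.lab-online.net\r\n\r\n"
WITH_HEADER = (b"GET /sites/team HTTP/1.1\r\nHost: sp.lab-online.net\r\n"
               b"Front-End-Https: On\r\n\r\n")

if __name__ == "__main__":
    print(redirect_to_https(PLAIN).decode())
    print(force_cache("sp.lab-online.net", "/_layouts/15/images/logo.gif?rev=23"))
    print(forward_request(WITH_HEADER, client_used_tls=False).decode())
```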


7 References

03789323.aspx

About Array Networks

Array Networks is a global leader in application delivery networking with over 5000 worldwide customer deployments. Powered by award-winning SpeedCore software, Array application delivery, WAN optimization and secure access solutions are recognized by leading enterprise, service provider and public sector organizations for unmatched performance and total value of ownership. Array is headquartered in Silicon Valley, is backed by over 400 employees worldwide and is a profitable company with strong investors, management and revenue growth. Poised to capitalize on explosive growth in the areas of mobile and cloud computing, analysts and thought leaders including Deloitte, IDC and Frost & Sullivan have recognized Array Networks for its technical innovation, operational excellence and market

To purchase Array Networks solutions, please contact your Array Networks representative at 1-866-MY-ARRAY (692-7729) or an authorized reseller.

Oct. 2015 rev. a. 2015 Array Networks, Inc. All rights reserved. Array Networks and the Array Networks logo are trademarks of Array Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Array Networks assumes no responsibility for any inaccuracies in this document. Array Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
