
Load Balancing Microsoft Exchange 2019
Version 1.1.0

Table of Contents

1. About this Guide
2. Loadbalancer.org Appliances Supported
3. Loadbalancer.org Software Versions Supported
4. Microsoft Exchange Software Versions Supported
5. Exchange Server 2019
6. Exchange 2019 Server Roles
7. Load Balancing Exchange 2019
   Load Balancing & HA Requirements
   Database Availability Group (DAG)
   Persistence (aka Server Affinity)
   Port Requirements
   SSL Termination
   HTTPS Namespaces & IP addresses
   Health-Checks
   Load Balancer Deployment Concept
   Virtual Service (VIP) Requirements
   Load Balancer Deployment Modes
   Layer 7 SNAT Mode
   Layer 4 DR Mode
   Our Recommendation
   Is SSL Offloading Required?
8. Configuring Exchange 2019 for Load Balancing
   1) External Access Domain
   2) Virtual Directories
   3) Outlook Anywhere
   4) Autodiscover
   5) Certificates
   6) Send & Receive Connectors
   Adding Connectors
   7) DNS Configuration
   8) Additional Exchange Server Configuration Steps (depends on Load balancing method)
   Layer 7 SNAT Mode
   Layer 4 DR Mode
   9) IIS Restart (Important)
9. Loadbalancer.org Appliance – the Basics
   Virtual Appliance
   Initial Network Configuration
   Accessing the WebUI
   Main Menu Options
   HA Clustered Pair Configuration
10. Appliance Configuration – Using Layer 7 SNAT Mode (without SSL Offload)
   Load Balancer Deployment Overview
   Load Balancer Configuration
   Configure VIP1 – Mailbox Server Role HTTPS Services
   Configure VIP2 – Mailbox Server Role IMAP4/POP3 Services
   Configure VIP3 – Mailbox Server Role SMTP Services
   Configuring Firewall Rules to Lockdown SMTP
   Additional Settings if using Kerberos Authentication
   Finalizing the Configuration
   Exchange Server Configuration Steps
11. Appliance Configuration – Using Layer 7 SNAT Mode (with SSL Offload)
   Load Balancer Deployment Overview
   Load Balancer Configuration
   Configure VIP1 – Mailbox Server Role HTTPS Services
   Configure VIP2 – Mailbox Server Role IMAP4/POP3 Services
   Configure VIP3 – Mailbox Server Role SMTP Services
   Configuring Firewall Rules to Lockdown SMTP
   Additional Settings if using Kerberos Authentication
   Finalizing the Configuration
   Exchange Server Configuration Steps
   Configure IIS logging to Capture XFF Header IP Addresses
12. Appliance Configuration – Using Layer 4 DR Mode
   Load Balancer Deployment Overview
   Load Balancer Configuration
   Configure VIP1 – Mailbox Server Role HTTPS Services
   Configure VIP2 – Mailbox Server Role IMAP4/POP3 Services
   Configure VIP3 – Mailbox Server Role SMTP Services
   Exchange Server Configuration Steps
13. Testing & Verification
   Useful Exchange 2019 & Other Microsoft Tools
   Testing Server Health-checks using Set-ServerComponentState
   Testing Mailflow
   Testing SMTP Mail flow using Telnet
   Microsoft Exchange Testing Tool
   Useful Appliance based Tools & Features
   Using System Overview
   Layer 4 Status Report
   Layer 7 Statistics Report
   Appliance Logs
14. Technical Support
15. Further Documentation
16. Conclusion
17. Appendix
   Configuring Firewall Rules to Lockdown SMTP
   Enabling Layer 7 Transparency using TProxy
   Using a Layer 4 Virtual Service for SMTP
   Layer 4 DR Mode - Solving the ARP Problem
   Configuring an HTTP to HTTPS redirect for OWA
   Configuring HA - Adding a Secondary Appliance
   Solving the ARP Problem
   Windows Server 2012, 2016 & 2019
   Update the Network Adapter Priority Order
18. Document Revision History

1. About this Guide

This guide details the steps required to configure a load balanced Microsoft Exchange 2019 environment utilizing Loadbalancer.org appliances. It covers the configuration of the load balancers and also any Microsoft Exchange 2019 configuration changes that are required to enable load balancing.

For more information about initial appliance deployment, network configuration and using the Web User Interface (WebUI), please also refer to the Administration Manual.

2. Loadbalancer.org Appliances Supported

All our products can be used with Exchange 2019. For full specifications of available models please refer to: https://www.loadbalancer.org/products

Some features may not be supported in all cloud platforms due to platform specific limitations. Please check with Loadbalancer.org support for details.

3. Loadbalancer.org Software Versions Supported

- V8.3.8 and later

4. Microsoft Exchange Software Versions Supported

- Microsoft Exchange 2019 – all versions

5. Exchange Server 2019

Exchange 2019 is Microsoft’s latest enterprise level messaging and collaboration server. Exchange 2019 has been designed for simplicity of scale, hardware utilization, and failure isolation. This has greatly simplified both the deployment process and the implementation of a load balancer. The architecture of Exchange 2019 is very similar to Exchange 2016. Exchange 2019 adds new client features, security updates, improved archive and retention policies, as well as various performance & scalability improvements.

6. Exchange 2019 Server Roles

As with Exchange 2016, in Exchange 2019 there are 2 server roles: the Mailbox Server and the Edge Transport Server.

Role | Purpose
Mailbox Server | Mailbox servers contain the transport services that are used to route mail, the mailbox databases that process, render, and store data and the Client Access services that accept client connections for all protocols. These frontend services are responsible for routing or proxying connections to the corresponding backend services on a Mailbox server.
Edge Transport Server | This optional role handles all external mail flow for the Exchange organization. Edge Transport servers are typically installed in the perimeter network, and are subscribed to the internal Exchange organization.

Outlook Client Protocols

- MAPI over HTTPS - Outlook 2013 SP1 minimum
- RPC over HTTPS - aka Outlook Anywhere

Mail Flow

In Exchange Server 2019, mail flow occurs through the transport pipeline. The transport pipeline is a collection of services, connections, components, and queues that work together to route all messages to the categorizer in the Transport service on an Exchange 2019 Mailbox server. For more information please refer to the following Microsoft link: w/mail-flow?redirectedfrom MSDN&view exchserver-2019

7. Load Balancing Exchange 2019

Note: It’s highly recommended that you have a working Exchange 2019 environment first before implementing the load balancer.

Load Balancing & HA Requirements

Load balancing requirements for Exchange 2019 are the same as those for Exchange 2016. There is a single building block that provides the client access services and the high availability architecture necessary for any enterprise messaging environment. High availability is provided by implementing multiple Mailbox Servers, configuring a Database Availability Group (DAG) and deploying a load balancer.

Database Availability Group (DAG)

A DAG is a group of up to 16 Mailbox Servers with 100 active and passive databases. It provides automatic database-level recovery from failures that affect individual servers or databases.

Note: DAGs utilize Microsoft Clustering Services which cannot be enabled on the same server as Microsoft Network Load Balancing (NLB). Therefore, using Microsoft NLB is not an option in this case. Using a Loadbalancer.org hardware or virtual appliance provides an ideal solution.

Persistence (aka Server Affinity)

As with Exchange 2016, Exchange 2019 does not require session affinity at the load balancing layer.

Port Requirements

The following table shows the port list that must be load balanced. Some services such as IMAP4 or POP3 may not be required in your environment.

TCP Port | Role | Uses
25 | MBOX | Inbound SMTP
110 | MBOX | POP3 clients
143 | MBOX | IMAP4 clients
443 | MBOX | HTTPS (Outlook on the Web, AutoDiscovery, Web Services, ActiveSync, MAPI over HTTP, RPC over HTTP – a.k.a. Outlook Anywhere, Offline Address Book, Exchange Administration Center)
993 | MBOX | Secure IMAP4 clients
995 | MBOX | Secure POP3 clients

SSL Termination

We generally recommend that SSL is terminated on the Exchange servers for scalability and effective load sharing. However, if you’re load balancing Exchange using layer 7 SNAT mode, by default, the client IP address will be lost and replaced by the load balancer’s own IP and therefore audit logs will contain the load balancer’s IP address and not the client’s. If this is an issue for your environment, X-Forwarded-For headers can be inserted by the load balancer which enable IIS on each Exchange server to be configured to log the client address from the XFF header as described in this Microsoft article. In this case, SSL must be terminated on the load balancer to allow the header to be inserted. Once inserted, traffic can be re-encrypted from the load balancer to the Exchange servers. For more details on configuring layer 7 SNAT mode with SSL offload, please refer to Appliance Configuration – Using Layer 7 SNAT Mode (with SSL Offload).

HTTPS Namespaces & IP addresses

The following examples show 2 different approaches to HTTPS namespace configuration and the related load balancing considerations for each.

Example 1 – simple namespace

look on the Web, ActiveSync, MAPI over HTTP, RPC over HTTP, Offline Address Book, Exchange Web Services
autodiscover.lbtestdom.com | Auto Discover

Notes:

- In this case a single VIP is used for all HTTPS namespaces/services
- Both DNS entries should then point at the same VIP
- This method is simple to set up, but only permits a single Exchange URL to be health checked. However, a successful full HTTPS service check on the OWA virtual directory is a good indication that the other Virtual Directories & applications are also functioning correctly

Example 2 – expanded namespace

ook on the Web

Namespace | Purpose
outlook.lbtestdom.com | Outlook Anywhere
ews.lbtestdom.com | Exchange Web line Address Book

Notes:

- In this case multiple VIPs are used – one for each HTTPS namespace/service
- Each related DNS entry should then point at the corresponding VIP
- This method is more complex to set up, but does enable more granular health checks to be configured

This guide uses the config of example 1 above, i.e. a single IP address for all services.

Health-Checks

In this guide, the health check for HTTPS services accesses owa/healthcheck.htm on each server and checks for a '200 OK' response. A different virtual directory (e.g. ECP, EWS etc.) can be chosen if preferred or more appropriate. Note that healthcheck.htm is generated in-memory based on the component state of the protocol in question and does not physically exist on disk.

Load Balancer Deployment Concept

Exchange 2019 can be deployed in various ways; in this example two servers are used. Each server hosts the Mailbox role in a DAG configuration. This provides high availability and uses a minimum number of Exchange Servers.

Clients then connect to the Virtual Services (VIPs) on the load balancer rather than connecting directly to one of the Exchange servers. These connections are then load balanced across the Exchange servers to distribute the load according to the load balancing algorithm selected.

VIP = Virtual IP Addresses

Note: The load balancer can be deployed as a single unit, although Loadbalancer.org recommends a clustered pair for resilience & high availability. Please refer to Configuring HA - Adding a Secondary Appliance for more details on configuring a clustered pair.

Virtual Service (VIP) Requirements

To provide load balancing and HA for Exchange 2019, the following VIPs are required:

- HTTPS (for all HTTPS based services)
- SMTP

Optionally, additional VIPs may be required as follows:

- HTTP (for redirecting to HTTPS, please refer to Using a Layer 4 Virtual Service for SMTP for more details)
- IMAP4
- POP3

Note: IMAP4 and POP3 are not typically used. Therefore these VIPs are not generally required.

Load Balancer Deployment Modes

The load balancer can be deployed in 4 fundamental ways: Layer 4 DR mode, Layer 4 NAT mode, Layer 4 SNAT mode and Layer 7 SNAT mode.

For Exchange 2019, either layer 7 SNAT mode or layer 4 DR are normally used. These modes are described below and are used for the configurations presented in this guide.

Layer 7 SNAT Mode

Layer 7 SNAT mode uses a proxy (HAProxy) at the application layer. Inbound requests are terminated on the load balancer, and HAProxy generates a new request to the chosen Real Server. As a result, Layer 7 is a slower technique than DR or NAT mode at Layer 4. Layer 7 is typically chosen when either enhanced options such as SSL termination, cookie based persistence, URL rewriting, header insertion/deletion etc. are required, or when the network topology prohibits the use of the layer 4 methods.

This mode can be deployed in a one-arm or two-arm configuration and does not require any changes to the Real Servers. However, since the load balancer is acting as a full proxy it doesn’t have the same raw throughput as the layer 4 methods.

The load balancer proxies the application traffic to the servers so that the source of all traffic becomes the load balancer.

- Layer 7 SNAT mode is a full proxy and therefore load balanced Real Servers do not need to be changed in any way.
- Because layer 7 SNAT mode is a full proxy any server in the cluster can be on any accessible subnet including across the Internet or WAN.
- Layer 7 SNAT mode is not transparent by default, i.e. the Real Servers will not see the source IP address of the client, they will see the load balancer’s own IP address by default, or any other local appliance IP address if preferred (e.g. the VIP address). This can be configured per layer 7 VIP. If required, the load balancer can be configured to provide the actual client IP address to the Real Servers in 2 ways: either by inserting a header that contains the client’s source IP address, or by modifying the Source Address field of the IP packets and replacing the IP address of the load balancer with the IP address of the client. For more information on these methods please refer to Transparency at Layer 7.
- Layer 7 SNAT mode can be deployed using either a 1-arm or 2-arm configuration.
- You should not use the same RIP:PORT combination for layer 7 SNAT mode VIPs and layer 4 SNAT mode VIPs because the required firewall rules conflict.

Layer 4 DR Mode

One-arm direct routing (DR) mode is a very high performance solution that requires little change to your existing infrastructure.

Note: Kemp, Brocade, Barracuda & A10 Networks call this Direct Server Return and F5 call it N-Path.

- DR mode works by changing the destination MAC address of the incoming packet to match the selected Real Server on the fly which is very fast.
- When the packet reaches the Real Server it expects the Real Server to own the Virtual Services IP address (VIP). This means that you need to ensure that the Real Server (and the load balanced application) respond to both the Real Server’s own IP address and the VIP.
- The Real Servers should not respond to ARP requests for the VIP. Only the load balancer should do this. Configuring the Real Servers in this way is referred to as Solving the ARP Problem. For more information please refer to DR Mode Considerations.
- On average, DR mode is 8 times quicker than NAT for HTTP, 50 times quicker for Terminal Services and much, much faster for streaming media or FTP.
- The load balancer must have an Interface in the same subnet as the Real Servers to ensure layer 2 connectivity required for DR mode to work.
- The VIP can be brought up on the same subnet as the Real Servers, or on a different subnet provided that the load balancer has an interface in that subnet.
- Port translation is not possible in DR mode i.e. having a different RIP port than the VIP port.
- DR mode is transparent, i.e. the Real Server will see the source IP address of the client.

Our Recommendation

For simplicity we recommend using layer 7 SNAT mode. This mode requires no changes to the Exchange Servers and enables the Exchange Servers to be located on any routable network.

Is SSL Offloading Required?

We generally recommend that SSL is terminated on the Exchange servers for scalability and effective load sharing. However, when using layer 7 SNAT mode, by default the client IP address is lost and is replaced by the load balancer’s own IP address. Therefore, Exchange audit logs contain the load balancer’s IP address and not the client’s.

If this is an issue for your environment, X-Forwarded-For headers can be inserted by the load balancer which then enables IIS on each Exchange server to be configured to log the client address – for more information, please refer to this Microsoft article. To allow the header to be inserted, SSL must be terminated on the load balancer. Once inserted, traffic is re-encrypted from the load balancer to the Exchange Servers.
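The client-address problem described under SSL Termination and Is SSL Offloading Required? can be illustrated with the following added example, which is not part of the original guide. It reads IIS W3C log lines that carry a custom X-Forwarded-For field and only trusts the header when the connecting peer (c-ip) is the load balancer. The load balancer address 10.0.0.5, the custom field name and the sample log lines are assumptions constructed for illustration, as is the assumption that the load balancer's own entry is the last address in the header.

```python
import ipaddress

# Assumption: 10.0.0.5 is the address the Exchange servers see for the load
# balancer in layer 7 SNAT mode. Replace with your appliance's address(es).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

# Assumption: the IIS custom log field for the request header was named
# "X-Forwarded-For"; the name is chosen when IIS logging is configured.
XFF_FIELD = "X-Forwarded-For"

# Constructed sample log (not real traffic). IIS writes "-" for an empty
# field and replaces spaces inside a value with "+".
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip sc-status X-Forwarded-For
2024-01-10 09:00:01 10.0.0.21 GET /owa/healthcheck.htm 443 10.0.0.5 200 -
2024-01-10 09:00:02 10.0.0.21 POST /owa/auth.owa 443 10.0.0.5 302 203.0.113.40
2024-01-10 09:00:03 10.0.0.21 POST /owa/auth.owa 443 10.0.0.5 302 10.9.9.9,+198.51.100.7
2024-01-10 09:00:04 10.0.0.21 GET /ecp/ 443 192.0.2.66 401 10.0.0.99
2024-01-10 09:00:05 10.0.0.21 GET /owa/ 443 10.0.0.5 200 not-an-ip
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or corrupt lines
                yield dict(zip(fields, values))


def effective_client(record, trusted=TRUSTED_PROXIES, xff_field=XFF_FIELD):
    """Return (client_ip, source) for one log record.

    The header is client-controlled, so it is used only when the TCP peer is
    a trusted proxy, and only the last entry (the one the proxy added) is
    taken. Anything a client sent in front of it is ignored.
    """
    peer = ipaddress.ip_address(record["c-ip"])
    raw = record.get(xff_field, "-")
    if raw in ("", "-"):
        return str(peer), "c-ip"
    if peer not in trusted:
        # Request reached the server without passing through the load
        # balancer, so the header value cannot be relied on.
        return str(peer), "xff-ignored-untrusted-peer"
    last = raw.replace("+", " ").split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(last)), "xff"
    except ValueError:
        return str(peer), "xff-malformed"


def resolve_log(text):
    """Return (uri, client_ip, source) for every entry in a W3C log."""
    return [(r["cs-uri-stem"],) + effective_client(r) for r in parse_w3c(text)]


if __name__ == "__main__":
    for row in resolve_log(SAMPLE_LOG):
        print(row)
```

Entries marked xff-ignored-untrusted-peer are worth reviewing on their own, since they show a connection that reached an Exchange server directly rather than through the VIP.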

- To configure the appliance using Layer 7 SNAT mode without SSL termination, refer to Appliance Configuration – Using Layer 7 SNAT Mode (without SSL Offload).
- To configure the appliance using Layer 7 SNAT mode with SSL termination, refer to Appliance Configuration – Using Layer 7 SNAT Mode (with SSL Offload).

Note: System Administrators typically want to lock down a receive connector to accept SMTP connections only from a controlled set of devices such as external smart mail hosts, printers, networked photocopiers etc. However, when using layer 7 SNAT mode, which is not transparent, this is not possible. Instead, we recommend using the load balancer’s built in firewall to configure SMTP lockdown as described in Configuring Firewall Rules to Lockdown SMTP.

Other Options:

1 - Configure a layer 4 VIP for SMTP rather than a layer 7 based VIP. Layer 4 is transparent by default so the source IP address is maintained. This is covered in Using
