SSL - KEMP Technologies

Report
Load Balancing
Exchange 2010 in the real
world
Mahmoud Magdy
Senior Technical Architect
Exchange Server MVP
Alexander Sebestian
Pre-Sales & System
Engineering EMEA
KEMP Technologies
• Ireland: +353 61 260 101 • Germany: +49 511 367393 – 0
Introduction
• Mahmoud Magdy
Senior Technical Architect
Exchange Server MVP
• Alexander Sebestian
Pre-Sales & System Engineering EMEA at
KEMP Technologies
Agenda
•
•
•
•
•
•
Load Balancing Fundamentals Roundup
Load Balancing Exchange 2010: Overview
Network Topology
Load Balancing Exchange 2010: Per-Service Details
Site Resilience
Sizing: Choosing the right LoadMaster (Hardware /
Virtual)
Introducing KEMP
• Established in year 2000
– Global HQ in New York
– EMEA HQ Ireland
– Local representation in many countries
• Pioneered Affordable Load Balancing & ADC
– Price 50% below other higher-end vendors (at same
performance)
– Named „Value Leader“ in Q4/2011 EMA analyst report
• Thousands of customers in EMEA
– Installation from 100s up to multiple 10,000s of mailboxes
• US & EMEA based Tech Support, Available 7 X 24
What is “Server Load Balancing”
and why do we need It?
Problem: Availability
Er ror!
Single Server
Solution: Server Load Balancing
Ser vice ok!
Virtual
Service
Problem: Performance
Overload!
Single Server
Solution: Server Load Balancing
Ser vice ok!
Virtual
Service
Server Load Balancing
• Client/Server Applications (TCP or UDP)
• „Whenever one Server is not enough.“
– Performance / Capacity
– Robustness / Availability
• Idea: Put a dispatcher in front of the Servers
– (In reality, you want two for it‘s own redundancy)
Core Tasks
• Scheduling: Define how much each Server
gets used
– Maybe we want even usage, maybe not
– Different strategies to determine the current
usage
Scheduling
Internet
Scheduling &
Balancing Methods
• Round Robin
• Weighted Round Robin
• Least Connection
• Weighted Least Connection
• Weighted Least Response Time
• Fixed Weighted
• Adaptive
Server 1
Server 2
Core Tasks
• Session Persistence: Send Returning Client to
same Server
– A.k.a. “Session Affinity”
– Based on suitable criteria - Cookies, Source IP, RDP
token, Header, …
• Drawbacks of “Source IP” persistence
– Uneven distribution
– Lost sessions (Exchange: Re-Authentication)
Core Tasks
• Health Checking: Do not use faulty Servers
– As reliable as possible - Application Level /
Scriptable
Server Health Checking
• Real Server Check Parameters:
– ICMP
• Verify that the Server is contactable from the LoadMaster
– TCP Connection Only
• Verify that the LoadMaster can connect to the Real Server on the specified port
– HTTP/HTTPS
• Waits for a valid response from the Webserver, i.e. 200 OK
• Regex Check
• Specific URL possible
– Mail (SMTP)/IMAP/POP3
• Waits for a valid response from the Mail Server, i.e. 220 SMTP Service Ready
• Should the Health Check fail, the server will be taken out of service
-> Once the service is available again the server will be put back in
service
Load Balancing Exchange 2010:
Overview
Need for Server Load Balanced
Microsoft NLB?
• WNLB can't be used on Exchange servers where mailbox DAGs
are also being used (...)
• Due to performance issues, we don't recommend putting more
than eight Client Access servers in an array that's load balanced
by WNLB.
• WNLB doesn't detect service outages (...)
• WNLB configuration can result in port flooding, which can
overwhelm networks.
• Because WNLB only performs client affinity using the source IP
address, it's not an effective solution when the source IP pool is
small (...)
http://technet.microsoft.com/en-us/library/ff625247.aspx#options
Microsoft On Persistence („Affinity“)
Protocols That Require Client to Client Access
Server Affinity
• Outlook Web App and the Exchange Control Panel
• Exchange Web Services
• Only a subset of Exchange Web Services requires affinity. Availability Service requests don't
require affinity, but subscriptions do.
• Outlook RPC over TCP on the Intranet
http://technet.microsoft.com/en-us/library/ff625248.aspx
Microsoft On Persistence („Affinity“)
Exchange Protocols That Benefit From Client to
Client Access Server Affinity
• Outlook Anywhere
• When there's no affinity between these two types of connections, Outlook Anywhere tries to
correlate the connections by coordinating with other members of the Client Access server array.
This increases traffic between Client Access servers by about 50% for a two-server array and up to
100% for an array with a large number of servers.
• Exchange ActiveSync
• Exchange Address Book service
• Remote PowerShell
Without affinity, users will need to reauthenticate if a connection is interrupted.
http://technet.microsoft.com/en-us/library/ff625248.aspx
Microsoft On Persistence („Affinity“)
Exchange Protocols That Don't Require Affinity
•
•
•
•
Offline address book
Autodiscover service
POP3
IMAP4
Not covered in this TechNet article:
• SMTP (Hub and Edge Transport)
http://technet.microsoft.com/en-us/library/ff625248.aspx
KEMP LoadMaster Deployment Guide
KEMP LoadMaster
Deployment Guide
for Exchange 2010
&
Exchange 2010 Templates
kemptechnologies.com/documentation/
LoadMaster Deployment Guide
• Part of Microsoft‘s Certification for all KEMP
LoadMasters
• Covers Basics, Specifics, and multiple
scenarios
– Choose what‘s best for you!
• Even more detailed than this Webinar
Financially, you will impress your boss!
The normal setup requires 4 servers
(2 HUB/CAS , 2 Mailbox).
The standard server from HP (DL 360 1 CPU 16 GB) starts at
1,900 USD approx. - thus TCO will be around 3,800 USD.
The standard VM appliance from KEMP starts at 2.230 USD
(incl 1st year of support!)
Expected saving (Not mentioning management, monitoring,
patching, power..etc).
Microsoft discontinuing TMG and 4 other
Forefront-products
Microsoft informed about changes to the roadmaps of some of
the security solutions made available under the Forefront
brand- now they announced discontinuing any further
releases of the Forefront-branded solutions.
„Forefront TMG :( it will be a hugde effort to replace
that*sigh*.“
„We are looking for a replacement of TMG. Background:
secured access to the Intranet (Sharepoint). Does anyone know
about alternatives?“
Microsoft TMG Scenario
X
KEMP ESP (Edge Security Pack)
KEMP ESP key features
•
•
•
•
•
End Point Authentication for Pre-Auth
Persistent Logging and Reporting for User Logging
Single Sign On across Virtual Services
LDAP authentication from the LoadMaster to the Active Directory
NTLM and Basic authentication communication from a Client to
the LoadMaster
• ESP Roll Out expected for June 2013
• Existing LoadMaster customers will be eligible for an upgrade
(for details, please contact KEMP Technologies; )
• VLM customers will be provided with a software upgrade
Topologies & Transparency
One-Armed Setup
Two-Armed Setup
Advanced Options
Transparency
• General requirement:
Real Server's response must flow back through the
LoadMaster
– Technical exception: "DSR" setups – see manual - not
recommended
• This can be tricky if the Real Server knows a
different Route
(e.g. default gateway) back to the Client!
• But would the Real Server know
the Client's actual IP in the first place???
Transparency
• Transparency
LoadMaster will pass along the original source IP address of
the Client
• Non-Transparency
LoadMaster will NAT the address so the source IP address
appears to be the LoadMaster
Transparency can only work if
• The Real Server's default gateway points to the LoadMaster
AND
• The default gateway is actually used, i.e. no Clients reside in
the Real Server's local IP subnet
Disabling Transparency
• Transparency can be set per Virtual Service
• Can only be disabled for L7 services

Some Services must be L7 – e.g. if SSL Accelerated – thus no „Force“
• Not available with „SSL Re-Encryption“ (see below)
HTTP/S Services
SSL Tunneling
Internet
CAS Responsibilities
HTTPS://
• Key Exchange
• Setup/Teardown SSL
-> TPS
• Bulk Encrypt/Decrypt
• Manage Multiple SSL Certificates
• Serve Web Content
• SSL on servers is expensive
Server 1
Server 2
SSL = Performance Hit
SSL Offloading
Internet
Offload and Accelerate
• Key Exchange
HTTPS://
• Setup/Teardown SSL
• Bulk Encrypt/Decrypt
SSL ASIC
• Manage Single SSL Certificates
HTTP://
L7 Persistence
• Enables L7 Persist. with SSL
100 – 10,000 SSL TPS
Important:
Web Server must not send clients to HTTP:// !!!
Server 1
Server 2
SSL Re-Encryption
Internet
HTTPS://
Re-Encryption
SSL ASIC
HTTP://
HTTPS://
Server 1
Server 2
•
LoadMaster has Access to L7
•
Separate SSL connection to the CAS
•
Security
•
CAS works on HTTPS (=default)
SSL
Summary:
Encrypted Traffic can be load balanced („tunneled“)
• Or… can be decrypted on the LoadMaster
– Performance boost through SSL Acceleration Hardware,
saves CPU on the servers (even more on 2048/4096 bit!)
– Access to Application Level -> Quality Load Balancing
– Single point of maintenance (Certificate renewal, …)
• HTTPS and all other TCP (POP3, IMAP4, ...)
• Optional Re-Encryption between LoadMaster and Server
HTTP/S handling options
Option
Pro
Con
SSL Tunneling
+ Simple Setup
+ No SSL Load on LoadMaster
- Affinity Issues
(only „Source IP“ possible)
- No Layer 7 features
SSL Offloading
+ Quality Load Balancing
+ Acceleration
- CAS Changes Needed
- SSL Load on LoadMaster
SSL Re-Encryption
+ Quality Load Balancing
+ Zero CAS Changes
- More SSL Load on LoadMaster
- Only Non-Transparent
SSL Details
• Key Size? Min. 2048 Bit recommended
• Remember: Multiple concurrent connections
per client!
• „UCC / SAN“ certificates for multiple domains
in one service
Multiple or Consolidated?
• You can setup one LoadMaster Service per
HTTPS CAS Service
• Or you can use one LoadMaster for everything
– This is common practice.
Consolidated HTTPS Service Setup
• Choose SSL Acceleration
– With or without Re-Encryption
• Choose „Super HTTP“ Persistence
– Some Clients (Outlook Anywhere!) do not support
Cookie Persistance
– Long Persistence Timeout recommended
• For Health Check URL, enter „/owa“
MAPI / RPC
MAPI
• MAPI can be changed to use a static TCP port,
but a dynamic port range is the default.
– Both work ok, no opinion here
– In the Webinar, we assume the default behavior (i.e. port
range)
• Set Port to „*“
• „Force L7“ is important!
• Choose Source IP Persistence
– Long Persistence Timeout recommended
• Idle Connection Timeout = 86400 (i.e. one day)
• Real Server Check = „TCP Connection Only“, Port 135
POP3 / IMAP4 / SMTP
POP3 / IMAP4
• SSL (=TLS) Acceleration available for POP3 /
IMAP4
– But: Service cannot be used without SSL (TLS)
– Makes sense if you need extra performance
– Turn off TLS on the CAS (see Deployment Guide for
details)
• No Persistence needed
• Idle Connection Timeout = 3600 (i.e. one hour)
• Standard TCP Ports (110/143)
– Will automatically enable Application Level Health
Checking
SMTP (Transport Services)
• SSL (=TLS) Acceleration available for SMTP
– Opportunistic („STARTTLS if requested“)
– Turn off TLS on the CAS (see Deployment Guide
for details)
• No Persistence needed
• Idle Connection Timeout = 120
• Standard TCP Port (25)
– Will automatically enable Application Level Health
Checking
SMTP vs. Transparency
Need to see Source IP for Relaying Control?
• Set up for Transparency (see above)
• Use DSR (not recommended)
• Or: Move the Control on the LoadMaster
by using per-Virtual Service Access Control Lists
(ACLs)
Global Settings
Drop Connections on RS failure
• Drop Connections on RS failure
S-NAT
• Disable „S-NAT“ (for outbound traffic)!
Drain Stopping
• You may want to increase this, too
Connection Scaling
• For >64k (with Non-Transparency), enable
multiple Source IPs
KEMP Multi-Site Scenarios
Two Locations, one Pair of LoadMaster
• Requires Ethernet Connection!
GEO Loadmaster
But what if you want
- independent
- distributed
- more than two data centers???
• GLM - The GEO LoadMaster
–
–
–
–
Site Failover
Load Distribution among Data Centers
Customer direction to specific servers (i.e. content)
Location Awareness
“Location Based” Policy
GEO LoadMaster
• Works as an "rule-based DNS"
• Multiple Rule Sets
– Round Robin
– Weighted Round Robin
– Failover ("Fixed Weighted")
– Real Server Load (requires on-premise
LoadMasters)
– Location Based
– Regional
GEO LoadMaster
GEO LoadMaster
• Be careful with full automation for Exchange
– Especially for fail-back – possible data corruption!
– Details available from Microsoft
– GEO LoadMaster supports configurable Recovery
Behavior
Sizing:
Choosing the right LoadMaster
(Hardware / Virtual)
LoadMaster Models
• KEMP Server Load Balancers come in two flavors:
– Hardware Load Balancers
– Virtual Appliances (Identical Product!) for VMware
and Hyper-V
• All have the same Feature Set
– Fully enabled, no extra licensing
• Free trial available!
– kemptechnologies.com/try
– Evaluation Hardware available, too
LoadMaster Model Matrix
No extra licensing: All models have the full featureset (different in Performance and Ports)
For Active/Hot-Standby configuration, order quantity 2 (two), HA License at No Extra Cost
Sizing Guide
• Sizing: Needs experience
• Simple Rule-Of-Thumbs:
– Hundreds of mailboxes -> LM-2200
– Really few thousand mailboxes -> LM-2600
– Higher: Need closer look
– Typical bottlenecks are Throughput or SSL TPS
• Sizing Guide for Exchange 2010:
kemptechnologies.com/sizing-exchange2010/
KEMP Wins Q4/2011 Analyst Report
www.enterprisemanagement.com/research/asset.php/2108/Free-Summary:-EMA-Radar-for-Application-Delivery-Controllers-and-Load-Balancers:-Q4-2011
Thank you!
• Questions?
• Thank you very much for attending!
• Contact
– www.kemptechnologies.com/contact-support/
– Email: emeasupport@kemptechnologies.com
• Resources
–
–
–
–
–
www.kemptechnologies.com/documentation/
www.kemptechnologies.com/try/ - VLM Download
forums.kemptechnologies.com - Community Forums
www.loadbalancerblog.com (and .de) – Blogsite
www.kemptechnologies.com/sizing-exchange2010/ Exchange Sizing Tool

similar documents