SSL - KEMP Technologies

Load Balancing
Exchange 2010 in the real
Mahmoud Magdy
Senior Technical Architect
Exchange Server MVP
Alexander Sebestian
Pre-Sales & System
Engineering EMEA
KEMP Technologies
• Ireland: +353 61 260 101 • Germany: +49 511 367393 – 0
Load Balancing Fundamentals Roundup
Load Balancing Exchange 2010: Overview
Network Topology
Load Balancing Exchange 2010: Per-Service Details
Site Resilience
Sizing: Choosing the right LoadMaster (Hardware /
Introducing KEMP
• Established in year 2000
– Global HQ in New York
– EMEA HQ Ireland
– Local representation in many countries
• Pioneered Affordable Load Balancing & ADC
– Price 50% below other higher-end vendors (at same
– Named „Value Leader“ in Q4/2011 EMA analyst report
• Thousands of customers in EMEA
– Installation from 100s up to multiple 10,000s of mailboxes
• US & EMEA based Tech Support, Available 7 X 24
What is “Server Load Balancing” and why do we need it?
Problem: Availability
Error!
Single Server
Solution: Server Load Balancing
Service ok!
Problem: Performance
Single Server
Solution: Server Load Balancing
Service ok!
Server Load Balancing
• Client/Server Applications (TCP or UDP)
• „Whenever one Server is not enough.“
– Performance / Capacity
– Robustness / Availability
• Idea: Put a dispatcher in front of the Servers
– (In reality, you want two of them for the dispatcher's own redundancy)
Core Tasks
• Scheduling: Define how much each Server gets used
– Maybe we want even usage, maybe not
– Different strategies to determine the current
Scheduling & Balancing Methods
• Round Robin
• Weighted Round Robin
• Least Connection
• Weighted Least Connection
• Weighted Least Response Time
• Fixed Weighted
• Adaptive
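The balancing methods listed above, modelled in a few lines of Python as an added example (this is not KEMP code and says nothing about how the LoadMaster implements them; the server pool, weights, connection counts and response times are constructed for the demo). "Adaptive" is left out because it needs a load agent on the Real Servers; the weighted round robin shown is the "smooth" variant, which spreads weighted picks out instead of bursting them.

```python
"""Added example: the scheduling methods named on the slide, over a constructed pool."""
from itertools import cycle

# Constructed sample pool: name, configured weight, currently open connections,
# last measured response time in ms.  All values are made up for the demo.
SERVERS = [
    {"name": "cas1", "weight": 3, "connections": 12, "rtt_ms": 40.0},
    {"name": "cas2", "weight": 1, "connections": 4,  "rtt_ms": 90.0},
    {"name": "cas3", "weight": 2, "connections": 6,  "rtt_ms": 55.0},
]


class RoundRobin:
    """Plain rotation: every server gets the next request in turn."""
    def __init__(self, servers):
        self._it = cycle(servers)

    def pick(self):
        return next(self._it)


class WeightedRoundRobin:
    """Smooth weighted round robin: each call adds every server's weight to its
    running score, picks the highest score, then subtracts the total weight from
    the winner.  Over one cycle of `total` picks each server wins exactly
    `weight` times, without long runs on one server."""
    def __init__(self, servers):
        self.servers = servers
        self.total = sum(s["weight"] for s in servers)
        self.current = {s["name"]: 0 for s in servers}

    def pick(self):
        for s in self.servers:
            self.current[s["name"]] += s["weight"]
        best = max(self.servers, key=lambda s: self.current[s["name"]])
        self.current[best["name"]] -= self.total
        return best


def least_connection(servers):
    """Server with the fewest open connections right now."""
    return min(servers, key=lambda s: s["connections"])


def weighted_least_connection(servers):
    """Connections per unit of weight: a weight-3 box with 12 sessions is as
    'busy' as a weight-1 box with 4, so the weight-2 box with 6 wins here."""
    return min(servers, key=lambda s: s["connections"] / s["weight"])


def weighted_least_response_time(servers):
    """Measured response time scaled by weight."""
    return min(servers, key=lambda s: s["rtt_ms"] / s["weight"])


def fixed_weighted(servers):
    """Failover behaviour: always the highest-weight server while it is up."""
    return max(servers, key=lambda s: s["weight"])


def distribution(pick, n):
    """Count how many of n picks each server receives for a stateful scheduler."""
    counts = {}
    for _ in range(n):
        name = pick()["name"]
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    print("RR :", distribution(RoundRobin(SERVERS).pick, 6))
    print("WRR:", distribution(WeightedRoundRobin(SERVERS).pick, 6))
    print("LC :", least_connection(SERVERS)["name"])
    print("WLC:", weighted_least_connection(SERVERS)["name"])
```

Over six picks plain round robin gives 2/2/2 while weighted round robin gives 3/1/2, matching the configured weights; the connection- and response-time-based methods ignore history and look only at the current measurements, which is why they need the health checker (next slides) to keep those numbers honest.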
Core Tasks
• Session Persistence: Send Returning Client to same Server
– A.k.a. “Session Affinity”
– Based on suitable criteria - Cookies, Source IP, RDP token, Header, …
• Drawbacks of “Source IP” persistence
– Uneven distribution
– Lost sessions (Exchange: Re-Authentication)
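Both drawbacks of Source IP persistence, shown with a small persistence table in Python. This is an added example, not KEMP code: the table, the round-robin assignment of new keys and the request sample (80 users behind one NAT gateway at the documentation address 203.0.113.10, 20 users with their own addresses) are all constructed. The same table keyed on a per-user cookie shows the contrast.

```python
"""Added example: Source IP vs. cookie persistence over constructed requests."""
from itertools import cycle

SERVERS = ["cas1", "cas2"]


class PersistenceTable:
    """Maps a persistence key (source IP or cookie value) to a Real Server.
    Unknown keys are assigned round-robin; an entry idles out after `timeout`
    seconds, after which the client is assigned afresh."""
    def __init__(self, servers, timeout):
        self._rr = cycle(servers)
        self.timeout = timeout
        self._table = {}          # key -> (server, last_seen)

    def server_for(self, key, now):
        entry = self._table.get(key)
        if entry is None or now - entry[1] > self.timeout:
            server = next(self._rr)           # new or expired: (re)assign
        else:
            server = entry[0]
        self._table[key] = (server, now)
        return server


def constructed_requests():
    """80 users behind one NAT gateway plus 20 users with distinct addresses.
    Every user carries its own session cookie."""
    reqs = [{"src_ip": "203.0.113.10", "cookie": f"sess-nat-{i}"} for i in range(80)]
    reqs += [{"src_ip": f"198.51.100.{i + 1}", "cookie": f"sess-ext-{i}"} for i in range(20)]
    return reqs


def distribution(key_field, requests, now=0.0):
    """How many requests each server sees when persisting on `key_field`."""
    table = PersistenceTable(SERVERS, timeout=3600)
    counts = {s: 0 for s in SERVERS}
    for r in requests:
        counts[table.server_for(r[key_field], now)] += 1
    return counts


def session_lost_on_ip_change():
    """A client whose source address changes (proxy egress, mobile hand-over)
    is a new key to the table and may land on the other server: for Exchange
    that means re-authentication."""
    table = PersistenceTable(SERVERS, timeout=3600)
    first = table.server_for("198.51.100.7", now=0)
    later = table.server_for("198.51.100.8", now=1)
    return first != later


def session_kept_with_cookie():
    """Keyed on the cookie, the same client stays put whatever its address."""
    table = PersistenceTable(SERVERS, timeout=3600)
    first = table.server_for("sess-42", now=0)
    later = table.server_for("sess-42", now=1)
    return first == later


if __name__ == "__main__":
    print("by source IP:", distribution("src_ip", constructed_requests()))
    print("by cookie   :", distribution("cookie", constructed_requests()))
    print("lost on IP change:", session_lost_on_ip_change())
```

Keyed on the source address the NAT'd office becomes a single key and one server ends up with 90 of 100 requests; keyed on the cookie the split is 50/50. Outlook Anywhere cannot carry a cookie, which is why the consolidated HTTPS service later in this deck uses "Super HTTP" persistence rather than plain cookies.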
Core Tasks
• Health Checking: Do not use faulty Servers
– As reliable as possible - Application Level /
Server Health Checking
• Real Server Check Parameters:
– Verify that the Server is contactable from the LoadMaster
– TCP Connection Only: Verify that the LoadMaster can connect to the Real Server on the specified port
– HTTP/HTTPS: Waits for a valid response from the Webserver, i.e. 200 OK
– Regex Check
– Specific URL possible
– Mail: Waits for a valid response from the Mail Server, i.e. 220 SMTP Service Ready
• Should the Health Check fail, the server will be taken out of service
– Once the service is available again, the server will be put back in
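The application-level checks from this slide, as an added Python example (not KEMP code, and not how the LoadMaster implements them). `check_http` and `check_smtp` judge a raw response, `check_tcp` is the L4 "TCP Connection Only" probe, and `RealServer` keeps the in-service state: out after a failed check, back in as soon as a check passes again. The responses are constructed so the example runs offline; `check_http` accepts only 200 as the slide states, whereas a production checker would let you configure the accepted codes.

```python
"""Added example: HTTP / SMTP / TCP health checks and in-service tracking."""
import re
import socket
from typing import Optional


def check_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """L4 check: can we complete a TCP handshake to host:port?  (Needs a network.)"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_http(raw: bytes, body_regex: Optional[str] = None) -> bool:
    """Healthy if the status line says 200 and, optionally, the body matches
    body_regex.  Anything unparsable is a failure, never a pass."""
    head, _, body = raw.partition(b"\r\n\r\n")
    try:
        status_line = head.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return False
    m = re.match(r"HTTP/1\.[01] (\d{3}) ", status_line)
    if not m or m.group(1) != "200":
        return False
    if body_regex is not None and not re.search(body_regex, body.decode("utf-8", "replace")):
        return False
    return True


def check_smtp(banner: bytes) -> bool:
    """Healthy only if the greeting carries a 220 reply code."""
    try:
        line = banner.decode("ascii").split("\r\n", 1)[0]
    except UnicodeDecodeError:
        return False
    return re.match(r"220[ -]", line) is not None


class RealServer:
    """Tracks whether a Real Server may receive traffic."""
    def __init__(self, name: str, fail_threshold: int = 1):
        self.name = name
        self.in_service = True
        self.failures = 0
        self.fail_threshold = fail_threshold

    def record(self, healthy: bool) -> bool:
        """Feed one check result; returns the resulting in-service state."""
        if healthy:
            self.failures = 0
            self.in_service = True            # back in once it answers again
        else:
            self.failures += 1
            if self.failures >= self.fail_threshold:
                self.in_service = False       # taken out of service
        return self.in_service


def healthy_pool(servers):
    """Names of the servers the scheduler may currently use."""
    return [s.name for s in servers if s.in_service]


# Constructed sample responses (example.test is a reserved name)
OWA_OK = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
          b"<html><title>Outlook Web App</title></html>")
OWA_ERROR = b"HTTP/1.1 503 Service Unavailable\r\n\r\n"
SMTP_READY = b"220 hub1.example.test ESMTP Service ready\r\n"
SMTP_BUSY = b"421 hub1.example.test Service not available, closing transmission channel\r\n"


if __name__ == "__main__":
    pool = [RealServer("cas1"), RealServer("cas2")]
    pool[0].record(check_http(OWA_ERROR))
    pool[1].record(check_http(OWA_OK, r"Outlook Web App"))
    print("usable:", healthy_pool(pool))     # cas1 is out
    pool[0].record(check_http(OWA_OK))
    print("usable:", healthy_pool(pool))     # cas1 is back
```

The regex variant matters for OWA: a server can return 200 with a maintenance or error page, and only a body check catches that. A failure threshold above 1 trades detection speed for fewer flaps on a momentary timeout.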
Load Balancing Exchange 2010: Need for a Server Load Balancer
Microsoft NLB?
• WNLB can't be used on Exchange servers where mailbox DAGs are also being used (...)
• Due to performance issues, we don't recommend putting more than eight Client Access servers in an array that's load balanced by WNLB.
• WNLB doesn't detect service outages (...)
• WNLB configuration can result in port flooding, which can overwhelm networks.
• Because WNLB only performs client affinity using the source IP address, it's not an effective solution when the source IP pool is small (...)
Microsoft On Persistence („Affinity“)
Protocols That Require Client to Client Access Server Affinity
• Outlook Web App and the Exchange Control Panel
• Exchange Web Services
– Only a subset of Exchange Web Services requires affinity. Availability Service requests don't require affinity, but subscriptions do.
• Outlook RPC over TCP on the Intranet
Microsoft On Persistence („Affinity“)
Exchange Protocols That Benefit From Client to Client Access Server Affinity
• Outlook Anywhere
– When there's no affinity between these two types of connections, Outlook Anywhere tries to correlate the connections by coordinating with other members of the Client Access server array. This increases traffic between Client Access servers by about 50% for a two-server array and up to 100% for an array with a large number of servers.
• Exchange ActiveSync
• Exchange Address Book service
• Remote PowerShell
Without affinity, users will need to reauthenticate if a connection is interrupted.
Microsoft On Persistence („Affinity“)
Exchange Protocols That Don't Require Affinity
• Offline address book
• Autodiscover service
Not covered in this TechNet article:
• SMTP (Hub and Edge Transport)
KEMP LoadMaster Deployment Guide
KEMP LoadMaster
Deployment Guide
for Exchange 2010
Exchange 2010 Templates
LoadMaster Deployment Guide
• Part of Microsoft's Certification for all KEMP
• Covers Basics, Specifics, and multiple
– Choose what's best for you!
• Even more detailed than this Webinar
Financially, you will impress your boss!
The normal setup requires 4 servers (2 HUB/CAS, 2 Mailbox).
The standard server from HP (DL 360 1 CPU 16 GB) starts at 1,900 USD approx. - thus TCO will be around 3,800 USD.
The standard VM appliance from KEMP starts at 2,230 USD (incl. 1st year of support!)
Expected saving (not mentioning management, monitoring, patching, power, etc.).
Microsoft discontinuing TMG and 4 other
Microsoft informed about changes to the roadmaps of some of the security solutions made available under the Forefront brand; now they announced discontinuing any further releases of the Forefront-branded solutions.
„Forefront TMG :( it will be a huge effort to replace
„We are looking for a replacement of TMG. Background: secured access to the Intranet (Sharepoint). Does anyone know about alternatives?“
Microsoft TMG Scenario
KEMP ESP (Edge Security Pack)
KEMP ESP key features
• End Point Authentication for Pre-Auth
• Persistent Logging and Reporting for User Logging
• Single Sign On across Virtual Services
• LDAP authentication from the LoadMaster to the Active Directory
• NTLM and Basic authentication communication from a Client to the LoadMaster
• ESP Roll Out expected for June 2013
• Existing LoadMaster customers will be eligible for an upgrade (for details, please contact KEMP Technologies)
• VLM customers will be provided with a software upgrade
Topologies & Transparency
One-Armed Setup
Two-Armed Setup
Advanced Options
• General requirement: Real Server's response must flow back through the
– Technical exception: "DSR" setups – see manual - not
• This can be tricky if the Real Server knows a different Route (e.g. default gateway) back to the Client!
• But would the Real Server know the Client's actual IP in the first place?
• Transparency: LoadMaster will pass along the original source IP address of the Client
• Non-Transparency: LoadMaster will NAT the address so the source IP address appears to be the LoadMaster
Transparency can only work if
• The Real Server's default gateway points to the LoadMaster
• The default gateway is actually used, i.e. no Clients reside in the Real Server's local IP subnet
Disabling Transparency
• Transparency can be set per Virtual Service
• Can only be disabled for L7 services
Some Services must be L7 – e.g. if SSL Accelerated – thus no „Force“
• Not available with „SSL Re-Encryption“ (see below)
HTTP/S Services
SSL Tunneling
CAS Responsibilities
• Key Exchange
• Setup/Teardown SSL (-> TPS, transactions per second)
• Bulk Encrypt/Decrypt
• Manage Multiple SSL Certificates
• Serve Web Content
• SSL on servers is expensive
SSL = Performance Hit
SSL Offloading
Offload and Accelerate
• Key Exchange
• Setup/Teardown SSL
• Bulk Encrypt/Decrypt
• Manage a Single SSL Certificate
L7 Persistence
• Enables L7 Persistence with SSL
100 – 10,000 SSL TPS
Web Server must not send clients to http:// !
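The "must not send clients to http://" warning, made checkable. With offloading the CAS sees plain HTTP, so any absolute redirect it builds from its own scheme points at http://; an HTTPS client following it lands on port 80. The added Python below (not KEMP code, and not a description of LoadMaster features) parses a Real Server response, lists Location headers that would send a client back to plain HTTP on the load-balanced hostname, and rewrites them to https:// the way a fix-up on the virtual service would. The hostname mail.example.test and the responses are constructed.

```python
"""Added example: detect and rewrite http:// redirects behind an SSL offloader."""
import re
from typing import List, Tuple

Header = Tuple[str, str]


def parse_headers(raw: bytes) -> Tuple[str, List[Header]]:
    """Split a raw HTTP response into its status line and (name, value) headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def insecure_redirects(raw: bytes, public_host: str) -> List[str]:
    """Location values that would push an HTTPS client to plain HTTP on the
    load-balanced hostname.  Redirects to other sites are not our business."""
    _, headers = parse_headers(raw)
    pattern = re.compile(r"(?i)^http://" + re.escape(public_host) + r"(:\d+)?(/|$)")
    return [value for name, value in headers
            if name.lower() == "location" and pattern.match(value)]


def rewrite_for_offload(raw: bytes, public_host: str) -> bytes:
    """Rewrite matching Location headers to https://, dropping an explicit :80.
    Header order, the status line and the body are left untouched."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    pattern = re.compile(rb"(?im)^(Location:\s*)http://("
                         + re.escape(public_host.encode()) + rb")(?::80)?(/|\r|$)")
    return pattern.sub(rb"\1https://\2\3", head) + sep + body


# Constructed sample responses
CAS_RESPONSE = (b"HTTP/1.1 302 Found\r\n"
                b"Location: http://mail.example.test/owa/\r\n"
                b"Content-Length: 0\r\n\r\n")
OTHER_SITE = b"HTTP/1.1 302 Found\r\nLocation: http://www.example.org/\r\n\r\n"


if __name__ == "__main__":
    print("bad redirects:", insecure_redirects(CAS_RESPONSE, "mail.example.test"))
    fixed = rewrite_for_offload(CAS_RESPONSE, "mail.example.test")
    print(fixed.decode("iso-8859-1"))
```

Running the detector against a sample of real responses from the CAS before switching a service to offloading is a cheap way to find the pages (OWA logon redirects are the usual suspects) that need either the IIS-side change the Deployment Guide describes or a rewrite rule on the load balancer. Re-Encryption avoids the problem altogether because the CAS still speaks HTTPS.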
SSL Re-Encryption
LoadMaster has Access to L7
Separate SSL connection to the CAS
CAS works on HTTPS (=default)
• Encrypted Traffic can be load balanced („tunneled“)
• Or… can be decrypted on the LoadMaster
– Performance boost through SSL Acceleration Hardware, saves CPU on the servers (even more on 2048/4096 bit!)
– Access to Application Level -> Quality Load Balancing
– Single point of maintenance (Certificate renewal, …)
• HTTPS and all other TCP (POP3, IMAP4, ...)
• Optional Re-Encryption between LoadMaster and Server
HTTP/S handling options
SSL Tunneling
+ Simple Setup
+ No SSL Load on LoadMaster
- Affinity Issues (only „Source IP“ possible)
- No Layer 7 features
SSL Offloading
+ Quality Load Balancing
+ Acceleration
- CAS Changes Needed
- SSL Load on LoadMaster
SSL Re-Encryption
+ Quality Load Balancing
+ Zero CAS Changes
- More SSL Load on LoadMaster
- Only Non-Transparent
SSL Details
• Key Size? Min. 2048 Bit recommended
• Remember: Multiple concurrent connections per client!
• „UCC / SAN“ certificates for multiple domains in one service
Multiple or Consolidated?
• You can set up one LoadMaster Service per
• Or you can use one LoadMaster for everything
– This is common practice.
Consolidated HTTPS Service Setup
• Choose SSL Acceleration
– With or without Re-Encryption
• Choose „Super HTTP“ Persistence
– Some Clients (Outlook Anywhere!) do not support Cookie Persistence
– Long Persistence Timeout recommended
• For Health Check URL, enter „/owa“
• MAPI can be changed to use a static TCP port, but a dynamic port range is the default.
– Both work fine; no opinion here
– In the Webinar, we assume the default behavior (i.e. port
• Set Port to „*“
• „Force L7“ is important!
• Choose Source IP Persistence
– Long Persistence Timeout recommended
• Idle Connection Timeout = 86400 (i.e. one day)
• Real Server Check = „TCP Connection Only“, Port 135
• SSL (=TLS) Acceleration available for POP3 /
– But: Service cannot be used without SSL (TLS)
– Makes sense if you need extra performance
– Turn off TLS on the CAS (see Deployment Guide for
• No Persistence needed
• Idle Connection Timeout = 3600 (i.e. one hour)
• Standard TCP Ports (110/143)
– Will automatically enable Application Level Health
SMTP (Transport Services)
• SSL (=TLS) Acceleration available for SMTP
– Opportunistic („STARTTLS if requested“)
– Turn off TLS on the CAS (see Deployment Guide for details)
• No Persistence needed
• Idle Connection Timeout = 120
• Standard TCP Port (25)
– Will automatically enable Application Level Health
SMTP vs. Transparency
Need to see Source IP for Relaying Control?
• Set up for Transparency (see above)
• Use DSR (not recommended)
• Or: Move the Control onto the LoadMaster by using per-Virtual Service Access Control Lists
Global Settings
Drop Connections on RS failure
• Drop Connections on RS failure
• Disable „S-NAT“ (for outbound traffic)!
Drain Stopping
• You may want to increase this, too
Connection Scaling
• For more than 64k concurrent connections (with Non-Transparency), enable multiple Source IPs – one NAT source address offers only about 64k ports towards each Real Server
KEMP Multi-Site Scenarios
Two Locations, one Pair of LoadMasters
• Requires Ethernet Connection!
GEO Loadmaster
But what if you want
- independent
- distributed
- more than two data centers?
• GLM - The GEO LoadMaster
Site Failover
Load Distribution among Data Centers
Customer direction to specific servers (i.e. content)
Location Awareness
“Location Based” Policy
GEO LoadMaster
• Works as a "rule-based DNS"
• Multiple Rule Sets
– Round Robin
– Weighted Round Robin
– Failover ("Fixed Weighted")
– Real Server Load (requires on-premise
– Location Based
– Regional
GEO LoadMaster
• Be careful with full automation for Exchange
– Especially for fail-back – possible data corruption!
– Details available from Microsoft
– GEO LoadMaster supports configurable Recovery
Choosing the right LoadMaster
(Hardware / Virtual)
LoadMaster Models
• KEMP Server Load Balancers come in two flavors:
– Hardware Load Balancers
– Virtual Appliances (Identical Product!) for VMware and Hyper-V
• All have the same Feature Set
– Fully enabled, no extra licensing
• Free trial available!
– Evaluation Hardware available, too
LoadMaster Model Matrix
No extra licensing: All models have the full featureset (different in Performance and Ports)
For Active/Hot-Standby configuration, order quantity 2 (two), HA License at No Extra Cost
Sizing Guide
• Sizing: Needs experience
• Simple Rules of Thumb:
– Hundreds of mailboxes -> LM-2200
– A few thousand mailboxes -> LM-2600
– Higher: Need closer look
– Typical bottlenecks are Throughput or SSL TPS
• Sizing Guide for Exchange 2010:
KEMP Wins Q4/2011 Analyst Report
Thank you!
• Questions?
• Thank you very much for attending!
• Contact
– Email: [email protected]
• Resources
– VLM Download
– Community Forums (and .de)
– Blogsite
– Exchange Sizing Tool