Load Balancing Exchange 2010 in the real world Mahmoud Magdy Senior Technical Architect Exchange Server MVP Alexander Sebestian Pre-Sales & System Engineering EMEA KEMP Technologies • Ireland: +353 61 260 101 • Germany: +49 511 367393 – 0
Introduction • Mahmoud Magdy, Senior Technical Architect, Exchange Server MVP • Alexander Sebestian, Pre-Sales & System Engineering EMEA at KEMP Technologies
Agenda • Load Balancing Fundamentals Roundup • Load Balancing Exchange 2010: Overview • Network Topology • Load Balancing Exchange 2010: Per-Service Details • Site Resilience • Sizing: Choosing the right LoadMaster (Hardware / Virtual)
Introducing KEMP • Established in year 2000 • Global HQ in New York • EMEA HQ Ireland • Local representation in many countries • Pioneered Affordable Load Balancing & ADC • Price 50% below other higher-end vendors (at same performance) • Named "Value Leader" in Q4/2011 EMA analyst report • Thousands of customers in EMEA • Installations from 100s up to multiple 10,000s of mailboxes • US & EMEA based Tech Support, available 7 x 24
Server Load Balancing • Client/Server Applications (TCP or UDP) • "Whenever one Server is not enough." • Performance / Capacity • Robustness / Availability • Idea: Put a dispatcher in front of the Servers • (In reality, you want two for its own redundancy)
Core Tasks • Scheduling: Define how much each Server gets used • Maybe we want even usage, maybe not • Different strategies to determine the current usage
Scheduling (diagram: Internet -> LoadMaster -> Server 1 / Server 2) Scheduling & Balancing Methods • Round Robin • Weighted Round Robin • Least Connection • Weighted Least Connection • Weighted Least Response Time • Fixed Weighted • Adaptive
Core Tasks • Session Persistence: Send Returning Client to same Server • A.k.a. “Session Affinity” • Based on suitable criteria - Cookies, Source IP, RDP token, Header, … • Drawbacks of “Source IP” persistence • Uneven distribution • Lost sessions (Exchange: Re-Authentication)
Core Tasks • Health Checking: Do not use faulty Servers • As reliable as possible - Application Level / Scriptable
Server Health Checking • Real Server Check Parameters: • ICMP • Verify that the Server is contactable from the LoadMaster • TCP Connection Only • Verify that the LoadMaster can connect to the Real Server on the specified port • HTTP/HTTPS • Waits for a valid response from the Webserver, i.e. 200 OK • Regex Check • Specific URL possible • Mail (SMTP)/IMAP/POP3 • Waits for a valid response from the Mail Server, i.e. 220 SMTP Service Ready • Should the Health Check fail, the server will be taken out of service -> once the service is available again, the server will be put back in service
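As an added illustration (not KEMP's or the LoadMaster's own code) of the two core tasks above, scheduling and health checking: this Python model evaluates HTTP and SMTP check responses the way the slide describes and feeds the result into a weighted round robin dispatcher that only hands out servers currently in service. Server names and the check responses are constructed.

```python
import re

class RealServer:
    """A back-end server as seen by the load balancer (names are constructed)."""
    def __init__(self, name, weight=1):
        self.name = name
        self.weight = weight        # share of traffic under weighted round robin
        self.in_service = True      # flipped by the health-check result

def http_check_ok(raw_response, body_regex=None):
    """HTTP/HTTPS check: the status line must be 200 OK; if a regex is given,
    the body must also match it (the slide's 'Regex Check')."""
    head, _, body = raw_response.partition("\r\n\r\n")
    status_line = head.split("\r\n", 1)[0]
    if not re.match(r"HTTP/1\.[01] 200\b", status_line):
        return False
    return body_regex is None or re.search(body_regex, body) is not None

def smtp_check_ok(banner):
    """Mail (SMTP) check: a healthy server greets with a 220 banner."""
    return banner.startswith("220 ")

class Dispatcher:
    """Weighted round robin restricted to servers that passed their last check."""
    def __init__(self, servers):
        self.servers = servers
        self._cursor = 0

    def record_check(self, name, passed):
        # Failed check -> out of service; next passing check -> back in service.
        for server in self.servers:
            if server.name == name:
                server.in_service = passed

    def available(self):
        return [s.name for s in self.servers if s.in_service]

    def next_server(self):
        # Expand weights into a ring (weight 2 appears twice) and walk it.
        ring = [s.name for s in self.servers if s.in_service
                for _ in range(s.weight)]
        if not ring:
            raise RuntimeError("no real server in service")
        self._cursor %= len(ring)
        choice = ring[self._cursor]
        self._cursor += 1
        return choice
```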
Microsoft NLB? • WNLB can't be used on Exchange servers where mailbox DAGs are also being used (...) • Due to performance issues, we don't recommend putting more than eight Client Access servers in an array that's load balanced by WNLB. • WNLB doesn't detect service outages (...) • WNLB configuration can result in port flooding, which can overwhelm networks. • Because WNLB only performs client affinity using the source IP address, it's not an effective solution when the source IP pool is small (...) http://technet.microsoft.com/en-us/library/ff625247.aspx#options
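Added simulation (not part of the slides) of the "uneven distribution" drawback of Source IP persistence from the Core Tasks slide and the "small source IP pool" point above: 400 users behind a NAT or proxy with two public addresses are placed by source IP versus by an L7 cookie. The CAS names, addresses and the hash used to model source-IP stickiness are constructed assumptions.

```python
import hashlib
from collections import Counter

SERVERS = ["cas1", "cas2", "cas3", "cas4"]   # constructed CAS array

def source_ip_server(src_ip, servers=SERVERS):
    """Source IP persistence modelled as a stable hash of the client address:
    every connection from one address lands on the same server."""
    digest = hashlib.sha256(src_ip.encode()).digest()
    return servers[int.from_bytes(digest[:4], "big") % len(servers)]

class CookiePersistence:
    """L7 persistence: a new client is placed round robin and receives a
    cookie; later requests carrying the cookie follow it to the same server."""
    def __init__(self, servers=SERVERS):
        self.servers = servers
        self._rr = 0

    def route(self, cookie=None):
        if cookie in self.servers:
            return cookie
        chosen = self.servers[self._rr % len(self.servers)]
        self._rr += 1
        return chosen

def source_ip_distribution(client_ips, servers=SERVERS):
    """How many clients each server receives under source IP persistence."""
    return Counter(source_ip_server(ip, servers) for ip in client_ips)

def cookie_distribution(num_clients, servers=SERVERS):
    """The same number of new clients under cookie persistence."""
    lb = CookiePersistence(servers)
    return Counter(lb.route() for _ in range(num_clients))

# Constructed scenario: 400 users, all behind a NAT/proxy with two public
# addresses, so the load balancer sees only two distinct source IPs.
NAT_CLIENTS = ["203.0.113.10"] * 300 + ["203.0.113.11"] * 100

def simulate():
    return source_ip_distribution(NAT_CLIENTS), cookie_distribution(len(NAT_CLIENTS))

if __name__ == "__main__":
    by_ip, by_cookie = simulate()
    print("source IP persistence:", dict(by_ip))      # at most 2 servers busy
    print("cookie persistence:   ", dict(by_cookie))  # 100 clients per server
```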
Microsoft On Persistence ("Affinity") Protocols That Require Client to Client Access Server Affinity • Outlook Web App and the Exchange Control Panel • Exchange Web Services • Only a subset of Exchange Web Services requires affinity. Availability Service requests don't require affinity, but subscriptions do. • Outlook RPC over TCP on the Intranet http://technet.microsoft.com/en-us/library/ff625248.aspx
Microsoft On Persistence ("Affinity") Exchange Protocols That Benefit From Client to Client Access Server Affinity • Outlook Anywhere • When there's no affinity between these two types of connections, Outlook Anywhere tries to correlate the connections by coordinating with other members of the Client Access server array. This increases traffic between Client Access servers by about 50% for a two-server array and up to 100% for an array with a large number of servers. • Exchange ActiveSync • Exchange Address Book service • Remote PowerShell Without affinity, users will need to reauthenticate if a connection is interrupted. http://technet.microsoft.com/en-us/library/ff625248.aspx
Microsoft On Persistence ("Affinity") Exchange Protocols That Don't Require Affinity • Offline address book • Autodiscover service • POP3 • IMAP4 Not covered in this TechNet article: • SMTP (Hub and Edge Transport) http://technet.microsoft.com/en-us/library/ff625248.aspx
KEMP LoadMaster Deployment Guide • KEMP LoadMaster Deployment Guide for Exchange 2010 & Exchange 2010 Templates • kemptechnologies.com/documentation/
LoadMaster Deployment Guide • Part of Microsoft's Certification for all KEMP LoadMasters • Covers Basics, Specifics, and multiple scenarios • Choose what's best for you! • Even more detailed than this Webinar
Financially, you will impress your boss! The normal setup requires 4 servers (2 HUB/CAS, 2 Mailbox). The standard server from HP (DL 360, 1 CPU, 16 GB) starts at 1,900 USD approx. - thus TCO will be around 3,800 USD. The standard VM appliance from KEMP starts at 2,230 USD (incl. 1st year of support!) Expected saving (not mentioning management, monitoring, patching, power, etc.).
Microsoft discontinuing TMG and 4 other Forefront products Microsoft informed about changes to the roadmaps of some of the security solutions made available under the Forefront brand - now they announced discontinuing any further releases of the Forefront-branded solutions. "Forefront TMG :( it will be a huge effort to replace that *sigh*." "We are looking for a replacement of TMG. Background: secured access to the Intranet (Sharepoint). Does anyone know about alternatives?"
KEMP ESP key features • End Point Authentication for Pre-Auth • Persistent Logging and Reporting for User Logging • Single Sign On across Virtual Services • LDAP authentication from the LoadMaster to the Active Directory • NTLM and Basic authentication communication from a Client to the LoadMaster • ESP Roll Out expected for June 2013 • Existing LoadMaster customers will be eligible for an upgrade (for details, please contact KEMP Technologies) • VLM customers will be provided with a software upgrade
Transparency • General requirement: Real Server's response must flow back through the LoadMaster • Technical exception: "DSR" setups – see manual - not recommended • This can be tricky if the Real Server knows a different Route (e.g. default gateway) back to the Client! • But would the Real Server know the Client's actual IP in the first place???
Transparency • Transparency: LoadMaster will pass along the original source IP address of the Client • Non-Transparency: LoadMaster will NAT the address so the source IP address appears to be the LoadMaster • Transparency can only work if • The Real Server's default gateway points to the LoadMaster AND • The default gateway is actually used, i.e. no Clients reside in the Real Server's local IP subnet
Disabling Transparency • Transparency can be set per Virtual Service • Can only be disabled for L7 services • Some Services must be L7 – e.g. if SSL Accelerated – thus no "Force" • Not available with "SSL Re-Encryption" (see below)
SSL Tunneling (diagram: Internet -> HTTPS:// -> Server 1 / Server 2) CAS Responsibilities • Key Exchange • Setup/Teardown SSL • Bulk Encrypt/Decrypt • Manage Multiple SSL Certificates • Serve Web Content • SSL on servers is expensive: HTTPS:// -> TPS, SSL = Performance Hit
SSL Offloading (diagram: Internet -> HTTPS:// -> LoadMaster SSL ASIC -> HTTP:// with L7 Persistence -> Server 1 / Server 2; 100 – 10,000 SSL TPS) Offload and Accelerate • Key Exchange • Setup/Teardown SSL • Bulk Encrypt/Decrypt • Manage Single SSL Certificates • Enables L7 Persistence with SSL • Important: Web Server must not send clients to HTTP:// !!!
SSL Re-Encryption (diagram: Internet -> HTTPS:// -> LoadMaster SSL ASIC -> HTTP:// (L7 processing) -> HTTPS:// -> Server 1 / Server 2) Re-Encryption • LoadMaster has Access to L7 • Separate SSL connection to the CAS • Security • CAS works on HTTPS (= default)
SSL Summary: • Encrypted Traffic can be load balanced ("tunneled") • Or… can be decrypted on the LoadMaster • Performance boost through SSL Acceleration Hardware, saves CPU on the servers (even more on 2048/4096 bit!) • Access to Application Level -> Quality Load Balancing • Single point of maintenance (Certificate renewal, …) • HTTPS and all other TCP (POP3, IMAP4, ...) • Optional Re-Encryption between LoadMaster and Server
SSL Details • Key Size? Min. 2048 Bit recommended • Remember: Multiple concurrent connections per client! • "UCC / SAN" certificates for multiple domains in one service
Multiple or Consolidated? • You can set up one LoadMaster Service per HTTPS CAS Service • Or you can use one LoadMaster for everything • This is common practice.
Consolidated HTTPS Service Setup • Choose SSL Acceleration • With or without Re-Encryption • Choose "Super HTTP" Persistence • Some Clients (Outlook Anywhere!) do not support Cookie Persistence • Long Persistence Timeout recommended • For Health Check URL, enter "/owa"
MAPI • MAPI can be changed to use a static TCP port, but a dynamic port range is the default. • Both work ok, no opinion here • In the Webinar, we assume the default behavior (i.e. port range) • Set Port to "*" • "Force L7" is important! • Choose Source IP Persistence • Long Persistence Timeout recommended • Idle Connection Timeout = 86400 (i.e. one day) • Real Server Check = "TCP Connection Only", Port 135
POP3 / IMAP4 • SSL (=TLS) Acceleration available for POP3 / IMAP4 • But: Service cannot be used without SSL (TLS) • Makes sense if you need extra performance • Turn off TLS on the CAS (see Deployment Guide for details) • No Persistence needed • Idle Connection Timeout = 3600 (i.e. one hour) • Standard TCP Ports (110/143) • Will automatically enable Application Level Health Checking
SMTP (Transport Services) • SSL (=TLS) Acceleration available for SMTP • Opportunistic ("STARTTLS if requested") • Turn off TLS on the CAS (see Deployment Guide for details) • No Persistence needed • Idle Connection Timeout = 120 • Standard TCP Port (25) • Will automatically enable Application Level Health Checking
SMTP vs. Transparency • Need to see Source IP for Relaying Control? • Set up for Transparency (see above) • Use DSR (not recommended) • Or: Move the Control onto the LoadMaster by using per-Virtual Service Access Control Lists (ACLs)
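Added model (not KEMP's implementation) of why relaying control needs the real source IP: a receive connector that restricts relay by remote address sees the client itself in transparent mode but only the LoadMaster's address in non-transparent (NAT) mode, so the per-Virtual Service ACL has to make the decision before the connection is forwarded. The LoadMaster address, the connector ranges and the client addresses are constructed.

```python
import ipaddress

LOADMASTER_IP = "10.0.0.5"        # constructed address of the balancer

def source_seen_by_cas(client_ip, transparent):
    """Peer address the CAS receive connector sees: the real client when the
    service is transparent, the LoadMaster itself when it NATs."""
    return client_ip if transparent else LOADMASTER_IP

def cas_relay_allowed(peer_ip, connector_remote_ranges):
    """Receive-connector style rule: relay only from the listed remote ranges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(r) for r in connector_remote_ranges)

class SmtpVirtualService:
    """Per-Virtual Service ACL on the balancer: evaluated against the real
    client address, so it still works when the service is non-transparent."""
    def __init__(self, allow_ranges):
        self.allow = [ipaddress.ip_network(r) for r in allow_ranges]

    def accept(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.allow)

def relay_decision(client_ip, transparent, connector_ranges, acl=None):
    """Full path: optional LoadMaster ACL first, then the CAS connector check
    on whatever address the CAS actually sees."""
    if acl is not None and not acl.accept(client_ip):
        return "blocked by LoadMaster ACL"
    peer = source_seen_by_cas(client_ip, transparent)
    if cas_relay_allowed(peer, connector_ranges):
        return "relay accepted by CAS"
    return "relay rejected by CAS"
```

Run with a non-transparent service and no ACL, every client arrives as 10.0.0.5 and the connector's range check either admits all of them or none, which is the situation the slide tells you to avoid.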