Load balancing Exchange 2010 (part II)

In my previous post I discussed Exchange 2010 load balancing principles briefly (I need to leave some additional stuff for my MEC presentation) and how to setup a Kemp LoadMaster in a single-arm configuration. In this 2nd (and final) blog post I’ll show you how to configure Virtual Services for OWA 2010 and MAPI (Outlook clients).

Create a new Virtual Service for OWA

To create a new Virtual Service expand the Virtual Services and click Add New to open the wizard and fill in the necessary options like the IP Address of the new virtual service, the accompanying port number and give the service a nickname. In the Use Template option you can select a predefined template for the service. The advantage of using a template is of course that all options are filled in by Kemp, optimized specifically for the LoadMaster. Since we’re creating an OWA service select the Exchange HTTPS Offloaded template and click the Add this Virtual Service button.

In this example the Client Access Servers are configured with SSL offloading. The clients connect to the LoadMaster using SSL, the LoadMaster in turn connects just on port 80. For more information on how to configure SSL offloading in Exchange Server 2010 please check this blog post: http://www.jaapwesselius.com/2012/06/10/ssl-offloading-with-powershell/


Figure 1. Select a preconfigured template to use when creating a new Virtual Service.

That’s all it takes to create the Virtual Service. Since all parameters like distribution and persistence are preconfigured by the template the only thing that needs to be done is adding the SSL certificate (needed for SSL offloading) and adding the Real Servers (i.e. the actual Exchange servers).

Configuring an SSL certificate is a three step process in the LoadMaster. In step one, expand Certificates in the main menu and click SSL Certificates. In the Manage Certificates window enter a name in the FileName field and click Import Certificate.


Figure 2 Create the new SSL certificate on the Load Master

Step two, in the Install Certificate ExchangeCert window enter the file location of the (exported) certificate, enter the Pass Phrase used during the certificate export and click Store. This will import the certificate into the certificate store of the LoadMaster.


Figure 3. Import the actual SSL certificate in the certificate store of the LoadMaster

The last step is to actually bind the SSL certificate to the Virtual Service. In the Manage Certificate Window in the VS to Add dropdown box select the Virtual Service you are creating and click on Add VS.


Figure 4. Bind the SSL certificate to the Virtual Service.

The last step in configuring the LoadMaster is to add the Real Servers (the actual Exchange 2010 Client Access Servers). In the Virtual Services menu click on View/Modify Services and Modify the newly created Virtual Service. Scroll down and expand the Real Servers option.

In the upper section of the Real Servers option the parameters are configured for the actual service check (a hardware load balancer is service aware which means the load balancer is actually checking if the OWA service is still running on the Exchange 2010 Client Access Servers). Since SSL is offloaded on the LoadMaster it is checked on port 80, and it is checking the /OWA Virtual Directory.


Figure 5. Configure the Real Servers in the Virtual Service.

To add the Exchange servers to the Virtual Service click Add New and enter the IP address of the Client Access Server. Accept the default values and click Add this Real Server. Repeat this step for the remaining Client Access Servers.


Figure 6. The Virtual Service is up and running with three Client Access Servers in use!

When finished expand the Virtual Services once again and click View/Modify Services. You’ll see the new Virtual Service and when configured correctly the status box should be green and saying Up. You will also thee the Real Servers.

Using Outlook Web App

To test the new Virtual Service connect to OWA using a browser and login. If all is well you should see your regular mailbox. To see which Client Access Server you’re actually logged on to click on the little question mark in the upper right corner of OWA and click on About:


Figure 7. Click on the little question mark and click About.

A new window pops up with all information regarding the OWA session. You will see the URL being used to connect to the Virtual Service (i.e. webmail.exchangelabs.nl/owa) and the actual Client Access Server that’s servicing the request:


Figure 8. Information regarding the session with OWA. Clearly visible the URL and the actual CAS server.

If you setup another session from another computer or another browser you’ll see other session information. The FQDN will be the same, but you should be connected to another CAS Server:


Figure 9. Another browser sets up a new connection to another CAS server.

It is possible to check the statistics on the LoadMaster, just click on Statistics in the main menu. In the center pane you can check statistics per Virtual Service or per Real Server.


Figure 10. Statistics of the Load Master. A quick test shows connections on the first and the second Exchange server.

The third server in this example didn’t process any request because I just didn’t test. In a normal production environment you should see the connections be evenly distributed across all Exchange servers.

Create a new Virtual Service for MAPI

When you have Outlook clients (most likely you do) you want to create another Virtual Service to have the MAPI connections distributed across all three Exchange servers as well. The steps are almost the same as creating an OWA Virtual Service, but this time enter a new IP Address, for the port number enter * and select the Exchange MAPI template.


Figure 11. Create a new Virtual Service for Outlook clients. Select the Exchange MAPI template

There’s not much to configure, most information is preconfigured in the template. Distribution will be round robin and persistence will be on Source IP. No other options are available for persistence, since this is an RPC connection there are no headers to work with. The only thing you have to do is add the three Client Access Servers as Real Servers.

Note. This setup uses the dynamic port configuration of MAPI.


Figure 12. The only thing you have to do is add the Real Servers

When finished you can see the new Virtual Service using the View/Modiy Services option in the main menu. It should be up-and-running, showing the green Up status.


Figure 13. Both Virtual Services are now up and running.


Instead of using Windows NLB Microsoft recommends to use a hardware load balancer for Exchange Server 2010. A hardware load balancer offers a good performance, it has a dedicated processor for SSL offloading and typically has much more options for distributing client requests and for persistence options.

With the LM2200 and LM2600 Kemp Technologies offer a no nonsense hardware load balancer that’s certified for Exchange Server 2010 that’s easy to use, offers a good performance and can be configured in a high available configuration with a hot stand-by configuration and it has a great price/performance ratio.

Just like other MVP’s I have to say I’m not sponsored by Kemp but I do happen to have a LoadMaster 2600 and a VLM in my production and lab environment. This makes blogging (and researching!) much easier 😉

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s