Load Balancing Exchange 2010 with F5 LTM

In an earlier blog post on load balancing Exchange 2010 I explained how to achieve this with a Kemp Loadmaster. In this blog post I’d like to demonstrate how to configure this with an F5 Local Traffic Manager (LTM). This is actually part I of what I demoed at MEC 2012.

The configuration looks like this. There are two multi-role servers configured with a Database Availability Group (DAG). There’s a File Share Witness (FSW) configured on server FS01. The F5 itself is installed in a two-arm configuration, so the VIP for the clients is on a different subnet than the Exchange servers.


The first step is to configure both Exchange servers with the IP address of the F5 as their default gateway so all traffic will be routed through the F5 (not a requirement though).

It is possible to create the VIP manually, but then you have to create the monitors (responsible for monitoring the server health), nodes, pools and virtual server yourself. And you have to configure all options for distribution and persistence yourself. Although this is doable (I know people actually doing this) I always recommend using an F5 iApp. This is a predefined template with all settings for load balancing an Exchange 2010 environment. There are iApps on the F5 but it’s a best practice to download the latest iApp from the F5 website and install this on the load balancer.

In the F5 Configuration Utility select the iApp option, select the Application Services option and click the plus symbol to start the wizard. Give the new iApp a name and select the template that was downloaded earlier. The template will be read and shown in the console.


All that needs to be done is to scroll down the template and fill in the necessary options.

The first question is how the load balancer will be deployed. In this case it will be “LTM will load balance and optimize CAS traffic”. There are multiple options, but this fits the need of our scenario. Another question is whether the APM module (for pre-authentication) will be deployed. Right now I will select “No” but return to this option in a future blog post.

The next set of important questions covers how the client traffic arrives at the load balancer. In this scenario it will be encrypted. The URL will be https://webmail.exchange14.nl/owa (for OWA) so the Exchange14 SSL certificate has to be uploaded in advance. Once uploaded it can be selected in the wizard. The traffic from the load balancer to the CAS servers will be unencrypted using port 80. Do not forget to enable SSL offloading on the Exchange 2010 CAS servers! For more information check my blog post SSL Offloading with Powershell.

The remaining questions are whether the VIP is on a different subnet than the Exchange 2010 servers (yes, it is here) and whether the Exchange servers use the load balancer as their default gateway (again yes).


The next set of questions is about which services are actually being deployed. First enter the IP address of the VIP (in our scenario, this should be on the ‘outside’ network of the load balancer) and select the various services that you want to deploy like OWA/ECP, ActiveSync, Autodiscover, Outlook Anywhere and RPC Client Access (for MAPI clients).

At the end of this section you have to enter the IP address of the Exchange 2010 servers.


The last section is about configuring service monitoring, which is the F5 actually checking whether the various services on the Exchange 2010 servers are still fully operational. If you select Use simple monitors the service monitoring will be straightforward: the only things that need to be configured are how often the servers need to be checked (30 seconds is the default) and the FQDN that’s being used (webmail.exchange14.nl) for accessing the HTTPS-based services.


If Use advanced monitors is selected the F5 will actually use mailboxes in the Exchange environment to do monitoring, like monitoring the autodiscover service by logging in to this particular mailbox.

Once everything is configured click Finished and the F5 will be configured with the data that was just entered and if all goes well the new configuration will be shown:


In the menu on the left hand side you can browse through all the options that were created using the wizard, like the monitors, nodes, pools, iRules and the Virtual Server. You’ll quickly discover that it is possible to do this manually, but it will take a tremendous amount of time to do. When pools is selected, you’ll see that pools are created for Autodiscover (ad), ActiveSync (as), Outlook Anywhere (OA) and OWA:


The iRules section, for example, contains special rules, and the iApp template comes with a predefined set of rules for persistence. If you select this iRule you can browse through the code that makes up the actual persistence option. This is one of the neat features of the F5: you can write your own iRule for every feature you need in your load balancing scenario. OK, you have to be almost a diehard programmer to achieve this, but it is possible!

The predefined iRule contains the following settings for persistence:

  • OWA & ECP: Cookie
  • EWS: Source IP
  • ActiveSync: Source IP
  • Outlook Anywhere: Source IP
  • Autodiscover: Source IP
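To make the list above concrete, here is a small Python model of that persistence decision. It is an added example, not the iApp's iRule code: the URL prefixes (default Exchange 2010 virtual directory names), the second member name `SERVER02` and the cookie name `lb_member` are assumptions, and a hash stands in for the LTM's persistence table.

```python
import hashlib

# SERVER01 appears on the page; SERVER02 is an assumed name for the second node.
MEMBERS = ["SERVER01", "SERVER02"]

# Persistence method per service, as listed above. The URL prefixes are the
# default Exchange 2010 virtual directories (assumed, not read from the iRule).
SERVICES = [
    ("/owa", "OWA & ECP", "cookie"),
    ("/ecp", "OWA & ECP", "cookie"),
    ("/ews", "EWS", "source_ip"),
    ("/microsoft-server-activesync", "ActiveSync", "source_ip"),
    ("/rpc", "Outlook Anywhere", "source_ip"),
    ("/autodiscover", "Autodiscover", "source_ip"),
]
COOKIE = "lb_member"  # hypothetical persistence cookie name


def classify(path):
    """Return (service, persistence method) for a request path."""
    lowered = path.split("?", 1)[0].lower()
    for prefix, service, method in SERVICES:
        if lowered == prefix or lowered.startswith(prefix + "/"):
            return service, method
    raise ValueError("no Exchange service matches " + path)


def by_hash(key):
    """Deterministically map a persistence key to a pool member."""
    digest = hashlib.sha256(key.encode()).digest()
    return MEMBERS[digest[0] % len(MEMBERS)]


def route(path, source_ip, cookies=None):
    """Pick a pool member; return (service, member, cookies to set)."""
    service, method = classify(path)
    cookies = cookies or {}
    if method == "cookie":
        # A returning browser stays on its member even if its IP changed;
        # a cookie naming an unknown member is ignored and replaced.
        if cookies.get(COOKIE) in MEMBERS:
            return service, cookies[COOKIE], {}
        member = by_hash(source_ip)
        return service, member, {COOKIE: member}
    # Source IP persistence: every client behind one address shares a member.
    return service, by_hash(service + "|" + source_ip), {}
```

Calling `route("/owa/auth/logon.aspx", "10.0.0.5")` returns the chosen member together with the cookie to set; passing that cookie back from a different source address keeps the session on the same member, which source IP persistence cannot do.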


The F5 LTM is now configured for use with Exchange 2010 and when using a browser to navigate to the CAS server you’ll see that it works:


SERVER01 is shown by modifying the logon.aspx page on the CAS servers. Check out Jeff Guillet’s blog on how to do this. When you want to check which server you’re actually logged on to, just click the question mark in the upper right corner and select About.

A new window will appear with all the variables being used in this particular session:


For other testing the normal testing tools can be used, like the Remote Connectivity Analyzer (RCA) on http://www.testexchangeconnectivity.com and the Test E-mail Autoconfiguration option in Outlook.

In my next blog I will discuss the APM (Access Policy Manager) module which can do pre-authentication in your Exchange 2010 environment.
