Now that Microsoft TMG2010 no longer is available it’s time to look for other alternatives. Reverse proxy solutions is not a problem, there are various solutions for this. Microsoft itself has the ARR (Application Request Routing) on top of IIS available. This can perform reverse proxy, but for load balancing you still have to rely on NLB. Another drawback is that ARR does not do pre-authentication.

With the new software version for the Kemp LoadMaster series (V7) it is now possible to do reverse proxy and pre-authentication out of the box. The new module is called ESP or Edge Security Pack. The idea is the same as before, clients hit the Kemp LoadMasters and the requests are distributed across multiple Exchange Client Access Servers. But before the requests are sent to the Client Access Servers they are authenticated. Kemp uses an authentication provider for this, in a normal scenario this would an Active Directory Domain Controller.

The advantage of pre-authentication is evident. In case of a (brute force) attack the CAS servers are only bothered with normal authentication traffic, the attacks are handled by the Kemp and these never reach the CAS servers. ESP is specifically designed to handle this kind of traffic. With ESP the CAS servers only handle normal user authentication.

In my lab environment I have two multi-role Exchange 2013 CU1 servers and a Kemp Loadmaster (VLM). One NIC is connected to the Internet (behind a Juniper firewall) and one NIC is connected to the internal network so this is a dual-arm setup. Initially the Load Master is configured with a VIP for webmail.exchange15.nl so when we try to access OWA the following login page is displayed (as expected):

Note: The server name is shown on the logon page. Check my blogpost on how to brand OWA in Exchange 2013: http://www.jaapwesselius.com/2012/10/06/how-to-brand-owa-in-exchange-2013/

The Kemp LoadMaster software version 7 needs a different approach when it comes to load balancing in combination with pre-authentication. Instead of one Virtual Server on the load balancer 7 Sub Virtual Servers are used, one for every service (OWA, ECP, EWS, OAB, RPC, Autodiscover and ActiveSync). These seven services are still using one IP address and content matching rules are used to differentiate between the services based on the virtual directory part in the URL request.

For Exchange 2013 Microsoft recommends using a layer-4 load balancer (where Exchange 2010 would use a layer-7 load balancer). A layer-4 load balancer is a relatively ‘dumb’ device, it only forwards (SSL) requests to the pool of load balancers. A layer-7 load balancer is a ‘smart load balancer’. The SSL connection is terminated at the load balancer and the load balancer can perform all kinds of routing logic, changes header information etc. A layer-7 load balancer can also separate traffic based on virtual directories for example, so the load balancer is aware of traffic destined to OWA, ECP, RPC or ActiveSync virtual directories, monitor on the various services and take appropriate action when only one service fails. An L4 load balancer only knows source and destination and that’s it. For more information regarding L4 load balancer I would recommend an earlier blogpost on this topic: http://www.jaapwesselius.com/2012/12/17/load-balancing-in-exchange-2013-2/

Kemp’s ESP is using layer-7 loadbalancing to perform the actions needed for pre-authenction based on the individual services. To achieve layer-7 load balancing the SSL certificate needs to be imported on the LoadMaster:

The first step is to create a Single Sign-On (SSO) domain. This is where the ESP module is connected to the Active Directory Domain Controller.

Step 2 is to create content matching rules. These rules will be used by the virtual service (VIP) to identify the virtual directories in a URL the client is trying to access, for example /OWA, /ECP, /RPC etc. Use the following settings to create all content matching rules:

Name	Match Type	Options	Pattern
Auth_Proxy	RegEx	Ignore Case	^/lm_auth_proxy*
ActiveSync	RegEx	Ignore Case	^/Microsoft-Server-ActiveSync*
Autodiscover	RegEx	Ignore Case	^/autodiscover*
ECP	RegEx	Ignore Case	^/Ecp*
EWS	RegEx	Ignore Case	^/Ews*
OAB	RegEx	Ignore Case	^/OAB*
OWA	RegEx	Ignore Case	^/Owa*
RPC	RegEx	Ignore Case	^/rpc*

When configured the Content Rules in the LoadMaster should look something like this:

Since the new Virtual Service than my existing one I deleted this one and recreated a new one. When creating a new Virtual Service give it a name and make sure that the enable layer-7 is checked and that the Transparency option is unchecked:

In the SSL Properties section enable SSL acceleration and assign the certificate we imported earlier to the virtual service. Since Exchange 2013 does not support SSL offloading make sure to check the Reencrypt option.

Before enabling the ESP option we are going to create multiple Sub Virtual Servers (under Real Servers), one for every Exchange service. Under Real Servers click Add SubVS. A new SubVS is created automatically, click Modify to add values to the new SubVS.

The first SubVS is for OWA, so enter OWA as the name of the SubVS and enable the ESP options. In the SSO Domain drop down box select the SSO domain that was created in the first step. Enter the allowed virtual hosts (multiple entries are possible, space delimited), enter the allowed virtual directories according to table 2 and enter the pre-authorization excluded directories. The latter one is in the format of “/owa/<exchangeGUID>*”

The Exchange GUID is unique for every Exchange deployment and can be retrieved using the Exchange Management Shell:

Get-Mailbox -Arbitration | where {$_.PersistedCapabilities -like “OrganizationCapabilityClientExtensions”} | fl exchangeGuid, primarySMTPAddress

Which will return the ExchangeGUID and the Primary SMTP Address:

ExchangeGuid : 87e01e08-081d-4539-84fd-f9b52776fe75
PrimarySmtpAddress : SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}@contoso.com

So the string needed for the pre-authorization excluded directories can be constructed for this:

/owa/87e01e08-081d-4539-84fd-f9b52776fe75*

For the Client Authentication Mode select Form Based from the drop-down box and the server authentication mode should be set to Basic Authentication. On the Exchange 2013 Client Access Servers set the authentication for the OWA virtual directory to Basic Authentication as well.

In the Real Server Check Parameters section enter /owa/healthcheck.htm in the URL field and for the HTTP method select GET in the drop-down box.

Repeat these steps for the remaining six SubVS’s according to the table below. For all SubVS’s the the same SSO domain and the same Allowed Virtual Hosts can be used for now. If needed an additional host autodiscover.contoso.com can be entered in the Allowed Virtual Hosts for the Autodiscover SubVS.

SubVS Name	Allowed Vdir	Pre-authorization excluded directories	Client Authentication	Server Authentication
OWA	/owa* /lm_auth_proxy*	/owa/guid*	Form Based	Basic Authentication
ECP	/ecp*		Form Based	Basic Authentication
EWS	/ews*		None	None
OAB	/oab*		None	None
RPC	/rpc*		None	None
Autodiscover	/autodiscover*		None	None
ActiveSync	/Microsoft-Server-ActiveSync		Basic Authentication	Basic Authentication

Now that everything is configured the Content Switching can be enabled. Open the Virtual Service and under the Advanced Properties click on the Enable button next to Content Switching. Next to all SubVS’s a new column of Rules buttons will appear. For every SubVS select the accompanying Content Switching Rule except for OWA where both the OWA and the Auth_Proxy rule need to be added.

When finished the Virtual Service in the LoadMaster GUI should look something like this:

This is all it takes to configure the pre-authentication module in the new Kemp LoadMaster. When OWA is accessed in a browser we’ll see the following logon screen:

Enter the credentials and you’re logged on to OWA.

For more information regarding the new Kemp V7 firmware please visit the Kemp Technologies website at http://www.kemptechnologies.com/en/loadmaster-documentation#c7.0