In an earlier blog post I explained how to install and configure Office Web Apps 2013 in combination with Exchange Server 2013. That blog post only explained how to create an Office Web Apps farm on a single server. This blog post will explain how to create additional servers and use a load balancer in front of multiple Office Web Apps 2013 servers using SSL Offloading.
Microsoft recommends using SSL Offloading when configuring a load balancer in front of an Office Web Apps farm, so we need to configure this first.
My original blog post was about a WebApps server that had a dedicated Internet connection. This has now changed to a WebApps server that is only connected to the internal network. The Internet connections will enter the load balancer and the WebApps server is configured as a real server in the load balancer’s VIP.
Continue reading Load Balancing Office Web Apps 2013
Now that Microsoft TMG2010 is no longer available it’s time to look for alternatives. Reverse proxy solutions are not a problem; there are various options for this. Microsoft itself has ARR (Application Request Routing) available on top of IIS. This can perform reverse proxy, but for load balancing you still have to rely on NLB. Another drawback is that ARR does not do pre-authentication.
With the new software version for the Kemp LoadMaster series (V7) it is now possible to do reverse proxy and pre-authentication out of the box. The new module is called ESP, or Edge Security Pack. The idea is the same as before: clients hit the Kemp LoadMasters and the requests are distributed across multiple Exchange Client Access Servers. But before the requests are sent to the Client Access Servers they are authenticated. Kemp uses an authentication provider for this; in a normal scenario this would be an Active Directory Domain Controller.
The advantage of pre-authentication is evident. In case of a (brute force) attack the CAS servers are only bothered with normal authentication traffic; the attacks are handled by the Kemp and never reach the CAS servers. ESP is specifically designed to handle this kind of traffic. With ESP the CAS servers only handle normal user authentication.
Continue reading Kemp Edge Security Pack for Exchange 2013
In my previous post I discussed Exchange 2010 load balancing principles briefly (I need to leave some additional stuff for my MEC presentation) and how to set up a Kemp LoadMaster in a single-arm configuration. In this 2nd (and final) blog post I’ll show you how to configure Virtual Services for OWA 2010 and MAPI (Outlook clients).
Create a new Virtual Service for OWA
To create a new Virtual Service expand the Virtual Services and click Add New to open the wizard and fill in the necessary options like the IP Address of the new virtual service, the accompanying port number and give the service a nickname. In the Use Template option you can select a predefined template for the service. The advantage of using a template is of course that all options are filled in by Kemp, optimized specifically for the LoadMaster. Since we’re creating an OWA service select the Exchange HTTPS Offloaded template and click the Add this Virtual Service button.
In this example the Client Access Servers are configured with SSL offloading. The clients connect to the LoadMaster using SSL; the LoadMaster in turn connects to the Client Access Servers without SSL, on port 80. For more information on how to configure SSL offloading in Exchange Server 2010 please check this blog post: http://www.jaapwesselius.com/2012/06/10/ssl-offloading-with-powershell/
Figure 1. Select a preconfigured template to use when creating a new Virtual Service.
Continue reading Load balancing Exchange 2010 (part II)
During TechEd 2010 in Berlin, Ross Smith IV from Microsoft suddenly announced that Microsoft recommends using a hardware load balancer for Exchange Server 2010 instead of using Windows Network Load Balancing. You can check the presentation online on Channel9: http://channel9.msdn.com/Events/TechEd/Europe/2010/UNC311.
NLB has some known issues when it comes to Exchange Server 2010, such as scalability issues, lack of service awareness, a full reconnect of all clients when adding or removing an NLB member, and Source IP as the only option for persistence.
Continue reading Load balancing Exchange 2010 (Part I)