Load Balancing Microsoft Exchange 2013 On Citrix NetScaler 10.5 – Part 1

by – Jesse Boehm

v1.1.0

INTRODUCTION

Load Balancing Microsoft Exchange 2013 on Citrix NetScaler 10.5

I have read a lot of information on the internet about Load Balancing Exchange 2013 on Citrix NetScaler, including the document from Citrix on how to Load Balance Exchange on NetScaler, which doesn’t work at all. Now there is a world of information out there, and if you search you may compile many web pages that will help you each step of the way until you configure Exchange 2013 on NetScaler. I think I used 30+ sources, some totally unrelated to NetScaler or Exchange 2013, to compile my information and put this Article together.

So my idea with this article is to create a single source point of reference on how to do this setup from start to finish.

I caveat that there are many ways to do things. I am not an Exchange 2013 Expert. But I learned a lot through this process.

I found this method with NetScaler was the best approach. I did not find the Content Switching Method used in Exchange 2010 with NetScaler Valid. This was also the way the Citrix eDocs suggested this to be done. I could find absolutely no value in this method so I did not use it. Almost everything in Exchange runs on port 443 so to separate the Services like the Citrix eDocs seemed not required. That being said, this document is an absolute work in progress and I welcome any feedback to improve this document. So if the GURUs in the world have suggestions for Addendums to this Article I welcome the feedback.

There are many articles out there for Exchange 2010 with NetScaler. Replacing TMG 2010 with NetScaler. All of which I find do not really apply with Exchange 2013.

My goal in this document is to do the following

  • Configure the Exchange Components so they are ready for the NetScaler Load Balancing
  • Add Exchange Servers to the NetScaler for Load Balancing
  • Create an SSL_BRIDGE Service Group
  • Load Balance all SSL Traffic, including OWA through an SSL Load Balanced VIP
  • Redirect HTTP to HTTPS
  • Create a Managed Availability Monitor for Exchange SSL Traffic
  • Pass the Microsoft Exchange ActiveSync Connectivity Tests
  • Test our setup with Auto Config of Outlook with an Exchange Account

This will take us through Outlook Anywhere for Exchange 2013 and Part 1 of my Exchange 2013 Deployment Guide for NetScaler

I plan to cover all mail protocols in this series, not just Outlook Anywhere. I will be looking at Load Balancing SMTP, POP and IMAP, both non-secure and secure, in this series and creating a total guide to document this procedure for NetScaler Load Balancing all of these Services for Exchange 2013.

This is my attempt at creating a document that the entire world can use as one source of information to set up Microsoft Exchange 2013 on NetScaler 10.5 for Load Balancing with a Step by Step Guide.

Additional Protocols covered in Part 2 of this series will be:

  • SMTP (25/465)
  • POP (110/995)
  • IMAP (143/993)

I hope you find this article useful and helpful with deploying NetScaler as your Frontend Load Balancer for Exchange 2013. A lot of research and a lot of hours went into creating this document. This is by far the largest Article I have written and the biggest Lab Environment I have setup.






Section 1

Configure the Exchange Components so they are ready for the NetScaler Load Balancing

Task 1: IIS (Internet Information Services) Settings

I want to remove the /OWA dependency from the URL.

Click on the “Default Web Site” then HTTP Redirect.

Check: Redirect requests to this destination

I am setting my URL to: https://mail.jesseboehmlabs.com/owa

Note: mail.jesseboehmlabs.com is the certificate I will show you in Task 2: SSL Certificate, the one I am using with my Exchange 2013 System.

Check: Only redirect requests to content in this directory (not sub directories)

Found (302) is the correct setting

Click Apply

That applies the setting to all Sub Directories, so we now need to remove it from every Sub Directory except OWA, namely:

Autodiscover, ecp, EWS, mapi, Microsoft-Server-ActiveSync, OAB, PowerShell & RPC

Click Autodiscover > then HTTP Redirect > Uncheck Redirect requests to this destination > Click Apply

Repeat this step for ecp, EWS, mapi, Microsoft-Server-ActiveSync, OAB, PowerShell & RPC

The next step is to remove the SSL dependency on the entire Default Web Site. This will come into play later with Autodiscover, when we run the Microsoft Exchange ActiveSync Connectivity Tests and test autodiscovery of our Outlook email setup for Exchange. We are going to allow Autodiscover to run on port 80 but use the NetScaler to redirect its traffic to HTTPS/443.

Click on Default Web Site > SSL Settings

Uncheck: Require SSL

We did this on the Root Site, so we now need to enable Require SSL for ecp, EWS, mapi, Microsoft-Server-ActiveSync, OAB, OWA, PowerShell & RPC. We are not enabling it for Autodiscover.

Task 2: SSL Certificate

You will be installing the same SSL Certificate on all your Exchange Servers. In this case I am using the SSL Certificate “mail.jesseboehmlabs.com”.

While I am in IIS I am going to do a few more things.

I have two more things to do in IIS, which are:

  • Bind SSL Certificate to Default Website using Server IP using Host Header mail.jesseboehmlabs.com
  • Bind SSL Certificate to Default Website using Server IP without Host Header.

The reason for the Host Header binding is to secure SSL browsing to OWA at, say, https://mail.jesseboehmlabs.com, https://mail.jesseboehmlabs.com/owa or https://mail.jesseboehmlabs.com/ecp.

The reason to bind the certificate both with the Host Header and to the bare IP is the Monitor I am going to create later on the NetScaler. It checks the health of the Exchange 2013 Servers over SSL on Port 443 when the Load Balancer selects which server to send Mail Users to.

So I will do these steps as needed later in the order I need them done.

Right now I am not going to do the binding of SSL Certificate as it will just cause me issues using the Exchange Management Console on the local server.

So that completes my Initial IIS Settings.

—-

Task 3: Exchange Virtual Directory Settings

Navigate to Servers > Virtual Directories

Here we want to set the External URL for each Virtual Directory. Click on a Virtual Directory, Choose Edit and then set the URL to example: mail.jesseboehmlabs.com

Do this for all Virtual Directories.

In this example we are setting the external URL for “ecp” to https://mail.jesseboehmlabs.com/ecp. Do this for all Virtual Directories. EWS, Microsoft-Server-ActiveSync, OAB, OWA, PowerShell.

When you are done with this, go into the OWA Virtual Directory, choose Edit > Authentication and change the Authentication Settings to User principal name (UPN), as I want my mail users logging in with their Email Address. Click Save.

You will get a message about running an iisreset /noforce. In my experience this always fails. So I just open PowerShell and run an “iisreset”. You can do either. Close the Exchange Management Console first, because once you reset IIS it will become unusable.

Now Exchange 2013 is ready to be connected to the NetScaler, except for the SSL Certificate being bound in IIS. So let’s do that.

Task 4: BIND SSL Certificate in IIS

Open IIS > Click on Default Web Site > Bindings

First we are going to create a binding for

SSL Cert: mail.jesseboehmlabs.com to Host Name: mail.jesseboehmlabs.com IP: 10.11.45.244

Next we are going to create a binding for

SSL Cert: mail.jesseboehmlabs.com to Host Name: (Leave Blank) IP: 10.11.45.244

The reason we are creating this entry is for our Monitor that we will create later. If we don’t have the IP Bound to 443 the Monitor won’t allow the SSL Group to come up. This has come from Trial and Error when doing Managed Availability of Exchange 2013 on Port 443 using Exchange Health Check Monitor looking for a “200 OK” Response.

Task 5: Host Header and Exchange Admin Center

Now we did this, but if you try and open Exchange Admin Center you may or may not get errors. The easiest way to handle this is to open up the hosts file at: C:\Windows\System32\drivers\etc and add an entry in my case. Then you can call the Exchange Admin Center by URL

https://mail.jesseboehmlabs.com/ecp

Section 2
Create NetScaler Service Group & Load Balancer VIP

  • Add Exchange Servers to the NetScaler for Load Balancing
  • Create an SSL_BRIDGE Service Group
  • Load Balance all SSL Traffic, including OWA through an SSL Load Balanced VIP
  • Redirect HTTP to HTTPS


Task 1: Create Service Group

For this environment we are going to have 3 Exchange Servers that we will be Load Balancing:

LABMAIL1, LABMAIL2 & LABMAIL3 (Background I have a DAG Setup for these Servers each have a Mailbox and Client Access Role)

Navigate to: Traffic Management > Load Balancing > Servers > Add

You will Add each Exchange Server that will be in your Server Group

After you are done you should see all 3 servers with a State of Enabled/Green

Task 1 Complete.

—-

Task 2: Create SSL_BRIDGE Service Group

Navigate to: Traffic Management > Load Balancing > Service Groups > Add

I am Naming my Service Group: LB_EXCHANGE_SSL_BRIDGE

Protocol: SSL_BRIDGE

Cache Type: SERVER

Click OK

Under Advanced, Click Members

Change Type to: Server Based and Click to select

Select the 3 Servers we setup in Task 1 then Click OK

Set the Port to 443 and then click Create and then Done

When you come back out to the main Service Groups screen the Effective State may show as Down/Red. Refresh.

And it should show Green/Up

We have now Created our SSL_BRIDGE Service Group

—-

Task 3: Create Load Balanced SSL_BRIDGE VIP

Navigate to: Traffic Management> Load Balancing> Virtual Servers> Add

I am Naming my VIP: LB_VIP_EXCHANGE_SSL_BRIDGE

Protocol: SSL_BRIDGE

IP Address: 10.11.45.100

Click OK

Now we need to Add our Load Balanced Virtual Server Service Group we created in Task 2.

Select: Click to select

You should see our Service Group: LB_EXCHANGE_SSL_BRIDGE

Select it and click OK, then Bind and then OK and then Done

When you come out our Virtual Server: LB_VIP_EXCHANGE_SSL_BRIDGE

Will show in a Down/Red State.

Refresh

Everything should be Up/Green. Which it is

We have now created a Load Balanced Virtual Server for SSL Traffic for Exchange 2013

We can test this by opening our browser and going to https://mail.jesseboehmlabs.com

And it works as it should

We have completed Task 3

—-

Task 4: Redirect HTTP Traffic to HTTPS

Now we have https://mail.jesseboehmlabs.com but if anyone goes to http://mail.jesseboehmlabs.com they get this page.

So to fix this we need to create an HTTP to HTTPS Redirect.

Navigate to: Traffic Management> Load Balancing> Virtual Servers> Add

Name: httptohttps10.11.45.100

Protocol: HTTP

IP Address: 10.11.45.100

Port: 80

Click OK

Back at the main screen click OK, we are not adding any members to this VIP

Now Select Protection

In the Redirect URL set the URL as: https://mail.jesseboehmlabs.com

Click OK, then Done

The new VIP should show in a Down State and it will remain Down permanently.

Now to Test your Redirect.

Success

Task 4 is Complete

We now have a full functioning Load Balanced VIP for SSL Traffic and OWA is up and running through the NetScaler. HTTP traffic is redirecting to HTTPS.

You will also notice we did not install an SSL Certificate on the NetScaler. Since we are using SSL_BRIDGE we are passing the traffic straight through to the Exchange Servers.

That completes our first 4 Tasks. Up next we will create Monitors for Managed Availability and Health Checks and managed AutoDiscover.

—-

Section 3
Create a Managed Availability Monitor for Exchange 2013

Task 1

Traffic Management > Load Balancing > Monitors > Add

Monitor Name: LB_VIP_ExchangeSSL_MON

Type: HTTP-ECV

Destination Port: 443

Scroll Down

Check: Secure

Check: LRTM (Least Response Time using Monitoring)

Scroll back up and click on Special Parameters Tab

Set the Send String to: GET /owa/healthcheck.htm

Receiver String to: 200 OK

Then click Create

Now we can see our new Custom Monitor: LB_VIP_ExchangeSSL_MON

In the Monitors List

Task 2

Traffic Management > Load Balancing > Service Groups

Select our Service Group: LB_EXCHANGE_SSL_BRIDGE and select Edit

Add Monitor

Click to Select

Choose our Custom Monitor: LB_VIP_ExchangeSSL_MON

Then Click Bind, then Done

Now back out at the Service Groups screen everything should be Up and Green.

Follow-up to Section 1 Exchange Readiness Task

This brings us back to Section 1 where we created the Blank Host Header bound to Port 443 with the SSL Certificate. I found through Testing and Troubleshooting that my Effective State could be unstable without that IIS Binding. That is why I included that step.

We now have Managed Availability of Exchange 2013 on our Load Balancer. So not only are we Load Balancing Exchange, we are checking for Exchange Server Health when connecting. If we don’t receive that 200 OK Response back then the NetScaler will bypass that Exchange Server.

You can see that response in a browser by going to:

https://mail.jesseboehmlabs.com/owa/healthcheck.htm
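The following Python script is an added example, not part of the original article. It repeats the browser tests above from the command line: the monitor's GET /owa/healthcheck.htm over TLS against each Exchange server and the VIP (validating the certificate for mail.jesseboehmlabs.com, which SSL_BRIDGE passes through unchanged), and the port-80 redirect. The `BACKENDS` list, the function names and the pass criteria are assumptions of this example.

```python
import socket
import ssl
from urllib.parse import urlsplit

SITE = "mail.jesseboehmlabs.com"  # host name used throughout the article
VIP = "10.11.45.100"              # load-balanced VIP from the article
BACKENDS = ["10.11.45.244"]       # the one server IP the article shows; add the rest

def parse_response(raw):
    """Split a raw HTTP response into (status, reason, headers)."""
    lines = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), (parts[2] if len(parts) > 2 else ""), headers

def backend_healthy(raw):
    """True only for a '200 OK' status line (this example's criterion)."""
    try:
        status, reason, _ = parse_response(raw)
    except ValueError:
        return False
    return status == 200 and reason.strip().upper() == "OK"

def redirect_ok(raw, site=SITE):
    """True if the port-80 answer is a redirect to https://<site>/..."""
    try:
        status, _, headers = parse_response(raw)
    except ValueError:
        return False
    target = urlsplit(headers.get("location", ""))
    return status in (301, 302, 307, 308) and target.scheme == "https" and target.hostname == site

def fetch(ip, port, path, tls):
    """Send one GET to ip:port; with tls=True the certificate must validate for SITE."""
    request = f"GET {path} HTTP/1.1\r\nHost: {SITE}\r\nConnection: close\r\n\r\n".encode()
    sock = socket.create_connection((ip, port), timeout=5)
    if tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=SITE)
    with sock:
        sock.sendall(request)
        return b"".join(iter(lambda: sock.recv(4096), b""))

if __name__ == "__main__":
    for ip in BACKENDS + [VIP]:
        try:
            print(ip, "healthcheck:", backend_healthy(fetch(ip, 443, "/owa/healthcheck.htm", True)))
        except OSError as exc:  # connection or certificate validation failure
            print(ip, "healthcheck failed:", exc)
    print(VIP, "port 80 redirect:", redirect_ok(fetch(VIP, 80, "/", False)))
```

Run it from a machine that can reach the server IPs directly; a server that fails here is one the NetScaler monitor would also mark Down.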

Section 4
Microsoft Remote Connectivity Analyzer

Task 1

We are going to use the Microsoft Tools located at

https://testconnectivity.microsoft.com/

I want to perform the Exchange ActiveSync Autodiscover test on everything we just did and get my results.

Select: Exchange ActiveSync Autodiscover

Next

Step 2

Enter the credentials of the email user you are going to test with

Perform Test

Step 3

You will get a loader that says your test is being performed

Step 4

In our case we received a result of: Connectivity Test Successful with Warnings.

Which I would expect, specifically with various Autodiscover URLs that are not valid.

Step 5

So let’s look at the Errors/Warnings, click Expand All

First Error

URL https://jesseboehmlabs.com:443/Autodiscover/Autodiscover.xml URL Failed.

That is correct, this URL does not exist

Second Error

The SSL Certificate is not valid. https://jesseboehmlabs.com does not have an SSL Certificate.

So both Errors/Warnings are correct and can be ignored.

Third Error

Attempting to test potential Autodiscover URL https://autodiscover.jesseboehmlabs.com/Autodiscover/Autodiscover.xml URL Failed

That is correct, we do not have an SSL Certificate setup for this URL. We have Autodiscover.jesseboehmlabs.com hitting the NetScaler on Port 80 and then being Redirected to HTTPS on mail.jesseboehmlabs.com.

So this is a valid Error/Warning

Fourth Error

SSL Certificate failed one or more validation checks. I bought a really cheap SSL Certificate for this LAB Setup. So I am not concerned about this error at all. I spent $9.95 on an SSL Certificate instead of $59.95.

So I consider this a total success! With some warnings, which are valid but not actually errors.

—-

Section 5
Create a HTTP to HTTPS Redirect for AutoDiscover

This step is Optional. I did this for Outlook.

Do this at your own discretion

Task 1

I have Autodiscover running on a separate IP Address and I am going to use an HTTPtoHTTPS Redirect on the NetScaler to port traffic coming from autodiscover.jesseboehmlabs.com to mail.jesseboehmlabs.com. This way I can handle HTTP and HTTPS traffic and let the NetScaler redirect that.

Traffic Management > Load Balancing > Virtual Servers > Add

Name: httptohttps10.11.45.101

Protocol: HTTP

IP: 10.11.45.101

Port: 80

Click OK, then OK again

Then click Protection

Set the Redirect URL to: https://mail.jesseboehmlabs.com

Then click OK, then Done

Then back on the Virtual Servers screen you should see our new Load Balancer VIP for “httptohttps10.11.45.101” in a Down State. That is correct.

You should now be able to go to your browser at http://autodiscover.jesseboehmlabs.com and be redirected to https://mail.jesseboehmlabs.com

—-

Section 6
Outlook 2013 – Auto Configuration

The Final Test

For me this is my final test. I have set everything up. Now my ultimate goal is to have Outlook use the Autodiscover Functionality to set up the Exchange Account and have my new Mail Profile set up and ready to use.

So setting up my profile

This is exactly what I configured in Section 5, so this is correct.

I have nothing to change.

That is what I call Success!

So Outlook 2013 is set up with automatic Exchange account creation, fully automated, through NetScaler handling all the Load Balancing.

Part 2 will cover IMAP, SMTP and POP.

Hope this helps you setup Exchange 2013 with NetScaler 10.5

Jesse Boehm

jesse@jesseboehmconsulting.com
