Jesse Boehm - Information Technology Consultant

If you are looking for we are currently closed for Interface Work.

Please contact Jesse for IT Consulting, Web Design, Online Marketing and Graphic Design.

This site is currently serves as Jesse's Resume & Article site

Load Balancing Microsoft Exchange 2016 On Citrix NetScaler 11– Part 1

by – Jesse Boehm


Load Balancing Microsoft Exchange 2016 on Citrix NetScaler 11

This article takes a look at setting up Outlook Web App, ActiveSync and Autodiscover.

I didn’t use any External Sources for this Document having set this up for Exchange 2013 there were some things I knew going in which I will show in this Preface.

So my idea with this article is to create a single source point of how to do this from start to finish.

I caveat that by there is many ways to do things.

I am no Exchange Expert, but I found this method with NetScaler was the best approach as I DO NOT WANT TO USE CONTENT SWITCHTCHING on the NetScaler. Almost everything in Exchange runs on port 443 so to separate the Services like the Citrix eDocs seemed pointless. Also if you set it up that way it does not work at least the way the document from Citrix tells you to do it.

There are many articles out there for Exchange 2010 with NetScaler. Replacing TMG 2010 with NetScaler. All of which I find do not really apply with Exchange 2016.

My goal in this document is to do the following

  • Configure the Exchange Components so they are ready for the NetScaler Load Balancing
  • Add Exchange Servers to the NetScaler for Load Balancing
  • Create and SSL_BRIDGE Service Group
  • Load Balance all SSL Traffic, including OWA through an SSL Load Balanced VIP
  • Redirect HTTP to HTTPS
  • Create a Managed Availability Monitor for Exchange SSL Traffic
  • Create an HTTP to HTTPS Redirect for Autodiscover
  • Pass the Microsoft Exchange ActiveSync Connectivity Tests
  • Test our setup with Auto Config of Outlook with and Exchange Account

This will take us through Outlook Anywhere for Exchange 2016 and Part 1 of my Exchange 2016 Deployment Guide for NetScaler 11

I plan to be covering all mail protocols in this series not just Outlook Anywhere. I will be looking at Load Balancing SMTP, POP and IMAP but non-secure and secure in this series and creating a total guide to document this procedure for NetScaler 11 Load Balancing all of these Services for Exchange 2016.

This is my attempt at creating a document that the entire world can use for one source of information to setup Microsoft Exchange 2016 on NetScaler 11 for Load Balancing with a Step by Step Guide.

Additional Protocols covered in Part 2 of this series will be:

  • SMTP (25/465)
  • POP (110/995)
  • IMAP (143/993)

I hope you find this article useful and helpful with deploying NetScaler 11 as your Frontend Load Balancer for Exchange 2016.

This article is available in PDF Format for $5.00. Please use the button below.

Things to Note:

You need DNS Records Setup. This is what mine look like.

Autodiscover SVR Record

Exchange Settings:

IIS Virtual Directory

Exchange URLS







Section 1
Microsoft Exchange 2016 Readiness for Citrix NetScaler 11 Load Balancing

Task 1: IIS (Internet Information Services) Settings

I want to remove the /OWA dependency from the URL.

Click on the “Default Web Site” than HTTP Redirect.

Check: Redirect requests to this destination

I am setting my URL to:

Check: Only redirect requests to content in this directory (not sub directories)

Found (302) is the correct settings

Click Apply

Now that Applies the Settings to all Sub Directories. So now we need to remove those settings from all Sub Directories except OWA including the following Sub Directories

Autodiscover, ecp, EWS, mapi, Microsoft-Server-ActiveSync, OAB, PowerShell & RPC

Click Autodiscover > then HTTP Redirect > Uncheck Redirect requests to this destination > Click Apply

Repeat this step for ecp, EWS, mapi, Microsoft-Server-ActiveSync, OAB, PowerShell & RPC

Now the next Step is we want to remove the SSL Dependency on the entire Default Web Site. This will come into play with Auto Discover Later and Passing the Microsoft Exchange ActiveSync Connectivity Tests later when we test our environment and autodiscovery of our Outlook Email Setup for Exchange. We are going to allow AutoDiscover to run on port 80 but use the NetScaler to redirect its traffic to HTTPS/443.

Click on Default Web Site > SSL Settings

Uncheck: Require SSL

Now we did this on the Root Site so we need to Enabled this for ecp, EWS, mapi, Microsoft-Server-ActiveSync, OAB, OWA, and PowerShell & RPC. We are not enabling this for Autodiscover.

While I am in IIS I am going to do a few more things.

I have 2 more things two more things to do in IIS which are

  • Bind SSL Certificate to Default Website using Server IP using Host Header
  • Bind SSL Certificate to Default Website using Server IP without Host Header.

The reason for Host Header is to Secure Traffic SSL Browsing to OWA to say or or

The reason to bind the Secure Traffic to the SSL with the Host Header and just to the IP is for the Monitor I am going to create later on the NetScaler for Load Balancing to Monitor SSL Traffic for System Health to Exchange 2016 Servers when Distributing Load when selecting servers to send Mail Users to on Port 443.

So I will do these steps as needed later in the order I need them done.

Right now I am not going to do the binding of SSL Certificate as it will just cause me issues using the Exchange Management Console on the local server.

So that completes my Initial IIS Settings.

Section 2
Create NetScaler Service Group & Load Balancer VIP

  • Add Exchange Servers to the NetScaler for Load Balancing
  • Load Balance all SSL Traffic, including OWA through an SSL Load Balanced VIP
  • Redirect HTTP to HTTPS

Configure the Exchange Components so they are ready for the NetScaler Load Balancing

Task 1: Create Service Group

For this environment we are going to have 3 Exchange Servers that we will be Load Balancing:

JBLEX1, JBLEX2 & JBLEX3 (Background I have a DAG Setup for these Servers each have a Mailbox and Client Access Role)

Navigate to: Traffic Management > Load Balancing > Servers > Add

You will Add each Exchange Server that will be in your Server Group

After you are complete you should see all 3 server with a State of Enabled/Green

Task 1 Complete.

Task 2: Create SSL_BRIDGE Service Group

Navigate to: Traffic Management > Load Balancing > Service Groups > Add

I am Naming my Service Group: LB_EXCHANGE_SSL_BRIDGE

Protocol: SSL_BRIDGE

Cache Type: SERVER

Click No Service Group Members

Change Type to: Server Based and Click to select

Select the 3 Servers we setup in Task 1 then Click OK

Set the Port to 443 and then click Create and then Done

When you come back out to the main Service Groups screen the Effective State may show as Down/Red. Refresh.

And it should show Green/Up

We have now Created our SSL_BRIDGE Service Group

Task 3: Create Load Balanced SSL_BRIDGE VIP

Navigate to: Traffic Management> Load Balancing> Virtual Servers> Add


Protocol: SSL_BRIDGE

IP Address:

Click OK

Now we need to Add our Load Balanced Virtual Server Service Group we created in Task 2.

Select: Click to select

You should see our Service Group: LB_EXCHANGE_SSL_BRIDGE

Select it and click OK, then Bind and then OK and then Done

When you come out our Virtual Server: LB_VIP_EXCHANGE_SSL_BRIDGE

Will show in a Down/Red State.


Everything should be Up/Green. Which it is

We have now created a Load Balanced Virtual Server for SSL Traffic for Exchange 2016

We can test this by open our browser and going to

And it works as it should

We have completed Task 3

Task 4: Redirect HTTP Traffic to HTTPS

Now we have but if anyone goes to they get this page.

So to fix this we need to create an HTTP to HTTPS Redirect.

Navigate to: Traffic Management> Load Balancing> Virtual Servers> Add

Name: httptohttps10.11.45.144

Protocol: HTTP

IP Address:

Port: 80

Click Continue

Back at the main screen click OK, we are not adding any members to this VIP

Now Select Protection

In the Redirect URL set the URL as:

Click OK, then Done

The new VIP should show in a Down State and it will remain Down permanently.

Now to Test your Redirect.


Task 4 is Complete

We now have a full functioning Load Balanced VIP for SSL Traffic and OWA is up and running through the NetScaler. HTTP traffic is redirecting to HTTPS.

You will also notice we did not install an SSL Certificate on the NetScaler. Since we are using SSL_BRIDGE we are passing the traffic straight through to the Exchange Servers.

That completes our first 4 Tasks. Up next we will create Monitors for Managed Availability and Health Checks and managed AutoDiscover.

Section 3
Create a Managed Availability Monitor for Exchange 2016

Task 1

Traffic Management > Load Balancing > Monitors > Add

Monitor Name: LB_VIP_ExchangeSSL_MON


Destination Port: 443

Scroll Down

Check: Secure

Check: LRTM (Least Response Time using Monitoring)

Scroll back up and click on Special Parameters Tab

Set the Send String to: GET /owa/healthcheck.htm

Receiver String to: 200 OK

Then click Create

Now we can see our new Custom Monitor: LB_VIP_ExchangeSSL_MON

In the Monitors List

Task 2
Traffic Management > Load Balancing > Service Groups

Select our Service Group: LB_EXCHANGE_SSL_BRIDGE and select Edit

Add Monitor

Click to Select

Choose our Custom Monitor: LB_VIP_ExchangeSSL_MON

Then Click Bind, then Done

Now back out at the Service Groups screen everything should be Up and Green.

Follow-up to Section 1 Exchange Readiness Task This brings us back to Section 1 where we created the Blank Host Header bound to Port 443 with the SSL Certificate. I found through Testing and Troubleshooting that my Effective State could be unstable without that IIS Binding. That is why I included that step.

We now have Managed Availability of Exchange 2013 on our Load Balancer. So not only are we Load Balancing Exchange we are checking for Exchange Server Health when connecting. If we don’t receiver that 200 OK Response back then the NetScaler will bypass that Exchange Server.

You can see that response in a browser by going to:

Section 4
Microsoft Remote Connectivity Analyzer

Task 1

We are going to use the Microsoft Tools located at

I want to perform the Exchange ActiveSync Autodiscover test on everything we just did and get my results.

Select: Exchange ActiveSync Autodiscover


Step 2

Enter the credentials of the email user you are going to test with

Perform Test

Step 3

You will get a loader that says your test is being performed

Step 4

In our case we received a result of: Connectivity Test Successful with Warnings.

Which I would expect, specifically with various Autodiscover URLs that are not valid.

Test Auto Config of Outlook 2016

Test Outlook App on iOS 9.1 on iPhone 6S Pro Plus

That is what I call Success!

So Outlook 2016 is setup with automatic exchange account creation full automated through NetScaler handling all the Load Balancing.

Part 2 will cover IMAP, SMTP and POP.

Hope this helps you setup Exchange 2016 with NetScaler 11

Jesse Boehm

logo image
Follow by Email
Visit Us