3658_implement load balancing


Upload: david-hung-nguyen

Post on 02-May-2017


Page 1: 3658_Implement Load Balancing

Plan, Install, Configure and Manage Client Access: Implement Load Balancing

Implement load balancing

This objective may include but is not limited to:

– Configure namespace load balancing

– Configure Session Initiation Protocol (SIP) load balancing

– Plan for differences between layer seven and layer four load balancing methods

– Configure Windows Network Load Balancing (WNLB)

•The Company:

•From A to Z Eventaganza

•Problem:

•They have HA of their Mailbox servers but not their CAS

•Goal:

•Review options to provide solid load balancing and availability

Scenario: Event Planners


Load balancing with Exchange 2010 was a real pain and was costly

Distributing MAPI traffic across an RPC Client Access array was painful, and the Layer 7 load balancers it required, with features such as SSL offloading and service-level monitoring, were expensive

And that expense has to be considered in pairs because you need TWO load balancers per implementation if you wish to have redundancy of your balancers too

Client Access arrays and Exchange 2013: Not required

Looking Backwards at 2010

The CAS role has been altered to be stateless and act as a proxy with no rendering done on the CAS

It authenticates a user and proxies the request back to the Mailbox server where the user's mailbox resides, which is where all the rendering is done

All client interaction is now done through HTTPS with Outlook Anywhere (even for internal clients), so MAPI or RPC client access is no longer used for client interaction

The CAS role is now the entry point for UM. UM connects by sending a SIP request to the UM call router on the CAS, which answers the request and sends a SIP redirection to the caller, who can then connect to the Mailbox server directly through SIP and RTP

Improvements to Exchange 2013 Client Access

[Diagram: Affinity. End-User (Outlook or OWA), Load Balancers, Client Access Servers, Mailbox Servers, DAG]


There are some great improvements in the architecture of Exchange 2013 that make for a better load balancing/high availability implementation

For example, the use of a single protocol (HTTPS), a new method of handling HTTP cookies during forms-based authentication, and so on

Because of the new authentication method, and because rendering is handled on the Mailbox side, the session can go through either CAS (provided all Client Access servers have the same SSL certificate)

These adjustments make it possible for Layer 4 load balancers to be used now

Load Balancing Improvements

For starters, to have higher availability or load balancing you need more than one Client Access server

To achieve both high availability and load balancing you can use:

– DNS round robin (no real load balancing)

– Network Load Balancing

– Hardware/Virtual load balancing

CAS High Availability and Load Balancing

DNS round robin is not the best option, nor is it typically recommended over a hardware-based (or virtual) load balancer or even NLB

The failover takes place at the client level as it reaches out for a DNS record for your Client Access servers and is provided one of the options you have configured

Logically you need multiple CAS to make this work and you have to configure multiple A records for IP addresses of your CAS servers

Remember there is no true load balancing or automatic failover with round-robin

DNS Round Robin


NLB is built right into Windows Server OS and it allows you to distribute the load between your Client Access servers

You assign a virtual IP along with the typical IP address for each member of the NLB cluster

Because the client uses the VIP to connect, if a CAS is unavailable the NLB will connect the client to a different CAS

NLB is fine for labs and small environments where the expense of a hardware load balancer is an issue

Windows Network Load Balancing

NLB cannot be used with Exchange if the CAS is located on a Mailbox server that is part of a DAG (NLB is not compatible with Windows clustering)

NLB doesn’t detect service outages (only outages by IP)

NLB can result in port flooding

Not a good solution for small IP pools because it only does client affinity using the source IP

WNLB Limitations
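Two of the limitations listed above (affinity by source IP only, and no detection of service outages) modelled as an added example that is not part of the original slides. The node names, addresses and function names are constructed, and SHA-256 is a stand-in because WNLB's real hashing algorithm is not reproduced here.

```python
import hashlib
from collections import Counter

def pick_node(source_ip, nodes):
    """Source-IP affinity: the same client address always lands on the same node."""
    digest = hashlib.sha256(source_ip.encode()).digest()
    return nodes[int.from_bytes(digest[:4], "big") % len(nodes)]

def converge(nodes, host_up):
    """A node leaves the cluster only when the host itself stops answering."""
    return [n for n in nodes if host_up[n]]

def distribute(client_ips, nodes, host_up, https_up):
    """Return (connections per node, connections sent to a node whose HTTPS is down)."""
    members = converge(nodes, host_up)
    load = Counter(pick_node(ip, members) for ip in client_ips)
    lost = sum(count for node, count in load.items() if not https_up[node])
    return load, lost

NODES = ["CAS1", "CAS2", "CAS3", "CAS4"]
ALL_UP = {n: True for n in NODES}

# Constructed inputs: 1000 clients with their own addresses, and the same number
# of clients arriving through two proxies, so only two source IPs are visible.
direct = [f"10.1.{i // 250}.{i % 250 + 1}" for i in range(1000)]
proxied = ["192.0.2.10" if i % 2 else "192.0.2.11" for i in range(1000)]

if __name__ == "__main__":
    print("direct :", dict(distribute(direct, NODES, ALL_UP, ALL_UP)[0]))
    print("proxied:", dict(distribute(proxied, NODES, ALL_UP, ALL_UP)[0]))
    # CAS2 still answers on the network but its web service has stopped:
    # it stays in the cluster and keeps receiving its share of clients.
    https = dict(ALL_UP, CAS2=False)
    print("service down:", distribute(direct, NODES, ALL_UP, https)[1], "connections lost")
    # CAS2 is powered off: the cluster converges without it.
    host = dict(ALL_UP, CAS2=False)
    print("host down   :", distribute(direct, NODES, host, https)[1], "connections lost")
```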

A hardware-based (or virtual) load balancer also uses a virtual IP (VIP) but is much more sophisticated than NLB

Performance is better with a real load balancing solution

Hardware-based (virtual) Load Balancing


As mentioned a bit earlier, the architectural changes to the Client Access server mean that you don't need all the expensive Layer 7 intelligence; a Layer 4 load balancer is typically all you need

Layer 4 load balancers (in a basic form) can also determine if a server is in a failure state or check for specific services (like OWA) and ensure it is up and running

What Layer 4 load balancers cannot do is determine, amongst multiple services, whether a single service is down and reroute just that service (that requires Layer 7)

Layer 4 vs. Layer 7

Namespace Options with Load Balancing

[Diagram: Layer 4 and Layer 7 with single namespace. End-User (Outlook or OWA), Load Balancers, Client Access Servers each serving OWA/ECP/OA/EWS, all under externalurl.domain.com]

Namespace Options with Load Balancing

[Diagram: Layer 4 with multiple namespaces. End-User (Outlook or OWA), Load Balancers, Client Access Servers serving ECP, OA, OWA, EWS and OAB under the namespaces owa.domain.com, ecp.domain.com, oa.domain.com, ews.domain.com and oas.domain.com]
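The three designs on the slides above (Layer 4 with a single namespace, Layer 4 with one namespace per protocol, Layer 7 with a single namespace) modelled as an added example that is not part of the original slides; it generalizes the Layer 4 vs. Layer 7 point to show which servers each design keeps in rotation when one service fails on one server. The server names CAS1/CAS2, the health state and the function names are constructed for illustration.

```python
# Constructed health state: EWS has failed on CAS1, every other service is up.
HEALTH = {
    "CAS1": {"owa": True, "ecp": True, "ews": False},
    "CAS2": {"owa": True, "ecp": True, "ews": True},
}
SINGLE = "externalurl.domain.com"            # single namespace from the slides
PER_SERVICE = {"owa.domain.com": "owa",      # one namespace (and VIP) per protocol
               "ecp.domain.com": "ecp",
               "ews.domain.com": "ews"}

def service_of(path):
    """Map a URL path to its service. Only Layer 7 can do this on live traffic."""
    return path.strip("/").split("/")[0].lower()

def l4_single(host, path, health, probe="owa"):
    """One VIP, one probe. host and path are ignored: Layer 4 sees only IP and port."""
    return sorted(s for s, state in health.items() if state[probe])

def l4_multi(host, path, health):
    """One VIP per namespace; the VIP that was hit identifies the service to probe."""
    return sorted(s for s, state in health.items() if state[PER_SERVICE[host]])

def l7_single(host, path, health):
    """One VIP; the balancer reads the path and keeps a pool per service."""
    return sorted(s for s, state in health.items() if state[service_of(path)])

def broken_targets(pool, path, health):
    """Pool members that would fail this request."""
    return [s for s in pool if not health[s][service_of(path)]]

if __name__ == "__main__":
    ews, owa = "/EWS/Exchange.asmx", "/owa/"
    pool = l4_single(SINGLE, ews, HEALTH)
    print("L4 single, probe OWA:", pool, "broken for EWS:", broken_targets(pool, ews, HEALTH))
    print("L4 single, probe EWS:", l4_single(SINGLE, owa, HEALTH, probe="ews"), "(OWA loses CAS1 too)")
    print("L4 multi,  EWS / OWA:", l4_multi("ews.domain.com", ews, HEALTH),
          l4_multi("owa.domain.com", owa, HEALTH))
    print("L7 single, EWS / OWA:", l7_single(SINGLE, ews, HEALTH),
          l7_single(SINGLE, owa, HEALTH))
```

With a single Layer 4 VIP the choice is between sending EWS requests to a server that cannot serve them and removing that server for every protocol; the other two designs take CAS1 out of rotation for EWS only.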


The namespace model within Exchange 2013 has been simplified, which benefits load balancing by reducing the number of namespaces needed to make it happen

Here is what we needed with 2010:

– Primary and secondary datacenter Internet protocol namespaces (2)

– Primary and secondary datacenter OWA failback namespaces (2)

– Primary and secondary datacenter RPC Client Access namespaces (2)

– Autodiscover namespace (1)

– Legacy namespace (1)

– Transport namespace (depending on if you were doing ad-hoc or partner-to-partner encryption) (1)

There are still a lot of namespaces needed in a site resilient design but 2 are no longer needed

Namespaces and Site Resiliency

After reviewing all the options it appears they have decided to go with two Kemp load balancers using Layer 7 (for the added functionalities over Layer 4)

They will make sure all CAS servers use the same SSL certificate

They are also looking at providing site resilience in the future and appreciate that fewer namespaces will need to be considered

Scenario: From A to Z Eventaganza

Additional Research

•Load Balancing (TechNet)

• http://technet.microsoft.com/en-us/library/jj898588(v=exchg.150).aspx

•Introducing Load Balancing in Exchange 2013 with Steve Goodman (Part 1)

• http://www.msexchange.org/articles-tutorials/exchange-server-2013/high-availability-recovery/introducing-load-balancing-exchange-server-2013-part1.html

•Introducing Load Balancing in Exchange 2013 with Steve Goodman (Part 2)

• http://www.msexchange.org/articles-tutorials/exchange-server-2013/high-availability-recovery/introducing-load-balancing-exchange-server-2013-part2.html