Load balancing Exchange 2010 CAS using ZenLoadBalancer – Part 1

 

Hello World,

In a previous post, we have introduced the open source Zen Load balancer software.  We have described how to perform a standard installation of the product. We also described a basic configuration where web servers where load balanced through the Zen Load Balancer Software.

In this 2 part post series, I want to describe how you can use the Zen Load Balancer in order to setup an Exchange 2010 infrastructure based on 2 Exchange Servers and achieve high availability.

I.Background info about HA & Exchange 2010  

 If you have some experience with Exchange 2010, you know that you can achieve high availability of the server roles through different mechanism.  The mailbox server roles can be configured in cluster through the Database Availability Group (DAG).  The Client Access Servers (CAS) can be grouped in a CAS Array and load balancing software can provide high availability has well.

If you want to use the free Network Load Balancing (NLB) component available within Windows Server operating system, you will need to install a minimum of 4 Exchange servers:

  • 2 Exchange servers hosting CAS/HT Role to create the CAS Array infrastructure
  • 2 Exchange Server configured as Mailbox servers with DAG Technology enabled.

This is because you cannot have NLB component running on a machine using failover Clustering technology.

However, you can achieve high availability for mailbox roles, Hub transport roles and Client Access roles using 2 Exchange Servers by using a third party load balancer solution.  In this post, we will see if the Zen load balancer can be used within an Exchange infrastructure and thus providing a free alternative to other solutions available on the market.

Note :

  • You can download some load balancer virtual appliance for free but they generally come with a 30 day trial limitation. (Barracuda Networks, Kemps technologies, Citrix Netscaler)
  • We are providing here a really simple and basic configuration installation scenario. This post is for demonstration purposes only. Zen load balancer might not have all the features (such as reverse ssl) you might expect. 

II.Prepare the Exchange infrastructure

In order to perform this setup, we assume that an Exchange Organization is already in place.  We assume that a domain Controller with Global catalog role is installed in the AD site where the exchange is installed.  We assume that 2 Exchange servers hosting the Client Access/Hub Transport/mailbox Role are available and already installed. We assume that you have the correct credentials in order to perform the following setup.

The following screenshot describes the Exchange infrastructure that will be used to perform this demonstration. So, we will have only 2 exchange Servers configured will CAS/HT/MBX roles.  We will also have our Zen load balancer (virtual) appliance running within the infrastructure.

Click on image for better resolution

When creating a CAS Array, you will need to perform some additional actions after completing the setup of the Exchange Server.  You will need to

  • Create a DNS Entry for the CAS Array
  • Configured Static Ports for MAPI connection and Address book service
  • Create the CAS Array object
  • Configure mailbox servers to use the CAS Array information

Let’s do this right now !

Step 1 – DNS Entry

In our example, we want to create a cas array called CASARRAY.  The IP Address associated to this Array will be set to 192.168.1.200.  So, you will simply open your DNS  console and create a new Host record.

Step 2 – Configure Static ports for the CAS Array

By default, the CAS Array (or RPC Client Access Service) will be communicating through the port TCP/135 and the dynamic RPC Port range between 6005 and 59530 for outgoing connections when an outlook clients contact the CAS server.

We strongly recommend you to fix MAPI ports.  This will limit the number of ports that you will need to enable on your load balancer solution.  This will make easier also troubleshooting process given that you know exactly which port you will need to check for mail traffic

In Exchange 2010 SP1, you can fix MAPI ports through the Registry, you will need to block ports for the

  • Address Book Service
  • MAPI Connections

When fixing MAPI ports, Microsoft recommends you set this to a unique value between 59531 and 60554 and use the same value on all CAS.

Step 2a – Configure Static Port for the Address Book Service

To configure static ports for the Address Book service, perform the following actions on each cas servers

Configure Static Ports for the Address Book Service
Open registry editor (regedit.exe) and browse to the following registry key :

  • HKLM\System\CurrentControlSet\Services\MSEXCHANGEAB
  • At this level, you have to create the Parameters key (if not present).
  • Then, create a REG_SZ registry value  called RpcTcpPort
  • Finally assign a port number (between 59531 and 60554). In our example, we have used the value 60001
  • Restart Address book service to have changes applied

Note :

Prior Exchange 2010 SP1, to fix the port you would edit the file  Microsoft.exchange.addressbook.service.exe.config located in: “C:\Program Files\Microsoft\Exchange Server\V14\Bin” and set the selected value next to the RcpTcpPort key. 

 

Step 2b – Configure Static Port MAPI Ports

To configure static ports for MAPI connections on each CAS servers, perform the following actions

Configure Static Ports for MAPI Port
Open registry editor (regedit.exe) and browse to the following registry key

  • HKLM\System\CurrentControlSet\Services\MSEXCHANGERPC
  • At this level, you have to create the ParametersSystem key (if not present).
  • Then, create a REG_DWORD registry value  called Tcp/IP Port
  • Finally assign a port number (between 59531 and 60554). In our example, we have used the value 60000
  • It’s required to restart the Microsoft Exchange RPC Client Access service in order for the changes to be applied.

 

Step 3 –  Creating the CAS Array

It’s time to create the CAS Array AD object within our Exchange environment.  After the creation of the CAS Array, you might need to perform some additional configuration settings based on whether or not you have a mailbox database already present within your Exchange infrastructure.

Step 3a – Create the CAS array Object

To create an Exchange CAS Array, perform the following actions :
  • Open your Exchange management shell and issue the following command

New-ClientAccessArray [-Name <String>] -Fqdn <Fqdn> -Site <AdSiteIdParameter>

Click on image for better resolution

Step 3b-  Checking CAS ARRAY Configuration

After creating the casarray, you should check that this one has been created successfully by issuing the command Get-ClientAccessArray (or Get-ClientAccessArray | fl for more details)

 Click on image for better resolution

Step 3c – Set CAS ARRAY value to any existing mailbox database

If a mailbox database existed before the creation of the CAS Array, this mailbox database would use the first CAS Server installed as RPC client Access Server.  You will need to change the RpcClientAccessServer attribute on the existing mailbox database within the Active Directory to point to the newly created CAS Array

To set this, you can perform the following actions from the Exchange Management Shell

Get-MailboxDatabase -Server MBX1 | Set-MailboxDatabase -RpcClientAccessServer casarray.c-nergy.lab

III. Final Words

This conclude the first part of this post.  At this stage, your exchange 2010 infrastructure should be ready and configured with 2 CAS servers that are configured as a CAS Array.  However, no load balancing will occur yet. We will need to configure our Zen load balancer to provide this functionality.

We have avoided (on purpose) to speak about the mailbox server role.  Indeed, to test the load balancing functionality, you do not really need to have a fully configured DAG Mailbox server role.  If you have only one Mailbox server at this stage, you should be able to validate your Zen load balancer setup. The second part of the post will be looking at how you can configure (a basic configuration) the Zen load balancer software.

We have assumed that the reader has a good working knowledge of Exchange 2010. That’s why we have provided summary information about configuration of the Exchange infrastructure.  At a later stage (and enough people ask for it) I might write a more detailed post about how to configure a HA Exchange infrastructure.

Till then….

See ya

Note : if people request so, I might publish on how to for DAG Setup as well

Sources:

Copyright- Griffon 2012 – C-Nergy.be

18 thoughts on “Load balancing Exchange 2010 CAS using ZenLoadBalancer – Part 1

  1. Good post, very interesting and very usefu!
    I’m very impatient for read how is solved this load balancing with Zen.
    Remember that Zen can balance at the moment only one port by farm.

    Regards!

  2. Hello Sam,

    No, I have not got time to publish an article on how to setup a DAG…. Note however, that you do not load balance DAG. DAG is specifically used by Exchange Mailbox Role Server to “replicate” mailboxes between multiple servers (so no load balancing here).

    This means that you can use this article as a base to setup your exchange infrastructure with 2 Exchange server hosting mailbox/Client Access/Hub transport role, create your DAG, Create you CAS Array and load balance it through the Zen load balancer.

    If I have some free time, I’ll try to publish a small step by step guide on how to setup the DAG

    Hope this answer your question

    Till next time

    See ya

  3. Excellent post. Is it necessary to load balance a CAS Array. if i just want CAS availability and I do not care if all connections occur on one of the CAS servers. will it be enough to create just a CAS array?
    thanks

  4. Hello Danisa,

    Quick answer is no ! CASArray does not provide any load balancing feature or redundancy. The CASArray is used internally by exchange. It is used to set the value of the RPCServerAccess attribute on databases

    Longer answer : imagine the following scenario
    if you have 2 exchange servers hosting Client Access Role /Hub Transport /mailbox role in the same Active directory site
    You create the CASArray before creating your databases
    you create a db on one server (Server1) and you create a db on the other server(Server2). In this case, the rpcClientAccess server attribute will be set to server 1 for the database on server 1 and server 2 for database located on server 2. If you loose the Server 1, users who are connected to this server will get disconnected -> no availability

    If you have the CAS role located on different machine that the mailbox, the value of the rpcclientAccess will select a random Client Access Server.
    If the random choice ends up with a situation where the rpcCleintAccess server attribute is different for both database, if one of the server goes down, users on this server will have no access

    IF the random choice configure both database to use the same CAS server, if one goes down, (the one not used), no problem but if it’s the one in use all your users will be disconnected.

    In this scenarios, you will need to manually update the rpclcientAccess attribute or possibly, you could use a script to monitor the status of the CAS servers within the array, if one fails, the script will update automatically the attribute

    So, the load balancer is indeed needed to ensure availability because the load balancer will reconnect automatically your client to the correct/available CAS Server

    Hope this answer your questions

    See ya around

  5. FYI,

    In Step 2a, the Parameter key for the Address Book Service should be Parameters.

    Thanks
    Tony

  6. Hello,
    Great article but i have a few questions. MY(future) cas array will be internet facing since i dont have a Edge Server. Currently right now i had a single all in one exchange server with port forward on 25 and 443 to my exchange server. When i create the farm i was under the impression i would only need port 25 and 443 for email? Can you clarify?

    Thanks

  7. Hello Joel;

    If you have an internet facing CAS Array, you should use Outlook Anywhere or OWA to grant access to your users.

    OWA will use port 443 as you probably now
    Outlook Anywhere will wrap all the rpc connection into the HTTPS connetion you will be performing. Outlook Anywhere was formely known as RPC over HTTPS

    I do not know your network configuration but I’m assuming internet traffic will go through a firewall. The firewall could hold the Public ip address you wanna use. Then, the firewall can redirect the traffic to you CAS Array VIP

    PORT 443 should be enough if you just want you users to access their mailbox. The HUB Transport role inside your network will deal with the mail delivery (and thus port 25 and I’m assuming you already have a firewall rule in place for that :-))

    Hope this help

    Till Next Time

  8. Hi Griffon,
    Thanks for the quick reply. I was just currious as to why i would need to open the address book service and mapi ports. Yes i intend to use outlook anywhere and owa. Right now i have 1 public ip and attached to my router/firewall were i do natting and point tcp ports 25 and 443 to my current all in one exchange server. Once i get the CAS Array running, i will point both 25 and 443 to my virtual ip of the CAS.

  9. Griffon,
    I got everything up and running with your help but once thing i noticed is my outlook at times keeps disconnecting and connecting right away. I read on forum people saying it might be a load balancer issue and timeout settings. Do you know how to fix this?

    Thanks

  10. Hello Joel,

    Sorry for the late answer but I’m really busy with a lot of stuff right now…..
    If you thing that this is related to timeout issue, you should go on your Zen Load balancer and check the timeout settings defined for the “back end server”. I think the default value is 5 sec, you could try to increase this value and see if this fix your problem… (In the Zen Load balancer, you have to edit Global Settings Parameters if I remember correctly)

    You might wanna check also the persistance algorithm you are using

    Hope this help
    Till next time
    See ya

  11. Hi Griffon,
    I made the changes to the the “Max Simultaneous COnnections” and that seems to have fixed the issue. I was recommended by another forum member. Now i have another issue. For some reason my external (owa and iphones) users get disconnected every couple of hours. What i have to do is restart my router which is very weird. The Algorithm im using is Priority by following the guide in this website for exchange 2010 and disabled “Enable Client ip address persistence through memory” for my smtp farm. all othe farms have it checked. Could this be the issue as to why i need to restart my router every few hours? I used this guide.
    http://exchange.sembee.info/2010/install/loadbalancing2.asp?v=desktop

    THanks and no worries on getting back to me late. I understand

  12. His there a document to prepare redundant for Zen load balancer for exchange CASarray.

    The reason is if in case for some reason 1st Zen load balancer breaks 2nd can take over.

    Thanks in Advance

  13. HEllo There,

    You can create Zen Load Balancer cLuster. This is built-in in Zen Load balancer and not to complex to setup
    You can have a look at the following links. These might help you in building up your cluster

    http://www.talking-it.com/zlb/zlb-clustering/
    http://www.youtube.com/watch?v=bleU7B8hAJQ
    http://www.zenloadbalancer.org/web/index.php?page=zen-load-balancer-administration-guide#section5_8

    Hope this help
    See ya

    http://www.talking-it.com/zlb/zlb-clustering/

  14. Hi,

    Strange question here. But we have a Zen Loadbalancer in place with an Exchange 2010 DAG.

    We have enabled Account Lockout upon 10 x Account Login Failure, which is working well. However it seems that the common accounts: sales, account, admin etc are being locked out due to brute force attempts.

    I would like to see the Client IP Addresses Logged within the Windows Event Log under Audit Failure.

    However, the Client IP for all of these is the Load Balancer IP Address.

    Is there a setting, that allows Exchange to see the actual client IP Address ?

    Cheers, Scott

  15. @Scott,

    It’s a long time I didn’t look into the Zen Load balancer …but you could try the following ….
    You have to look for the setting called something like X-Forwarded-For header.. This settings is for HTTP Profile
    If you are looking for connection made using http connection, you can also have a look in the iis log files..

    Hope this help
    Till next time

    See ya

Leave a Reply