Microsoft Exchange Server 2016 is an email server solution, with a calendar and contact manager, which supports different clients such as Outlook, web browser, and mobile devices.
Exchange Server Solution Benefits
Avi Load Balancer solution provides the following benefits for Exchange deployment:
Horizontal scale: You do not have to be caught off guard by a sudden traffic surge. Avi Load Balancer can adjust the capacity of the load balancer infrastructure dynamically by scaling out and scaling in its data plane engines called Service Engine (SE).
Analytics and visibility: Analytics and visibility play a key role in troubleshooting issues and evaluating risks that can affect end-user experience. Unlike other ADC vendors, Avi Load Balancer provides an end-to-end timing chart, pinpointing latency distribution across segments of a client, the ADC, and servers. Avi Load Balancer understands the resource utilization of servers, combines it with observed performance, and presents the result as a health score. By looking at the health score, you can judge the current end-user experience and risk coming from resource utilization.
SSL offload and management with ease of use: Simply select Avi Load Balancer's SSL Everywhere and import a certificate. The rest will be taken care of by Avi Load Balancer. You do not have to convert a certificate and configure multiple things to make Exchange secure. Other significant advantages include SSL compute-offload and HTTP visibility. In particular, the SSL compute-offload allows the reduction of the number of CAS units and the related license cost. By terminating SSL on Avi Load Balancer, you can experience the innovative analytics and visibility engine to its full potential.
Cloud-optimized deployment and high availability: The Avi Load Balancer Controller automatically discovers available resources, such as networks and servers, in the virtual infrastructure. This makes IT admins less vulnerable to human error. In addition, when an SE or its hypervisor fails, the Avi Load Balancer Controller detects the problem, automatically selects the best available hypervisor, and launches a replacement SE to recover. Unlike other ADC solutions, this approach does not require a redundant device.
Deployment Architecture
Exchange Server 2016 has two roles for servers, the Client Access server (CAS) and the Mailbox server, which comprise CAS Array and DAG (Database Access Group) respectively for high availability and increased performance. The CAS provides client protocols, SMTP, and a Unified Messaging Call Router. The client protocols include HTTP/HTTPS and POP3/IMAP4. The UM Call Router redirects SIP traffic to a Mailbox server.
An external load balancer is required to build a CAS array. Unlike CAS array, DAG does NOT require an external load balancer. A server can take both roles of the Client Access and the Mailbox.
CAS provides the following services that require load balancing:
Service | Description
---|---
Outlook Anywhere | Enables an Outlook client to connect to the Exchange server. It uses RPC over HTTP(S).
Outlook Web Access | Enables any web browser to connect to the Exchange server, offering an Outlook-client-like experience in the browser.
Exchange Web Service | Enables client applications to communicate with the Exchange server. EWS provides access to much of the same data that is made available through Microsoft Outlook.
Exchange Administration Center | Provides a web-based management console for the Exchange server.
Exchange Management Shell | Enables a remote admin, over HTTP(S), to perform every task that can be performed through the Exchange Administration Center.
ActiveSync | Enables mobile devices, such as iPhone and Android devices, to synchronize mail, calendar, contacts, and tasks with the Exchange server.
AutoDiscover | Enables a client application, for example an ActiveSync app or Outlook, to configure itself with minimal user information. With the AutoDiscover service, a user's email address and password are enough to discover the rest of the configuration information.
Offline Address Book | Enables an Outlook client in Cached Exchange Mode to look up addresses when offline.
POP3/IMAP4 | Enables third-party email clients to download email from the Exchange server. SMTP is used for outgoing email.
SMTP | Enables third-party email clients to use the Exchange server as an outgoing email server. POP3/IMAP4 is used for incoming email.
MAPI | Enables client programs to become messaging-enabled, messaging-aware, or messaging-based by calling MAPI subsystem routines that interface with certain messaging servers.
Setting Up Exchange for Load Balancing
The Exchange 2016 System Requirements Microsoft Technet article specifies requirements for setting up Exchange Server 2016.
In this case, a Windows 2012 Server (using a 2012 iso) was launched on a VM with an 8-core CPU, 8 GB of RAM, and 100 GB of disk capacity. (Ideally, the disk must be partitioned into four drives for OS, Logs, Exchange Install Directory, and Databases).
Exchange Server 2016 then needs to be installed on the Windows 2012 server. An Exchange server license can be obtained free of cost for 180 days using (personal) Outlook credentials. The license can be obtained from here: Microsoft Exchange Server 2016 product page, Microsoft Exchange Server 2016 download page.
Exchange 2016 requires the server to have a static IP address.
Before Exchange 2016 can be installed, the following prerequisites must be installed; otherwise the Exchange 2016 setup.exe fails with multiple errors. They can be installed using Windows PowerShell on the 2012 server VM that was created. Once they are installed, the server needs to be rebooted.
- .NET Framework 4.5 (ideally 4.5.2, but 4.5 is upgraded to 4.5.2 automatically once setup.exe is run)
- Desktop Experience
- Internet Information Services (IIS)
- Windows Failover Clustering
After the reboot, install Unified Communications Managed API (UCMA) 4.0 Runtime: download page
In case the server chosen is 2012 RTM, Windows Management Framework 4.0 needs to be installed as well: download page
Install the Active Directory Remote Server Administration Tools plug-in on the Exchange server using PowerShell.
Install Active Directory as per the steps outlined in Setting up an Active Directory Lab (Part 1)
An important step to note is that the DNS Resolver under System Settings in Avi Load Balancer must point to the local DNS server set up during the Active Directory install. In this case, AD, Exchange 2016, DNS, and IIS were installed on one single server.
From the link above, make sure there is a client machine that can join the domain being created (avitest.com in this case) and that the user created in Active Directory can log in to it. For test purposes, a Windows 7 test machine (a virtual machine spawned from a Windows 7 iso) was chosen as the client: it was joined to the domain avitest.com, and the test user's credentials configured in AD were used to log in from it.
Once the client machine is a part of the domain, switch to the 2012 server PowerShell prompt in the directory where the 2016 setup file resides and configure Active Directory to receive Exchange 2016. The Exchange Schema version must be 15317. Verify this using ADSI Edit.
The setup.exe for 2016 can now be executed; set it up for the Mailbox role.
Once set up, ECP can be browsed using https://servername/ecp (in our case the server name is lab-dc01).
Since this is a lab-only environment, the split-DNS namespace separation between external and internal access is skipped. In this case, the internal and external hostname were kept the same, lab-dc01.avitest.com, for all the Exchange services. (This needs to be done from the ECP login as above.)
MAPI and AutoDiscover services cannot be configured through ECP in the browser and need to be configured through the Exchange Management Shell.
Log in to the Exchange Admin Center and create a self-signed certificate for the server. Export it to the desktop, as it will be imported into the virtual service (VS) that we create.
The self-signed certificate needs to be assigned to the IIS service.
Create two mailbox users using EAC so that emails can be sent from two accounts.
An Exchange client could be on Outlook 2016 or Outlook 2013. For tests, we used the OWA access through a normal Chrome/Firefox browser.
To enable SSL offload on Exchange 2016, make the changes to each Exchange service described in the Configuring SSL offloading in Exchange 2013 Microsoft TechNet article.
To set up a secondary Exchange Server, follow the steps above. We don’t need to go ahead with an AD installation but have to make sure that the secondary Exchange Server is part of the same domain and that a new forest domain is NOT created. We just need the existing domain that was created.
Load-Balancing Policies
Avi Load Balancer supports the deployment of an Exchange solution in three different ways:
One virtual service (VS) and one pool: This is the quickest way to deploy the Exchange service and requires only one virtual IP address. However, individual health monitoring for different services is not possible. If you deploy Exchange 2016, you have to choose one persistence method across all services; this may result in suboptimal operational results because different Exchange 2016 services require different persistence methods for the best result. The statistics and analytics information from the Avi Load Balancer system will be an aggregate of all services.
One virtual service and multiple pools: This requires configuring a Layer 7 policy on Avi Load Balancer to forward each HTTP request, based on its host header, to the corresponding pool. This deployment requires only one virtual IP address and enables individual health monitoring for the different services. In addition, for Exchange 2016, Avi Load Balancer supports a different persistence method per pool. This deployment enables Avi Load Balancer to provide statistics and analytics information on a per-pool basis.
Multiple virtual services and one pool per virtual service: This requires as many IP addresses as Exchange services to load balance. Each virtual service will have one pool. This deployment enables Avi Load Balancer to provide statistics and analytics information on a per-VS basis.
A virtual service is defined as a virtual IP address and a port number.
In this section, we are going to use the second deployment model: a single virtual service for all services, with multiple pools, where each pool corresponds to one Exchange service. The table below lists the Exchange services, the ports to load balance, and the health check method for each. Exchange 2016 provides pre-defined HTML pages for health monitoring by a load balancer.
Table 1: Exchange services, ports, and health checks

CAS Service | Ports on VS | Ports on Pools | FQDN for VIP | Health Check Path
---|---|---|---|---
Outlook Anywhere | 443/HTTPS | 80/HTTP | lab-dc01.avitest.com | /rpc/healthchecks.htm
Outlook Web Access | 443/HTTPS | 80/HTTP | lab-dc01.avitest.com | /OWA/healthchecks.htm
Exchange Web Service | 443/HTTPS | 80/HTTP | lab-dc01.avitest.com | /EWS/healthchecks.htm
Exchange Administration Center | 443/HTTPS | 80/HTTP | lab-dc01.avitest.com | /ECP/healthchecks.htm
Exchange Management Shell | 443/HTTPS | 80/HTTP | lab-dc01.avitest.com | /PowerShell/healthchecks.htm
AutoDiscover | 443/HTTPS | 80/HTTP | lab-dc01.avitest.com | /Autodiscover/healthchecks.htm
ActiveSync | 443/HTTPS | 80/HTTP | lab-dc01.avitest.com | /Microsoft-Server-ActiveSync/healthchecks.htm
Offline Address Book | 443/HTTPS | 80/HTTP | lab-dc01.avitest.com | /OAB/healthchecks.htm
Messaging Application Programming Interface | 443/HTTPS | 80/HTTP | lab-dc01.avitest.com | /MAPI/healthchecks.htm
POP3 | 995/POP3 with SSL | 995/POP3 with SSL | lab-dc01.avitest.com | TCP port 995
IMAP4 | 993/IMAP4 with SSL | 993/IMAP4 with SSL | lab-dc01.avitest.com | TCP port 993
SMTP | 465/SMTP with SSL | 465/SMTP with SSL | lab-dc01.avitest.com | TCP port 465
In Table 1, _lab-dc01.avitest.com_ and _autodiscovery.avitest.com_ must point to the virtual IP. All HTTPS-based services will be terminated by Avi Load Balancer: the traffic is decrypted and sent to the pool, and the response is encrypted and sent back to the client. For SMTP/IMAP4/POP3 traffic, the Layer 4 policy is applied: Avi Load Balancer terminates only the TCP connection and passes the SSL session through to the server without decrypting it.
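As an added example (not from the original page and not Avi's own code), the following Python script runs the same checks that the per-pool monitors in Table 1 would run, directly against a CAS before it is enabled in a pool: a GET of each healthchecks.htm page over plain HTTP on the pool port 80 (the offloaded side), passing only on a 200 status, and a plain TCP connect for the Layer 4 services on 995/993/465, where the SSL session is not inspected. The CAS address 192.0.2.10 and the five-second timeout are assumptions; the Host header defaults to the target host and can be set to the VIP FQDN as in the usage block.

```python
import http.client
import socket

# Backend checks taken from Table 1: (service, pool port, health page path).
# A path of None means a Layer 4 service that is checked with a TCP connect only.
POOL_CHECKS = [
    ("Outlook Anywhere", 80, "/rpc/healthchecks.htm"),
    ("Outlook Web Access", 80, "/OWA/healthchecks.htm"),
    ("Exchange Web Service", 80, "/EWS/healthchecks.htm"),
    ("Exchange Administration Center", 80, "/ECP/healthchecks.htm"),
    ("Exchange Management Shell", 80, "/PowerShell/healthchecks.htm"),
    ("AutoDiscover", 80, "/Autodiscover/healthchecks.htm"),
    ("ActiveSync", 80, "/Microsoft-Server-ActiveSync/healthchecks.htm"),
    ("Offline Address Book", 80, "/OAB/healthchecks.htm"),
    ("MAPI", 80, "/MAPI/healthchecks.htm"),
    ("POP3", 995, None),
    ("IMAP4", 993, None),
    ("SMTP", 465, None),
]

def check_http(host, port, path, host_header=None, timeout=5):
    """HTTP monitor equivalent: GET the health page over plain HTTP (the pool
    side after SSL offload) and pass only on a 200 status."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path, headers={"Host": host_header or host})
        status = conn.getresponse().status
        conn.close()
        return status == 200
    except (OSError, http.client.HTTPException):
        return False

def check_tcp(host, port, timeout=5):
    """Layer 4 monitor equivalent: a completed TCP handshake is a pass; the
    SSL session is passed through to the server and not inspected here."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_pool_member(host, checks=POOL_CHECKS, host_header=None):
    """Run every check from the table against one CAS; returns {service: passed}."""
    return {service: check_http(host, port, path, host_header) if path
            else check_tcp(host, port) for service, port, path in checks}

if __name__ == "__main__":
    # Assumed CAS address, with the VIP FQDN from Table 1 as the Host header.
    for service, ok in check_pool_member("192.0.2.10", host_header="lab-dc01.avitest.com").items():
        print(f"{service:32} {'UP' if ok else 'DOWN'}")
```

A service reported DOWN here will also be marked down by the corresponding Avi pool monitor, so fix it on the CAS (virtual directory, IIS binding, or the SSL offload setting) before troubleshooting the load balancer.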