Exchange 2016 SLB configuration involves the following activities:

Health Monitor

  1. Navigate to Templates > Profile > Monitor.

  2. Create an HTTP health monitor for each Exchange service (8 in number). Use URLs listed in table 1. Client Request Data needs to be set to GET //healthcheck.htm HTTP/1.1. As an example, this one is set for OWA as GET /OWA/healthcheck.htm HTTP/1.1.

  3. Create a TCP health monitor each for POP3, IMAP4, and SMTP on specific port numbers as shown in table 1.

SSL Certificate

  1. Navigate to Template > Profile > Certificate.

  2. Click Create > Application Certificate. Import the self-signed certificate that was exported when the CSR was created on Exchange Server. The Exchange Server that is exported is in PFX format and needs to be converted to .pem format to be imported into the NSX Advanced Load Balancer UI. This can be achieved as “openssl pkcs12 -in cert.PFX -out cert.pem -nodes”.

Virtual Service

  1. Navigate to Application > Virtual Services. Create an L7 Virtual Service for Exchange service and associate it with other objects, such as an application profile, health monitor, SSL, etc.

  2. For HTTPS, use System-Secure-HTTP and System-TCP-Proxy for Application Profile and TCP/UDP Profile. Note: When HTTPS or the System-Secure-HTTP profile are used, disable the "Secure Cookies" and "HTTP-only Cookies" checkboxes in the Security tab for that HTTP profile.

  3. Create three L4 Virtual Services each for POP3, IMAP4, and SMTP, use System-L4-Application and System-TCP-Proxy with the same IP address as the L7 VS (this is optional) but different service port numbers than the L7 VS.


You can create a shared VS using different ports.


  • This can be accessed separately or from the Virtual Services configuration wizard. The pool is a construct that includes servers, load balancing method, persistence method, and health monitor. Add servers across which load is to be balanced and choose Least-Connections for the load balancing method. Below is an example of a pool created for the Outlook Web Access (OWA) service.

  • The Active health monitor is chosen as the one created above. In this case, it’s the OWA health monitor which is chosen.

  • The server IP address is the IP of the Exchange server which resolves to

  • Create 12 pools with names based on table 2.

HTTP Policy

  1. This can be added after creating a virtual service or from the Virtual Service configuration wizard.

  2. Create a HTTP policy and it includes 8 HTTP request rules, each rule corresponding to an Exchange service.

  3. To create the HTTP policy, follow the steps next.

  4. Navigate to Application > Virtual Services. Click the virtual services edit icon. This will pop up in the Edit Virtual Service menu.

  5. Navigate to Policy > HTTP Request.

  6. Click Add HTTP Request Rule.

  7. Enter a rule name, e.g., rule-pool-oa.

  8. Select Path and Begins With for Matching Rules. Then, enter /rpc.

  9. Select Content Switch and Pool for Action. Then, select a corresponding pool, e.g., pool-oa.

  10. Click Save Rule.

Below we can see an example of creating the same for an L7 virtual service for OWA.

Below we see all HTTP-based policies created for the L7 virtual service.

  • Repeat the steps for each Exchange pool. Refer to table 2 for URLs and pools.

Table 1. Table 2. Pools for Exchange 2016 services

CAS Service

Pool Name

Ports on Pools


Outlook Anywhere




Outlook Web Access




Exchange Web Service




Exchange Administration Center




Exchange Management Shell












Offline Address Book




Messaging Application Programming Interface






995/POP3 with SSL




993/IMAP4 with SSL




465/SMTP with SSL


Load Balancing

  • To support load balancing across Exchange Servers on a single VIP, choose the “Round Robin” load balance option under all pools that have been configured. Below we show this being done for the owa-pool.

  • Add the secondary exchange server IP under all pools. This is seen below for the owa-pool.

Confirming Proper Operation

The L7 service had a default pool pointing to pool-as (ActiveSync). The below screenshot confirms clients accessed the Exchange virtual service several times during the 15-minute timeframe depicted in the timeline.

Non-significant logs having been on, one observes a total of 43 log entries, including the successful ones (return code = 200). The most recent log entry is shown expanded. The other 42, collapsed into single-line rows, are not shown in the screenshot. The L7 virtual service successfully content-switched requests to the pool-owa pool as a result of the rule-pool-owa request policy rule.

The NSX Advanced Load Balancer solution provides additional information about the client from which the request originated, including the client’s operating system (Android), device type (Moto G Play), browser (Chrome Mobile), SSL version (TLSv1.2), certificate type (RSA), and so on.