Microsoft Exchange Server 2016 is an e-mail server solution, with a calendar and contact manager, which supports a variety of clients such as Outlook, web browser, and mobile devices.

NSX Advanced Load Balancer's Exchange Server Solution Benefits

The NSX Advanced Load Balancer solution provides the following benefits for an Exchange deployment:

Horizontal scale: You do not have to be caught off guard by a sudden traffic surge. NSX Advanced Load Balancer can adjust the capacity of the load balancer infrastructure dynamically by scaling out and scaling in its data plane engines called Service Engine (SE).

Analytics and visibility: Analytics and visibility play a key role in troubleshooting issues and evaluating risks that can affect end-user experience. Unlike other ADC vendors, NSX Advanced Load Balancer provides an end-to-end timing chart, pinpointing latency distribution across segments of a client, the ADC, and servers. NSX Advanced Load Balancer understands the resource utilization of servers, combines it with observed performance, and presents the result as a health score. By looking at the health score, you can judge the current end-user experience and risk coming from resource utilization.

SSL offload and management with ease of use: Simply select NSX Advanced Load Balancer's SSL Everywhere and import a certificate. The rest will be taken care of by NSX Advanced Load Balancer. You do not have to convert a certificate and configure multiple things to make Exchange secure. Other significant advantages include SSL compute offload and HTTP visibility. In particular, SSL compute offload allows the reduction of the number of CAS units and related license cost. By terminating SSL on NSX Advanced Load Balancer, you can fully enjoy NSX Advanced Load Balancer's innovative analytics and visibility engine.

Cloud-optimized deployment and high availability: The NSX Advanced Load Balancer Controller automatically discovers available resources, such as networks and servers, in the virtual infrastructure, which leaves IT admins less exposed to human error. In addition, the Controller detects when an SE or its hypervisor fails, automatically looks for the best available hypervisor, and launches a replacement SE to recover. Unlike other ADC solutions, this approach does not require a redundant device.

Deployment Architecture

Exchange Server 2016 has two server roles, the Client Access server (CAS) and the Mailbox server, which form a CAS array and a DAG (Database Availability Group) respectively for high availability and increased performance. The CAS provides the client protocols, SMTP, and the Unified Messaging (UM) Call Router. The client protocols include HTTP/HTTPS and POP3/IMAP4. The UM Call Router redirects SIP traffic to a Mailbox server.

Note:

An external load balancer is required to build a CAS array. Unlike a CAS array, a DAG does NOT require an external load balancer. A single server can hold both the Client Access and the Mailbox roles.

CAS provides the following services that require load balancing:

Outlook Anywhere

It enables an Outlook client to connect to the Exchange server. It uses RPC over HTTP(S).

Outlook Web Access

It enables any web browser to connect to the Exchange server, offering an Outlook-client-like experience in the browser.

Exchange Web Service

It enables client applications to communicate with the Exchange server. EWS provides access to much of the same data that is made available through Microsoft Outlook.

Exchange Administration Center

It provides a web-based management console for the Exchange server.

Exchange Management Shell

It enables a remote admin over HTTP(S) to perform every task that can be performed by the Exchange Administration Center.

ActiveSync

It enables mobile devices, such as iPhone and Android devices, to synchronize mail, calendar, contact, and tasks with the Exchange server.

AutoDiscover

It enables a client application, e.g., ActiveSync app or Outlook, to configure itself with minimal user information. With the AutoDiscover service, a user's e-mail address and password are enough to find out the rest of the configuration information.

Offline Address Book

It enables an Outlook client in Cached Exchange Mode to look up addresses while offline.

POP3/IMAP4

It enables third-party e-mail clients to download e-mail from the Exchange server. SMTP is used for outgoing e-mail.

SMTP

It enables third-party e-mail clients to use the Exchange server as an outgoing e-mail server. POP3/IMAP4 is used for incoming e-mail.

MAPI

It enables client programs to become messaging-enabled, messaging-aware, or messaging-based by calling MAPI subsystem routines that interface with certain messaging servers.

Setting Up Exchange for Load Balancing

The Microsoft TechNet article Exchange 2016 System Requirements specifies the requirements for setting up Exchange Server 2016.

  • In this case, a Windows Server 2012 machine (built from a 2012 ISO) was brought up on a VM with an 8-core CPU, 8 GB of RAM, and 100 GB of disk capacity. (Ideally, the disk should be partitioned into four drives for the OS, logs, the Exchange install directory, and databases.)

  • Exchange Server 2016 then needs to be installed on the Windows 2012 server. An Exchange Server trial license can be obtained free of cost for 180 days using personal Outlook credentials. The license can be obtained from here: Microsoft Exchange Server 2016 product page, Microsoft Exchange Server 2016 download page.

  • Exchange 2016 requires the server to have a static IP address.

  • Before Exchange 2016 can be installed, its prerequisites must be in place; otherwise the Exchange 2016 setup.exe fails with multiple errors. They can be installed using Windows PowerShell on the Windows 2012 server VM created above. Once they are installed, the server needs to be rebooted. The prerequisites are:
    - .NET Framework 4.5 (ideally 4.5.2, but it is upgraded to 4.5.2 automatically once setup.exe is run)
    - Desktop Experience
    - Internet Information Services (IIS)
    - Windows Failover Clustering

  • After the reboot, install Unified Communications Managed API (UCMA) 4.0 Runtime: download page

  • In case the server chosen is 2012 RTM, Windows Management Framework 4.0 needs to be installed as well: download page

  • Install the Active Directory Remote Server Administration Tools plugin on the Exchange server using PowerShell.

  • Install Active Directory per the steps outlined here: Setting up an Active Directory Lab (Part 1).

  • An important step to note is that the DNS Resolver under System Settings in NSX Advanced Load Balancer should point to the local DNS server set-up during Active Directory install. In this case, AD, Exchange 2016, DNS, and IIS were installed on one single server.

  • Following the link above, we need to make sure that we have a client machine that can join the domain we create (avitest.com in this case) and that the user we create in Active Directory can log in to it. For test purposes, a Windows 7 test machine (a VM spawned from a Windows 7 ISO) was chosen as the client, joined to the domain avitest.com, and logged in with the credentials configured in AD for the test user.

  • Once the client machine is part of the domain, switch to the PowerShell prompt on the 2012 server, in the directory where the Exchange 2016 setup file resides, and prepare Active Directory to receive Exchange 2016. The Exchange schema version should then be 15317. Verify this using ADSI Edit.

  • The Exchange 2016 setup.exe can now be executed; set it up for the Mailbox role.

  • Once set up, ECP can be browsed using https://servername/ecp (in our case the server name is lab-dc01).

  • Since this is a lab-only environment, we skip the split-DNS namespace setup for external and internal access. In this case, the internal and external hostname was kept the same, lab-dc01.avitest.com, for all the Exchange services. (This is configured from the ECP login described above.)

  • The MAPI and AutoDiscover services cannot be configured through ECP in the browser and need to be configured via the Exchange Management Shell.

  • Log in to the Exchange Admin Center and create a self-signed certificate for the server. Export it to the desktop; it will be imported into the virtual service (VS) that we create.

  • The self-signed certificate needs to be assigned to the IIS service.

  • Create two mailbox users using EAC so that emails can be sent from two accounts.

  • An Exchange client could be on Outlook 2016 or Outlook 2013. For tests, we used the OWA access through a normal Chrome/Firefox browser.

  • To enable SSL offload on Exchange 2016, make the changes to each Exchange service described in the Microsoft TechNet article Configuring SSL offloading in Exchange 2013.

  • To set up a secondary Exchange Server, follow the steps above. An AD installation is not needed, but make sure that the secondary Exchange Server joins the same existing domain and that a new forest or domain is NOT created.

Load-Balancing Policies

NSX Advanced Load Balancer supports the deployment of an Exchange solution in three different ways:

  1. One virtual service (VS) and one pool: This is the quickest way to deploy the Exchange service and requires only one virtual IP address. However, individual health monitoring for different services is not possible. If you deploy Exchange 2016, you have to choose one persistence method across all services; this may result in suboptimal operational results because different Exchange 2016 services require different persistence methods for the best result. The statistics and analytics information from the NSX Advanced Load Balancer system will be an aggregate of all services.

  2. One virtual service and multiple pools: This requires configuring a Layer 7 policy on NSX Advanced Load Balancer to forward each HTTP message, based on its host header, to the corresponding pool. This deployment requires only one virtual IP address and enables individual health monitoring for different services. In addition, for Exchange 2016, NSX Advanced Load Balancer supports a different persistence method per pool. This deployment enables NSX Advanced Load Balancer to provide statistics and analytics information on a per-pool basis.

  3. Multiple virtual services and one pool per virtual service: This requires as many IP addresses as Exchange services to load balance. Each virtual service will have one pool. This deployment enables NSX Advanced Load Balancer to provide statistics and analytics information on a per-VS basis.

Note:

A virtual service is defined as a virtual IP address and a port number.

In this section, we use the second deployment model: a single virtual service for all services, with multiple pools, where each pool corresponds to one Exchange service. Table 1 lists the Exchange services and ports to load balance, together with the health-check method for each. Exchange 2016 provides pre-defined HTML pages for health monitoring by a load balancer.

Table 1. Exchange 2016 services for load balancing

| CAS Service | Ports on VS | Ports on Pools | FQDN for VIP | Path |
|---|---|---|---|---|
| Outlook Anywhere | 443/HTTPS | 80/HTTP | lab-dc01.avitest.com | /rpc/healthchecks.htm |
| Outlook Web Access | 443/HTTPS | 80/HTTP | lab-dc01.avitest.com | /OWA/healthchecks.htm |
| Exchange Web Service | 443/HTTPS | 80/HTTP | lab-dc01.avitest.com | /EWS/healthchecks.htm |
| Exchange Administration Center | 443/HTTPS | 80/HTTP | lab-dc01.avitest.com | /ECP/healthchecks.htm |
| Exchange Management Shell | 443/HTTPS | 80/HTTP | lab-dc01.avitest.com | /PowerShell/healthchecks.htm |
| AutoDiscover | 443/HTTPS | 80/HTTP | lab-dc01.avitest.com | /Autodiscover/healthchecks.htm |
| ActiveSync | 443/HTTPS | 80/HTTP | lab-dc01.avitest.com | /Microsoft-Server-ActiveSync/healthchecks.htm |
| Offline Address Book | 443/HTTPS | 80/HTTP | lab-dc01.avitest.com | /OAB/healthchecks.htm |
| Messaging Application Programming Interface | 443/HTTPS | 80/HTTP | lab-dc01.avitest.com | /MAPI/healthchecks.htm |
| POP3 | 995/POP3 with SSL | 995/POP3 with SSL | lab-dc01.avitest.com | TCP port 995 |
| IMAP4 | 993/IMAP4 with SSL | 993/IMAP4 with SSL | lab-dc01.avitest.com | TCP port 993 |
| SMTP | 465/SMTP with SSL | 465/SMTP with SSL | lab-dc01.avitest.com | TCP port 465 |

In Table 1, _lab-dc01.avitest.com_ and _autodiscovery.avitest.com_ should point to the virtual IP. All HTTPS-based services are terminated by NSX Advanced Load Balancer: the traffic is decrypted and sent to the pool over HTTP, and the response is re-encrypted before being sent back to the client. For SMTP/IMAP4/POP3 traffic, a Layer 4 policy is applied. With the Layer 4 policy, NSX Advanced Load Balancer only proxies the TCP connection and passes the SSL session through to the pool untouched, so those pools receive the still-encrypted traffic on the same port.
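The pool selection and per-pool health monitoring of the second deployment model, as an added stand-alone example (not NSX Advanced Load Balancer or Exchange code). It assumes the Layer 7 policy routes on the service prefix taken from the Path column of Table 1, since every HTTPS service shares the same FQDN; the pool names, member addresses and status values are constructed for illustration.

```python
"""Model of the Layer 7 decision in the "one virtual service, multiple pools"
deployment: pick the Exchange pool from the request path, build each pool's
health-check request, and decide whether a pool still has a healthy member.
Added example; pool names and member IPs are constructed, not from the page."""
from urllib.parse import urlsplit

# Rows of Table 1 (HTTPS services only): pool name -> (backend port, health-check path).
# Backends listen on 80 because SSL is offloaded on the virtual service.
EXCHANGE_POOLS = {
    "outlook-anywhere": (80, "/rpc/healthchecks.htm"),
    "owa": (80, "/OWA/healthchecks.htm"),
    "ews": (80, "/EWS/healthchecks.htm"),
    "ecp": (80, "/ECP/healthchecks.htm"),
    "powershell": (80, "/PowerShell/healthchecks.htm"),
    "autodiscover": (80, "/Autodiscover/healthchecks.htm"),
    "activesync": (80, "/Microsoft-Server-ActiveSync/healthchecks.htm"),
    "oab": (80, "/OAB/healthchecks.htm"),
    "mapi": (80, "/MAPI/healthchecks.htm"),
}

def service_prefix(health_path):
    """'/OWA/healthchecks.htm' -> '/owa/' (lower-cased: IIS paths are case-insensitive)."""
    return health_path.lower().rsplit("/", 1)[0] + "/"

def select_pool(request_path):
    """Return the pool whose service prefix matches the request path (longest match
    wins). Unknown paths return None so the VS can refuse them rather than forward
    them to an arbitrary Exchange pool."""
    path = urlsplit(request_path).path.lower()
    if not path.endswith("/"):
        path += "/"
    best = None
    for name, (_, health_path) in EXCHANGE_POOLS.items():
        prefix = service_prefix(health_path)
        if path.startswith(prefix) and (best is None or len(prefix) > len(best[1])):
            best = (name, prefix)
    return best[0] if best else None

def health_check_url(pool, member_ip):
    """Health-monitor request sent to one pool member over plain HTTP on port 80."""
    port, health_path = EXCHANGE_POOLS[pool]
    return f"http://{member_ip}:{port}{health_path}"

def pool_is_up(responses):
    """responses: {member_ip: HTTP status or None for a timeout}. A pool stays up
    while at least one member answers 200; 503 (IIS app pool stopped) or None marks
    that member down, which is what per-pool monitoring buys over the single-pool model."""
    return any(status == 200 for status in responses.values())
```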