Load Balancing Exchange 2010 in the real world (presentation transcript)
Mahmoud Magdy, Senior Technical Architect, Exchange Server MVP
Alexander Sebestian, Pre-Sales & System Engineering EMEA, KEMP Technologies
Ireland: +353 61 260 101 | Germany: +49 511 367393-0
Introduction
Speakers: Mahmoud Magdy (Senior Technical Architect, Exchange Server MVP) and Alexander Sebestian (Pre-Sales & System Engineering EMEA at KEMP Technologies)
Agenda
- Load Balancing Fundamentals Roundup
- Load Balancing Exchange 2010: Overview
- Network Topology
- Load Balancing Exchange 2010: Per-Service Details
- Site Resilience
- Sizing: Choosing the right LoadMaster (Hardware / Virtual)
Introducing KEMP
- Established in 2000
  – Global HQ in New York
  – EMEA HQ in Ireland
  – Local representation in many countries
- Pioneered affordable Load Balancing & ADC
  – Price 50% below other higher-end vendors (at the same performance)
  – Named „Value Leader“ in the Q4/2011 EMA analyst report
- Thousands of customers in EMEA
  – Installations from 100s up to multiple 10,000s of mailboxes
- US & EMEA based Tech Support, available 24x7
What is “Server Load Balancing” and why do we need It?
Server Load Balancing
- Client/Server applications (TCP or UDP)
- „Whenever one Server is not enough.“
  – Performance / Capacity
  – Robustness / Availability
- Idea: put a dispatcher in front of the Servers
  – (In reality, you want two of them, for the dispatcher's own redundancy)
Core Tasks
- Scheduling: define how much each Server gets used
  – Maybe we want even usage, maybe not
  – Different strategies to determine the current usage
Scheduling & Balancing Methods (diagram: Internet -> LoadMaster -> Server 1 / Server 2)
- Round Robin
- Weighted Round Robin
- Least Connection
- Weighted Least Connection
- Weighted Least Response Time
- Fixed Weighted
- Adaptive Scheduling
Core Tasks
- Session Persistence: send a returning Client to the same Server
  – A.k.a. “Session Affinity”
  – Based on suitable criteria: Cookies, Source IP, RDP token, Header, …
- Drawbacks of “Source IP” persistence
  – Uneven distribution
  – Lost sessions (Exchange: re-authentication)
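The scheduling methods and the "Source IP" persistence drawback above, as an added example that is not part of the webinar or KEMP's software: a toy dispatcher in Python. Server names, weights and client addresses are constructed; the NAT scenario shows why many users behind one gateway address make source-IP affinity pile up on a single server while a per-session cookie key still spreads them evenly.

```python
# Added example, not from the webinar or KEMP: a toy dispatcher that shows the
# scheduling methods above and why "Source IP" persistence distributes unevenly.
# Server names, weights and client addresses are constructed for illustration.
from collections import Counter
from itertools import cycle

SERVERS = ["cas1", "cas2", "cas3"]           # constructed Real Server names
WEIGHTS = {"cas1": 3, "cas2": 1, "cas3": 1}  # constructed weights for WRR


def round_robin(servers, n):
    """Round Robin: hand out servers in strict rotation for n requests."""
    rotation = cycle(servers)
    return [next(rotation) for _ in range(n)]


def weighted_round_robin(weights, n):
    """Weighted Round Robin: a server with weight w gets w slots per cycle."""
    slots = [server for server, w in weights.items() for _ in range(w)]
    rotation = cycle(slots)
    return [next(rotation) for _ in range(n)]


def least_connection(servers, active, n):
    """Least Connection: each new request goes to the server with the fewest
    open connections (ties broken by list order). 'active' maps server to its
    current connection count and is updated as requests are assigned."""
    chosen = []
    for _ in range(n):
        server = min(servers, key=lambda s: (active[s], servers.index(s)))
        active[server] += 1
        chosen.append(server)
    return chosen


class StickyDispatcher:
    """Persistence on top of Round Robin: the first request carrying a given
    key is scheduled normally, every later request with that key sticks to the
    same server. The key is whatever the persistence method looks at: the
    source IP, or a cookie value issued per user session."""

    def __init__(self, servers):
        self.table = {}
        self.rotation = cycle(servers)

    def pick(self, key):
        if key not in self.table:
            self.table[key] = next(self.rotation)
        return self.table[key]


def nat_scenario():
    """Many users behind one NAT address all present the same source IP, so
    source-IP persistence pins them to a single server; cookie persistence
    (one cookie per user session) still spreads them out.
    Returns (distribution by source IP, distribution by cookie)."""
    # constructed traffic: 900 user sessions from one NAT gateway address,
    # 50 sessions each from two other addresses
    sessions = ([("198.51.100.7", f"user{i}") for i in range(900)]
                + [("203.0.113.5", f"user{i}") for i in range(50)]
                + [("192.0.2.9", f"user{i}") for i in range(50)])
    by_ip = StickyDispatcher(SERVERS)
    by_cookie = StickyDispatcher(SERVERS)
    ip_dist = Counter(by_ip.pick(ip) for ip, _ in sessions)
    cookie_dist = Counter(by_cookie.pick((ip, user)) for ip, user in sessions)
    return ip_dist, cookie_dist


if __name__ == "__main__":
    print("RR :", Counter(round_robin(SERVERS, 12)))
    print("WRR:", Counter(weighted_round_robin(WEIGHTS, 10)))
    print("LC :", least_connection(SERVERS, {"cas1": 5, "cas2": 0, "cas3": 2}, 4))
    ip_dist, cookie_dist = nat_scenario()
    print("source-IP persistence:", dict(ip_dist))
    print("cookie persistence   :", dict(cookie_dist))
```

With source-IP persistence the 900 sessions behind the NAT address land on cas1 while cas2 and cas3 get 50 each; keyed on a per-session cookie the same 1000 sessions split 334/333/333. The second drawback on the slide, lost sessions, follows from the same table: if a client's source address changes (e.g. a mobile user moving networks), its key no longer matches and Exchange re-authenticates it on another server.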
Core Tasks
- Health Checking: do not use faulty Servers
  – As reliable as possible: Application Level / scriptable
Server Health Checking
Real Server Check parameters:
- ICMP: verify that the Server is contactable from the LoadMaster
- TCP Connection Only: verify that the LoadMaster can connect to the Real Server on the specified port
- HTTP/HTTPS: waits for a valid response from the Webserver, e.g. 200 OK
  – Regex check and a specific URL are possible
- Mail (SMTP)/IMAP/POP3: waits for a valid response from the Mail Server, e.g. 220 SMTP Service Ready
Should the Health Check fail, the server will be taken out of service. Once the service is available again, the server will be put back in service.
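The check types on this slide, as an added example in Python that is not KEMP's code: a live "TCP Connection Only" check, the HTTP status and regex check, the SMTP/POP3/IMAP4 greeting check, and the pool rule that drops failing servers. The hostnames, banners and responses are constructed; a real check would read them from the server.

```python
# Added example, not KEMP's code: the health-check decisions from the slide,
# applied to constructed server responses, plus a real TCP connect check.
# Hostnames and banners below are constructed for illustration.
import re
import socket


def tcp_connect_check(host, port, timeout=2.0):
    """'TCP Connection Only': pass if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_check(raw_response, body_regex=None):
    """HTTP/HTTPS check: the status line must say 200; when body_regex is given
    it must also match the response body (the 'Regex Check' option)."""
    head, _, body = raw_response.partition("\r\n\r\n")
    status_line = head.split("\r\n", 1)[0]
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or parts[1] != "200":
        return False
    return body_regex is None or re.search(body_regex, body) is not None


def mail_banner_check(protocol, banner):
    """SMTP/POP3/IMAP4 check on the greeting the server sends first:
    SMTP must answer 220, POP3 '+OK', IMAP4 '* OK'."""
    expected = {"smtp": "220", "pop3": "+OK", "imap4": "* OK"}
    return banner.startswith(expected[protocol])


def in_service(pool, results):
    """Pool policy from the slide: a failing Real Server is taken out of
    service, a passing one is (re)admitted. Returns the servers to use."""
    return [server for server in pool if results.get(server, False)]


# constructed responses as the LoadMaster might receive them
OWA_OK = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
          "<html><title>Outlook Web App</title></html>")
OWA_ERROR = "HTTP/1.1 503 Service Unavailable\r\nContent-Length: 0\r\n\r\n"
SMTP_READY = "220 cas1.example.com ESMTP Service ready"
SMTP_BUSY = "421 cas2.example.com Service not available, closing channel"
POP3_READY = "+OK POP3 service ready"


def evaluate_pool():
    """Run the constructed checks for a two-server pool and return the
    in-service list: cas1 passes OWA and SMTP, cas2 fails both."""
    results = {
        "cas1": http_check(OWA_OK, r"Outlook Web App")
                and mail_banner_check("smtp", SMTP_READY),
        "cas2": http_check(OWA_ERROR) and mail_banner_check("smtp", SMTP_BUSY),
    }
    return in_service(["cas1", "cas2"], results)


def tcp_check_demo():
    """Live check against a local listener: open port passes, closed fails."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    up = tcp_connect_check("127.0.0.1", port)
    listener.close()
    down = tcp_connect_check("127.0.0.1", port)
    return up, down


if __name__ == "__main__":
    print("in service:", evaluate_pool())
    print("tcp open/closed:", tcp_check_demo())
```

The regex option is what makes the HTTP check "application level": a CAS that answers 200 with an error page still fails the check, which a plain TCP connect would never notice.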
Microsoft NLB?
Microsoft on Windows Network Load Balancing (WNLB):
- WNLB can't be used on Exchange servers where mailbox DAGs are also being used (...)
- Due to performance issues, we don't recommend putting more than eight Client Access servers in an array that's load balanced by WNLB.
- WNLB doesn't detect service outages (...)
- WNLB configuration can result in port flooding, which can overwhelm networks.
- Because WNLB only performs client affinity using the source IP address, it's not an effective solution when the source IP pool is small (...)
Source: http://technet.microsoft.com/en-us/library/ff625247.aspx#options
Microsoft On Persistence („Affinity“)
Protocols that require Client to Client Access Server affinity:
- Outlook Web App and the Exchange Control Panel
- Exchange Web Services: only a subset of Exchange Web Services requires affinity. Availability Service requests don't require affinity, but subscriptions do.
- Outlook RPC over TCP on the Intranet
Source: http://technet.microsoft.com/en-us/library/ff625248.aspx
Microsoft On Persistence („Affinity“)
Exchange protocols that benefit from Client to Client Access Server affinity:
- Outlook Anywhere: when there's no affinity between these two types of connections, Outlook Anywhere tries to correlate the connections by coordinating with other members of the Client Access server array. This increases traffic between Client Access servers by about 50% for a two-server array and up to 100% for an array with a large number of servers.
- Exchange ActiveSync
- Exchange Address Book service
- Remote PowerShell: without affinity, users will need to reauthenticate if a connection is interrupted.
Source: http://technet.microsoft.com/en-us/library/ff625248.aspx
Microsoft On Persistence („Affinity“)
Exchange protocols that don't require affinity:
- Offline address book
- Autodiscover service
- POP3
- IMAP4
Not covered in this TechNet article: SMTP (Hub and Edge Transport)
Source: http://technet.microsoft.com/en-us/library/ff625248.aspx
LoadMaster Deployment Guide
- Part of Microsoft‘s certification for all KEMP LoadMasters
- Covers basics, specifics, and multiple scenarios
  – Choose what‘s best for you!
- Even more detailed than this Webinar
Financially, you will impress your boss!
- The normal setup requires 4 servers (2 HUB/CAS, 2 Mailbox).
- The standard server from HP (DL 360, 1 CPU, 16 GB) starts at approx. 1,900 USD, thus the TCO for a pair will be around 3,800 USD.
- The standard VM appliance from KEMP starts at 2,230 USD (incl. 1st year of support!)
- Expected saving: the difference (not mentioning management, monitoring, patching, power, etc.)
Microsoft discontinuing TMG and 4 other Forefront products
Microsoft had informed about changes to the roadmaps of some of the security solutions made available under the Forefront brand; now they have announced discontinuing any further releases of the Forefront-branded solutions.
Quotes:
- „Forefront TMG :( it will be a huge effort to replace that *sigh*.“
- „We are looking for a replacement of TMG. Background: secured access to the Intranet (Sharepoint). Does anyone know about alternatives?“
KEMP ESP key features
- End Point Authentication for Pre-Auth
- Persistent Logging and Reporting for User Logging
- Single Sign On across Virtual Services
- LDAP authentication from the LoadMaster to the Active Directory
- NTLM and Basic authentication communication from a Client to the LoadMaster
ESP roll-out expected for June 2013
- Existing LoadMaster customers will be eligible for an upgrade (for details, please contact KEMP Technologies)
- VLM customers will be provided with a software upgrade
Transparency
- General requirement: the Real Server's response must flow back through the LoadMaster
  – Technical exception: "DSR" setups (see manual), not recommended
- This can be tricky if the Real Server knows a different route (e.g. its default gateway) back to the Client!
- But would the Real Server know the Client's actual IP in the first place?
Transparency
- Transparency: the LoadMaster will pass along the original source IP address of the Client
- Non-Transparency: the LoadMaster will NAT the address so the source IP address appears to be the LoadMaster's
- Transparency can only work if
  – the Real Server's default gateway points to the LoadMaster, AND
  – the default gateway is actually used, i.e. no Clients reside in the Real Server's local IP subnet
Disabling Transparency
- Transparency can be set per Virtual Service
- Can only be disabled for L7 services
- Some Services must be L7, e.g. if SSL accelerated; for those there is no „Force L7“ setting, they are L7 anyway
- Transparency is not available with „SSL Re-Encryption“ (see below)
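The two transparency conditions from the previous slides, as an added Python example that is not KEMP's code: given the Real Server's subnet, its default gateway, the LoadMaster's address and a client address, it decides whether the reply would actually come back through the LoadMaster, and otherwise falls back to non-transparent (SNAT) mode. All addresses are constructed.

```python
# Added example, not KEMP's code: tests the two transparency conditions from
# the slide for a Real Server and a set of clients, and picks the mode to use.
# All addresses are constructed.
import ipaddress


def transparency_ok(real_server_cidr, real_server_gateway, loadmaster_ip, client_ip):
    """Return (ok, reason). Transparent mode only works if the Real Server's
    reply travels back via the LoadMaster: its default gateway must be the
    LoadMaster, and the client must not sit on the Real Server's own subnet
    (then the server answers it directly and the gateway is never used)."""
    rs_network = ipaddress.ip_interface(real_server_cidr).network
    if ipaddress.ip_address(real_server_gateway) != ipaddress.ip_address(loadmaster_ip):
        return False, "default gateway is not the LoadMaster: reply bypasses it"
    if ipaddress.ip_address(client_ip) in rs_network:
        return False, "client is on the Real Server's local subnet: reply bypasses the gateway"
    return True, "reply path passes through the LoadMaster"


def choose_mode(real_server_cidr, real_server_gateway, loadmaster_ip, client_ip):
    """Transparent when the conditions hold, otherwise fall back to
    non-transparent (SNAT): the Real Server then sees the LoadMaster as the
    client, so the reply is routed to the LoadMaster regardless of gateways."""
    ok, reason = transparency_ok(real_server_cidr, real_server_gateway,
                                 loadmaster_ip, client_ip)
    return ("transparent" if ok else "non-transparent (SNAT)"), reason


def audit_clients(real_server_cidr, real_server_gateway, loadmaster_ip, client_ips):
    """List the clients whose sessions would break in transparent mode:
    their SYN arrives via the LoadMaster but the SYN-ACK goes elsewhere."""
    return [ip for ip in client_ips
            if not transparency_ok(real_server_cidr, real_server_gateway,
                                   loadmaster_ip, ip)[0]]


if __name__ == "__main__":
    # constructed: CAS at 10.0.1.10/24, LoadMaster 10.0.1.1 as its gateway
    for client in ["203.0.113.5", "10.0.1.50"]:
        print(client, choose_mode("10.0.1.10/24", "10.0.1.1", "10.0.1.1", client))
    print("broken if transparent:",
          audit_clients("10.0.1.10/24", "10.0.1.254", "10.0.1.1",
                        ["203.0.113.5", "10.0.1.50"]))
```

The SMTP slide later in the deck is where this matters most: transport relay restrictions keyed on the sender's address only see the real client address in transparent mode, so the gateway and subnet conditions have to hold for every mail client, not just the remote ones.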
SSL Tunneling (diagram: Internet -> HTTPS:// -> LoadMaster -> HTTPS:// -> Server 1 / Server 2)
CAS responsibilities:
- Key Exchange Setup/Teardown
- SSL Bulk Encrypt/Decrypt
- Manage Multiple SSL Certificates
- Serve Web Content
SSL on servers is expensive: SSL = Performance Hit -> TPS
SSL Offloading (diagram: Internet -> HTTPS:// -> LoadMaster with SSL ASIC -> HTTP:// -> Server 1 / Server 2)
The LoadMaster offloads and accelerates:
- Key Exchange Setup/Teardown
- SSL Bulk Encrypt/Decrypt
- Manage a Single SSL Certificate
- Enables L7 Persistence with SSL
- 100 – 10,000 SSL TPS
Important: the Web Server must not send clients to HTTP:// !!!
SSL Re-Encryption (diagram: Internet -> HTTPS:// -> LoadMaster with SSL ASIC -> HTTPS:// -> Server 1 / Server 2)
- LoadMaster has access to L7
- Separate SSL connection to the CAS
- Security: CAS works on HTTPS (=default)
SSL Summary
- Encrypted traffic can be load balanced („tunneled“)
- Or… can be decrypted on the LoadMaster
  – Performance boost through SSL Acceleration Hardware, saves CPU on the servers (even more with 2048/4096 bit keys!)
  – Access to Application Level -> quality load balancing
  – Single point of maintenance (certificate renewal, …)
- HTTPS and all other TCP (POP3, IMAP4, ...)
- Optional Re-Encryption between LoadMaster and Server
HTTP/S handling options

Option             Pro                            Con
SSL Tunneling      + Simple setup                 - Affinity issues (only „Source IP“ possible)
                   + No SSL load on LoadMaster    - No Layer 7 features
SSL Offloading     + Quality load balancing       - CAS changes needed
                   + Acceleration                 - SSL load on LoadMaster
SSL Re-Encryption  + Quality load balancing       - More SSL load on LoadMaster
                   + Zero CAS changes             - Only non-transparent
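The "Web Server must not send clients to HTTP://" warning from the SSL Offloading slide, as an added Python example that is not KEMP's code: with offloading the CAS only ever sees plain HTTP, so any redirect it builds from the request scheme points the browser at http://, outside the HTTPS service. The block audits backend response headers for such redirects and shows the rewrite a load balancer applies to fix them; the hostname and headers are constructed.

```python
# Added example, not KEMP's code: what the "Web Server must not send clients
# to HTTP://" warning means in practice with SSL Offloading, and how to audit
# and rewrite the offending redirects. Hostnames and headers are constructed.

PUBLIC_HOST = "mail.example.com"   # constructed external name of the service


def find_http_redirects(headers, public_host=PUBLIC_HOST):
    """Audit helper: return Location values that would send the client to
    plain http:// on the public name. With offloading the CAS only sees HTTP,
    so a redirect it derives from the request (e.g. /owa -> /owa/) is built
    with http:// and the client follows it out of the HTTPS service."""
    prefix = f"http://{public_host}".lower()
    return [value for name, value in headers
            if name.lower() == "location" and value.lower().startswith(prefix)]


def rewrite_location(headers, public_host=PUBLIC_HOST):
    """Fix at the load balancer: rewrite such Location headers to https://.
    Other headers, and redirects to other hosts, pass through unchanged."""
    prefix = f"http://{public_host}".lower()
    fixed = []
    for name, value in headers:
        if name.lower() == "location" and value.lower().startswith(prefix):
            value = "https://" + value[len("http://"):]
        fixed.append((name, value))
    return fixed


# constructed backend response to "GET /owa" as received over plain HTTP
OWA_REDIRECT = [
    ("Location", "http://mail.example.com/owa/"),
    ("Set-Cookie", "OutlookSession=abc123; path=/; HttpOnly"),
    ("Content-Length", "0"),
]


if __name__ == "__main__":
    print("offending redirects:", find_http_redirects(OWA_REDIRECT))
    print("after rewrite:", rewrite_location(OWA_REDIRECT))
```

This is the "CAS changes needed" entry in the table: either the CAS is configured to build https:// URLs although it talks HTTP, or the LoadMaster rewrites them as above. With SSL Re-Encryption the CAS still speaks HTTPS and builds correct redirects itself, which is why that row reads "Zero CAS changes".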
SSL Details
- Key size? Min. 2048 bit recommended
- Remember: multiple concurrent connections per client!
- „UCC / SAN“ certificates for multiple domains in one service
Multiple or Consolidated?
- You can set up one LoadMaster Service per HTTPS CAS Service
- Or you can use one LoadMaster Service for everything
  – This is common practice.
Consolidated HTTPS Service Setup
- Choose SSL Acceleration, with or without Re-Encryption
- Choose „Super HTTP“ Persistence
  – Some Clients (Outlook Anywhere!) do not support Cookie Persistence
  – Long Persistence Timeout recommended
- For the Health Check URL, enter „/owa“
MAPI
- MAPI can be changed to use a static TCP port, but a dynamic port range is the default.
  – Both work ok, no opinion here
  – In the Webinar, we assume the default behavior (i.e. port range)
- Set Port to „*“
- „Force L7“ is important!
- Choose Source IP Persistence
  – Long Persistence Timeout recommended
- Idle Connection Timeout = 86400 (i.e. one day)
- Real Server Check = „TCP Connection Only“, Port 135
POP3 / IMAP4
- SSL (=TLS) Acceleration available for POP3 / IMAP4
  – But: the Service cannot be used without SSL (TLS)
  – Makes sense if you need extra performance
  – Turn off TLS on the CAS (see Deployment Guide for details)
- No Persistence needed
- Idle Connection Timeout = 3600 (i.e. one hour)
- Standard TCP Ports (110/143)
  – Will automatically enable Application Level Health Checking
SMTP (Transport Services)
- SSL (=TLS) Acceleration available for SMTP
  – Opportunistic („STARTTLS if requested“)
  – Turn off TLS on the CAS (see Deployment Guide for details)
- No Persistence needed
- Idle Connection Timeout = 120
- Standard TCP Port (25)
  – Will automatically enable Application Level Health Checking
SMTP vs. Transparency
Need to see the Source IP for relaying control?
- Set up for Transparency (see above)
- Use DSR (not recommended)
- Or: move the control onto the LoadMaster by using per-Virtual-Service Access Control Lists (ACLs)
Two Locations, one Pair of LoadMasters
- Requires an Ethernet connection between the locations!
GEO LoadMaster
But what if you want independent, distributed, more than two data centers?
GLM - The GEO LoadMaster
- Site Failover
- Load Distribution among Data Centers
- Customer direction to specific servers (i.e. content)
- Location Awareness
GEO LoadMaster
Works as a "rule-based DNS" with multiple rule sets:
- Round Robin
- Weighted Round Robin
- Failover ("Fixed Weighted")
- Real Server Load (requires on-premise LoadMasters)
- Location Based
- Regional
GEO LoadMaster
Be careful with full automation for Exchange
- Especially for fail-back: possible data corruption!
- Details available from Microsoft
- GEO LoadMaster supports configurable Recovery Behavior
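The "rule-based DNS" idea from the previous slide together with the fail-back caveat above, as an added Python example that is not KEMP's code: a toy resolver that answers with the site for the client's region (Location Based), falls through a fixed order when that site is down (Failover), and by default does not return traffic to a recovered site until an operator confirms it. Site names, addresses and client prefixes are constructed.

```python
# Added example, not KEMP's code: a toy "rule-based DNS" resolver with the
# Location Based and Failover rule sets described above, and a recovery
# behaviour that does not fail back automatically, as the Exchange caveat
# suggests. Sites, addresses and client prefixes are constructed.
import ipaddress

SITES = {"dublin": "198.51.100.10", "hannover": "203.0.113.10"}               # constructed
CLIENT_REGIONS = [("192.0.2.0/24", "dublin"), ("198.18.0.0/15", "hannover")]  # constructed
FAILOVER_ORDER = ["dublin", "hannover"]   # used when no location rule matches


class GeoResolver:
    def __init__(self, sites, regions, order, auto_failback=False):
        self.sites = sites
        self.regions = [(ipaddress.ip_network(net), site) for net, site in regions]
        self.order = order
        self.auto_failback = auto_failback
        self.healthy = {site: True for site in sites}
        self.held_back = set()   # recovered sites waiting for operator fail-back

    def set_health(self, site, up):
        """Health-check result for a site. A site that went down stays held
        back after recovery unless auto_failback is on."""
        self.healthy[site] = up
        if not up:
            self.held_back.add(site)
        elif self.auto_failback:
            self.held_back.discard(site)

    def confirm_failback(self, site):
        """Operator action: allow traffic back to a recovered site."""
        if self.healthy[site]:
            self.held_back.discard(site)

    def usable(self, site):
        return self.healthy[site] and site not in self.held_back

    def resolve(self, client_ip):
        """Answer a DNS query: prefer the site for the client's region, then
        fall through the failover order; None if nothing is usable."""
        ip = ipaddress.ip_address(client_ip)
        preferred = [site for net, site in self.regions if ip in net]
        candidates = preferred + [s for s in self.order if s not in preferred]
        for site in candidates:
            if self.usable(site):
                return self.sites[site]
        return None


def failover_story():
    """Walk through outage and recovery; returns the answer given at each step."""
    resolver = GeoResolver(SITES, CLIENT_REGIONS, FAILOVER_ORDER)
    answers = [resolver.resolve("192.0.2.5")]        # normal: Dublin client -> Dublin
    resolver.set_health("dublin", False)
    answers.append(resolver.resolve("192.0.2.5"))    # outage: failover to Hannover
    resolver.set_health("dublin", True)
    answers.append(resolver.resolve("192.0.2.5"))    # recovered, but still Hannover
    resolver.confirm_failback("dublin")
    answers.append(resolver.resolve("192.0.2.5"))    # operator fails back -> Dublin
    return answers


if __name__ == "__main__":
    for step, answer in zip(["normal", "outage", "recovered", "failback"], failover_story()):
        print(f"{step:>9}: {answer}")
```

The held_back set is the part that matters for Exchange: a site that flaps up and down would otherwise pull the database copies' active role back and forth on every health-check transition, which is the scenario the slide warns can corrupt data. Keep in mind that DNS answers are cached by clients and resolvers, so a low TTL on the published names is what makes any of these rule sets take effect in useful time.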
Sizing: Choosing the right LoadMaster (Hardware / Virtual)
LoadMaster Models
- KEMP Server Load Balancers come in two flavors:
  – Hardware Load Balancers
  – Virtual Appliances (identical product!) for VMware and Hyper-V
- All have the same feature set
  – Fully enabled, no extra licensing
- Free trial available!
  – kemptechnologies.com/try
  – Evaluation hardware available, too
LoadMaster Model Matrix
- No extra licensing: all models have the full feature set (they differ in performance and ports)
- For Active/Hot-Standby configuration, order quantity 2 (two); HA license at no extra cost
Sizing Guide
- Sizing needs experience
- Simple rules of thumb:
  – Hundreds of mailboxes -> LM-2200
  – A few thousand mailboxes -> LM-2600
  – Higher: needs a closer look
  – Typical bottlenecks are throughput or SSL TPS
- Sizing Guide for Exchange 2010: kemptechnologies.com/sizing-exchange2010/