Client Access Server: CAS array + Zen Load balancing


1.- Install Zen Load balancer

Load balancers are more and more in use within the enterprise. Companies need to provide high availability and load balancing capabilities. In most of the projects I’ve been working on lately, there was always a request for load balancing. Moreover, more and more software requires the use of a load balancer (e.g. Lync 2010, SharePoint, web servers …)

I was wondering if there was a free/open-source load balancer project out there. And guess what? Yes, there is. The ZenLoadbalancer project aims to provide a software load balancer solution. On their web site, we can see that partnerships with some companies offer you the possibility of a hardware load balancer solution.

It’s a really new product for me. I’ll be testing the software and see in which situations this solution might fit. This post might be the first of a series as well. We shall see! But for the moment, let’s perform a simple and basic installation.

 http://www.zenloadbalancer.org/web/

Installing Zen Load balancer

To perform the installation of the software, I’ve created a virtual machine on my Proxmox VE test server. For this test, I have created a simple virtual machine with only one network card. The installation is rather straightforward and similar to a Debian installation.

To perform the installation, you will need to grab the software from the project site linked above. Download it and choose to burn it or to install it as a virtual machine using whatever virtualization platform you want.

Boot your virtual machine from the ISO file or CD-ROM and you will be presented with the Zen Load Balancer installer. Select the Install option to start the process.

In the Language page, select the appropriate language and press Enter.


In the Location page, select the appropriate location and press Enter.


In the Configure Locale page, select your locale and press Enter.


In the Keyboard page, select the appropriate settings and press Enter.


The installer will load some components. Wait until you see the Configure the network screen.


In the Configure the network screen, you will have to provide the IP address that you will be assigning to the load balancer. Move to Continue and press Enter.


You will then have to provide the subnet mask to be used. Enter the information and press Continue.


You will then need to specify a default gateway. Again, provide the information for your network and press Continue.


You can then specify the name servers (DNS) to be used.


You have to provide the hostname that will be used by the load balancer. Provide the appropriate info and press Continue.


Final step of the network configuration: you can specify the DNS suffix (nike.local) that you want to use.


 

 

You will then need to provide a password for the root account on the system. When this is done, press Continue.


In the Partition disks step, because we are new to the product, we have selected Guided – Use entire disk. Press Enter.


Select the disk/partition where you want to install the software and press Enter.


Accept the defaults in this screen and simply create one big partition where the software will store its files. Press Enter.


Accept the configuration you have performed by selecting Finish partitioning and write changes to disk. Press Enter.


In the following screen, be sure to move to the Yes “button” and press Enter.


The installer will start and you will see a progress bar. The installation process should be quite fast. At the end of the process, if you didn’t encounter any issues, you will get the Finish the installation screen. Press Continue and the system will reboot. Remember to remove the CD/ISO or ensure you are booting from the hard disk.


At reboot, you should see that a GRUB boot manager is available. The system will boot automatically.

At this stage, you could log in at the console using the root account and the password you provided earlier, but for the moment we are not really interested in that. We want to see the web interface of the thing. (root / your password)


2.- Configure Zen Load Balancer:

To log in to the web interface, open a browser and point it to the following URL:

https://ip_address_of_load_balancer:444

You will then be prompted for credentials; use the following ones:

  • User Account : admin
  • Password : admin

If you have provided the correct information, you will access the dashboard of the load balancer software.


As a quick example, you can create a “farm”. In Zen Load Balancer terminology, a farm is the virtual server (or IP address) that users connect to and from which Zen Load Balancer redirects the traffic to the most appropriate host. If you have 2 web servers that you want to load balance, you create a farm called, for example, LB_Web_Server. This farm is assigned an IP address that represents the load-balanced service. This IP address is then mapped to the “real” IP addresses of the web servers, and Zen Load Balancer redirects the traffic to the appropriate web server.

Step 1: Create a farm

On the dashboard page, go to Manage > Farms. Give it a name, then Save & continue.


Under Virtual IP we can select the default IP (most likely, if this is our first farm), or we can create a “New VIP Interface”, which redirects us to Settings > Interfaces. We choose the existing one (eth0 -> 192.168.4.19).


The farm will have been created.


NOTE: how to create a new interface (New VIP Interface)

Suppose we have created a new VIP and are redirected to Settings > Interfaces. Click the third button to add a new interface.


Give it a new IP address and the interface name (eth0:1) and save.


On the farm’s management page, select the desired virtual IP and the virtual port. Save.


 

We now have a farm called “Exchmage” created with a virtual IP.


 

Editing the farm

On the farm to edit, click button 2 (edit).


Here we configure a few things about the load balancer and enter the real IPs of the servers that need to be balanced (Exchange, web servers, etc.).


3.- Configure Exchange 2010 CAS

Background info about HA & Exchange 2010  

If you have some experience with Exchange 2010, you know that you can achieve high availability of the server roles through different mechanisms. The mailbox server role can be clustered through a Database Availability Group (DAG). Client Access Servers (CAS) can be grouped in a CAS Array, and load balancing software can provide high availability as well.

If you want to use the free Network Load Balancing (NLB) component available within Windows Server operating system, you will need to install a minimum of 4 Exchange servers:

  • 2 Exchange servers hosting CAS/HT Role to create the CAS Array infrastructure
  • 2 Exchange Server configured as Mailbox servers with DAG Technology enabled.

This is because you cannot have the NLB component running on a machine that uses failover clustering.

However, you can achieve high availability for the mailbox, Hub Transport and Client Access roles with only 2 Exchange servers by using a third-party load balancer. In this post, we will see if Zen Load Balancer can be used within an Exchange infrastructure, thus providing a free alternative to other solutions available on the market.

Note :

  • You can download some load balancer virtual appliances for free, but they generally come with a 30-day trial limitation (Barracuda Networks, Kemp Technologies, Citrix NetScaler).
  • We are providing here a really simple and basic configuration scenario. This post is for demonstration purposes only. Zen Load Balancer might not have all the features (such as reverse SSL) you might expect.

 

1.- Prepare the Exchange infrastructure

In order to perform this setup, we assume that an Exchange organization is already in place. We assume that a domain controller with the Global Catalog role is installed in the AD site where Exchange is installed. We assume that 2 Exchange servers hosting the Client Access/Hub Transport/Mailbox roles are available and already installed. We assume that you have the correct credentials to perform the following setup.

The following screenshot describes the Exchange infrastructure that will be used for this demonstration. So, we will have only 2 Exchange servers configured with the CAS/HT/MBX roles. We will also have our Zen Load Balancer (virtual) appliance running within the infrastructure.


 

When creating a CAS Array, you will need to perform some additional actions after completing the setup of the Exchange server. You will need to:

  • Create a DNS entry for the CAS Array
  • Configure static ports for MAPI connections and the Address Book service
  • Create the CAS Array object
  • Configure the mailbox databases to use the CAS Array

Step 1 – DNS Entry

In our example, we want to create a CAS array called CASARRAY. The IP address associated with this array will be 192.168.1.20. So you will simply open your DNS console and create a new Host (A) record.


I can also create an alias called “mail” so that clients (OWA, etc.) connect to that name instead of “casarray”, which is uglier.


Step 2 – Configure Static ports for the CAS Array

By default, the CAS Array (the RPC Client Access service) communicates over TCP/135 plus a dynamic RPC port in the range 6005 to 59530 when an Outlook client contacts the CAS server.

We strongly recommend fixing the MAPI ports. This limits the number of ports you need to open on your load balancer, and it also makes troubleshooting easier, since you know exactly which ports to check for mail traffic.

In Exchange 2010 SP1, you fix the MAPI ports through the registry; you will need to set static ports for the:

  • Address Book Service
  • MAPI Connections

When fixing MAPI ports, Microsoft recommends setting this to a unique value between 59531 and 60554 and using the same value on all CAS servers. Here is Microsoft’s page on how to do it:


http://social.technet.microsoft.com/wiki/contents/articles/864.configure-static-rpc-ports-on-an-exchange-2010-client-access-server.aspx

 

Step 2a – Configure Static RPC Port for the Address Book Service (Exchange SP1)

  • Create a new REG_SZ registry value named “RpcTcpPort” under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters (if the “Parameters” key does not exist, create it too; it is a key).


 

  • Then assign a port number (between 59531 and 60554). In our example, we have used the value 60001.
  • Restart the Address Book service for the changes to be applied.


Note :

Prior to Exchange 2010 SP1 (RTM), to fix the port you would edit the file Microsoft.exchange.addressbook.service.exe.config located in “C:\Program Files\Microsoft\Exchange Server\V14\Bin” and set the selected value next to the RpcTcpPort key.

 

Step 2b – Configure a static port for MAPI connections

This is configured on each CAS server.

  • Go to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeRPC and create a key called ParametersSystem.

Under this key, create a REG_DWORD named “TCP/IP Port”. The value of the DWORD should be the port number to use.

We can assign a port between 59531 and 60554. We will use 60000 (the screenshot shows 59532).


  • Restart the Microsoft Exchange RPC Client Access service for the changes to be applied.
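Steps 2a and 2b as one script, an added example that is not part of the original post. It writes the two registry values described above on the local CAS (REG_DWORD for the RPC Client Access service, REG_SZ for the Address Book service), refuses values outside Microsoft’s recommended range, reads them back, and restarts the owning services. The port numbers are the ones used in this post; the script and its parameter names are mine, and it must run elevated on each CAS server.

```powershell
# Added example (not from the original post): sets the static RPC Client Access
# and Address Book ports from steps 2a/2b on the local CAS server. Run elevated.
param(
    [int]$MapiPort        = 60000,   # MSExchangeRPC -> "TCP/IP Port" (REG_DWORD), step 2b
    [int]$AddressBookPort = 60001    # MSExchangeAB  -> "RpcTcpPort"  (REG_SZ),    step 2a
)

# Microsoft's recommended range for static Exchange 2010 RPC ports.
$minPort = 59531
$maxPort = 60554

function Assert-StaticPort {
    param([int]$Port, [string]$Label)
    if ($Port -lt $minPort -or $Port -gt $maxPort) {
        throw "$Label port $Port is outside the recommended range $minPort-$maxPort"
    }
}
Assert-StaticPort -Port $MapiPort        -Label 'MAPI'
Assert-StaticPort -Port $AddressBookPort -Label 'Address Book'
if ($MapiPort -eq $AddressBookPort) { throw 'MAPI and Address Book ports must differ' }

$rpcKey = 'HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem'
$abKey  = 'HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters'

# Step 2b: MAPI (RPC Client Access) static port. The value is a DWORD.
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
New-ItemProperty -Path $rpcKey -Name 'TCP/IP Port' -PropertyType DWord `
    -Value $MapiPort -Force | Out-Null

# Step 2a: Address Book static port. Note the value is a STRING, not a DWORD.
if (-not (Test-Path $abKey)) { New-Item -Path $abKey -Force | Out-Null }
New-ItemProperty -Path $abKey -Name 'RpcTcpPort' -PropertyType String `
    -Value "$AddressBookPort" -Force | Out-Null

# Read back what was written so a typo in the path or type is caught now,
# rather than after the service restart when Outlook stops connecting.
'MSExchangeRPC TCP/IP Port = {0}' -f (Get-ItemProperty -Path $rpcKey).'TCP/IP Port'
'MSExchangeAB  RpcTcpPort  = {0}' -f (Get-ItemProperty -Path $abKey).RpcTcpPort

# Restart the services that own the listeners (service names, not display names):
# MSExchangeRPC = Microsoft Exchange RPC Client Access, MSExchangeAB = Address Book.
Restart-Service -Name 'MSExchangeRPC' -Force
Restart-Service -Name 'MSExchangeAB'  -Force
```

Run it with the same parameters on every CAS in the array; the load balancer farms created later have to use exactly these two numbers, so keeping them in one place avoids the classic mismatch between servers.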


 

Verifying the Statically Configured Ports Are Used

In order to verify that the static ports configured are used, the netstat.exe tool can be used:

netstat -an -p tcp
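The netstat check above, scripted, as an added example that is not part of the original post. It parses the output of the same command and reports whether each expected port is in the LISTENING state. The ports are the ones configured in this post (135 plus the static 60000 and 60001); the parsing function is my own.

```powershell
# Added example (not from the original post): confirms the static ports from
# step 2 are actually LISTENING by parsing "netstat -an -p tcp" output.
$expectedPorts = @(135, 60000, 60001)   # post's values; adjust if you chose others

function Get-ListeningTcpPorts {
    # Returns the distinct local TCP ports in LISTENING state, taken from netstat.
    $ports = @()
    netstat -an -p tcp | ForEach-Object {
        # Data lines look like:  TCP    0.0.0.0:60000    0.0.0.0:0    LISTENING
        $cols = ($_ -replace '^\s+', '') -split '\s+'
        if ($cols.Count -ge 4 -and $cols[0] -eq 'TCP' -and $cols[3] -eq 'LISTENING') {
            # Local address is ip:port (IPv4) or [ip]:port (IPv6); the port follows the last colon
            $local = $cols[1]
            $ports += [int]($local.Substring($local.LastIndexOf(':') + 1))
        }
    }
    $ports | Sort-Object -Unique
}

$listening = Get-ListeningTcpPorts
foreach ($p in $expectedPorts) {
    if ($listening -contains $p) {
        "OK       port $p is listening"
    } else {
        "MISSING  port $p is not listening - re-check the registry value and that the service restarted"
    }
}
```

A port that shows MISSING right after the restart usually means the value was written under the wrong key (ParametersSystem vs Parameters) or with the wrong type; the load balancer health check will show the same server as down for that farm.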


 

Step 3 – Creating the CAS Array

It’s time to create the CAS Array AD object within our Exchange environment. After the creation of the CAS Array, you might need to perform some additional configuration based on whether or not a mailbox database is already present within your Exchange infrastructure.

Create the CAS array object

We create the array, whose FQDN is the same as the DNS A record we created, which points to the load balancer (192.168.4.20). We specify the Active Directory site where the CAS array lives:

  • New-ClientAccessArray [-Name <String>] -Fqdn casarray.nike.local -Site <AdSite>


We check that it was created:

  • Get-ClientAccessArray


Point the mailbox databases at the CAS array

If a mailbox database existed before the creation of the CAS Array, it would use the first CAS server installed as its RPC Client Access server. You will need to change the RpcClientAccessServer attribute on the existing mailbox databases in Active Directory to point to the newly created CAS array:

  • Get-MailboxDatabase -Server MBX1 | Set-MailboxDatabase -RpcClientAccessServer casarray.nike.local
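Steps 1 and 3 together (DNS record, CAS array object, database repointing), as an added example that is not part of the original post; run it in the Exchange Management Shell on a box that also has the DNS Server tools. The names and addresses are this post’s (casarray.nike.local, 192.168.4.20, MBX1, the “mail” alias); the AD site name and the DNS server name in the parameters are assumptions that you must replace, and the dnscmd and Get-/New-/Set- calls are the standard ones.

```powershell
# Added example (not from the original post): DNS record + CAS array + database
# repointing in one pass. Run in the Exchange Management Shell.
param(
    [string]$ArrayFqdn  = 'casarray.nike.local',
    [string]$ArrayName  = 'CASARRAY',
    [string]$VipAddress = '192.168.4.20',             # load balancer VIP from the post
    [string]$AdSite     = 'Default-First-Site-Name',  # ASSUMPTION: your AD site name
    [string]$DnsServer  = 'DC01.nike.local'           # ASSUMPTION: a DC hosting the zone
)

# Split "casarray.nike.local" into the host label and the zone.
$dot       = $ArrayFqdn.IndexOf('.')
$hostLabel = $ArrayFqdn.Substring(0, $dot)      # casarray
$zone      = $ArrayFqdn.Substring($dot + 1)     # nike.local

# Step 1 - A record for the array pointing at the VIP, plus the friendlier alias
# the post mentions (mail.nike.local -> casarray.nike.local).
dnscmd $DnsServer /RecordAdd $zone $hostLabel A $VipAddress
dnscmd $DnsServer /RecordAdd $zone mail CNAME $ArrayFqdn

# Step 3 - create the CAS array object only if one with this FQDN is not there yet.
$existing = Get-ClientAccessArray | Where-Object { $_.Fqdn -eq $ArrayFqdn }
if (-not $existing) {
    New-ClientAccessArray -Name $ArrayName -Fqdn $ArrayFqdn -Site $AdSite
}

# Databases created before the array still reference the first CAS installed;
# repoint each one that does not already name the array.
Get-MailboxDatabase -Server MBX1 | ForEach-Object {
    if ($_.RpcClientAccessServer -ne $ArrayFqdn) {
        Set-MailboxDatabase -Identity $_.Identity -RpcClientAccessServer $ArrayFqdn
    }
}

# Verify: every database should now list the array FQDN, not an individual CAS.
Get-MailboxDatabase | Format-Table Name, RpcClientAccessServer -AutoSize
```

The `-ne` test keeps the script safe to re-run: databases already on the array are left alone, and only stragglers (for example a database created on a new mailbox server later) get changed.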

NOTE: later on I can create an alias that points to the CAS array FQDN so the name is not so ugly, and when creating the certificate on the CAS, in the SAN, besides casarray.nike.local, I add mail.nike.local so there is no certificate error.

We have now prepared the load balancing on the Exchange side; what remains is configuring the load balancer. Basically it means adding the IPs of all the CAS servers in the AD site to the Zen Load Balancer farm.

 

Certificate and virtual directory configuration

We configure the External Client Access Domain so that, from outside, clients can connect to the FQDN of the array. Also, if we created the alias, we could use mail.nike.local instead of casarray.nike.local.


For the virtual directories on the different CAS servers (OWA and ECP), the InternalURL is NOT configured with the FQDN of the NLB but with that of the CAS server itself, because when on the internal network OWA authenticates with Kerberos.

If we have 3 CAS servers it will be: “https://EX01.nike.local/owa“, “https://EX02.nike.local/owa“, “https://EX03.nike.local/owa” for both the OWA and ECP virtual directories.


For the rest of the virtual directories, I can change them to the CAS array so they get balanced.
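The virtual directory rule just described, applied across all CAS servers in one loop, as an added example that is not part of the original post. OWA and ECP keep a per-server InternalUrl (Kerberos), while EWS, OAB and ActiveSync are switched to the load-balanced name. The server names EX01–EX03 and the mail.nike.local alias are from this post; the choice of which “rest of the directories” to include is mine, and the script must run in the Exchange Management Shell.

```powershell
# Added example (not from the original post): per-server InternalUrl for OWA/ECP,
# balanced InternalUrl for the remaining CAS virtual directories.
$casServers   = 'EX01', 'EX02', 'EX03'   # post's server names
$balancedName = 'mail.nike.local'        # post's alias for the CAS array
$domain       = 'nike.local'

foreach ($server in $casServers) {
    $serverFqdn = "$server.$domain"

    # OWA / ECP: the server's own FQDN, as the post requires for Kerberos.
    # The Name filter skips the legacy Exchange/Public/Exchweb directories that
    # Get-OwaVirtualDirectory also returns and that reject an InternalUrl change.
    Get-OwaVirtualDirectory -Server $server | Where-Object { $_.Name -like 'owa*' } |
        Set-OwaVirtualDirectory -InternalUrl "https://$serverFqdn/owa"
    Get-EcpVirtualDirectory -Server $server |
        Set-EcpVirtualDirectory -InternalUrl "https://$serverFqdn/ecp"

    # Everything else goes through the load balancer.
    Get-WebServicesVirtualDirectory -Server $server |
        Set-WebServicesVirtualDirectory -InternalUrl "https://$balancedName/EWS/Exchange.asmx"
    Get-OabVirtualDirectory -Server $server |
        Set-OabVirtualDirectory -InternalUrl "https://$balancedName/OAB"
    Get-ActiveSyncVirtualDirectory -Server $server |
        Set-ActiveSyncVirtualDirectory -InternalUrl "https://$balancedName/Microsoft-Server-ActiveSync"
}

# Review the result in one table: OWA/ECP rows should show the server FQDN,
# all other rows the balanced name.
$casServers | ForEach-Object {
    Get-OwaVirtualDirectory -Server $_ | Where-Object { $_.Name -like 'owa*' }
    Get-EcpVirtualDirectory -Server $_
    Get-WebServicesVirtualDirectory -Server $_
    Get-OabVirtualDirectory -Server $_
    Get-ActiveSyncVirtualDirectory -Server $_
} | Format-Table Server, Name, InternalUrl -AutoSize
```

Every name that appears in these URLs (the three server FQDNs plus mail.nike.local) has to be in the SAN of the certificate created in the next section, otherwise Outlook and browsers will raise a name-mismatch warning for that path.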


 

 

Certificates:

We request a certificate through, for example, CAS EX01, where we include all the SANs of the CAS servers involved.


Automatically, since the CAS is already created and we set the external address to casarray.nike.local, it fills it in at the external level. We add all the CAS servers, since the certificate is created only once, installed on one CAS and exported to the others, which is why it must contain the SANs of all the CAS servers.


Here I could add more SANs.


After following the process and assigning the certificate to the services, we export it to *.pfx so we can later import it on the rest of the CAS servers.


It is exported.


We copy the PFX to the other CAS servers (EX02, EX03) and import it. Since it already has the SAN with the certificate name, it just works. It is important that it is installed on all the CAS servers before assigning the services.


Once the certificate is imported, we assign it to the services, selecting the CAS to add them to.

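The same certificate flow from the Exchange Management Shell, as an added example that is not part of the original post: request on EX01 with every CAS name in the SAN, complete the request with the issued certificate, export it with its private key, then import on the other CAS servers first and enable the services afterwards, as the post stresses. Server and DNS names are this post’s; the C:\certs file paths, the CA hand-off step and the friendly name are assumptions, and the cmdlet parameters are those of Exchange 2010 SP1.

```powershell
# Added example (not from the original post): one certificate with all CAS SANs,
# issued once on EX01 and deployed to the other CAS servers. Exchange 2010 SP1 EMS.
$requestServer = 'EX01'
$otherCas      = 'EX02', 'EX03'
$sanNames      = 'casarray.nike.local', 'mail.nike.local',
                 'EX01.nike.local', 'EX02.nike.local', 'EX03.nike.local'
$certDir       = 'C:\certs'                               # ASSUMPTION: working folder
$pfxPassword   = Read-Host -AsSecureString 'PFX export password'

# 1. Request: subject is the balanced name; the SAN carries every name clients use.
#    PrivateKeyExportable is what later allows the PFX export.
$req = New-ExchangeCertificate -Server $requestServer -GenerateRequest `
           -SubjectName 'CN=mail.nike.local' -DomainName $sanNames `
           -PrivateKeyExportable $true -FriendlyName 'Exchange CAS array'
Set-Content -Path "$certDir\cas.req" -Value $req
# ASSUMPTION: submit cas.req to your CA and save the issued cert as cas.cer.

# 2. Complete the pending request on EX01 and bind IIS/SMTP to the new thumbprint.
$cerBytes = [byte[]](Get-Content -Path "$certDir\cas.cer" -Encoding Byte -ReadCount 0)
$issued   = Import-ExchangeCertificate -Server $requestServer -FileData $cerBytes
Enable-ExchangeCertificate -Server $requestServer -Thumbprint $issued.Thumbprint `
    -Services IIS,SMTP -Force

# 3. Export with the private key so the identical certificate (same SANs) lands on every CAS.
$pfx = Export-ExchangeCertificate -Server $requestServer -Thumbprint $issued.Thumbprint `
           -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path "$certDir\cas.pfx" -Value $pfx.FileData -Encoding Byte

# 4. Import on ALL remaining CAS servers before enabling on any of them.
$pfxBytes = [byte[]](Get-Content -Path "$certDir\cas.pfx" -Encoding Byte -ReadCount 0)
foreach ($server in $otherCas) {
    Import-ExchangeCertificate -Server $server -FileData $pfxBytes -Password $pfxPassword | Out-Null
}
foreach ($server in $otherCas) {
    Enable-ExchangeCertificate -Server $server -Thumbprint $issued.Thumbprint -Services IIS,SMTP -Force
}

# Verify: the same thumbprint should be bound to IIS on every CAS.
foreach ($server in (@($requestServer) + $otherCas)) {
    "== $server"
    Get-ExchangeCertificate -Server $server |
        Where-Object { $_.Thumbprint -eq $issued.Thumbprint } |
        Format-Table Thumbprint, Services, Subject -AutoSize
}
```

Keep the exported PFX only for as long as the deployment takes and delete it afterwards; it contains the private key that every CAS in the array now relies on.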

Configure Zen Load Balancer for Exchange

 

We will create 5 farms in Zen Load Balancer (one farm per port to be balanced). They are all TCP.


Access the load balancer at http://IP_Address_LoadBalancer:444/ (admin/admin).

 

Step 1 – Creating your farms

Manage > Farms. We create a farm called “CasArray” using virtual IP 192.168.4.20 and virtual port 135. The name CasArray does not have to match the FQDN of the CAS array; it is simply the name we want.


We repeat the same operation (create a farm) for each service or port to be balanced (same virtual IP, but obviously different ports). Remember that ports 60000 and 60001 were set on the CAS servers.


 

IMPORTANT:
for OWA to work in our lab, instead of making the OWA “farm” HTTPS 443 we set it as TCP 443; although other guides out there say to use HTTPS-443, that did not work for us and gave no service.


 

Step 2 – Associate target servers with your farm

After creating the farm, we must tell the load balancer where to redirect the traffic it receives. This is done for each “farm” we created.

We edit all the farms and add the IPs of the Exchange CAS servers in our organization. For example, we edit the OWA one.


 

In “Edit real IP servers configuration” we add the IPs of the CAS servers, and we can even set some load-balancer options. If we edited the OWA farm (virtual port 443), obviously we will have to add 443 as the port. The addresses shown are those of the 2 CAS servers in our organization.


We can also configure, per “farm”, the balancing type and the number of simultaneous connections.
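Before pointing Outlook at the VIP, it is worth confirming from a client machine that each farm actually accepts TCP connections. The following added example (not part of the original post) completes a TCP handshake to every farm port on the VIP with a timeout and prints a table. The VIP and the five ports are this post’s; the per-port labels and the 2-second timeout are my choices.

```powershell
# Added example (not from the original post): from a client or admin box, checks
# that every Zen farm on the VIP accepts TCP connections.
$vip   = '192.168.4.20'                       # post's virtual IP
$farms = @{                                   # post's farm ports; labels are mine
    25    = 'SMTP'
    135   = 'RPC endpoint mapper'
    443   = 'HTTPS (OWA/ECP/EWS/OAB/EAS)'
    60000 = 'MAPI static port (MSExchangeRPC)'
    60001 = 'Address Book static port (MSExchangeAB)'
}

function Test-TcpPort {
    # Returns $true when a TCP handshake to $Address:$Port completes within $TimeoutMs.
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false                      # filtered / no answer within the timeout
        }
        $client.EndConnect($async)             # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($port in ($farms.Keys | Sort-Object)) {
    New-Object PSObject -Property @{
        Port    = $port
        Service = $farms[$port]
        Open    = Test-TcpPort -Address $vip -Port $port
    }
}
$results | Format-Table Port, Service, Open -AutoSize
```

A farm that reports Open = False while the same port answers directly on a CAS normally means no real server was added to that farm, the real server port was typed wrong, or the backend status button in Zen shows the server down; a farm that is open when it should not be is a hint that a port was balanced that you did not intend to expose.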


 

Testing your configuration

To validate your configuration, you will need to configure your Outlook client to connect to the Exchange CAS array object. Remember that we created a DNS entry for that. When Outlook is correctly configured, you will have to check that the connection is made against the CAS Array object. To check that, simply hold down CTRL while right-clicking the Outlook icon in the systray in the lower right corner. Select Connection Status in the context menu and you should see the following window displaying information about the CAS array you are connected to.


 

Installing a pair of load balancer nodes (cluster)

At this point, adding cluster capability is just a few more steps:

  • Install a second Zen Load Balancer following the first step above.
  • The Zen Load Balancer we already had installed (not the one from the previous step) will be the primary node of the cluster. We create the cluster under Settings > Cluster and use the virtual IP. Then we add the details of the second Zen Load Balancer (Remote hostname), since the main one, the one we are on, already appears. Save.
  • Now we set the password of the second Zen Load Balancer (Remote host root password) so the first can synchronize with it in order to create the cluster, sync data and, in short, operate with it. We make sure the RSA connection between nodes is set up correctly.
  • Finally we define a Cluster type, which can be Disabled (no cluster), Master/Failback or Both masters. The difference between the last two is that with Master/Failback the secondary node only takes over temporarily while the primary is unavailable (and when it returns, each recovers its role). With Both masters, the secondary node becomes primary permanently (or until we manually force otherwise) once the primary is unavailable.

If all the previous steps completed successfully, we will see (on each Zen Load Balancer, either in the header next to the admin user or in the Cluster section) an indication that a cluster configuration exists and its role in each case (master or failback/backup).

Functional check. We can shut down the one acting as the primary node of the Zen Load Balancer cluster and see that the secondary picks up the requests (bringing up the virtual IP) and redirects them to the real servers just as the primary did. And when the primary comes back up, we can see whether or not it recovers its role depending on the cluster type chosen.

 

 

ANOTHER GUIDE

Prerequisites

Before you start this process you need to ensure that you have the following:

  • Configured an RPC CAS Array on your Exchange 2010 Servers and have all clients using it.
  • Configured static ports in Exchange 2010 for the MAPI and Address Book services – more information.
  • Configured the web services and other client access URLs to use a generic host name – more information.

Configuration Instructions

  1. Download and install Zen Load Balancer as per the instructions on their web site. If installing on VMWARE, install the management tools.
  2. On the Settings, Interface menu option, add an additional interface. This will be for your Exchange traffic.
  3. Choose Manage, then Farms to bring up the farms option. 
    Each “Farm” is a port that the load balancer is responsible for. For a regular installation you will be configuring five ports:
     
    1. SMTP (port 25)
    2. HTTPS (port 443)
    3. RPC (port 135)
    4. MAPI (static port as previous configured)
    5. ADDRESS BOOK (static port as previously configured)

    You need to have set the static ports before you configure the load balancer.

  4. Click on the Add Farm button under Actions.
  5. Enter the description of the service that you are going to configure, and select TCP. Choose Save and Continue.
  6. Select the Virtual IP address of the new interface selected above and then enter the virtual port. This should be the same port number as the service on the actual Exchange server, for example 135. Click on Save.
  7. Choose the Edit Farm button under actions.
  8. Change the “Load Balancing Algorithm” to “Priority: Connections to the highest priority available” and then press Modify to save the change.
  9. All other options can be left alone, unless you are configuring SMTP, when you should deselect the option “Enable client ip address persistence through memory”. Again press Modify to commit the change.
  10. Scroll down to the Edit real IP servers configuration.
  11. Choose the button to add a new server.
  12. Enter the real IP address and port. Set the Weight and Priority. Enter 1 for the first server, 10 for the second, 20 for the third etc. Press Enter when complete and add any additional servers in the site. 
    All but HTTPS can have servers in multiple sites. HTTPS should be same AD site only.
  13. Once you have configured all services, verify that the load balancer sees they are alive by choosing the last button next to each service which allows you to view the backend server status. Each server should have a green button.
  14. To implement, change the internal DNS entries for the RPC CAS Array and your web service so that they point to the virtual IP address of the interface created. 
    For external traffic, point the NAT on your firewall at the same IP address. As clients refresh their DNS information, they will start to connect through the load balancer. Running “netstat -ano -p tcp” on the Exchange server should show connections from the IP address of the load balancer.
