Load balancing Exchange 2013

Exchange has always been difficult to load balance because of the way it works. With the release of Exchange 2013 this has become a lot easier, as the architecture has been dramatically simplified to only two roles, the Client Access server (CAS) and the Mailbox server. The CAS now only serves as a stateless proxy to the Mailbox server. This means that we can load balance on layer 4, as it does not matter which CAS a user is sent to. Also, RPC has been removed as a protocol and now HTTPS is used by default with Outlook Anywhere, which makes it a lot easier to load balance. When configuring Exchange, we need to set up CAS with an external URL that is served only through NetScaler.

Note

An important point to note is that Exchange 2013 does not support SSL offloading, even with the latest release of CU3 and service pack 1. Microsoft has not stated that this would change or be added. Even though it places an extra load on the Exchange servers, they still benefit from NetScaler's ability to do SSL session multiplexing and health checking.

Now, there are multiple features and protocols that we can load balance using NetScaler. They are listed as follows:

  • Outlook Web Access (OWA)
  • Outlook Anywhere
  • ActiveSync
  • IMAP4

OWA, Outlook Anywhere, and ActiveSync all use the same port and can be load balanced using the same vServer. The only difference is that they are available on different URL paths. First, we need to add the servers that are running as CAS to the list of servers. Next, we need to create a service or service group, which we will bind to the server on port 443 with protocol HTTPS. After we have chosen HTTPS as the protocol for the service, the SSL Settings pane becomes active, and there we need to add the digitally signed certificate that is attached to CAS. This can be done by going to Traffic Management | SSL. From there, we can import the certificate and then install it for the service.

Note

The purpose of the certificate is to ensure that NetScaler can enable a complete connection to the OWA server backend as the use of certificates requires that both parties have a trusted root certificate in place in order to trust the connection.

Next, we need to create a vServer to set up a load-balanced service. Then, we need to bind it to a virtual IP address, port (443), and protocol (SSL), and bind a new certificate to the vServer. Under Method and Persistence, we choose Least Connection and COOKIEINSERT respectively, with a timeout of 2 minutes, and then click on Create. It is also important to set the external domain URL in CAS. This needs to be set from the Exchange management console, which you can read more about at http://technet.microsoft.com/en-us/library/jj218640%28v=exchg.150%29.aspx.

The external domain URL in the Exchange management console needs to point to the VIP address of the load-balanced service we created.

IMAP

IMAP is also a protocol that is commonly used in conjunction with Exchange, even though it does not provide many of the same features, such as calendar and public folders. IMAP is primarily used by a client to access e-mail on an Exchange server. Note that IMAP is not enabled by default on Exchange 2013. If you want to use this feature, you can read more about it at http://technet.microsoft.com/en-us/library/bb124489(v=exchg.150).aspx.

IMAP primarily uses two ports, TCP 143 for non-secure connections and TCP 993 for secure connections. Again, if we already have CAS on the server list, we do not need to add them again. If they are not added, add them to the list. Before we set up a service, we need to create a custom monitor. Go to Traffic Management | Load Balancing | Monitors, and click on Add. Here, we need to enter a name, define an interval of 30 seconds, and define port 143 as the destination port. As type, choose TCP-ECV and then go to the Special Parameters pane. Here, we need to type "The Microsoft Exchange IMAP4 service is ready" as the received string. This monitor queries CAS on that particular port and expects the text in response. Next, we need to create a service or service group. Add CAS to the list and bind them to the service, using protocol TCP and port 143. Then, bind the custom-made monitor we just created.
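Before relying on the monitor, it helps to confirm from a management host that a CAS really answers on port 143 with the expected text. The following Python sketch is an added example, not part of the original text or of any Citrix or Microsoft tooling: it imitates what the TCP-ECV monitor described above does (connect, send nothing, look for the received string). The function names, the local stand-in listener, and both sample banners are constructed for illustration.

```python
import socket
import threading

# Received string configured in the monitor's Special Parameters pane.
RECV_STRING = b"The Microsoft Exchange IMAP4 service is ready"

def ecv_probe(host, port, expect=RECV_STRING, timeout=5.0, max_bytes=4096):
    """Connect, send nothing, and report whether the server's first bytes
    contain `expect`. Returns (is_up, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            data = b""
            while expect not in data and len(data) < max_bytes:
                chunk = s.recv(1024)
                if not chunk:          # peer closed before the string arrived
                    break
                data += chunk
            return expect in data, data.decode("ascii", "replace").strip()
    except OSError as exc:             # refused, unreachable, or timed out
        return False, f"connect/read failed: {exc}"

def fake_server(banner):
    """Constructed stand-in for a CAS IMAP listener on 127.0.0.1."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))         # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()
    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread

def demo():
    """Probe two constructed banners: one healthy, one without the string."""
    banners = {
        "healthy": b"* OK The Microsoft Exchange IMAP4 service is ready.\r\n",
        "unhealthy": b"* BYE service unavailable (constructed sample)\r\n",
    }
    results = {}
    for name, banner in banners.items():
        port, thread = fake_server(banner)
        results[name] = ecv_probe("127.0.0.1", port)[0]
        thread.join(2)
    return results

if __name__ == "__main__":
    print(demo())
```

To check a real server, call `ecv_probe` with the CAS address and port 143; a result of `False` means the monitor would mark that service as down.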

Now, we need to create a vServer. To this, we bind the service we created earlier, protocol SSL_TCP, port 993, and define a virtual IP address. Then, we need to add a digital certificate in the SSL Settings pane of the vServer to ensure that clients can use the IMAP service securely. With this setup, NetScaler terminates the secure connection on port 993 and forwards the traffic to CAS over TCP 143.

Note

As we have seen in the SharePoint part, Citrix has the AppExpert feature, which simplifies deployment of a service and configures optimization such as caching and redirection. As of now, this is only available for Exchange 2010 but stay tuned on http://www.citrix.com/static/appexpert/appexpert-template.html for newer releases of Exchange 2013.
