06-20-2011 11:53 AM
We are load-balancing SSL successfully but the Exchange people want to use RPC to access
mailboxes using CSM.
We need to allow ports 6005 through 59530 used by the Client Access Servers. Any suggestions?
06-21-2011 05:02 AM
Mohamad,
To balance over a large range of ports I'd suggest using a separate VIP for the exchange traffic so you don't need to specify any specific port, just balance any traffic hitting that VIP. But if you need to do this over SSL I suspect you would need a second SSL engine in the module and I think the CSM only has the one. I'm sure someone on this forum can confirm or deny this.
Alternatively, it is possible to restrict RPC to a range of ports in the Registry. There are a number of articles on MS Technet and it does vary with the version of Windows, so a quick Google by the server admins should point them in the right direction. This is common practice when using firewalls in the Windows environment. Beware though: if you don't allow a sufficient port range for RPC (minimum of 100 recommended for most environments), performance will suffer. This would then mean you only need to balance on that smaller range of ports.
HTH
Zac
06-21-2011 05:51 AM
Thank you, Zac. I was thinking about creating two vservers: one that allows only SSL, and the other that allows all TCP ports. Both vservers would use the same VIP. When traffic comes in on port 443, the first vserver would be used, and for all other ports, the second vserver would be used.
06-21-2011 06:06 AM
That should do the trick. The CSM should work on the most exact match so if you don't specify a port on the second rule any traffic not matching 443 should be sent that route.
06-21-2011 06:15 AM
Thanks. I tried that, but according to our exchange administrators, the solution didn't work. Here is my configuration:
serverfarm EXCH-CAS
 nat server
 no nat client
 real x.x.248.100
  inservice
 real x.x.248.101
  inservice
 probe EXCH-CAS
serverfarm EXCH-CAS-SSL
 nat server
 no nat client
 real x.x.254.60
  inservice
 real x.x.254.61
  inservice
 probe SSL-FARM
!
vserver EXCH-CAS
 virtual x.x.254.154 tcp www
 vlan 460
 serverfarm EXCH-CAS
 sticky 1440 group 152
 replicate csrp sticky
 replicate csrp connection
 persistent rebalance
 inservice
!
!
vserver EXCH-CAS-S
 virtual x.x.214.139 tcp https
 vlan 400
 serverfarm EXCH-CAS-SSL
 sticky 5 group 252
 replicate csrp sticky
 replicate csrp connection
 persistent rebalance
 inservice
!
vserver EXCH-CAS-TEST-S
 virtual x.x.214.139 tcp 0
 vlan 400
 serverfarm EXCH-CAS
 sticky 5 group 252
 replicate csrp sticky
 replicate csrp connection
 persistent rebalance
 inservice
!
Thanks,
Mohamad
06-21-2011 06:25 AM
I think it needs to be
vserver EXCH-CAS-TEST-S
 virtual x.x.214.139 any
06-21-2011 06:35 AM
Thanks again. I made the change as you suggested. Let's see if it works now.
06-21-2011 06:46 AM
Still not working. Any other suggestions?
06-21-2011 07:37 AM
Curious! What type of probe are you using and is the server being seen as alive by the probe?
06-21-2011 07:41 AM
This is the probe I am using and the servers are up.
probe EXCH-CAS http
 request method head url http://exchca01.xxxx.edu/probe.html
 expect status 200
 interval 5
 retries 1
 failed 30
 port 80
06-21-2011 07:50 AM
OK,
I think you need to create another farm with the same real servers but a different probe (a basic ping probe). I seem to recall when working with CSS boxes (and I've not done this on a CSM) that when not specifying the port in the vserver (we're using ANY here), if the probe is set to http the box infers that the service is an http service.
If your web services are not live you could change the probe on the existing farm to prove the theory; otherwise create a new one. (A real server can be a member of multiple server farms.)
Zac
06-22-2011 08:42 AM
Thanks, Zac.
I had to remove the sticky group to make it work.
Thanks for all the help.
Mohamad
06-22-2011 08:45 AM
You're welcome. Glad you got it working.
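Added example, not part of the thread: a short Python lint over the vserver stanzas posted above (addresses left masked as in the post, `vlan`, replication and `inservice` lines omitted) that reports sticky groups referenced by vservers pointing at different serverfarms. The thread does not say why removing the sticky group fixed the problem; the check only surfaces that group 252 was shared by EXCH-CAS-S and EXCH-CAS-TEST-S. The function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample: vserver stanzas from the thread, trimmed to the relevant lines.
SAMPLE_CONFIG = """\
vserver EXCH-CAS
 virtual x.x.254.154 tcp www
 serverfarm EXCH-CAS
 sticky 1440 group 152
!
vserver EXCH-CAS-S
 virtual x.x.214.139 tcp https
 serverfarm EXCH-CAS-SSL
 sticky 5 group 252
!
vserver EXCH-CAS-TEST-S
 virtual x.x.214.139 any
 serverfarm EXCH-CAS
 sticky 5 group 252
"""

def parse_vservers(config):
    """Return {vserver name: {"virtual": ..., "serverfarm": ..., "sticky_group": ...}}."""
    vservers, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None          # "!" closes the current stanza
            continue
        words = line.split()
        if words[0] == "vserver" and len(words) == 2:
            current = vservers.setdefault(words[1], {})
        elif current is not None and words[0] in ("virtual", "serverfarm"):
            current[words[0]] = " ".join(words[1:])
        elif current is not None and words[0] == "sticky" and "group" in words:
            current["sticky_group"] = int(words[words.index("group") + 1])
    return vservers

def shared_sticky_groups(vservers):
    """Return {group: sorted vserver names} for groups spanning different serverfarms."""
    by_group = defaultdict(list)
    for name, cfg in vservers.items():
        if "sticky_group" in cfg:
            by_group[cfg["sticky_group"]].append(name)
    return {g: sorted(names) for g, names in by_group.items()
            if len({vservers[n].get("serverfarm") for n in names}) > 1}

if __name__ == "__main__":
    print(shared_sticky_groups(parse_vservers(SAMPLE_CONFIG)))
```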