
RPC Load Balancing on CSM and SSL

Mohamad Qayoom
Level 3

We are load-balancing SSL successfully but the Exchange people want to use RPC to access mailboxes using CSM.

We need to allow ports 6005 through 59530 used by the Client Access Servers. Any suggestions?

12 Replies

zac.quinn
Level 1

Mohamad,

To balance over a large range of ports I'd suggest using a separate VIP for the exchange traffic so you don't need to specify any specific port, just balance any traffic hitting that VIP.  But if you need to do this over SSL I suspect you would need a second SSL engine in the module and I think the CSM only has the one. I'm sure someone on this forum can confirm or deny this.

Alternatively, it is possible to restrict RPC to a range of ports in the Registry. There are a number of articles on MS Technet and it does vary with the version of Windows, so a quick Google by the server admins should point them in the right direction. This is common practice when using firewalls in the Windows environment. Beware though: if you don't allow a sufficient port range for RPC (minimum of 100 recommended for most environments), performance will suffer. This would then mean you only need to balance on that smaller range of ports.

HTH

Zac

Thank you, Zac. I was thinking about creating two vservers. One that allows only SSL, and the other allows all tcp ports. Both vservers would use the same VIP. When the traffic will come on port 443, the first vserver would be used, and for all other ports, the second vserver will be used.

That should do the trick.  The CSM should work on the most exact match so if you don't specify a port on the second rule any traffic not matching 443 should be sent that route.

Thanks. I tried that, but according to our exchange administrators, the solution didn't work. Here is my configuration:

serverfarm EXCH-CAS
  nat server
  no nat client
  real x.x.248.100
    inservice
  real x.x.248.101
    inservice
  probe EXCH-CAS

serverfarm EXCH-CAS-SSL
  nat server
  no nat client
  real x.x.254.60
    inservice
  real x.x.254.61
    inservice
  probe SSL-FARM

!
vserver EXCH-CAS
  virtual x.x.254.154 tcp www
  vlan 460
  serverfarm EXCH-CAS
  sticky 1440 group 152
  replicate csrp sticky
  replicate csrp connection
  persistent rebalance
  inservice
!
!
vserver EXCH-CAS-S
  virtual x.x.214.139 tcp https
  vlan 400
  serverfarm EXCH-CAS-SSL
  sticky 5 group 252
  replicate csrp sticky
  replicate csrp connection
  persistent rebalance
  inservice
!
vserver EXCH-CAS-TEST-S
  virtual x.x.214.139 tcp 0
  vlan 400
  serverfarm EXCH-CAS
  sticky 5 group 252
  replicate csrp sticky
  replicate csrp connection
  persistent rebalance
  inservice
!

Thanks,

Mohamad

I think it needs to be

vserver EXCH-CAS-TEST-S
   virtual x.x.214.139 any

Thanks again. I made the change as you suggested. Let's see if it works now.

Still not working. Any other suggestions?

Curious! What type of probe are you using and is the server being seen as alive by the probe?

This is the probe I am using and the servers are up.

probe EXCH-CAS http
  request method head url http://exchca01.xxxx.edu/probe.html
  expect status 200
  interval 5
  retries 1
  failed 30
  port 80

OK,

I think you need to create another farm with the same real servers but a different probe (a basic ping probe). I seem to recall when working with CSS boxes (and I've not done this on a CSM) that when not specifying the port in the vserver (we're using ANY here), if the probe is set to http the box infers that the service is an http service.

If your web services are not live you could change the probe on the existing farm to prove the theory; otherwise create a new one (a real server can be a member of multiple server farms).

Zac

Thanks, Zac.

I had to remove the sticky group to make it work.

Thanks for all the help.

Mohamad

You're welcome. Glad you got it working.
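
As an added example (not part of the thread and not Cisco tooling), here is a small Python audit of vserver stanzas written in the syntax posted above. It lists vservers that accept every port on a VIP and sticky groups shared by vservers that point at different serverfarms, which are the two settings the thread changed. The sample config, the 192.0.2.x addresses and the function names are constructed for illustration, and the parser assumes sub-commands are indented under their stanza.

```python
import re
from collections import defaultdict

# Constructed sample in the syntax posted in the thread; 192.0.2.x are placeholder addresses.
SAMPLE = """\
vserver EXCH-CAS-S
  virtual 192.0.2.139 tcp https
  serverfarm EXCH-CAS-SSL
  sticky 5 group 252
  inservice
!
vserver EXCH-CAS-TEST-S
  virtual 192.0.2.139 any
  serverfarm EXCH-CAS
  sticky 5 group 252
  inservice
"""

def parse_vservers(text):
    """Map each vserver name to its VIP, protocol/port match, serverfarm and sticky group."""
    vservers, cur = {}, None
    for raw in filter(str.strip, text.splitlines()):  # skip blank lines
        words = raw.split()
        if not raw[0].isspace():
            # Unindented line: a new stanza starts; only vserver stanzas are tracked.
            cur = None
            if words[0] == "vserver" and len(words) > 1:
                cur = vservers.setdefault(
                    words[1], {"vip": None, "match": None, "farm": None, "group": None})
        elif cur is not None:
            if words[0] == "virtual" and len(words) > 2:
                cur["vip"], cur["match"] = words[1], " ".join(words[2:])
            elif words[0] == "serverfarm" and len(words) > 1:
                cur["farm"] = words[1]
            elif (m := re.match(r"\s*sticky \d+ group (\d+)", raw)):
                cur["group"] = int(m.group(1))
    return vservers

def audit(vservers):
    """List all-port vservers and sticky groups shared by vservers that use different farms."""
    findings, by_group = [], defaultdict(list)
    for name, v in vservers.items():
        if v["match"] in ("any", "tcp 0"):  # the two all-port forms tried in the thread
            findings.append(("all-ports", name, v["vip"]))
        if v["group"] is not None:
            by_group[v["group"]].append(name)
    for group, names in sorted(by_group.items()):
        if len({vservers[n]["farm"] for n in names}) > 1:
            findings.append(("shared-sticky-group", group, tuple(sorted(names))))
    return findings
```

Every `all-ports` finding is a VIP that forwards any destination port to the farm's real servers, so it is worth pairing with the registry-restricted RPC port range suggested earlier in the thread.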
