
Trying to load-balance Exchange 2010 with ACE30

ivarstrandberg
Level 1

Hi.

We have an ACE30 (running A5(1.2)) and a couple of Exchange 2010 CAS.

We have little experience in load-balancing, but we found this guide from Cisco: http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/App_Networking/Exchange_VSphere_UCS_NetApp.html#wp345264

We have also tried to use the template for Exchange 2010 in ANM. The result seems to be the same:

If we go to the URL for OWA, nothing happens. If we go directly to a CAS (by editing the hosts-file on the client), the same URL is working perfectly.

Here's the config of the ACE-context:

access-list all line 10 extended permit ip any any
access-list all line 20 extended permit icmp any any


probe http http-probe
  interval 60
  passdetect count 2
  request method get url /exchweb/bin/auth/owalogon.asp
  expect status 400 404
probe https https-probe
  interval 60
  passdetect count 2
  ssl version all
  request method get url /owa/auth/login.aspx
  expect status 400 404


rserver host CAS1
  ip address 10.10.10.1
  probe http-probe
  probe https-probe
  inservice
rserver host CAS2
  ip address 10.10.10.2
  probe http-probe
  probe https-probe
  inservice
rserver redirect SSLREDIRECT
  webhost-redirection https://www2.test.com/owa 302
  inservice

serverfarm host CAS-FARM
  predictor leastconns
  rserver CAS1
    inservice
  rserver CAS2
    inservice
serverfarm host CAS-FARM-80
  predictor leastconns
  rserver CAS1 80
    inservice
  rserver CAS2 80
    inservice
serverfarm redirect SSLREDIRECT
  rserver SSLREDIRECT
    inservice

sticky ip-netmask 255.255.255.255 address source CAS-IP
  replicate sticky
  serverfarm CAS-FARM
sticky http-cookie Cookie OWA-STICKY
  cookie insert browser-expire
  timeout 60
  replicate sticky
  serverfarm CAS-FARM-80
sticky http-header Authorization CAS-RPC-HTTP
  serverfarm CAS-FARM-80

ssl-proxy service OWA
  key www2.test.com.pfx
  cert www2.test.com.pfx

class-map match-any IMAPI-RPC
  2 match virtual-address 10.1.1.1 any
class-map match-all OWA-OUTLOOKANYWHERE-SSL
  2 match virtual-address 10.1.1.1 tcp eq https
class-map match-all OWAREDIRECT
  2 match virtual-address 10.1.1.1 tcp eq www

policy-map type management first-match mgmt-pm
  class class-default
    permit

policy-map type loadbalance first-match IMAPI-RPC
  class class-default
    sticky-serverfarm CAS-IP
policy-map type loadbalance first-match OWA-OUTLOOKANYWHERE
  match OUTLOOK_ANYWHERE http header User-Agent header-value "MSRPC"
    sticky-serverfarm CAS-RPC-HTTP
  class class-default
    sticky-serverfarm OWA-STICKY
policy-map type loadbalance http first-match SSLREDIRECT
  class class-default
    serverfarm SSLREDIRECT

policy-map multi-match int118
  class OWAREDIRECT
    loadbalance vip inservice
    loadbalance policy SSLREDIRECT
  class OWA-OUTLOOKANYWHERE-SSL
    loadbalance vip inservice
    loadbalance policy OWA-OUTLOOKANYWHERE
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 118
    ssl-proxy server OWA
  class IMAPI-RPC
    loadbalance vip inservice
    loadbalance policy IMAPI-RPC
    nat dynamic 1 vlan 118

interface vlan 118
  description to server-side vlan
  ip address 172.16.1.2 255.255.255.252

  access-group input all
  nat-pool 1 10.1.1.2 10.1.1.2 netmask 255.255.255.255 pat
  service-policy input int118
  service-policy input mgmt-pm
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.1.1


Are there any obvious mistakes in this config?

1 Reply

ivarstrandberg
Level 1
crypto chaingroup www2.test.com
  cert digicert_intermediate

access-list all line 10 extended permit ip any any
access-list all line 20 extended permit icmp any any


probe http http-probe
  interval 10
  faildetect 2
  passdetect interval 10
  passdetect count 2
  request method get url /iisstart.htm
  expect status 200 200


rserver host CAS1
  ip address 10.10.10.1
  probe http-probe
  inservice
rserver host CAS2
  ip address 10.10.10.2
  probe http-probe
  inservice
rserver redirect SSLREDIRECT
  webhost-redirection https://%h%p 301
  inservice

serverfarm host CAS-FARM
  predictor leastconns
  rserver CAS1
    inservice
  rserver CAS2
    inservice
serverfarm host CAS-FARM-80
  predictor leastconns
  rserver CAS1 80
    inservice
  rserver CAS2 80
    inservice
serverfarm redirect SSLREDIRECT
  rserver SSLREDIRECT
    inservice

sticky ip-netmask 255.255.255.255 address source CAS-IP
  replicate sticky
  serverfarm CAS-FARM-80
sticky http-cookie Cookie OWA-STICKY
  cookie insert browser-expire
  timeout 60
  replicate sticky
  serverfarm CAS-FARM-80
sticky http-header Authorization CAS-RPC-HTTP
  serverfarm CAS-FARM-80

ssl-proxy service OWA
  key www2.test.com.pfx
  cert www2.test.com.pfx
  chaingroup www2.test.com

class-map match-any IMAPI-RPC
  2 match virtual-address 10.1.1.1 any
class-map match-all OWA-OUTLOOKANYWHERE-SSL
  2 match virtual-address 10.1.1.1 tcp eq https
class-map match-all OWAREDIRECT
  2 match virtual-address 10.1.1.1 tcp eq www

policy-map type loadbalance first-match IMAPI-RPC
  class class-default
    sticky-serverfarm CAS-IP


policy-map type loadbalance first-match OWA-OUTLOOKANYWHERE
  match OUTLOOK_ANYWHERE http header User-Agent header-value "MSRPC"
    sticky-serverfarm CAS-RPC-HTTP
  class class-default
    sticky-serverfarm OWA-STICKY
policy-map type loadbalance http first-match SSLREDIRECT
  class class-default
    serverfarm SSLREDIRECT

policy-map multi-match int118
  class OWAREDIRECT
    loadbalance vip inservice
    loadbalance policy SSLREDIRECT
  class OWA-OUTLOOKANYWHERE-SSL
    loadbalance vip inservice
    loadbalance policy OWA-OUTLOOKANYWHERE
    nat dynamic 1 vlan 118
    ssl-proxy server OWA
  class IMAPI-RPC
    loadbalance vip inservice
    loadbalance policy IMAPI-RPC
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 118

interface vlan 118
  description to server-side vlan
  ip address 172.16.1.2 255.255.255.252
  access-group input all
  nat-pool 1 10.1.1.1 10.1.1.1 netmask 255.255.255.255 pat
  service-policy input int118
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.1.1

snmp-server community IntiliReaD group Network-Monitor


We finally got it working. Above is the config as it is right now. The main difference is the URL for redirection. With Cisco's example, we got caught in a redirection loop.
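
Added example, not part of the original posts: a stanza-level diff for ACE-style indented configs, run over two stanzas excerpted from the two configs above, so that every changed line between the non-working and working versions is listed per stanza. The function names `parse` and `diff` are hypothetical; the config lines are copied from the posts.

```python
# BEFORE/AFTER: two stanzas excerpted verbatim from the first and second posted configs.
BEFORE = """\
rserver redirect SSLREDIRECT
  webhost-redirection https://www2.test.com/owa 302
  inservice
sticky ip-netmask 255.255.255.255 address source CAS-IP
  replicate sticky
  serverfarm CAS-FARM
"""
AFTER = """\
rserver redirect SSLREDIRECT
  webhost-redirection https://%h%p 301
  inservice
sticky ip-netmask 255.255.255.255 address source CAS-IP
  replicate sticky
  serverfarm CAS-FARM-80
"""

def parse(cfg):
    """Map each top-level stanza header to its child lines ('parent > child' when nested)."""
    stanzas, header, stack = {}, None, []
    for raw in cfg.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0 or header is None:
            header, stack = raw.strip(), []
            stanzas.setdefault(header, set())
            continue
        while stack and stack[-1][0] >= indent:  # leave deeper or sibling levels
            stack.pop()
        stack.append((indent, raw.strip()))
        stanzas[header].add(" > ".join(text for _, text in stack))
    return stanzas

def diff(before, after):
    """Return {stanza header: (removed lines, added lines)} for stanzas that differ."""
    b, a, out = parse(before), parse(after), {}
    for h in sorted(set(b) | set(a)):
        removed = b.get(h, set()) - a.get(h, set())
        added = a.get(h, set()) - b.get(h, set())
        if removed or added or (h in b) != (h in a):
            out[h] = (sorted(removed), sorted(added))
    return out

if __name__ == "__main__":
    for h, (rem, add) in diff(BEFORE, AFTER).items():
        print(h, *["  - " + l for l in rem], *["  + " + l for l in add], sep="\n")
```

Pasting the two full configs into `BEFORE` and `AFTER` lists the remaining changed stanzas in the same way.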