09-13-2012 03:24 AM - edited 08-29-2017 05:04 AM
Exchange ActiveSync gives end users on low-bandwidth, high-latency devices such as cell phones a way to access their mailboxes over HTTPS, synchronizing e-mail, contacts, calendar information, and tasks. The Cisco ACE load balancer can be used to distribute these requests across the Exchange Client Access Server (CAS) array.
It is possible to use a shared VIP address on the ACE for multiple Exchange services, or to use a different VIP for each service. Matching on the URL /microsoft-server-activesync makes it possible to load balance ActiveSync and other Exchange services behind a shared VIP. ActiveSync traffic normally runs over SSL, so the HTTP is carried as HTTPS. To properly load balance ActiveSync (matching the URL and sticking on an HTTP header), the ACE must terminate the SSL session. Termination can be done on the ACE only (front-end SSL) or on both the ACE and the server (end-to-end SSL).
Server load balancing (SLB) is the process of deciding which server a load-balancing device should send a client request to. For example, a client request may be a HyperText Transport Protocol (HTTP) GET for a web page or a File Transfer Protocol (FTP) GET to download a file. The job of the load balancer is to select the server that can fulfill the client request successfully and in the shortest time, without overloading either that server or the server farm as a whole. Real server host configuration mode commands allow you to create and configure the host real servers used in SLB; to create a host real server and enter real server host configuration mode, use the rserver host command in configuration mode.
To provide services to clients, you configure real servers (the actual physical servers) on the ACE. Real servers provide client services such as HTTP or XML content, hosting websites, FTP file uploads or downloads, redirection for web pages that have moved to another location, and so on. The ACE also allows you to configure backup servers in case a server is taken out of service for any reason.
Servers are organized into related groups called server farms. Servers within server farms often contain identical content (referred to as mirrored content) so that if one server becomes inoperative, another server can take its place immediately. Also, mirrored content allows several servers to share the load of increased demand.
Although it is possible to load balance ActiveSync without a sticky method, this is not recommended. When an Exchange ActiveSync client is assigned to a new Client Access Server (CAS), that server must re-create the notification subscription against the user's mailbox, which carries a significant performance penalty; a good sticky method avoids it. If the inbound client IP addresses are known to be unique per synchronized device (i.e. no NAT between the device and the load balancer), source IP-based sticky is a good choice. However, since ActiveSync is typically used over cellular carrier networks, inbound traffic is often sourced from the carrier's NAT infrastructure, so all connections from users on a given carrier can appear to come from one or a small set of source IP addresses.
SSL ID-based sticky is not recommended for ActiveSync as some devices are known to frequently renegotiate SSL security parameters. Cookie insert is not recommended as many mobile devices do not accept cookies.
Generally the best sticky method for ActiveSync is sticking on the Authorization HTTP header. Basic authentication is the default and most commonly used authentication type for Exchange ActiveSync, and this header is uncommon for other protocols and authentication methods. Sticking on the Basic authentication Authorization header sends all basic-authenticated traffic from a given user to the same Client Access Server. The same header is also present when Outlook traffic is transmitted from behind a reverse proxy server. For the ACE to stick on an HTTP header in HTTPS traffic it must terminate the SSL connection, since the header is otherwise encrypted.
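The difference between source-IP sticky and Authorization-header sticky, as an added Python example (not part of the original post and not a model of the ACE's own implementation): it builds a minimal sticky table, runs a few constructed requests that all arrive from one carrier NAT address, and shows that source-IP sticky pins every user to a single CAS while header sticky spreads users across the farm and still keeps each user on the same server. The HMAC key, the round-robin first assignment, the constructed addresses and credentials are assumptions; the server names are reused from the sample config below. The keyed digest is there so the table stores a hash rather than the base64 credentials that a Basic Authorization header carries.

```python
import base64
import hashlib
import hmac
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed: the two CAS real servers named in the sample ACE config.
SERVERS: List[str] = ["Cas_sync1", "Cas_sync2"]

# Hypothetical key: the sticky table stores an HMAC of the header, never the
# raw header, which in Basic auth is just base64(user:password).
STICKY_HMAC_KEY = b"constructed-sticky-hmac-key"


def sticky_key_from_auth(headers: Dict[str, str]) -> Optional[str]:
    """Sticky key for `sticky http-header Authorization`. Returns None when the
    request has no Basic Authorization header; such requests fall through to
    the class-default serverfarm with no stickiness."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth is None or not auth.lower().startswith("basic "):
        return None
    return hmac.new(STICKY_HMAC_KEY, auth.encode(), hashlib.sha256).hexdigest()


def sticky_key_from_source(src_ip: str, netmask: str = "255.255.255.255") -> str:
    """Sticky key for `sticky ip-netmask <mask> address source`: the masked
    client address. Every device behind one carrier NAT shares this key."""
    net = ipaddress.IPv4Network(f"{src_ip}/{netmask}", strict=False)
    return str(net.network_address)


class StickyTable:
    """Minimal sticky table: the first request for a key is load balanced
    (round robin here); later requests with the same key reuse the entry."""

    def __init__(self, servers: List[str]) -> None:
        self.servers = servers
        self.entries: Dict[str, str] = {}
        self._rr = 0

    def _next_server(self) -> str:
        server = self.servers[self._rr % len(self.servers)]
        self._rr += 1
        return server

    def server_for(self, key: Optional[str]) -> str:
        if key is None:                      # no sticky key: plain load balancing
            return self._next_server()
        if key not in self.entries:
            self.entries[key] = self._next_server()
        return self.entries[key]


def basic_auth_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


Request = Tuple[str, str, Dict[str, str]]          # (user, source ip, headers)
KeyFunc = Callable[[str, Dict[str, str]], Optional[str]]


def simulate(requests: List[Request], key_func: KeyFunc) -> Dict[str, str]:
    """Push requests through a fresh sticky table; return user -> CAS chosen."""
    table = StickyTable(SERVERS)
    chosen: Dict[str, str] = {}
    for user, src_ip, headers in requests:
        chosen[user] = table.server_for(key_func(src_ip, headers))
    return chosen


def by_source(src_ip: str, headers: Dict[str, str]) -> Optional[str]:
    return sticky_key_from_source(src_ip)


def by_auth(src_ip: str, headers: Dict[str, str]) -> Optional[str]:
    return sticky_key_from_auth(headers)


# Constructed traffic: three users on one carrier, all NATed to a single address.
CARRIER_NAT_IP = "203.0.113.7"
REQUESTS: List[Request] = [
    ("alice", CARRIER_NAT_IP, {"Authorization": basic_auth_header("alice", "pw1")}),
    ("bob",   CARRIER_NAT_IP, {"Authorization": basic_auth_header("bob", "pw2")}),
    ("carol", CARRIER_NAT_IP, {"Authorization": basic_auth_header("carol", "pw3")}),
    ("alice", CARRIER_NAT_IP, {"Authorization": basic_auth_header("alice", "pw1")}),
]

if __name__ == "__main__":
    print("source-ip sticky  :", simulate(REQUESTS, by_source))  # everyone on one CAS
    print("auth-header sticky:", simulate(REQUESTS, by_auth))    # spread; alice stays put
```

The second alice request is the check that matters: with header sticky it lands on the server the first one chose, while a request without a Basic Authorization header yields no key and is simply load balanced.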
To configure Exchange ActiveSync to support SSL termination, first remove the SSL requirement in IIS on the ActiveSync server:
1) Open IIS Manager and expand the Default Web Site.
2) Under the Default Web Site, select the "Microsoft-Server-ActiveSync" virtual directory.
3) Click "SSL Settings".
4) Uncheck the "Require SSL" check box and click "Apply" in the Actions pane.
To finalize, open a command prompt window and run "iisreset /noforce" so that the changes are applied.
Next, the certificates and keys need to be imported onto the ACE module. Follow the ACE SSL Guide section Managing Certificates and Keys for importing certs and keys.
If both front-end and back-end SSL are required, the server changes above are not needed. Instead, SSL initiation from the ACE to the real servers is added to complete the end-to-end SSL configuration. Follow the ACE SSL Guide section Configuring End-to-End SSL.
Sample Config for Front End SSL
probe http HTTP
  interval 30
  faildetect 30
  passdetect interval 30
  expect status 200 200

rserver host Cas_sync1
  ip address 1.1.1.10
  inservice
rserver host Cas_sync2
  ip address 1.1.1.12
  inservice

serverfarm host ActiveSync
  probe HTTP
  rserver Cas_sync1 80
    inservice
  rserver Cas_sync2 80
    inservice

sticky http-header Authorization Auth_Stick
  serverfarm ActiveSync

ssl-proxy service Active_Sync_SSL
  key cisco-sample-key
  cert cisco-sample-cert

class-map match-all ActiveSync
  2 match virtual-address 2.2.2.10 tcp eq https
class-map type http loadbalance match-any l7Async
  2 match http url /microsoft-server-activesync

policy-map type loadbalance first-match ActiveSync-l7slb
  class l7Async
    sticky-serverfarm Auth_Stick
  class class-default
    serverfarm ActiveSync

policy-map multi-match EAS
  class ActiveSync
    loadbalance vip inservice
    loadbalance policy ActiveSync-l7slb
    ssl-proxy server Active_Sync_SSL

interface vlan 178
  description "client vlan"
  ip address 2.2.2.1 255.255.255.0
  access-group input any
  service-policy input mgt
  service-policy input EAS
  no shutdown
interface vlan 1
  description "server vlan"
  ip address 1.1.1.1 255.255.255.0
  service-policy input mgt
  no shutdown
Sample Config for End to End SSL
probe https HTTPS
  interval 30
  faildetect 30
  passdetect interval 30
  expect status 200 200

rserver host Cas_sync1
  ip address 1.1.1.10
  inservice
rserver host Cas_sync2
  ip address 1.1.1.12
  inservice

serverfarm host ActiveSync
  probe HTTPS
  rserver Cas_sync1 443
    inservice
  rserver Cas_sync2 443
    inservice

sticky http-header Authorization Auth_Stick
  serverfarm ActiveSync

ssl-proxy service Active_Sync_SSL
  key cisco-sample-key
  cert cisco-sample-cert
ssl-proxy service SSL_PSERVICE_CLIENT

class-map match-all ActiveSync
  2 match virtual-address 2.2.2.10 tcp eq https
class-map type http loadbalance match-any l7Async
  2 match http url /microsoft-server-activesync

policy-map type loadbalance first-match ActiveSync-l7slb
  class l7Async
    sticky-serverfarm Auth_Stick
    ssl-proxy client SSL_PSERVICE_CLIENT
  class class-default
    serverfarm ActiveSync
    ssl-proxy client SSL_PSERVICE_CLIENT

policy-map multi-match EAS
  class ActiveSync
    loadbalance vip inservice
    loadbalance policy ActiveSync-l7slb
    ssl-proxy server Active_Sync_SSL

interface vlan 178
  description "client vlan"
  ip address 10.86.178.129 255.255.255.0
  access-group input any
  service-policy input mgt
  service-policy input EAS
  no shutdown
interface vlan 1
  description "server vlan"
  ip address 1.1.1.1 255.255.255.0
  service-policy input mgt
  no shutdown
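A configuration like the two above is easy to break with a single mistyped object name, and the ACE will accept the reference without resolving it until traffic actually hits the policy. The following Python checker is an added example, not Cisco's or the post author's tooling: it parses a flat ACE config excerpt, records every named object that is defined (probe, rserver, serverfarm, sticky group, ssl-proxy service, class-map, policy-map, parameter-map) and every place one is referenced, and reports references to undefined objects as well as objects that are defined but never used. The embedded sample is a constructed excerpt of the end-to-end config in which the client ssl-proxy service is defined as SSL_PSRVICE_CLIENT but referenced as SSL_PSERVICE_CLIENT; the keyword patterns cover only the statement forms that appear on this page.

```python
import re
from typing import Dict, List, Set, Tuple

Obj = Tuple[str, str]          # (object kind, object name)

# Statements that DEFINE a named object; the name is the captured group.
DEFINITIONS = [
    (re.compile(r"^probe\s+\S+\s+(\S+)$"), "probe"),
    (re.compile(r"^rserver\s+host\s+(\S+)$"), "rserver"),
    (re.compile(r"^serverfarm\s+host\s+(\S+)$"), "serverfarm"),
    (re.compile(r"^sticky\s+http-header\s+\S+\s+(\S+)$"), "sticky"),
    (re.compile(r"^sticky\s+ip-netmask\s+\S+\s+address\s+\S+\s+(\S+)$"), "sticky"),
    (re.compile(r"^ssl-proxy\s+service\s+(\S+)$"), "ssl-proxy"),
    (re.compile(r"^class-map\s+.*\s(\S+)$"), "class-map"),
    (re.compile(r"^policy-map\s+type\s+loadbalance\s+\S+\s+(\S+)$"), "lb-policy"),
    (re.compile(r"^policy-map\s+multi-match\s+(\S+)$"), "policy-map"),
    (re.compile(r"^parameter-map\s+type\s+http\s+(\S+)$"), "parameter-map"),
]

# Statements that REFERENCE a named object defined elsewhere.
REFERENCES = [
    (re.compile(r"^probe\s+(\S+)$"), "probe"),
    (re.compile(r"^rserver\s+(\S+)(?:\s+\d+)?$"), "rserver"),
    (re.compile(r"^serverfarm\s+(\S+)$"), "serverfarm"),
    (re.compile(r"^sticky-serverfarm\s+(\S+)$"), "sticky"),
    (re.compile(r"^ssl-proxy\s+(?:client|server)\s+(\S+)$"), "ssl-proxy"),
    (re.compile(r"^class\s+(\S+)$"), "class-map"),
    (re.compile(r"^loadbalance\s+policy\s+(\S+)$"), "lb-policy"),
    (re.compile(r"^service-policy\s+input\s+(\S+)$"), "policy-map"),
    (re.compile(r"^appl-parameter\s+http\s+advanced-options\s+(\S+)$"), "parameter-map"),
]

BUILTIN: Set[Obj] = {("class-map", "class-default")}   # implicit, never defined


def check_references(config: str) -> Tuple[Dict[Obj, List[int]], List[Obj]]:
    """Return (dangling references -> line numbers, sorted unused definitions)."""
    defined: Set[Obj] = set()
    referenced: Dict[Obj, List[int]] = {}
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        for rx, kind in DEFINITIONS:          # definitions are tried first so that
            m = rx.match(line)                # "rserver host X" is never read as a ref
            if m:
                defined.add((kind, m.group(1)))
                break
        else:
            for rx, kind in REFERENCES:
                m = rx.match(line)
                if m:
                    referenced.setdefault((kind, m.group(1)), []).append(lineno)
                    break
    dangling = {obj: lines for obj, lines in referenced.items()
                if obj not in defined and obj not in BUILTIN}
    unused = sorted(defined - set(referenced))
    return dangling, unused


# Constructed excerpt of the end-to-end config with the misspelled service name.
SAMPLE_CONFIG = """\
probe https HTTPS
rserver host Cas_sync1
rserver host Cas_sync2
serverfarm host ActiveSync
  probe HTTPS
  rserver Cas_sync1 443
  rserver Cas_sync2 443
sticky http-header Authorization Auth_Stick
  serverfarm ActiveSync
ssl-proxy service Active_Sync_SSL
ssl-proxy service SSL_PSRVICE_CLIENT
class-map match-all ActiveSync
  2 match virtual-address 2.2.2.10 tcp eq https
class-map type http loadbalance match-any l7Async
  2 match http url /microsoft-server-activesync
policy-map type loadbalance first-match ActiveSync-l7slb
  class l7Async
    sticky-serverfarm Auth_Stick
    ssl-proxy client SSL_PSERVICE_CLIENT
  class class-default
    serverfarm ActiveSync
    ssl-proxy client SSL_PSERVICE_CLIENT
policy-map multi-match EAS
  class ActiveSync
    loadbalance policy ActiveSync-l7slb
    ssl-proxy server Active_Sync_SSL
interface vlan 178
  service-policy input EAS
"""

if __name__ == "__main__":
    dangling, unused = check_references(SAMPLE_CONFIG)
    for (kind, name), lines in dangling.items():
        print(f"undefined {kind} '{name}' referenced on line(s) {lines}")
    for kind, name in unused:
        print(f"{kind} '{name}' is defined but never referenced")
```

Run against a full `show running-config`, the pair of findings (an undefined name referenced plus a near-identical name left unused) is the usual signature of a typo; a reference to a policy such as `mgt` that lives in another context or outside the excerpt shows up as dangling only, which is worth knowing before trusting the report.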
Exchange Setup
parameter-map type http Exchange-OWA
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 16384
  set content-maxparse-length 8192

sticky ip-netmask 255.255.255.255 address source ActiveSync
  timeout 7200
  replicate sticky
  serverfarm ActiveSync