Proxying RPC/HTTP using a Hardware LB

    General discussion

  • Hello,

We have a 4-node DAG. Each node is multi-role and all are sitting behind a HWLB (see picture). My mailbox is on MBX-CAS1, which has active DBs. I am using Outlook 2010 in online mode pointing to a VIP on the HWLB, which then proxies me to my mailbox server. I noticed that sometimes if I reboot MBX-CAS2 (the passive node, or any passive node in the DAG) my Outlook freezes for a few seconds, sometimes up to a minute, and then becomes responsive. I am assuming it's because the HWLB is pointing traffic randomly to MBX-CAS2. The questions I have are:

    1- What is the behavior I should see when we have no Session Affinity on the HWLB?

    2- What is the behavior I should see when we have Session Affinity on the HWLB?

    Tuesday, May 30, 2017 4:01 PM

All replies

  • Let's step back a second - how are your mailbox databases configured, WRT the RPCClientAccessServer setting? Is it pointing to the VIP, or to your individual servers?

    That being said, and assuming you point to the VIP, the HWLB can't determine if your Exchange server is available, so unless you drain the systems and ensure there are no connections going through it, the HWLB will hold the connection until your server won't ping.  Then, when your client first goes on to the next server, it will re-authenticate and determine where it "left off" before it gives you the reins again.  Something that can speed this is to use Kerberos for the HWLB namespace, and to do this, you need to follow the guidance in the following:

    Will Martin ...
    -join ('77696c6c406d617274696e2d66616d696c6965732e6f7267' -split '(?<=\G.{2})' | ? { $_ } | % { [char][int]"0x$_" })

    Tuesday, May 30, 2017 4:41 PM
We are using a VIP mapped to a namespace: Outlook client ---> outlook.domain.local (namespace in the Outlook Anywhere setting) ---> VIP (HWLB) ---> random MBX/CAS servers in the DAG. Did I mention these are Exchange 2013 servers? So RPCClientAccessServer should not really be a factor here unless I am missing something. I guess my questions still stand though: what happens with and without session affinity on the HWLB?
    • Edited by Mike Logan Tuesday, May 30, 2017 5:06 PM
    Tuesday, May 30, 2017 4:52 PM
Ex2013 doesn't need session affinity. Is your load balancer checking the healthtest.htm web page for the service? If it is, it should catch the server going offline and immediately move the connected clients to other systems. I take it that your certificates on your Exchange servers are internally signed, since no externally trusted certificate will allow you to have a .local namespace. Is this certificate also installed on your HWLB appliance?

    And the RPCClientAccessServer setting is still used by Ex2013 for determining what system the clients connect to, unless you have forced OL Anywhere both internally and externally.

    Will Martin ...

    Thursday, June 1, 2017 4:12 AM
I get that Ex2013 does not need affinity. What happens if the HWLB is configured with affinity? Does Exchange just ignore it? Our HWLB is checking the healthtest.htm, so based on what you are saying it should move the client onto the next CAS and start proxying, which is not happening. Do clients need to re-authenticate with the next CAS? Our cert is internally signed and it's not installed on the HWLB. Do we need to, even if we are not offloading SSL at the HWLB level?
    Thursday, June 1, 2017 8:21 PM
  • If the HWLB isn't inspecting traffic (and it appears from your explanation of your architecture that it isn't - otherwise, the clients wouldn't be able to connect in the first place), it won't need the internal certificate installed on it.

    Now, have you tested your HWLB to determine how long it takes it to determine that one of your servers isn't responding?

    Will Martin ...

    Tuesday, June 20, 2017 12:59 PM
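Added example, not code from the thread or from either poster: a few Exchange Management Shell checks covering the points raised above, namely what the databases and Outlook Anywhere publish as the connection point, how quickly each server's per-protocol health page answers (the timing Will asks about), and how to drain a passive node before a planned reboot so the HWLB pulls it from the pool before a client is proxied to it. Exchange 2013 publishes the probe page as /<vhost>/healthcheck.htm (the thread spells it healthtest.htm). The server names MBX-CAS1..4, the vhost list, the 5-second timeout and the assumption that the HWLB passes TLS through untouched are mine.

```powershell
# Added example, not from the thread. Run in the Exchange 2013 Management Shell
# (Windows PowerShell 5.1). Server names, vhost list and timeout are assumptions.

# 1. What do the databases and Outlook Anywhere publish as the connection point?
#    The Outlook Anywhere hostnames should all be the namespace that resolves to the VIP.
Get-MailboxDatabase | Format-Table Name, Server, RpcClientAccessServer -AutoSize
Get-OutlookAnywhere | Format-Table Server, InternalHostname, ExternalHostname -AutoSize

# 2. Probe each server's per-protocol health page directly (by server name, not via
#    the VIP) and time it. This is what the HWLB monitor should be doing: anything
#    other than HTTP 200 inside the timeout means the node must leave the pool.
function Test-ExchangeHealthPages {
    param(
        [string[]]$Servers,
        [string[]]$VHosts = @('rpc','mapi','owa','ecp','ews','autodiscover','oab','Microsoft-Server-ActiveSync'),
        [int]$TimeoutSec = 5   # keep at or below the HWLB probe interval
    )
    # The internal cert carries the namespace, not the server name, so a direct
    # probe fails name validation. Skip validation for this session only.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }

    foreach ($s in $Servers) {
        foreach ($v in $VHosts) {
            $url = "https://$s/$v/healthcheck.htm"
            $sw  = [System.Diagnostics.Stopwatch]::StartNew()
            try {
                $resp   = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec $TimeoutSec
                $status = [int]$resp.StatusCode
            } catch {
                # 4xx/5xx arrive as an exception that still carries a response; timeouts carry none
                $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { -1 }
            }
            $sw.Stop()
            [pscustomobject]@{
                Server  = $s
                VHost   = $v
                Status  = $status      # -1 = no answer within the timeout
                Ms      = $sw.ElapsedMilliseconds
                Healthy = ($status -eq 200)
            }
        }
    }
}

$servers = 'MBX-CAS1','MBX-CAS2','MBX-CAS3','MBX-CAS4'   # assumed names
Test-ExchangeHealthPages -Servers $servers | Format-Table -AutoSize

# 3. Planned reboot of a passive node: drain it first so its health pages stop
#    returning 200 and the HWLB removes it before any client is sent there.
$node = 'MBX-CAS2'
Set-ServerComponentState -Identity $node -Component ServerWideOffline -State Inactive -Requester Maintenance
# Confirm the probes now fail before rebooting; the HWLB should observe the same.
Test-ExchangeHealthPages -Servers $node | Where-Object { $_.Healthy } | Format-Table -AutoSize   # expect no rows
# Restart-Computer -ComputerName $node
# After the reboot, return it to service:
# Set-ServerComponentState -Identity $node -Component ServerWideOffline -State Active -Requester Maintenance
```

Step 3 is only the client-protocol half of the documented Exchange 2013 maintenance-mode procedure; the full procedure also drains transport queues and moves any active database copies, which does not apply to a node that is already passive. The Ms column from step 2 is the number to compare against the HWLB's probe interval and failure threshold: if a node hangs rather than refuses, the pool will not drop it until the probe times out and the threshold is reached, which is the "few seconds to a minute" the original poster sees.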