Exchange 2016 NetScaler VPX 100 Load Balancing

Started by Brian Mooney, 12 April 2017 - 03:04 AM
7 replies to this topic

Brian Mooney Members

  • 14 posts

Posted 12 April 2017 - 03:04 AM

I am having issues with load balancing Exchange 2016 with our Citrix NetScaler VPX 1000. Both are in an HA pair. I am running the latest NS11.1 51.26.nc NS firmware. There are 2 NS in an HA pair. I have followed the precise instructions from the URLs below. Currently using RR DNS in production, which is not recommended, and hence I need to get this working.

 

I am successfully seeing LB use for OWA, which is great. When I refresh OWA I see the change from 00 to 01 occurring. But I can't get the RPC portion working. I need to set up my Outlook 2016 client to connect to the VIP. To test this I have used a host file and pointed the VIP to email.companyname.com and autodiscover.companyname.com.

 

http://www.vikash.nl/load-balancing-microsoft-exchange-2016-citrix-netscaler/

 

https://www.citrix.com/content/dam/citrix/en_us/documents/guide/deploying-netscaler-with-microsoft-exchange-2016.pdf

 



Jens Ostkamp Members

  • 34 posts

Posted 13 April 2017 - 09:58 AM

I'd strongly suggest writing your CSW policies like this:

http.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).CONTAINS("hostname.domain.com") && http.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/rpc")

 

Further - what exact issue are you facing? Client just doesn't connect? Any error messages? Do you have any pre-authentication methods enabled? NetScaler doesn't support the "Modern Authentication (ADAL)" mechanism invented by Microsoft with Outlook 2016 yet.

What does the Microsoft Connection Analyzer say when you try to run a test?

Is RR DNS unavoidable?


Jenna Egly Members

  • 23 posts

Posted 17 April 2017 - 04:35 PM

I agree. Try to use the ignore case in your policies but I'm not sure if rpc traffic will use the 443 content switch.

 

In my setup, I have all exchange services going to a 443/SSL content switch. I also have a separate LB vserver using the same IP as the content switch but configured for TCP/* for rpc. I don't believe this traffic is initiated on 443.


Jens Ostkamp Members

  • 34 posts

Posted 18 April 2017 - 12:36 PM

In my cases working with this kind of expression(s), all the virtual directories specified in the CSW policies are functional.

Do you have any sources why RPC traffic isn't initiated via 443?


Brian Mooney Members

  • 14 posts

Posted 18 April 2017 - 05:02 PM

Thank you all for replying to this thread. I am reviewing the ideas and possible solutions. Once I have more information I will kindly post my results! I am working with Sr. NetScaler engineers @ Citrix hoping to get this resolved. I keep sharing the information being provided here.



Jenna Egly Members

  • 23 posts

Posted 19 April 2017 - 01:22 PM

I believe Exchange must be configured to use RPC over HTTP. I haven't looked into this as we are not using OA and only load balancing inside the network.



Jens Ostkamp Members

  • 34 posts

Posted 19 April 2017 - 03:08 PM

Can't confirm this for my setup(s). We are using content switch, load balancing and AAA pre-auth over SSL/443 without any problems. What version of Exchange and NetScaler are you using, Jenna?



Kai Thorsrud Members

  • 29 posts

Posted 19 April 2017 - 09:10 PM

Hey,

Exchange 2016 no longer relies on RPC. You might need to change your RPC rule to match on MAPI instead of RPC. Your Exchange admin might not be providing RPC.
The RPC is only used as a MAPI proxy. In 2016 (and 2013 SP1) they made MAPI over HTTP available as an option to "MAPI over RPC over HTTP".
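
Added example, not part of any post in this thread and not NetScaler code: a small Python model of the rule form quoted above (host CONTAINS plus URL STARTSWITH, with or without IGNORECASE), run over constructed client requests to show which ones a rule set with only an /rpc rule leaves unmatched. The policy names, the mbx01 server name and the byte-exact behaviour without IGNORECASE are assumptions of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CswRule:
    name: str                 # hypothetical policy name
    host: str                 # argument of HOSTNAME.CONTAINS(...)
    prefix: str               # argument of URL.STARTSWITH(...)
    ignore_case: bool = True  # models SET_TEXT_MODE(IGNORECASE)

    def matches(self, host: str, url: str) -> bool:
        want_host, want_prefix = self.host, self.prefix
        if self.ignore_case:
            host, url = host.lower(), url.lower()
            want_host, want_prefix = want_host.lower(), want_prefix.lower()
        # Assumption: without IGNORECASE the comparison is byte-exact.
        return want_host in host and url.startswith(want_prefix)

def route(rules, host, url):
    """Name of the first matching rule, or None when nothing matches."""
    return next((r.name for r in rules if r.matches(host, url)), None)

def unmatched(rules, requests):
    """Requests that no rule claims, i.e. that fall through to the default."""
    return [(h, u) for h, u in requests if route(rules, h, u) is None]

HOST = "email.companyname.com"          # names from the original post
AUTOD = "autodiscover.companyname.com"
RPC_ONLY = [
    CswRule("csw_owa", HOST, "/owa"),
    CswRule("csw_autodiscover", AUTOD, "/autodiscover"),
    CswRule("csw_rpc", HOST, "/rpc"),
]
WITH_MAPI = RPC_ONLY + [CswRule("csw_mapi", HOST, "/mapi")]

# Constructed sample requests (host, URL); the server names are made up.
REQUESTS = [
    (HOST, "/owa/"),
    (AUTOD, "/Autodiscover/Autodiscover.xml"),
    (HOST, "/rpc/rpcproxy.dll?mbx01.companyname.com:6001"),  # Outlook Anywhere
    (HOST, "/RPC/rpcproxy.dll?mbx01.companyname.com:6001"),  # same, other case
    (HOST, "/mapi/emsmdb/?MailboxId=constructed-id@companyname.com"),  # MAPI/HTTP
]

if __name__ == "__main__":
    for label, rules in (("rpc only", RPC_ONLY), ("with mapi", WITH_MAPI)):
        print(label, "-> unmatched:", unmatched(rules, REQUESTS))
```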

