
Exchange 2010 load balancing without SSL offload

Started by JASON POYNER, 04 April 2012 - 05:38 AM
9 replies to this topic

JASON POYNER Members

JASON POYNER
  • 157 posts

Posted 04 April 2012 - 05:38 AM

I am looking to configure Exchange OWA, OA & EAS load balancing without SSL offload, so am planning on using SSL Bridge. Can anyone confirm this will work ok?
Do we need to create a separate vServer for each type of Exchange traffic, or is a single vServer ok? From reading the Citrix NetScaler Deployment Guide for Microsoft Exchange 2010 it seems different persistence methods are required, therefore separate vServers would be required.

And do we use Context Switching to determine which vServer traffic should go to? For example:
mail.xyz.com/owa - redirect to OWA vServer
mail.xyz.com/eas - redirect to ActiveSync vServer
etc

Any help is appreciated.

Thanks,
Jason



Christopher Gray Members

Christopher Gray
  • 409 posts

Posted 04 April 2012 - 05:41 AM

Yes you can load balance using SSL Bridge, as long as you only want IP based persistence.

Take a look at this other recent thread on the same topic:

http://forums.citrix.com/thread.jspa?threadID=304735&tstart=0



Paul Blitz Members

Paul Blitz
  • 3,911 posts

Posted 04 April 2012 - 09:05 AM

Yes, it does, I have done this... takes only a few mins to set up!



JASON POYNER Members

JASON POYNER
  • 157 posts

Posted 04 April 2012 - 12:39 PM

Christopher, so I cannot use cookieinsert & rule based persistence methods with SSL Bridge, only IP based? If so, what impact does this have on load balancing Exchange? I assume the persistence methods specified in Citrix NetScaler Deployment Guide for Microsoft Exchange 2010 are there for a good reason.

Paul, you say you have done this, do you mean using SSL Bridge? Can I get more details from you?

Thanks,
Jason



Terry Anderson Members

Terry Anderson
  • 1,522 posts

Posted 04 April 2012 - 12:44 PM

The challenge with using SSL Bridge is that the NetScaler is not decrypting the SSL data, so it cannot make intelligent decisions like content switching, persistence, etc. based on the data in the URLs/Headers/Cookies/Etc. The packets are just passed through the NetScaler in encrypted format. The only thing the NetScaler would know about is IP/network level stuff.
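
The visibility limit described in the post above, as an added example that is not part of the original thread and is not NetScaler code: a small Python model of what a balancer can key on in bridge mode versus after terminating TLS. The backend names, vServer names and the `LB` cookie are hypothetical, the `/owa` and `/eas` prefixes are the ones from the question, and a real ADC encodes its persistence cookie rather than storing the backend name in it.

```python
from itertools import cycle

BACKENDS = ["cas1", "cas2"]                          # constructed CAS server names
CS_RULES = [("/owa", "vs_owa"), ("/eas", "vs_eas")]  # path prefixes from the question

def request_info(payload: bytes):
    """Return (path, LB cookie value) if payload is readable HTTP, else None."""
    try:
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii").split("\r\n")
        method, path, version = head[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if not version.startswith("HTTP/"):
        return None
    cookie = next((h.split("LB=", 1)[1] for h in head[1:]
                   if h.lower().startswith("cookie:") and "LB=" in h), None)
    return path, cookie

class Balancer:
    def __init__(self):
        self._rr = cycle(BACKENDS)
        self.by_ip = {}                              # source-IP persistence table

    def bridge(self, src_ip: str, payload: bytes):
        """SSL Bridge: ciphertext is forwarded as-is, so only src_ip is usable."""
        if src_ip not in self.by_ip:
            self.by_ip[src_ip] = next(self._rr)
        return "vs_bridge", self.by_ip[src_ip]

    def terminated(self, src_ip: str, payload: bytes):
        """TLS ended on the ADC: the path picks the vServer, the cookie pins the backend."""
        info = request_info(payload)
        if info is None:
            raise ValueError("payload is not readable HTTP")
        path, cookie = info
        vserver = next((vs for prefix, vs in CS_RULES if path.startswith(prefix)),
                       "vs_default")
        # Only accept a cookie that names a known backend; otherwise assign one.
        backend = cookie if cookie in BACKENDS else next(self._rr)
        return vserver, backend                      # backend is also the cookie to set

# Constructed inputs: one TLS application-data record and two plaintext requests.
TLS_RECORD = b"\x17\x03\x03\x00\x40" + bytes(range(0x80, 0xC0))
OWA_REQ = b"GET /owa/ HTTP/1.1\r\nHost: mail.xyz.com\r\n\r\n"
EAS_REQ = b"POST /eas HTTP/1.1\r\nHost: mail.xyz.com\r\nCookie: LB=cas2\r\n\r\n"
```

In bridge mode every client behind one source address lands on the same backend and no per-URL vServer can be chosen; once TLS is terminated, the same two requests can be split by path and pinned by cookie.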



JASON POYNER Members

JASON POYNER
  • 157 posts

Posted 04 April 2012 - 08:02 PM

Thanks Terry, yes I did wonder about that.

So if we go down the SSL Bridge path the only option is to use IP source persistence. Does this work correctly with OWA, OA, EAS & RPC Client Access?

Alternatively we enable SSL offload and use Content Switching to direct the traffic to the appropriate vServer based on URL, then each vServer can be configured with the correct persistence method?



Natanael Mignon Members

Natanael Mignon
  • 192 posts

Posted 04 April 2012 - 08:44 PM

You should really reconsider whether you really have to use SSL Bridge. If you have military, banking or other high security standards to fulfill, you may have to, but you will lose a lot of intelligence then.

You may want to use frontend SSL and backend SSL, this allows for all intelligent functionality on the ADC and still encrypts any traffic outside the box.

If you stick with SSL Bridge, it will work for your services, just enable Source IP Persistence for the persistence group (if using individual vservers). But I recommend not to go this way without explicit requirements.



JASON POYNER Members

JASON POYNER
  • 157 posts

Posted 04 April 2012 - 09:03 PM

Any problem running SSL offload on a NetScaler VPX with approx 1000 mailboxes? I do not believe OWA, OA or EAS are heavily used.



Natanael Mignon Members

Natanael Mignon
  • 192 posts

Posted 05 April 2012 - 05:31 AM

Well, the mailbox count is not that relevant, but the actual usage. What's the available bandwidth (public uplink) and how many resources does your host provide to the VPX? In general the answer would be: no problem. Keep an eye on the load and maybe add resources, but NetScaler is very efficient in handling SSL even without the accelerator chips.



Assad Baig Members

Assad Baig
  • 14 posts

Posted 15 October 2012 - 10:22 AM

Jason, I am curious how you managed to set up your NetScaler. I am trying to do the same but with SSL offloading. I think I will do content switching!!!