
Create custom SMTP Monitor to check Exchange ServerComponentState


Julian Jakob


Ok this is a tough one, where are my monitor gurus?


The built-in SMTP monitor is checking TCP 25 + nssmtp.pl Script is asking for a SMTP connection - all good. When Exchange Admins are doing maintenance on a DAG, they are using the StartDAGMaintenance Scripts (https://www.alitajran.com/put-exchange-server-in-maintenance-mode), the Server is getting into Maintenance Mode, the HubTransport is set to Inactive (Exchange Shell Get-ServerComponentState EX01 | Format-Table Component, State) and will redirect all SMTP Traffic to the other DAG Member.

 

SMTP is available because of the redirect method, so SMTP Monitor at my ADC says all is fine...

 

I know it's kind of a blemish, but I would like my SMTP Service Group to go partial-up so the LB is routing all SMTP traffic to the other DAG member directly. I don't want to disable the server manually. Any ideas for creating a custom monitor to check the Exchange ServerComponentState HubTransport? For example, if there is an "Inactive" in the response -> DOWN, if there is an "Active" -> UP

 

I've found an old thread https://discussions.citrix.com/topic/370060-modify-perl-script-for-smtp-monitor/ with the idea to ask for the "Microsoft ESMTP MAIL service ready" header, but what I see is, also if the Microsoft Exchange Transport Service is down, the telnet via Port 25 is working without problems?! That makes absolutely no sense in my eyes...

 

Thanks for your ideas

Best Regards

Julian


The custom script in the thread you reference is supposed to be doing two things:

1) if (1) port connects, then if (2) "MAIL Service ready" found, return success 0. Else (2), return failure due to "ready" not found.

     else (1), fail because port connect failed.  << this is handled by the connect OR return 1 statement (any return non-zero is failure state)

 

But again, I'm not in a position to test it (but that is what the code looks like it is doing)

 

But if this monitor does work and you want a duplicate to look for the "Inactive" string.

Then create a second monitor with a REVERSE flag enabled to down the service when this monitor succeeds.

Or you could try a regular TCP-ECV monitor (test to see if this would work).

 

With the REVERSE flag enabled on the new monitor (in addition to your regular SMTP monitor).

See if the monitor can retrieve the "inactive" in the response (since active would overlap). 

if monitor succeeds, service is down (with reverse flag)

If monitor fails, service is up (assuming the other monitor is succeeding too)

 

I'm just not in a position to test what the TCP-ecv send string would need to look like for this test.

 

Hopefully someone else can give you a more concrete answer if neither of these suggestions help.


  • 9 months later...
On 8/20/2020 at 5:00 PM, Julian Jakob said:


Did you ever solve this? We are facing the same issue. Curious if/how you solved it. 


  • 2 months later...

Hi Julian,
I had the same problem and I think I found an acceptable solution for this.

 

Since I have only basic programming knowledge it was important to me to extend the 'nssmtp.pl' script only by the really necessary code parts. So it is possible to compare and customize the script even after Citrix maybe changed it.

 

1. Which SMTP Ports can you monitor with this Script?
-> Every SMTP Port without authentication (Port 25: Yes, Port 587: No)

 

2. Can I monitor a SMTP Port with authentication Type "LOGIN"?
-> Yes. I tested this and it worked. But it didn't work with the "smtp->auth()" method.

 

Specify Username and Password variable (Line 49/50):
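    use MIME::Base64;   # provides encode_base64(); skip if the script already loads it
    # base64 is an encoding, not encryption: anyone who can read this file can recover the credentials
    my $user = encode_base64('USERNAME');
    my $passwd = encode_base64('PASSWORD');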

 

Put this above the lines "## Connection established, checking if SMTP Service is online and if it is possible to send an e-mail" (Two times; IPv4 and IPv6)
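    # AUTH LOGIN: the server prompts for the username, then the password, each base64-encoded
    $smtp->datasend("AUTH LOGIN\n") or die 'auth login';
    $smtp->response();

    # encode_base64() already appended the newline that ends each line
    $smtp->datasend($user) or die 'username';
    $smtp->response();

    $smtp->datasend($passwd) or die 'password';
    $smtp->response();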

 

This part is inspired by user Beat from https://forum.selfhtml.org/self/2009/sep/6/perl-net-smtp-auth-login-verfahren/1391423


3. Can I monitor a SMTP Port with authentication Type "PLAIN"?
-> I think it should work, but I didn't test it. Try this:

 

Specify Username and Password variable (Line 49/50):
    my $user = 'USERNAME';
    my $passwd = 'PASSWORD';

 

Put this above the lines "## Connection established, checking if SMTP Service is online and if it is possible to send an e-mail" (Two times; IPv4 and IPv6)
    $smtp->auth($user,$passwd);

If this doesn't work, try the solution which is presented above.


4. Can I monitor a SMTP Port with authentication type "NTLM"?
-> Maybe. My programming knowledge is not good enough to achieve this :)

 


Back to my script. The script can be used with IPv4 and IPv6. It tries to connect to the SMTP Server and Port like the original "nssmtp.pl" Script. With this part it is only possible to check if the Exchange FrontendTransportService is available or not. If the service is up, the Script will send back a return code 0. If the service is down, the Script will send back a return code 1 with the error message "Failure - Unable to connect to server - Operation times out". But if you put your Exchange Server in Maintenance mode and the FrontendTransportService is not stopped, the original "nssmtp.pl" Script won't return with a return code 1. That's bad.

 

After this, the script begins to build an e-mail on the backend server. This part is ONLY possible when the backend service is not in maintenance and the FrontendTransportService is online. So it will solve your problem with DAG! If the Backend server is not in Maintenance mode and the FrontendTransportService is running, the Script will send back a return code 0. If the Backend server is in Maintenance mode, the Script will send back a return code 1 with the error message "Failure - Unable to connect to server - 4.3.2 Service not active"

The error messages are also shown at the ADC GUI or CLI.

 


a) How can you implement it?

1. Download "nssmtpExchange.txt" and rename it to "nssmtpExchange.pl"
2. Change the hello address in "nssmtpExchange.pl"
3. Copy "nssmtpExchange.pl" to this directory: /nsconfig/monitors/
4. In an HA setup this script will be copied automatically to your secondary appliance
5. Set Permission to the script. I used the parent permissions of this directory (rwxr-xr-x (0755 Octal))

 

b) How can you test it from CLI?
1. Connect to your shell and run the script against your Backendserver + Port
2. /netscaler/monitors/nsumon-debug.pl /nsconfig/monitors/nssmtpExchange.pl <IP> <Port> <Timeout> "" no

 

Output Successful:
/nsconfig/monitors/nssmtpExchange.pl syntax OK
0

 

Output Failed (Server in Maintenance):
/nsconfig/monitors/nssmtpExchange.pl syntax OK
1,Unable to connect to server - 4.3.2 Service not active


c) How can you build the monitor?
1. Create Monitor with Type 'USER'
2. Select Script Name "nssmtpExchange.pl"
3. Create

 

d) Monitor Responses in GUI:

1. Probe successful

Probesuccess.png

 

2. FrontendTransportService down

FrontendTransportServicestopped.png

 

3. Backendserver in Maintenance

ServerInMaintenance.png


I hope it helps you too. Since we only use GSSAPI and NTLM authentication, we only can monitor the unauthenticated ports. My programming skills are not good enough for this. But if you only need LOGIN, I think you can handle it. We created the monitor for port 25 twice, but assigned the Destination Port 25 to one of them. This monitor is bound to the SMTP service with port 587. This solution is also better than the original script. If the backend server is in maintenance, both ports are not available, so both services are going down.

 

Feel free to update and customize this script. I would be happy if someone can do it with NTLM authentication!

 

Best regards,
Jens

 

nssmtpExchange.txt
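
The two-stage check described in the post above (connect, then start a mail envelope and treat any refusal as DOWN), as an added stand-alone sketch; it is not the attached nssmtpExchange.pl and not Citrix code. The sub name, the RCPT step and the three addresses are assumptions for illustration, and the script is run by hand from a shell rather than wired into the ADC's USER monitor framework.

```perl
#!/usr/bin/perl
# Added example: stand-alone SMTP envelope probe, not the attached script.
use strict;
use warnings;
use Net::SMTP;

# Hypothetical placeholders: use a HELO name, sender and recipient that your
# receive connector accepts, otherwise a healthy server is reported as down.
my $HELO = 'adc-monitor.example.com';
my $FROM = 'monitor@example.com';
my $RCPT = 'healthcheck@example.com';

# Returns (0) if the server accepts an envelope, or (1, "reason") if not.
sub exchange_smtp_probe {
    my ($ip, $port, $timeout) = @_;

    # Stage 1: TCP connect, banner and EHLO/HELO. new() returns undef on
    # failure; recent libnet releases put the reason (timeout, or the
    # server's refusal text) in $@.
    my $smtp = Net::SMTP->new($ip, Port => $port, Timeout => $timeout,
                              Hello => $HELO)
        or return (1, 'Unable to connect to server - ' . ($@ // 'no reason given'));

    # Stage 2: open an envelope. A listener that still answers on the port
    # but whose transport is not accepting mail refuses one of these steps.
    for my $step ([mail => $FROM], [to => $RCPT]) {
        my ($cmd, $arg) = @$step;
        next if $smtp->$cmd($arg);

        # Capture the reply before QUIT overwrites it.
        my $reply = $smtp->code . ' ' . $smtp->message;
        $reply =~ s/\s+/ /g;
        $reply =~ s/\s+$//;
        $smtp->quit;
        return (1, "Server refused \U$cmd\E - $reply");
    }

    $smtp->reset;   # RSET: drop the envelope, so no message is ever sent
    $smtp->quit;
    return (0);
}

die "usage: $0 <IP> <Port> [Timeout]\n" unless @ARGV >= 2;
my @result = exchange_smtp_probe($ARGV[0], $ARGV[1], $ARGV[2] // 10);
print join(',', @result), "\n";   # same "0" / "1,message" shape as above
exit $result[0];
```

Because the probe stops at RSET, it never reaches DATA and leaves no test messages in any mailbox or queue.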
