NetScaler VPX and Exchange 2010

From the title you can guess that we have Exchange 2010 (SP1 CU6 - with Hotfix for EVault) and we are using NetScaler VPX to load balance the services. 

I used the excellent document from Citrix to configure the NetScalers (we have two in active/active - sort of using VMACs to split the traffic RPC to one, HTTP(S) and SMTP to the other).

However, I found a document from Microsoft which points out that there is a "significant performance penalty" if we configure incorrect persistence for EAS. The Microsoft document is here:

http://technet.microsoft.com/en-us/library/ff625248.aspx

This put us in a pickle and no mistake. 

This is because in a NetScaler persistence is per vServer. 

We have one vServer for HTTPS as we have one IP address for all HTTP traffic. 

This vServer would then deal with all HTTPS traffic, including OWA, ECP, EWS, RPC over HTTPS and EAS. OWA requires cookie-based persistence, which is also the method the Citrix document recommends. From the Microsoft article we found that EAS requires a RULE-based persistence method.

We solved this by adding to the HTTPS vServer a responder policy for the URL path "/Microsoft-Server-ActiveSync". This redirects to a different vServer (on a different port - I guess you could use a different IP), which is set up for RULE-based persistence.

*phew*

I am not sure if all this jiggling around is truly necessary; however, I can see that clients (iPads, iPhones etc.) are connecting through the responder just fine.

For those who want to know how to do this here's how I did it.

1. Create a new HTTP vServer or copy your current OWA one and change the port or IP.
2. Set the persistence to RULE
3. Create a Responder Action to redirect to your new vServer (check my port change from 443 to 445)
4. Create a Responder Policy using the new action and responding to requests with "Microsoft-Server-ActiveSync" in the URL
5. Add the Responder Policy to your HTTP vServer
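
The five steps above written as NetScaler CLI commands, added here as an illustration and not taken from the original post or from the Citrix document. The vServer, service and certificate names, the address 192.0.2.10, the host mail.example.com and the Authorization-header persistence rule are all assumptions.

```netscaler
# Added example. Every object name, the VIP and the hostname are placeholders.
enable ns feature LB SSL RESPONDER

# Steps 1-2: a dedicated EAS vServer on the alternate port with RULE persistence.
# The Authorization-header rule is an assumption; use the rule the Microsoft
# article calls for. svc_cas1_https / svc_cas2_https are assumed to be the
# existing services already bound to the OWA vServer.
add lb vserver vs_exch_eas SSL 192.0.2.10 445 -persistenceType RULE -rule "HTTP.REQ.HEADER(\"Authorization\")"
bind lb vserver vs_exch_eas svc_cas1_https
bind lb vserver vs_exch_eas svc_cas2_https
bind ssl vserver vs_exch_eas -certkeyName ck_mail_example

# Step 3: the redirect action. The hostname is hard-coded instead of being
# copied from the client's Host header, so a forged Host value cannot end up
# in the Location header. Path and query string are carried over unchanged.
add responder action act_eas_redirect redirect "\"https://mail.example.com:445\" + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE"

# Step 4: the policy. Matching on the lower-cased path means the query string
# that EAS clients append to the URL does not affect the match.
add responder policy pol_eas_redirect "HTTP.REQ.URL.PATH.TO_LOWER.STARTSWITH(\"/microsoft-server-activesync\")" act_eas_redirect

# Step 5: bind the policy to the existing HTTPS vServer (assumed name).
bind lb vserver vs_exch_https -policyName pol_eas_redirect -priority 100 -gotoPriorityExpression END -type REQUEST

# Verify: the policy hit counter and the EAS vServer statistics should both
# increase when a device syncs.
show responder policy pol_eas_redirect
stat lb vserver vs_exch_eas
```

Port 445 follows the post; it is also the SMB port, which many networks filter, so confirm that mobile clients can actually reach it.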


Comments

  1. Are you publishing EVault cache folders via OWA, through your Netscaler? I can't figure out how to do that.

  2. I'm not really sure what you mean by cache folders. Our users are able to see archived content using OWA which is published by our NetScalers.

    However I assume you are doing something far more complicated than that.

    I will chat to my eVault guy and come back to you.

    Thanks for posting a comment!

  3. On step "5. Add the Responder Policy to your HTTP vServer" you mean "HTTPS vServer", right???

    Great Post!!!
  4. Did you validate this configuration? I configured our netscaler following this post but when I monitor the number of hits of the EAS vserver I don't see that the number increases when I send emails to an iPhone.
    I've been troubleshooting this but it seems that the iPhone is not redirected to the EAS vserver. If I go manually it does though.

    Any ideas???

    Thanks

    Replies
    1. Instead I see the hits of my regular SSL vserver increase each time...

    2. OK, I think I got it. In order for this to work, instead of HTTP.REQ.URL.ENDSWITH("/Microsoft-Server-ActiveSync") I used HTTP.REQ.URL.PATH.TO_LOWER.STARTSWITH("/microsoft-server-activesync") and now I am getting redirected. Now the problem is that the phone does not "like" that redirection...

    3. At the end I used Content Switching...
      http://blogs.dirteam.com/blogs/davestork/archive/2012/12/21/loadbalancing-exchange-2010-with-citrix-netscaler-using-content-switching.aspx

    4. Sorry. I've been AFK for a while getting settled into my new role.

      Yes we validated the process and things worked fine for us.

      Glad you found something that worked for you!

    5. Allen, thanks for the reply! Now I'm working on load balancing the SMTP service. I have no problems with the straight SMTP, but when I add SSL (using SSL_TCP) or TLS to the mix it doesn't work. Have you tried this before??? Any ideas about this??? I'm new to the netscaler so any information is greatly appreciated. Thanks

  5. David,

    Hmmm we only worried about SMTP not the SSL-ed

    I will have a look @ my lab here and see. What version of NetScaler are you using?

