Forum Discussion

Joel_Moses
Sep 30, 2010

Exchange 2010 CAS Array advice

I posted something a bit ago for those of you deploying Exchange 2010 CAS arrays and wanting to support RPC MAPI through the load balancer. Used in combination with the F5 Exchange 2010 Deployment Guide, this has us working well. I hope someone finds it useful!

http://devcentral.f5.com/wiki/default.aspx/iRules/Exchange2010_SNATPool_Persist.html

I should point out that a similar approach to SNAT pool persistence also fixed some nagging issues with OpenText clients -- rolling SNAT IP addresses caused sessions to randomly invalidate.

Joel
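As an added illustration of the idea in Joel's post (this is not the iRule from the linked DevCentral wiki page, and it is not F5's code), the following iRule pins every connection from a given client IP to the same SNAT address by hashing the client address over a fixed list of translation addresses. The addresses in the list are constructed sample values, and the list itself is an assumption: the rule does not read the SNAT pool configuration, so the administrator has to keep it in step with the pool by hand.

```tcl
# Added example, not the original DevCentral iRule.
# Assumption: the SNAT pool members are enumerated here by hand; this rule
# does not query the virtual server's SNAT pool configuration.
when RULE_INIT {
    # Constructed sample translation addresses; replace with the real
    # SNAT pool members in the same order for every LTM in the pair.
    set static::snat_addrs [list 10.0.1.10 10.0.1.11 10.0.1.12]
}

when CLIENT_ACCEPTED {
    # Hash the client IP so that every connection from the same client
    # (Outlook opens several RPC connections) is translated to the same
    # SNAT address, instead of a rolling per-connection selection.
    set count [llength $static::snat_addrs]
    set idx [expr { [crc32 [IP::client_addr]] % $count }]
    set chosen [lindex $static::snat_addrs $idx]
    snat $chosen

    # Optional audit trail. Because the translation is chosen by the rule
    # rather than by the SNAT pool, these connections do not appear under
    # the SNAT translation statistics, so a log line is one way to see
    # which client landed on which address.
    log local0. "client [IP::client_addr] -> snat $chosen"
}
```

Two caveats worth keeping in mind: a hash modulo the list length remaps many clients whenever an address is added to or removed from the list, so changes to the SNAT pool should be made during a maintenance window; and because the selection depends only on the client IP, clients behind a shared NAT all map to the same translation address and will concentrate their ephemeral port usage there.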

5 Replies

  • Hi Joel,

    That's a great example. Thanks for posting it.

    I think it would be useful if F5 could build in SNAT "persistence" options for SNAT pools to ensure the same client IP receives the same SNAT IP over separate connections. Maybe I'll open a request for enhancement.

    Are there any other applications or protocols that you know of which break when the source IP changes over time during a session? I think NTLM is another one.

    Aaron
  • Correct; NTLM will do this as well, although the behavior is masked because the server will just 401 again and repeat the authentication. It would lead to an increased number of 401s overall, though.

    Since running into this with RPC, as I mentioned, I've since discovered that it affects other applications -- including some web applications. OpenText was the first, but I've also seen it occur in a few SSO products as well. Essentially, anything that partially bases its session model on incoming IP address will suffer from this.

    I agree, this is absolutely something that should be an option on a SNAT pool and on an Automap; maybe even with a configurable persistence type like a regular pool, although it could easily be a "sticky" option checkbox.

    I'd also like to see an iRule function to list all possible SNAT addresses for the current virtual regardless of its configuration ("LB::snat list"?). For automap or single SNAT, it'd return a list of all possible automap SNAT IPs or the single SNAT IP. For a pool, it would return a list of all SNAT IPs, ordered the same way they're ordered in the GUI. It'd make it easier to write a rule that did manual SNAT ordering.

  • There's an existing CR for this behavior (SNAT persistence). I'll try and track it down and post it for people's reference.

    -Matt
  • I'm doing an Exchange 2010 F5 build between 2 sites, with an internal/external GTM, and internal/external LTM on each site.

    I have one CAS server per site listening on port 443, and one mailbox server per site. Actually, this Exchange 2010 F5 build is for users from another site.

    How should I go about designing this F5 build? Should I split the Exchange services between internal and external usage? For instance, Outlook and RPC could be an internal build, on an internal LTM/internal GTM (per site), whereas OWA and Autodiscover are externally accessed, and could be contained on a VIP in an external LTM/external GTM per site?

    Since the users will be accessing the servers from another site, do I need NATting for the internal VIPs on both LTMs, if I go with the above framework? As per the person who did the installation for Exchange 2010, all Exchange services, both internal and external, on the CAS servers are listening on the same port (port 443)?

    Not sure if all CAS services should be listening on the same port, but if they are listening on the same port, what's the best design option given this scenario? However, if the CAS services are listening on different port numbers, what's the best design option in this scenario to provide for a failover/replicated build on both sites?

    r_dynamo
  • BenT
    How do you track the realtime connections by SNAT pool member? I've recently applied a similar iRule, but the connections being SNATted by the iRule no longer show up under the SNAT translations statistics.