Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Set up reliable Exchange 2013 load balancing with open source tools

You can now use free third-party load-balancing options, including Linux offerings, thanks to improvements in Exchange.

Steve Goodman
Content and Code

Expensive load balancers are no longer required, thanks to Exchange 2013 improvements. Clients don't require affinity,...

so Layer 7 load balancers that inspect traffic and ensure the same client always goes back to the same server can be substituted with simple Layer 4 load balancers with simple configurations.

There are many reasons why an expensive load balancer might make sense for you, but you should also consider free Linux-based offerings. Most commercial load balancers are based on Linux, and some even use HAProxy, the free load balancer software we'll use, under the hood. Used by some of the largest websites in the world across many Exchange implementations, HAProxy is an open source load balancer that could fit the bit for your organizations.

sample Exchange Server setup
Figure 1

Setting up Exchange 2013 load balancing with a free option isn't complicated because it's easy to implement and doesn't require lots of maintenance to keep up and running. Commercial load balancers are great and come with good support, additional features and simple graphical user interfaces (GUIs), but a free option might meet your needs for Exchange 2013.

Let's look at an example environment. We'll keep everything relatively simple in our example environment, so we'll have a single site with two Exchange Servers. Each server is running both the Client Access Role and the Mailbox Role and participates in a single database availability group (Figure 1).

The benefit of simple Layer 4 load balancing might mean our load balancer configuration is simple, but it also means that we need to use fully qualified domain names (FQDNs) for each Web service, along with corresponding Exchange configuration for internal and external URLs.

Service            FQDN
Outlook Web App and SMTP mail.exchangelabs.co.uk
Exchange Admin Center eac.exchangelabs.co.uk
Exchange Web Services ews.exchangelabs.co.uk
Offline Address Book oab.exchangelabs.co.uk
Exchange ActiveSync eas.exchangelabs.co.uk
Autodiscover autodiscover.exchangelabs.co.uk
Outlook Anywhere oa.exchangelabs.co.uk

Layer 4 load balancing can't inspect the traffic passing through and therefore won't know if the client is requesting OWA, ActiveSync or something else. To ensure that we can perform per-service monitoring on the load balancer, we'll need to split up traffic by using different IP addresses, the result of which is separate names for each service.

Installing Linux to run Exchange 2013 load balancing

To run our load balancer, we'll need a basic Linux installation. If you haven't installed Linux before, it isn't particularly hard. If you're familiar with PowerShell, then you will adapt pretty easily.

The Linux distribution we'll use for this load balancer is Ubuntu 12.04 LTS. LTS stands for Long-Term Support, which means it will continue to receive updates long after newer versions of Ubuntu stop receiving updates. Ubuntu isn't necessarily better than any other Linux distribution, but we've chosen it because it includes HAProxy. That makes it easy to install and update.

Download Ubuntu Server 12.04 LTS from the Ubuntu website. We'll use that ISO to create a new virtual machine (Figure 2).

New Virtual Machine Wizard
Figure 2

The Hyper-V configuration dialogue shows that we don't need a lot of resources to run this load balancer; 1 GB RAM and a single virtual CPU will suffice for our small database availability group.

Ubuntu installation is straightforward. It's a virtual machine, so we know the hardware will be supported and we can choose the defaults for every stage of the installer; the only exceptions are when choosing your login user account and package selection. When prompted to install packages, choose OpenSSH to allow remote administration of the server. The server will reboot after the installation completes, and after the first boot, we're presented with the login prompt. We'll log in here to perform a couple of core tasks:

  1. Perform updates, the equivalent of installing Windows Updates on the server.
  2. Configure the IP addresses the server will use.

Log in with the user created during the setup process. This user allows us to elevate privileges to the administrator user (root) by prefixing commands with sudo (the equivalent of User Account Control) to make our changes. The program apt-get is used to install and update software, so we'll update the package list and then install updates using the following commands:

sudo apt-get update

sudo apt-get upgrade

After performing updates, assign static IP addresses to the server. We'll have a primary IP address and an additional IP address for each load-balanced service. The configuration for the network is contained in a text file, which we'll edit with a text editor, similar to Notepad, called Nano:

sudo nano -w /etc/network/interfaces

After opening the interfaces file, replace it with configuration information to match your network:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
        address 
  
   
        netmask 
   
    
        gateway 
    
     
# OWA and SMTP
auto eth0:0
iface eth0:0 inet static
        address 
     
      
        netmask 
      
       
# EAC
auto eth0:1
iface eth0:1 inet static
        address 
       
         netmask 
        
          # EWS auto eth0:2 iface eth0:2 inet static address 
         
           netmask 
          
            # OAB auto eth0:3 iface eth0:3 inet static address 
           
             netmask 
            
              # EAS auto eth0:4 iface eth0:4 inet static address 
             
               netmask 
              
                # Autodiscover auto eth0:5 iface eth0:5 inet static address 
               
                 netmask 
                
                  # OA auto eth0:6 iface eth0:6 inet static address 
                  
                  
 netmask 
                   
                   
 
                   network configuration  
                   
 Now you can view the changes you've made (Figure 3).

Using Ctrl-X, then restart the networking service using the following command:

sudo /etc/init.d/networking restart

Install and configure the load balancer

With our server set up, it's time to install the load-balancer software, HAProxy. We'll use the following command to install it:

sudo apt-get install haproxy

The HAProxy package will download and install. Because it was installed using the package manager, it'll also benefit from updates as and when they're applied. Just like the networking configuration, the load-balancer configuration -- HAProxy -- is contained within a simple text file. To complete our load-balancer configuration, we'll need to edit the configuration file for HAProxy and define a number of parameters:

  1. The definitions for each load-balanced service, such as OWA, and how they are monitored
  2. The IP addresses each load-balanced service is attached to
  3. The IP addresses of the back-end servers

We'll use our simple Nano text editor again to edit the configuration file:

sudo nano -w /etc/haproxy/haproxy.cfg

We'll also have to create definitions for each service, using the following configuration file as a reference:

global
        maxconn 4096
        user haproxy
        group haproxy
        daemon
defaults
        mode    tcp
        balance roundrobin
        retries 3
        option redispatch
        maxconn 10000
        contimeout      5000
        clitimeout      50000
        srvtimeout      50000

listen OWA 
  
   
:443
        option httpchk /owa/healthcheck.htm
        server <Server 1 Name> <Server one IP> check port 80
        server <Server 2 Name> <Server 2 IP> check port 80

listen EAC <EAC IP>:443
        option httpchk /eac/healthcheck.htm
        server <Server 1 Name> <Server 1 IP> check port 80
        server <Server 2 Name> <Server 2 IP> check port 80

listen EWS 
   
    :443
        option httpchk /ews/healthcheck.htm
        server <Server 1 Name> <Server one IP> check port 80
        server <Server 2 Name> <Server 2 IP> check port 80

listen OAB 
    
     :443
        option httpchk /oab/healthcheck.htm
        server <Server 1 Name> <Server one IP> check port 80
        server <Server 2 Name> <Server 2 IP> check port 80

listen EAS 
     
      :443
        option httpchk /Microsoft-Server-ActiveSync/healthcheck.htm
        server <Server 1 Name> <Server one IP> check port 80
        server <Server 2 Name> <Server 2 IP> check port 80

listen Autodiscover 
      
       :443
        option httpchk /Autodiscover/healthcheck.htm
        server <Server 1 Name> <Server one IP> check port 80
        server <Server 2 Name> <Server 2 IP> check port 80

listen OA 
       
        :443 option httpchk /rpc/healthcheck.htm server <Server 1 Name> <Server one IP> check port 80 server <Server 2 Name> <Server 2 IP> check port 80 listen SMTP 
        
         :25 option smtpchk server <Server 1 Name> <Server 1 IP> check port 25 server <Server 2 Name> <Server 2 IP> check port 25 listen stats 
         
          :8080 mode http stats enable stats uri /

Having problems with the Health Check URL?

If you haven't done so already, make sure to untick Require SSL for the OWA virtual directory on each Exchange Server. You'll need to do this because HAProxy must perform the health check over a standard HTTP connection.

creating definitions in a network
Figure 4

You can view the changes after you've made them (Figure 4).

Use Ctrl-X to save the configuration file and activate the configuration using the following commands:

update-rc.d haproxy enable
sudo /etc/init.d/haproxy restart

As with any load balancer, you'll need to direct traffic toward it for it to actually load-balance anything. For each service load-balanced, we'll update the DNS entries to match each corresponding service (Figure 5). 

update DNS entries
Figure 5

As we begin to test traffic with the load balancer, we'll want to verify that it's distributing the load correctly while we gain insight into how healthy the load balancer is. HAProxy includes statistics, which we've enabled in the configuration. To access the statistics, use the following URL: http:// :8080/stats. 

Lastly, we'll illustrate how simple the HAProxy-based load balancer is to manage and examine what we need to do when performing Exchange Server maintenance. In previous versions of Exchange, we would have used the GUI for a load balancer to disable all new traffic from reaching a server. In Exchange 2013 load balancing, we can simply use a command on Exchange to put the Client Access Role into maintenance:

Set-ServerComponentState <Server Name>  -Component ServerWideOffline -State Inactive -Requester Maintenance

As HAProxy is using the parts of Exchange to monitor services, it will automatically mark the server as Down while maintenance is performed.

When maintenance is finished, use this command to mark the server as Active again. HAProxy will pick this up and begin routing requests.

Set-ServerComponentState <Server Name> -Component
ServerWideOffline -State Active -Requester Maintenance

About the author:  Steve Goodman is an Exchange MVP and works as a technical architect for one of the U.K.'s leading Microsoft Gold partners, Phoenix IT Group. Goodman has worked in the IT industry for 14 years and has worked extensively with Microsoft Exchange since version 5.5.

This was last published in December 2013

Dig Deeper on Exchange Server setup and troubleshooting

Join the conversation

14 comments

Send me notifications when other members comment.

Register

Please create a username to comment.

This is indeed a great alternative to various levels of load balancers, but I also want to point out that for people looking for open source solutions, relayd, on OpenBSD, does offer for connectivity persistence. Solutions on BSD are often overlooked, unfortunately, but all the daemons reated to PF, such as OpenBSD, are often simpler than their Linux counterparts and with simpler syntax.

Nothing to go against the article, but an additional option to consider for people looking to get into those types of solutions.

http://www.openbsd.org/cgi-bin/man.cgi?query=relayd.conf&sektion=5&arch=&apropos=0&manpath=OpenBSD+Current
Cancel
Thanks for sharing this load balancing option for Exchange admins to look into, Sieggy. Do you use OpenBSD?
Cancel
Hi Seiggy,

As you'll no doubt be aware HAProxy is available for OpenBSD as well. As a former FreeBSD Sysadmin, I always want to feature BSD when I can, however support for BSD on mainstream virtualization platforms is limited, and most Windows Admins may need a push to try Linux.

Don't forget BSD is seldom overlooked as it forms a large part of Mac OS and iOS so BSD certainly gets it's share of real-world use.

Steve
Cancel
Hi,
I tried the configuration but when I tried it, I'm getting connection refused.
Cancel
Client Access servers to ensure that no one endpoint takes on a disproportional share of the load. Load balancing can also provide failover redundancy in case one or more endpoints fails ensure that your users continue to receive Exchange service in case of a computer failure. Load balancing also enables your deployment to handle more traffic than one server can process while offering a single host name for clients
Cancel
Excellent article Steve. Just wanted to a line in the haproxy.cfg file "option httpchk /owa/healthcheck.htm". When I include this in my config the stats page of HAProxy shows the CAS servers as "down" yet the health check url is resolvable from any server. Is there anything behind the scenes I'm missing - something to do with SSL or certificates that is stopping the loadbalancer accessing the page?
Cancel
I am having the exact same problem at MattP75 . Has anyone else run into this problem and have any ideas to solve it.
Cancel
Hi Matt and Rob! I asked Steve about this problem, and this is his response: "If you haven't already, make sure that you untick Require SSL for the OWA virtual directory on each Exchange Server. This is because HAProxy needs to perform the health check over a standard HTTP connection." I'll include a small sidebar in this article to help other readers who have this question. Thanks for commenting! -Toni
Cancel
Thank you for the reply. I turned ssl off and I can now see. 200 OK server1.domain.com on port 80. However haproxy still says down.
Cancel
I also forgot to mention that I believe you would need to uncheck ssl for every service, not just owa.
Cancel
For anyone who comes across this site. Change the httpchk command with this one. option httpchk GET /ecp/healthcheck.htm http-check expect status 200 That is TWO lines This works whereas the previous command in Steve's article does not.
Cancel
To clarify the first line is: httpchk GET /ecp/healthcheck.htm The second line is: http-check expect status 200
Cancel
What if OWA responds on 80, but there is an immediate redirection to 443 in IIS? Will the health check work? Thanks
Cancel
Or can it call the healthcheck.htm with port 443 instead of 80? My server returns nothing on port 80, but on 443 it returns the correct 200 OK response.
Cancel

-ADS BY GOOGLE

SearchServerVirtualization

SearchCloudComputing

SearchSQLServer

SearchEnterpriseDesktop

SearchVirtualDesktop

Close