Exchange 2016: Load balancing with F5 BigIP LTM 11.6 (iApp) Part 2

As already announced, the second part of this article series "Loadbalancing Exchange 2016 with F5 Big IP" deals with a few optimizations on the part of Exchange Server and Loadbalancer. The first part can be found here.

Mailboxes for the "Advanced Monitors"

LTM can check two mailboxes in the iApp. The user accounts should be set so that the passwords do not expire:

Furthermore, the mailboxes should be stored in different mailbox databases. The mailbox databases should normally be active on different mailbox servers.

The configuration within the iApp then looks something like this:

In order for the mailboxes to be checked, the authentication for OWA must be changed to "User name only":

However, I have not noticed any problems when the Authentication with the UPN instead of just the user name.

SSL Offloading

Exchange 2016 does not allow SSL offloading in the default setting. Without a corresponding configuration change, the service is offline as soon as SSL offloading is activated:

The Exchange configuration must therefore be adjusted before SSL offloading is activated. An exception is Outlook Anywhere, where SSL offloading is already activated in the standard configuration:

To activate SSL offloading for the other services (OWa, EAS, etc), the following PowerShell commands can be used:

Set-WebConfigurationProperty -Filter //security/access -Name sslflags -Value "None" -PSPath IIS: -Location "Default Web Site/OWA"
Set-WebConfigurationProperty -Filter //security/access -Name sslflags -Value "None" -PSPath IIS: -Location "Default Web Site/ECP"
Set-WebConfigurationProperty -Filter //security/access -Name sslflags -Value "None" -PSPath IIS: -Location "Default Web Site/OAB"
Set-WebConfigurationProperty -Filter //security/access -Name sslflags -Value "None" -PSPath IIS: -Location "Default Web Site/EWS"
Set-WebConfigurationProperty -Filter //security/access -Name sslflags -Value "None" -PSPath IIS: -Location "Default Web Site/Microsoft-Server-ActiveSync"
Set-WebConfigurationProperty -Filter //security/access -Name sslflags -Value "None" -PSPath IIS: -Location "Default Web Site/Autodiscover"
Set-WebConfigurationProperty -Filter //security/access -Name sslflags -Value "None" -PSPath IIS: -Location "Default Web Site/MAPI"

After the changes have been made, the application app and the IIS must be restarted:

Restart-WebAppPool MSExchangeOWAAppPool
iisreset

These commands must be executed on every Exchange Mailbox Server.

SSL offloading can now be activated in the iApp:

Once the changes have been made to the Exchange configuration, the iApp should look something like this:

Different URLs for the Exchange web services

Different URLs for the individual web services make perfect sense, but in my experience they are not always so easy to implement in practice. The topic for Exchange 2016 is explained very clearly on the Exchange Team Blog:

http://blogs.technet.com/b/exchange/archive/2015/10/08/load-balancing-in-exchange-2016.aspx

Everyone must now decide for themselves whether or not to use different URLs. In practice, this is sometimes somewhat difficult to implement, keyword: firewalls, IP addresses and costs for the SAN certificate.

Whether Single Namespace or Multiple Namespace, the setting "Different FQDNs for each HTTP service" should be activated in any case. In my test environments, I always publish Exchange with a single namespace. However, LTM is able to check the web services accordingly even with a single namespace:

Conclusion

I have not noticed any problems with iApp Relase Candidate so far. I think the iApp will be released without any major changes. However, I would wait until then.

While I was writing this article, I remembered that I still have a KEMP LoadMaster lying around, so I'm going to get it ready for use and update it to the latest version. Then there will be part 3...