Franky's Web

Exchange 2016: Load balancing with F5 BigIP LTM 11.6 (iApp) Part 2

As already announced, the second part of this article series, "Load balancing Exchange 2016 with F5 BigIP", covers a few optimizations on the Exchange Server and load balancer side. The first part can be found here.

Mailboxes for the "Advanced Monitors"

LTM can check two mailboxes in the iApp. The user accounts should be set so that the passwords do not expire:

Furthermore, the mailboxes should be stored in different mailbox databases. The mailbox databases should normally be active on different mailbox servers.

The configuration within the iApp then looks something like this:

So that the mailboxes can be checked, authentication for OWA must be switched to "User name only":

However, I have not noticed any problems when authenticating with the UPN instead of just the user name.

SSL Offloading

Exchange 2016 does not allow SSL offloading in the default setting. Without a corresponding configuration change, the service is offline as soon as SSL offloading is activated:

The Exchange configuration must therefore be adjusted before SSL offloading is activated. An exception is Outlook Anywhere, where SSL offloading is already activated in the standard configuration:

To activate SSL offloading for the other services (OWA, EAS, etc.), the following PowerShell commands can be used:

Set-WebConfigurationProperty -Filter //security/access -Name sslflags -Value "None" -PSPath IIS:\ -Location "Default Web Site/OWA"
Set-WebConfigurationProperty -Filter //security/access -Name sslflags -Value "None" -PSPath IIS:\ -Location "Default Web Site/ECP"
Set-WebConfigurationProperty -Filter //security/access -Name sslflags -Value "None" -PSPath IIS:\ -Location "Default Web Site/OAB"
Set-WebConfigurationProperty -Filter //security/access -Name sslflags -Value "None" -PSPath IIS:\ -Location "Default Web Site/EWS"
Set-WebConfigurationProperty -Filter //security/access -Name sslflags -Value "None" -PSPath IIS:\ -Location "Default Web Site/Microsoft-Server-ActiveSync"
Set-WebConfigurationProperty -Filter //security/access -Name sslflags -Value "None" -PSPath IIS:\ -Location "Default Web Site/Autodiscover"
Set-WebConfigurationProperty -Filter //security/access -Name sslflags -Value "None" -PSPath IIS:\ -Location "Default Web Site/MAPI"

After the changes have been made, the OWA application pool and IIS must be restarted:

Restart-WebAppPool MSExchangeOWAAppPool
iisreset

These commands must be executed on every Exchange Mailbox Server.
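
One way to confirm that every server ended up in the same state before SSL offloading is switched on in the iApp (added example, not part of the original article; the server names EX01/EX02 and working PowerShell remoting to them are assumptions). It reads back the sslFlags value of the seven virtual directories changed above and reports any that differ from the expected value, which also documents where IIS no longer requires TLS on the back end:

```powershell
# Added example: audit sslFlags on the virtual directories changed above.
# Run from an admin workstation with PowerShell remoting to the Exchange servers.
param(
    [string[]]$Servers  = @('EX01', 'EX02'),   # hypothetical server names, replace with your own
    [string]  $Expected = 'None'               # value set by the commands in the article
)

$audit = {
    param($Expected)
    Import-Module WebAdministration
    $vdirs = 'OWA', 'ECP', 'OAB', 'EWS', 'Microsoft-Server-ActiveSync', 'Autodiscover', 'MAPI'
    foreach ($vdir in $vdirs) {
        $location = "Default Web Site/$vdir"
        try {
            $raw = Get-WebConfigurationProperty -Filter //security/access -Name sslFlags `
                       -PSPath 'IIS:\' -Location $location -ErrorAction Stop
            # The cmdlet returns either a plain string or an object carrying .Value
            $flags = if ($raw -is [string]) { $raw } else { [string]$raw.Value }
        }
        catch {
            # Missing virtual directory or unreadable configuration counts as drift
            $flags = "ERROR: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Server   = $env:COMPUTERNAME
            Location = $location
            SslFlags = $flags
            Matches  = ($flags -eq $Expected)
        }
    }
}

$results = Invoke-Command -ComputerName $Servers -ScriptBlock $audit -ArgumentList $Expected
$results | Sort-Object Server, Location |
    Format-Table Server, Location, SslFlags, Matches -AutoSize

# Fail loudly if any server or virtual directory deviates from the expected value
$drift = @($results | Where-Object { -not $_.Matches })
if ($drift.Count -gt 0) {
    Write-Warning "$($drift.Count) virtual directories do not match sslFlags '$Expected'."
    exit 1
}
```

Calling the script with -Expected 'Ssl' checks the opposite state, for example on servers that are not meant to sit behind an offloading load balancer.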

SSL offloading can now be activated in the iApp:

Once the changes have been made to the Exchange configuration, the iApp should look something like this:

Different URLs for the Exchange web services

Different URLs for the individual web services make perfect sense, but in my experience they are not always so easy to implement in practice. The topic for Exchange 2016 is explained very clearly on the Exchange Team Blog:

http://blogs.technet.com/b/exchange/archive/2015/10/08/load-balancing-in-exchange-2016.aspx

Everyone must now decide for themselves whether or not to use different URLs. In practice, this is sometimes somewhat difficult to implement, keywords: firewalls, IP addresses and costs for the SAN certificate.

Whether single namespace or multiple namespaces, the setting "Different FQDNs for each HTTP service" should be enabled in any case. In my test environments I always publish Exchange with a single namespace. However, LTM is able to check the web services accordingly even with a single namespace:

Conclusion

I have not noticed any problems with the iApp Release Candidate so far. I think the iApp will be released without any major changes. However, I would wait until then.

While I was writing this article, I remembered that I still have a KEMP LoadMaster lying around, so I'm going to get it ready for use and update it to the latest version. Then there will be part 3...
