Monday, April 11, 2016

NetScaler VPX - load balance Exchange - Part 4 (load balance Outlook Web App)

After configuring load balancing for SMTP traffic and Outlook (RPC) in my two previous blog posts, I will configure it for Outlook Web App (formerly "Outlook Web Access") - or OWA - in this post. As in the previous exercises, we need to create (if they are not already created):
  • Servers
  • Services
  • Virtual Servers (with a "VIP")
  • Monitors (optional).

We have already created two server entries, representing our two Exchange servers, so there is no need to repeat this process. Please refer to my previous blog post if you need to see how to create these entries. Otherwise, we will create two entries for the OWA service and then a virtual server (with a VIP) to which OWA clients will be directed.

OWA uses SSL and the NetScaler offers a number of features that optimize this type of connection, for example:
  • SSL offloading: the NetScaler decrypts the incoming SSL connection and thus lessens the workload on the backend servers (in this case, the Exchange servers).
  • Rewrite (of URLs): users can enter a shortened URL for OWA and the NetScaler, analyzing the packets, sees that it is for OWA and (for example) adds "s" to http and "/owa" at the end of the URL.

In this blog post, I will opt for a simple configuration where the SSL traffic passes through the NetScaler and where users would have to enter the full URL (or use either a shortcut or an Internet favorite).


As mentioned above, we already have server entries for both Exchange servers and will start with the creation of services for OWA/SSL. Here is the list of existing services:

NetScaler | Traffic Management | Load Balancing | Services

We click on "Add" (see above) and create the following services for OWA/SSL:

We now have the following services:

Now let's create a virtual server (and VIP) to which OWA clients will connect. We go to...

NetScaler | Traffic Management | Load Balancing | Virtual Servers

And click on "Add" (note the existing virtual servers for SMTP and Outlook (RPC)):

I enter the following values (use values appropriate for your network) and click on OK:

As with the other virtual servers, we need to bind the appropriate service(s) to the virtual server. Click on the binding link shown below (under "Services and Service Groups"):

I "Click to select" a service...

(Here I check the OWA services and click on "Select"):

Then click on "Bind":

I click "OK" and "Done" as needed to return to the list of Virtual Servers:

The State (and effective State) of the virtual server is "down".

However, we still need to configure the load balancing method and the type of persistence. Let's see if configuring these features changes the state of the virtual server.

We highlight the lb_vs_OWA virtual server as shown above and click on the "Edit" button.

In the resulting menu that appears on the far right, we select Method (and later Persistence):

For the load balancing method, we will select ROUNDROBIN:

Note: other choices may be more appropriate. If we have two servers, one with more capacity than the other, we may want to select a method that directs a greater percentage of connections to the more powerful server.

For persistence, Citrix documentation recommends COOKIEINSERT for OWA with a 30 minute timeout (2 minutes was the default):

Note: click "OK" and then "Done" to return to the list of virtual servers.

However, the state of the virtual server remains "down":

This is because I have opted not to use (at least for now) SSL offloading. I want the OWA SSL traffic to "pass through" the NetScaler and remain encrypted until it reaches the Exchange server(s). This method requires us to import the SSL certificate used to secure OWA into the NetScaler.

If you need directions on the procedure to export a certificate from Exchange, I would direct you to my blog posts where I perform this operation (there are several). In this blog post, I export a certificate from an Exchange 2007 server for use on ISA/TMG:

Exchange 2007 (SP3) - ISA - Publish OWA - Export/Import SSL certificates

For other examples, I would search my blog posts for "export certificate" (use the search function in the upper left-hand corner):

Other option: refer to sources online ("export certificate Exchange 2010" or "2013" depending on your version of Exchange).

Once we have the certificate, we must import it and install it on the NetScaler VPX.

Note: I will perform each of these steps separately (the process seemed somewhat confusing; in the end, however, the certificate was usable).

First (after we have accessed the NetScaler web interface), go to the following section:

NetScaler > Traffic Management > SSL > SSL Certificates

The yellow exclamation mark indicates that the feature is not enabled. We need to right-click on SSL to enable the feature:

Now that SSL is enabled, we will import the certificate. In the Tools section, click on Import PKCS#12

We create what is called an "Output File Name" (simply a name - we can call it what we want - but make sure to use the .pem file extension) and then browse to the location of the exported certificate file. We enter the password created when we exported the certificate from the Exchange server (this is necessary since the exported certificate file also contains the private key associated with the public key in the certificate). I was able to leave the Encoding Format field blank and proceed all the same: 

We click on OK and return to the list of SSL options. If we click on the Manage Certificates / Keys / CSR link...

We can see both the exported .pfx file and the .pem certificate we created:

Next, we move to this location to install the certificate:

NetScaler > Traffic Management > SSL > SSL Certificates

Click on "Install":

I enter a name for the Certificate-Key Pair and then browse to the "ns-SSL-Exch.pem" file I created in the previous step:

Note: make sure PEM is selected. Yes, I designated the same file for Certificate File Name and Key File Name. It was not necessary to re-enter a password. Leave the other settings as they are. Also, when you open "Browse", you can select the option "Appliance" (meaning the NetScaler) since the certificate (with the private key) has already been exported and (apparently) converted into the .pem format:
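Before pointing both the Certificate File Name and the Key File Name at one .pem, it is worth confirming that the converted file really carries a certificate block and exactly one private key block, and whether that key is password-protected (which decides whether a key password must be entered at install time). The following check is an added example, not part of the original post or of the NetScaler; it uses only the Python standard library, and the PEM samples are constructed placeholders (the base64 payloads are not real certificates or keys).

```python
"""Inspect a PEM file converted from a PKCS#12 export: does it hold a
certificate and a private key, and is the key encrypted?

Added example (not the post's or NetScaler's code). Samples below are
constructed; their base64 bodies are placeholders, not real key material.
"""
import re

# Every PEM block is "-----BEGIN <label>-----" ... "-----END <label>-----".
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

# Labels that denote a private key (PKCS#8, legacy PKCS#1 RSA/EC, encrypted PKCS#8).
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def inspect_pem(text: str) -> dict:
    """Count certificate and key blocks and report whether the key is encrypted."""
    certs, keys, encrypted = 0, 0, False
    for m in _PEM_BLOCK.finditer(text):
        label, body = m.group("label"), m.group("body")
        if label == "CERTIFICATE":
            certs += 1
        elif label in KEY_LABELS:
            keys += 1
            # PKCS#8 encrypted keys carry their own label; legacy keys signal
            # encryption with a "Proc-Type: 4,ENCRYPTED" header inside the block.
            if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
                encrypted = True
    return {"certificates": certs, "private_keys": keys, "key_encrypted": encrypted}


def usable_as_certkey(text: str) -> bool:
    """True when one file can serve as both Certificate File Name and Key File
    Name: at least one certificate and exactly one private key."""
    r = inspect_pem(text)
    return r["certificates"] >= 1 and r["private_keys"] == 1


# Constructed sample: shape of a PEM produced from a PKCS#12 export
# (server certificate plus an unencrypted PKCS#8 key).
SAMPLE_PEM = """\
Bag Attributes
    friendlyName: owa
-----BEGIN CERTIFICATE-----
MIIBsTCCAVugAwIBAgIJAPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCPLACEHOLDER
-----END PRIVATE KEY-----
"""

# Constructed sample: certificate exported without its private key; this
# cannot be installed as a certificate-key pair.
CERT_ONLY_PEM = """\
-----BEGIN CERTIFICATE-----
MIIBsTCCAVugAwIBAgIJAPLACEHOLDER
-----END CERTIFICATE-----
"""

# Constructed sample: legacy RSA key protected with a passphrase.
ENCRYPTED_PEM = """\
-----BEGIN CERTIFICATE-----
MIIBsTCCAVugAwIBAgIJAPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,PLACEHOLDERIV
MIIEowIBAAKCAQEAPLACEHOLDER
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, pem in (("sample", SAMPLE_PEM), ("cert-only", CERT_ONLY_PEM),
                      ("encrypted", ENCRYPTED_PEM)):
        print(name, inspect_pem(pem), "usable as cert-key pair:", usable_as_certkey(pem))
```

Run it against the real .pem (read the file and pass its text to `inspect_pem`) before the Install step; a result with `private_keys` equal to 0 explains an install failure better than the appliance's error text, and `key_encrypted` being true tells you the key password cannot be left blank.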

This is what we see when we browse the "Appliance" (essentially the content of the /nsconfig/ssl folder):

Once we click "Install" (Install Certificate screenshot above), we return to the list of installed SSL certificates:

We can now (finally!) bind the certificate to the OWA virtual server. Go to the list of virtual servers...

We will highlight the lb_vs_OWA virtual server and click on "Edit". In the Certificates section of the virtual server settings, click on "No Server Certificate". This is where we will bind the certificate to the virtual server:

I select my imported (and installed) "imp-SSL-OWA" certificate:

I click on "Bind":

Now the "State" and "Effective State" of the OWA virtual server are both "Up":

IMPORTANT: as explained in the previous blog post for Outlook (RPC), we have to adjust the DNS record for OWA so clients are directed to the VIP (virtual IP) of the virtual server rather than to the Exchange servers themselves.

So what happens when a user attempts to connect to OWA?

On my initial attempts, the credentials are accepted but the connections time out immediately (yes, instantaneously).

This is because the COOKIEINSERT persistence type assumes that SSL offloading is being used, which is not the case here. The solution is to use the SOURCEIP method instead:


Once I make this adjustment, users can connect to OWA via the NetScaler VIP/virtual server without any problem. However, we should note that if clients are connecting through NAT (a single IP) the SOURCEIP persistence type may not be the best choice. This is not a problem if we use SSL offloading and are able to use the COOKIEINSERT persistence type.
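To make the trade-off concrete, here is a small model of the OWA virtual server with ROUNDROBIN distribution and either SOURCEIP or COOKIEINSERT persistence. It reproduces the two behaviours the post describes: cookie-based persistence cannot work when the appliance never sees the HTTP layer (the author's immediate time-outs), and SOURCEIP persistence sends every client behind one NAT address to the same Exchange server. This is an added example, not code from the post or from NetScaler; the server names, client addresses, request stream and the cookie encoding (the model simply uses the server name as the cookie value) are constructed simplifications.

```python
"""Model of an lb vserver: ROUNDROBIN distribution with SOURCEIP or
COOKIEINSERT persistence. Added example; not NetScaler code. Server names,
addresses and request timings are constructed.
"""
from collections import Counter
from itertools import cycle
from typing import Dict, List, Optional, Tuple

SERVERS = ["exch1", "exch2"]  # constructed names for the two bound OWA services


class Vserver:
    def __init__(self, persistence: str, timeout_s: int = 1800,
                 ssl_visible_http: bool = False):
        if persistence not in ("SOURCEIP", "COOKIEINSERT"):
            raise ValueError(persistence)
        self.persistence = persistence
        self.timeout_s = timeout_s                # 30 minutes, as the post configures
        self.ssl_visible_http = ssl_visible_http  # True only if the appliance terminates SSL
        self._rr = cycle(SERVERS)                 # ROUNDROBIN cursor
        self._table: Dict[str, Tuple[str, float]] = {}  # SOURCEIP: addr -> (server, last seen)

    def route(self, src_ip: str, now: float,
              cookie: Optional[str] = None) -> Tuple[str, Optional[str]]:
        """Pick a server. Returns (server, cookie_to_set); cookie_to_set is None
        when no persistence cookie is inserted into the response."""
        if self.persistence == "SOURCEIP":
            entry = self._table.get(src_ip)
            if entry and now - entry[1] <= self.timeout_s:
                self._table[src_ip] = (entry[0], now)   # refresh the entry
                return entry[0], None
            server = next(self._rr)
            self._table[src_ip] = (server, now)
            return server, None
        # COOKIEINSERT
        if not self.ssl_visible_http:
            # Encrypted stream passes through untouched: no cookie can be read
            # or inserted, so each request is distributed afresh (the post's
            # symptom: a session spread over both servers and dropped).
            return next(self._rr), None
        if cookie in SERVERS:
            return cookie, None                        # honour the existing cookie
        server = next(self._rr)
        return server, server                          # insert a cookie on first hit


def run_session(vs: Vserver, src_ip: str, n_requests: int,
                start: float = 0.0, step: float = 5.0) -> List[str]:
    """One client sends n requests, echoing back any cookie it was given;
    returns the server that handled each request."""
    cookie, hits = None, []
    for i in range(n_requests):
        server, set_cookie = vs.route(src_ip, start + i * step, cookie)
        if set_cookie:
            cookie = set_cookie
        hits.append(server)
    return hits


def sticky(hits: List[str]) -> bool:
    """A session is persistent if every request landed on the same server."""
    return len(set(hits)) == 1


def nat_spread(vs: Vserver, n_clients: int, nat_ip: str = "203.0.113.10") -> Dict[str, int]:
    """n distinct clients, all arriving from one NAT address within the timeout:
    how many requests does each server receive?"""
    counts: Counter = Counter()
    for c in range(n_clients):
        counts.update(run_session(vs, nat_ip, 3, start=c * 100.0))
    return dict(counts)


if __name__ == "__main__":
    client = "198.51.100.7"  # constructed client address
    for label, vs in (("SOURCEIP, passthrough", Vserver("SOURCEIP")),
                      ("COOKIEINSERT, passthrough", Vserver("COOKIEINSERT")),
                      ("COOKIEINSERT, SSL offload", Vserver("COOKIEINSERT", ssl_visible_http=True))):
        hits = run_session(vs, client, 4)
        print(f"{label}: {hits} sticky={sticky(hits)}")
    print("10 NAT clients, SOURCEIP:", nat_spread(Vserver("SOURCEIP"), 10))
    print("10 NAT clients, COOKIEINSERT+offload:",
          nat_spread(Vserver("COOKIEINSERT", ssl_visible_http=True), 10))
```

The NAT run is the number to watch: with SOURCEIP every request from the shared address lands on one server, so a large remote office or a proxy effectively disables load balancing for those users, whereas cookie persistence (available once the appliance terminates SSL) still spreads distinct clients over both servers while keeping each session on one of them.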

The advantages and disadvantages of these various persistence options are compared in this discussion on the Citrix NetScaler forums:
