Exchange 2013 DNS Round Robin with IIS ARR

Hi all,

We have Exchange 2013 configured with DNS round robin. The problem is, when I configure the firewall, how do I configure the IP that the Exchange services are pointed to?

If we had a load balancer, we would give the VIP address to the firewall, so in the DNS RR situation, how can we manage this?

regards
Asked by: ucguy

2 Solutions

Jamie McKillop commented:
Hello,

Each of your Exchange servers will need to be NAT'ed out on their own dedicated public IPs. You then configure your firewall to allow port 443 from the internet to the internal IP of each Exchange server. You also need to setup DNS records for each public IP.

-JJ

ucguy (Author) commented:
Why do we need that? Externally, can we have one IP, like this:

mail.contoso.com 123.123.123.123, pointing to the firewall. Can the firewall be configured so that when traffic hits it, it is forwarded to either CAS1 or CAS2?

Jamie McKillop commented:
No, that won't work. You would need a load balancer to do that. You can only tell your firewall to send traffic to one IP.

-JJ

ucguy (Author) commented:
If we use WNLB, should we install it on the CAS servers?

Jamie McKillop commented:
You can use WNLB as long as you have dedicated CAS servers with no mailbox role.

-JJ

kevinhsieh commented:
WNLB is seriously brain dead and will start accepting requests way before any of your other network services have started, thereby causing service outage. You are much better off using a load balancer from Kemp that understands server health and only distributes traffic to working servers. They are pretty reasonably priced.

ucguy (Author) commented:
Can we configure the Kemp load balancer to handle only external traffic, with internal clients talking to both CAS servers via DNS round robin?

Gareth Gudger commented:
Potentially yes. But why would you want to do that?

DNS round robin is not real load balancing. A KEMP hardware load balancer is.

ucguy (Author) commented:
Yeah, but the problem is we cannot do that, because the current VLM-100 load balancer cannot handle the 200 users both internally and externally.

Jamie McKillop commented:
With Exchange 2013, DNS RR is a real load balancing solution. It is not as good as a hardware load balancer, but it will work just fine. The main difference you will see is that an HLB will detect a failure of a CAS node fairly quickly and take that node out of the pool. DNS RR depends on the TTL of the DNS record, so it will be at least a couple of minutes before the client reconnects.

You can use the HLB for external and DNS RR internally. You just point a single external DNS entry to the public IP of the HLB VIP, and internally you create RR DNS entries that point directly at your CAS servers.

-JJ

Gareth Gudger commented:
I have to disagree with Jamie on DNS RR. It does not perform health checks so it has no idea if a component of Exchange goes down. Or if Exchange is down entirely. The server could be up and responding to IP but Exchange could be down. DNS RR will keep sending requests to that server and cause unnecessary outages for your users.

If you need a free hardware load balancer (that can do health checks), then you should go with IIS ARR. It's a free add-in from Microsoft.

I highly recommend checking this video from the Microsoft Exchange Conference on using ARR for Exchange 2013 as a free load balancer.
http://channel9.msdn.com/Events/MEC/2014/USX305

More info here for its use with Exchange 2013
http://blogs.technet.com/b/exchange/archive/2013/07/19/reverse-proxy-for-exchange-server-2013-using-iis-arr-part-1.aspx

Microsoft's download link:
http://www.iis.net/downloads/microsoft/application-request-routing

Jamie McKillop commented:
Watch this video (https://www.youtube.com/watch?v=35l2lQ0LIZU) from TechEd 2013 (start at about 50 minutes) and you will understand how DNS RR works for redundancy in Exchange 2013. The client will load up all the A records. If the client fails to connect, it will wait about 20 seconds then try the next A record. It doesn't matter if the IP responds, the client must be able to successfully connect or it moves on. DNS RR is now how Microsoft recommends you implement site resiliency.

An HLB is still recommended in front of each CAS array because it has the advantage of being able to automatically or manually pull a CAS server out of the pool, for near complete transparency to the client. With DNS RR, you have the 20 second wait, and some clients will continue to try connecting to a failed IP when they start up. An HLB has other advantages as well, such as the ability to truly balance the load.

The ideal infrastructure includes an HLB. If you can't afford an HLB, DNS RR is a viable alternative. You can use IIS ARR, but you have a single point of failure unless you use NLB to create an IIS cluster. If you are going to use NLB, you might as well just use it directly on your CAS servers. IIS ARR is intended more as an alternative to TMG. It is a security layer to proxy requests from the Internet so that client connections don't hit Exchange before being authenticated.

-JJ
0
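The two behaviours argued over in this thread, a load balancer that health-checks each CAS node versus a DNS round robin client that has to discover a dead node by itself, can be put side by side in code. The following is an added example written for this page; it is not from the thread or from any product. It assumes a hypothetical namespace mail.contoso.com with two CAS nodes at 10.0.0.11 and 10.0.0.12, models the roughly 20 second per-address wait Jamie describes as a constant, and uses the real Exchange 2013 Managed Availability page /owa/healthcheck.htm (an HTTP 200 from it means the OWA protocol is serviceable on that node). All probe responses in the demo are constructed byte strings so it runs offline; the `https_probe` function at the end is the only piece that touches the network and is provided for lab use.

```python
"""
Added example: load-balancer health checks vs. DNS round robin client failover.
Network I/O is abstracted behind callables so the logic runs offline.
"""
import socket
import ssl
from typing import Callable, List, Optional, Tuple

# Constructed sample topology (hypothetical names and addresses, not from the thread).
NAMESPACE = "mail.contoso.com"
CAS_NODES = ["10.0.0.11", "10.0.0.12"]
# Exchange 2013 Managed Availability publishes a per-protocol health page; an HTTP 200
# from it means that protocol is serviceable on the node that answered.
HEALTHCHECK_PATH = "/owa/healthcheck.htm"
# Approximate per-address wait before an Outlook client moves on to the next A record,
# as described in the thread; treated here as an assumed constant.
CLIENT_STEP_SECONDS = 20.0

Probe = Callable[[str], Optional[bytes]]   # address -> raw HTTP response, None if no TCP/TLS
Connector = Callable[[str], bool]          # address -> True only if an HTTPS request completed


def parse_http_status(raw: bytes) -> Optional[int]:
    """Return the status code from the status line of a raw HTTP response, or None."""
    try:
        status_line = raw.split(b"\r\n", 1)[0].decode("ascii")
        version, code, _reason = status_line.split(" ", 2)
    except (ValueError, UnicodeDecodeError):
        return None
    if not version.startswith("HTTP/") or not code.isdigit():
        return None
    return int(code)


def lb_healthy_pool(nodes: List[str], probe: Probe) -> List[str]:
    """Load balancer view: a node stays in the pool only while healthcheck.htm answers 200.

    A node whose IP stack answers but whose Exchange protocol is down (503 from IIS, or
    no response at all) is pulled. This is the check DNS round robin cannot make."""
    healthy = []
    for node in nodes:
        raw = probe(node)
        if raw is not None and parse_http_status(raw) == 200:
            healthy.append(node)
    return healthy


def dns_rr_answer(nodes: List[str], query_number: int) -> List[str]:
    """DNS round robin: every answer carries all A records, rotated per query.
    The DNS server knows nothing about node health."""
    if not nodes:
        return []
    k = query_number % len(nodes)
    return nodes[k:] + nodes[:k]


def client_connect(addresses: List[str], connector: Connector,
                   step_seconds: float = CLIENT_STEP_SECONDS) -> Tuple[Optional[str], float]:
    """Model the client: try each address in order; an attempt that does not complete an
    HTTPS request costs `step_seconds` before the next address is tried.
    Returns (address that worked or None, total seconds spent waiting)."""
    waited = 0.0
    for addr in addresses:
        if connector(addr):
            return addr, waited
        waited += step_seconds
    return None, waited


def https_probe(address: str, host: str = NAMESPACE, timeout: float = 5.0) -> Optional[bytes]:
    """Real probe for a lab: fetch healthcheck.htm from one node while presenting the
    namespace as SNI/Host so certificate validation checks the published name.
    Not called by the offline demo."""
    request = (f"GET {HEALTHCHECK_PATH} HTTP/1.1\r\nHost: {host}\r\n"
               f"Connection: close\r\n\r\n").encode("ascii")
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((address, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.sendall(request)
                chunks = []
                while True:
                    data = tls.recv(4096)
                    if not data:
                        break
                    chunks.append(data)
                return b"".join(chunks)
    except OSError:  # includes ssl.SSLError and timeouts
        return None


if __name__ == "__main__":
    # Constructed responses: node .11 has IIS up but the OWA app pool is down (503),
    # node .12 is healthy. No real traffic is sent.
    canned = {
        "10.0.0.11": b"HTTP/1.1 503 Service Unavailable\r\nContent-Length: 0\r\n\r\n",
        "10.0.0.12": b"HTTP/1.1 200 OK\r\nContent-Length: 6\r\n\r\n200 OK",
    }
    fake_connector = lambda a: parse_http_status(canned.get(a, b"")) == 200
    print("LB pool after health check:", lb_healthy_pool(CAS_NODES, canned.get))
    print("DNS RR client (first answer):", client_connect(dns_rr_answer(CAS_NODES, 0), fake_connector))
    print("Client via LB pool:", client_connect(lb_healthy_pool(CAS_NODES, canned.get), fake_connector))
```

Run as a script, the DNS RR client lands on 10.0.0.12 only after spending the modelled 20 seconds on the half-dead node, while the health-checked pool never offers that node in the first place. Swap `canned.get` for `https_probe` to run the same pool selection against a lab.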
