Exchange 2013 DNS Round Robin with IIS ARR

Hi all,

We have Exchange 2013 configured with DNS Round Robin. The problem is, when I configure the firewall, how do I configure the IP to point to the Exchange services?

If we had a load balancer, we would give the VIP address to the firewall, so in the DNS RR situation, how can we manage?

regards
Asked by ucguy
Jamie McKillop, IT Manager, commented:
Hello,

Each of your Exchange servers will need to be NAT'ed out on its own dedicated public IP. You then configure your firewall to allow port 443 from the internet to the internal IP of each Exchange server. You also need to set up DNS records for each public IP.

-JJ
ucguy (Author) commented:
Why do we need that?
Externally, can we have one IP like this:

mail.contoso.com 123.123.123.123 pointing to the firewall. Can the firewall be configured so that when traffic hits, it is forwarded to either CAS1 or CAS2?
Jamie McKillop, IT Manager, commented:
No, that won't work. You would need a load balancer to do that. You can only tell your firewall to send traffic to one IP.

-JJ
ucguy (Author) commented:
If we use WNLB, should we install it on the CAS servers?
Jamie McKillop, IT Manager, commented:
You can use WNLB as long as you have dedicated CAS servers with no mailbox role.

-JJ
kevinhsieh commented:
WNLB is seriously brain dead and will start accepting requests way before any of your other network services have started, thereby causing service outage. You are much better off using a load balancer from Kemp that understands server health and only distributes traffic to working servers. They are pretty reasonably priced.
ucguy (Author) commented:
Can we configure the Kemp load balancer to handle only external traffic, with internal clients talking to both CAS servers via DNS Round Robin?
Gareth Gudger commented:
Potentially yes. But why would you want to do that?

DNS round robin is not real load balancing. A KEMP hardware load balancer is.
ucguy (Author) commented:
Yeah, but the problem is we cannot do that, because the current VLM-100 load balancer cannot handle the 200 users both internally and externally.
Jamie McKillop, IT Manager, commented:
With Exchange 2013, DNS RR is a real load balancing solution. It is not as good as a hardware load balancer, but it will work just fine. The main difference you will see is that an HLB will detect a failure of a CAS node fairly quickly and take that node out of the pool. DNS RR depends on the TTL of the DNS record, so it will be at least a couple of minutes before the client reconnects.

You can use the HLB for external and DNS RR internally. You just point a single external DNS entry to the public IP of the HLB VIP, and internally you create RR DNS entries that point directly at your CAS servers.

-JJ
Gareth Gudger commented:
I have to disagree with Jamie on DNS RR. It does not perform health checks so it has no idea if a component of Exchange goes down. Or if Exchange is down entirely. The server could be up and responding to IP but Exchange could be down. DNS RR will keep sending requests to that server and cause unnecessary outages for your users.

If you need a free hardware load balancer (that can do health checks) then you should go with IIS ARR. It's a free add-in from Microsoft.

I highly recommend checking this video from the Microsoft Exchange Conference on using ARR for Exchange 2013 as a free load balancer.
http://channel9.msdn.com/Events/MEC/2014/USX305

More info here for its use with Exchange 2013
http://blogs.technet.com/b/exchange/archive/2013/07/19/reverse-proxy-for-exchange-server-2013-using-iis-arr-part-1.aspx

Microsoft's download link:
http://www.iis.net/downloads/microsoft/application-request-routing
Jamie McKillop, IT Manager, commented:
Watch this video (https://www.youtube.com/watch?v=35l2lQ0LIZU) from TechEd 2013 (start at about 50 minutes) and you will understand how DNS RR works for redundancy in Exchange 2013. The client will load up all the A records. If the client fails to connect, it will wait about 20 seconds then try the next A record. It doesn't matter if the IP responds, the client must be able to successfully connect or it moves on. DNS RR is now how Microsoft recommends you implement site resiliency.

An HLB is still recommended in front of each CAS array because it has the advantage of being able to automatically or manually pull a CAS server out of the pool for near-complete transparency to the client. With DNS RR, you have the 20 second wait, and some clients will continue to try connecting to a failed IP when they start up. An HLB has other advantages as well, such as the ability to truly balance the load.

The ideal infrastructure includes an HLB. If you can't afford an HLB, DNS RR is a viable alternative. You can use IIS ARR, but you have a single point of failure unless you use NLB to create an IIS cluster. If you are going to use NLB, you might as well just use it directly on your CAS servers. IIS ARR is intended more as an alternative to TMG. It is a security layer to proxy requests from the Internet so that client connections don't hit Exchange before being authenticated.

-JJ
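The two points the thread turns on are Jamie's (internal DNS RR with a short TTL, HLB outside) and Gareth's (DNS RR does no health checks, so a node whose IP answers but whose Exchange is down keeps receiving clients). The script below is an added example, not code from the thread or from Microsoft or KEMP: it is a health-check loop you can schedule on a Windows DNS server holding the internal zone, which probes each CAS node's Exchange 2013 Managed Availability endpoints (the per-virtual-directory healthcheck.htm pages) and removes the A record of any node that fails, re-adding it when the probe passes again. The zone name contoso.com, the record name mail, the node FQDNs cas1/cas2 with addresses 10.0.0.11/10.0.0.12, the five-minute TTL and the probe paths are assumptions for illustration. The probe deliberately keeps TLS validation on, so the certificate on the CAS servers must cover the node FQDN you probe.

```powershell
# Added example: a poor man's health check for an Exchange 2013 DNS Round Robin pool.
# Probes each CAS node's healthcheck.htm pages over HTTPS and keeps the internal
# A record set in step with what is actually answering. Requires the DnsServer
# module (RSAT / DNS server role) and write rights on the record.
#Requires -Modules DnsServer

$ZoneName   = 'contoso.com'            # internal zone (assumed)
$RecordName = 'mail'                   # client namespace: mail.contoso.com (assumed)
$Ttl        = New-TimeSpan -Minutes 5  # short TTL so a removed node ages out of clients quickly
$Nodes = @(                            # constructed inventory; replace with your CAS servers
    @{ Fqdn = 'cas1.contoso.com'; IPv4 = '10.0.0.11' },
    @{ Fqdn = 'cas2.contoso.com'; IPv4 = '10.0.0.12' }
)
# One healthcheck.htm per published protocol; a node must pass all of them.
$ProbePaths = @('/owa/healthcheck.htm', '/ecp/healthcheck.htm', '/ews/healthcheck.htm',
                '/Autodiscover/healthcheck.htm', '/Microsoft-Server-ActiveSync/healthcheck.htm')

function Test-CasNode {
    param([string]$Fqdn, [string[]]$Paths, [int]$TimeoutSec = 10)
    # Healthy only if every published protocol answers 200. A timeout, a TLS
    # failure or a 5xx all count as "down", which is exactly the case DNS RR misses:
    # the IP still pings, but Exchange is not serving.
    foreach ($p in $Paths) {
        try {
            $r = Invoke-WebRequest -Uri "https://$Fqdn$p" -UseBasicParsing -TimeoutSec $TimeoutSec
            if ($r.StatusCode -ne 200) { return $false }
        } catch { return $false }
    }
    return $true
}

function Get-RrAddresses {
    param([string]$Zone, [string]$Name)
    # Current A records behind the RR name, as plain dotted-quad strings.
    Get-DnsServerResourceRecord -ZoneName $Zone -Name $Name -RRType A -ErrorAction SilentlyContinue |
        ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString }
}

function Sync-RrPool {
    param([string]$Zone, [string]$Name, [TimeSpan]$Ttl, [object[]]$Nodes, [string[]]$Paths)
    $current = @(Get-RrAddresses -Zone $Zone -Name $Name)
    foreach ($n in $Nodes) {
        $healthy = Test-CasNode -Fqdn $n.Fqdn -Paths $Paths
        $inPool  = $current -contains $n.IPv4
        if ($healthy -and -not $inPool) {
            Add-DnsServerResourceRecordA -ZoneName $Zone -Name $Name -IPv4Address $n.IPv4 -TimeToLive $Ttl
            $current += $n.IPv4
            Write-Output "ADDED   $($n.Fqdn) ($($n.IPv4))"
        } elseif (-not $healthy -and $inPool) {
            # Never delete the last record: a name with no answers is a total outage,
            # a name pointing at one sick node is a partial one.
            if ($current.Count -gt 1) {
                Remove-DnsServerResourceRecord -ZoneName $Zone -Name $Name -RRType A -RecordData $n.IPv4 -Force
                $current = @($current | Where-Object { $_ -ne $n.IPv4 })
                Write-Output "REMOVED $($n.Fqdn) ($($n.IPv4))"
            } else {
                Write-Output "KEPT    $($n.Fqdn) is unhealthy but is the last record in the pool"
            }
        } else {
            Write-Output "OK      $($n.Fqdn) healthy=$healthy inPool=$inPool"
        }
    }
}

Sync-RrPool -Zone $ZoneName -Name $RecordName -Ttl $Ttl -Nodes $Nodes -Paths $ProbePaths
```

Run it as a scheduled task every minute or two; failover time is then the probe interval plus the TTL, which is the cost Jamie describes against an HLB that drops a node immediately. Two caveats a security reviewer would raise: whatever account runs this can redirect every internal mail client by rewriting the record, so grant it write access to that one record rather than DnsAdmins and keep the ADDED/REMOVED output in a log you review; and a probe that only checks port 443 or ICMP would give you exactly the false confidence Gareth warns about, which is why the script insists on a 200 from every protocol's healthcheck.htm.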