Exchange 2013 DNS Round Robin with IIS ARR

Posted on 2014-11-05
Last Modified: 2014-11-24
Hi all,

We have Exchange 2013 configured with DNS round robin. The problem is that when I configure the firewall, how do I configure the IP to point to the Exchange services?

If we have a load balancer, we give the VIP address to the firewall, so in a DNS RR situation, how can we manage this?

regards
Question by:ucguy
12 Comments
LVL 37

Expert Comment

by:Jamie McKillop
ID: 40426008
Hello,

Each of your Exchange servers will need to be NAT'ed out on their own dedicated public IPs. You then configure your firewall to allow port 443 from the internet to the internal IP of each Exchange server. You also need to setup DNS records for each public IP.

-JJ
Author Comment

by:ucguy
ID: 40426067
Why do we need that? Externally, can we have one IP like this:

mail.contoso.com 123.123.123.123 pointing to the firewall. Can the firewall be configured so that when traffic hits it, it is forwarded to either CAS1 or CAS2?
LVL 37

Expert Comment

by:Jamie McKillop
ID: 40426122
No, that won't work. You would need a load balancer to do that. You can only tell your firewall to send traffic to one IP.

-JJ
Author Comment

by:ucguy
ID: 40426134
If we use WNLB, should we install it on the CAS servers?
LVL 37

Expert Comment

by:Jamie McKillop
ID: 40426144
You can use WNLB as long as you have dedicated CAS servers with no mailbox role.

-JJ
LVL 42

Expert Comment

by:kevinhsieh
ID: 40426301
WNLB is seriously brain dead and will start accepting requests way before any of your other network services have started, thereby causing service outage. You are much better off using a load balancer from Kemp that understands server health and only distributes traffic to working servers. They are pretty reasonably priced.
Author Comment

by:ucguy
ID: 40431938
Can we configure the Kemp load balancer to handle only external traffic, with internal clients talking to both CAS servers via DNS round robin?
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40431973
Potentially yes. But why would you want to do that?

DNS round robin is not real load balancing. A KEMP hardware load balancer is.
Author Comment

by:ucguy
ID: 40431983
Yeah, but the problem is we cannot do that, because the current VLM-100 load balancer cannot handle the 200 users both internally and externally.
LVL 37

Expert Comment

by:Jamie McKillop
ID: 40432650
With Exchange 2013, DNS RR is a real load balancing solution. It is not as good as a hardware load balancer, but it will work just fine. The main difference you will see is that an HLB will detect a failure of a CAS node fairly quickly and take that node out of the pool. DNS RR depends on the TTL of the DNS record, so it will be at least a couple of minutes before the client reconnects.

You can use the HLB for external and DNS RR internally. You just point a single external DNS entry to the public IP of the HLB VIP, and internally you create RR DNS entries that point directly at your CAS servers.

-JJ
LVL 31

Assisted Solution

by:Gareth Gudger
Gareth Gudger earned 1000 total points
ID: 40434091
I have to disagree with Jamie on DNS RR. It does not perform health checks so it has no idea if a component of Exchange goes down. Or if Exchange is down entirely. The server could be up and responding to IP but Exchange could be down. DNS RR will keep sending requests to that server and cause unnecessary outages for your users.

If you need a free hardware load balancer (that can do health checks) then you should go with IIS ARR. It's a free add-in from Microsoft.

I highly recommend checking this video from the Microsoft Exchange Conference on using ARR for Exchange 2013 as a free load balancer.
http://channel9.msdn.com/Events/MEC/2014/USX305

More info here for its use with Exchange 2013
http://blogs.technet.com/b/exchange/archive/2013/07/19/reverse-proxy-for-exchange-server-2013-using-iis-arr-part-1.aspx

Microsoft's download link:
http://www.iis.net/downloads/microsoft/application-request-routing
LVL 37

Accepted Solution

by:Jamie McKillop
Jamie McKillop earned 1000 total points
ID: 40437336
Watch this video (https://www.youtube.com/watch?v=35l2lQ0LIZU) from TechEd 2013 (start at about 50 minutes) and you will understand how DNS RR works for redundancy in Exchange 2013. The client will load up all the A records. If the client fails to connect, it will wait about 20 seconds then try the next A record. It doesn't matter if the IP responds, the client must be able to successfully connect or it moves on. DNS RR is now how Microsoft recommends you implement site resiliency.

An HLB is still recommended in front of each CAS array because it has the advantage of being able to automatically or manually pull a CAS server out of the pool for near complete transparency to the client. With DNS RR, you have the 20 second wait, and some clients will continue to try connecting to a failed IP when they start up. An HLB has other advantages as well, such as the ability to truly balance the load.

The ideal infrastructure includes an HLB. If you can't afford an HLB, DNS RR is a viable alternative. You can use IIS ARR, but you have a single point of failure unless you use NLB to create an IIS cluster. If you are going to use NLB, you might as well just use it directly on your CAS servers. IIS ARR is intended more as an alternative to TMG. It is a security layer to proxy requests from the Internet so that client connections don't hit Exchange before being authenticated.

-JJ
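Added example (not code from this thread or from Microsoft): a small Python model of the two behaviours the thread contrasts, the client-side failover Jamie describes (try each A record in turn, wait about 20 seconds per failed attempt) and the health-checked pool a load balancer keeps, which is the gap Gareth points out with plain DNS RR. The addresses and up/down states are constructed sample data; the live path uses a bare TCP connect to port 443 as a stand-in for the client's HTTPS connection.

```python
"""Model DNS round-robin client failover vs. a health-checked LB pool.
Sample addresses and the 'up' map used in the demo are constructed."""
import socket

CLIENT_TIMEOUT = 20  # seconds a client waits on one A record before moving on


def resolve_all(name, resolver=None):
    """Return every A record for name, as a round-robin client receives them.
    A resolver callable can be injected for offline use."""
    if resolver is not None:
        return list(resolver(name))
    infos = socket.getaddrinfo(name, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def tcp_connect_ok(addr, timeout=CLIENT_TIMEOUT):
    """Stand-in for the client's HTTPS connect: can we reach TCP/443 at all?"""
    try:
        with socket.create_connection((addr, 443), timeout=timeout):
            return True
    except OSError:
        return False


def client_connect(addrs, connect_ok=tcp_connect_ok, timeout=CLIENT_TIMEOUT):
    """Walk the A records the way the thread describes: try each in order,
    charging the per-record wait for every failure. Returns (address, seconds
    waited) or (None, seconds waited) if every record fails."""
    waited = 0
    for addr in addrs:
        if connect_ok(addr, timeout):
            return addr, waited
        waited += timeout
    return None, waited


def healthy_pool(addrs, connect_ok=tcp_connect_ok, timeout=CLIENT_TIMEOUT):
    """What a health-checking load balancer would keep in its pool, so a
    client is never handed a node that fails the probe."""
    return [a for a in addrs if connect_ok(a, timeout)]


if __name__ == "__main__":
    records = ["192.0.2.11", "192.0.2.12"]          # constructed CAS addresses
    up = {"192.0.2.11": False, "192.0.2.12": True}  # constructed node state
    probe = lambda a, t: up[a]
    print("DNS RR client:", client_connect(records, probe))   # ('192.0.2.12', 20)
    print("LB pool:", healthy_pool(records, probe))           # ['192.0.2.12']
```

A real Outlook client also caches the DNS answer for the record's TTL, so the time-to-recover Jamie mentions is the per-record wait plus however long the stale answer lives.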