• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to secondary sidebar
OpenTechTips

OpenTechTips

Comprehensive IT Guides for Pros and Enthusiasts

MENUMENU
  • HOME
  • ALL TOPICS
    • Exchange
    • InfoSec
    • Linux
    • Networking
    • Scripting
      • PowerShell
    • SSL
    • Tools
    • Virtualization
    • Web
    • Windows
  • ABOUT
  • SUBSCRIBE
Home » CAS load balancing on Exchange 2019, 2016 and 2013

CAS load balancing on Exchange 2019, 2016 and 2013

June 26, 2020 - by Zsolt Agoston - last edited on June 30, 2020

1. CAS - stateless goodness!

This article is solely dealing with the Exchange CAS array (client access services), more precisely with Outlook connectivity. A client has multiple ways to access his/her mailbox on an Exchange server. They can use the very well-known POP3 or IMAP4 protocols that virtually any email client can handle, or using Microsoft-proprietary protocols like EAS (Exchange Active sync) with mobile devices or MAPI (more precisely MAPI over HTTP starting with Exchange 2013), as well as Outlook Anywhere (for legacy devices that can only support RPC over HTTP).

The three latter are better suited for MS clients as they make the client experience more seamless, ideally faster, snappier. When they are not behaving this way that usually boils down to configuration issues with Exchange or in the network-stack.

In this article we focus on these three, as they are the main client-connection protocols and they all use the HTTPS network protocol. That means when it comes to load-balancing and setting our reverse proxy up we only need to worry about port 443/tcp. Of course, if needed ports for POP3 (110 and 995/tcp) and IMAP4 (143 and 993/tcp) can also be set up following the guide below.

After installation is done, by default the Exchange server is set up with virtual directories for the different kind of services that clients can access. These virtual directories refer to the individual server names in their addresses, making it differ on each server in the organization. For instance, OWA, the Web-based user interface is listening on https://MB1.alwayshotcafe.com/owa on server MB1. MB2 has the same service configured on https://MB2.alwayshotcafe.com/owa

Get Virtual Directories

Function GetVirtDirs {

Get-MailboxServer | %{
	Get-ActiveSyncVirtualDirectory -Server $_.Name | Select Server, Name, InternalUrl, ExternalUrl
	Get-WebServicesVirtualDirectory -Server $_.Name | Select Server, Name, InternalUrl, ExternalUrl
	Get-MapiVirtualDirectory -Server $_.Name | Select Server, Name, InternalUrl, ExternalUrl
	Get-EcpVirtualDirectory -Server $_.Name | Select Server, Name, InternalUrl, ExternalUrl
	Get-OwaVirtualDirectory -Server $_.Name | Select Server, Name, InternalUrl, ExternalUrl
	Get-OabVirtualDirectory -Server $_.Name | Select Server, Name, InternalUrl, ExternalUrl
	Get-PowerShellVirtualDirectory -Server $_.Name | Select Server, Name, InternalUrl, ExternalUrl
	Get-AutodiscoverVirtualDirectory -Server $_.Name | Select Server, Name, InternalUrl, ExternalUrl
	}
}
CAS load balancing on Exchange 2019, 2016 and 2013

The issue with this is when a client access server goes down, all the clients who are connected to the server will have their Outlook frozen causing a long downtime. Assuming of course that the databases are taken care of by configured DAG.

Luckily starting with Exchange 2013 the CAS connections are stateless connections, so all we need to do is to configure the virtual directories with a designated namespace for the client connections.

In our example we pick 'outlook.alwayshotcafe.com' for the CAS. This will match on all the member servers, so when a client connects through a layer 4 or layer 7 load balancer, it doesn't matter which server gets that user query. Remember, CAS connections are stateless so layer 4 load balancers will just do the job, although a layer 7 solution is better as it remembers a client and directs it to the same member each time, making the queries much faster.

CAS load balancing on Exchange 2019, 2016 and 2013

Here we use HAProxy on our pfSense firewall for load balancing (setup guide comes here). Let's see how it all comes together.

2. Configure the unified namespace for client access

We'll use outlook.alwayshotcafe.com for client access. First, we configure the load balancer with a dedicated IP that listens for connection requests, then forwards them to available CAS servers. The IP in our case is 10.0.1.250, we add an new A record to our domain zone file with this IP as 'outlook'.

CAS load balancing on Exchange 2019, 2016 and 2013

The next step is setting the virtual directories on the servers with the new FQDN

# Setting the name of the unified cas address
$cas = 'outlook'

ForEach ($server in (Get-MailboxServer).Name) {
	# Getting virual direcory addresses
	$eas = (Get-ActiveSyncVirtualDirectory -Server $server).InternalUrl.AbsoluteUri
	$ecp = (Get-EcpVirtualDirectory -Server $server).InternalUrl.AbsoluteUri
	$mapi = (Get-MapiVirtualDirectory -Server $server).InternalUrl.AbsoluteUri
	$oab = (Get-OabVirtualDirectory -Server $server).InternalUrl.AbsoluteUri
	$owa = (Get-OwaVirtualDirectory -Server $server).InternalUrl.AbsoluteUri
	$ews = (Get-WebServicesVirtualDirectory -Server $server).InternalUrl.AbsoluteUri

	# Uniformizing virtual directory addresses (same namespace)
	$easUni = $eas -replace ($server, $cas)
	$ecpUni = $ecp -replace ($server, $cas)
	$mapiUni = $mapi -replace ($server, $cas)
	$oabUni = $oab -replace ($server, $cas)
	$owaUni = $owa -replace ($server, $cas)
	$ewsUni = $ews -replace ($server, $cas)

	# Setting new names, external address as well
	Get-ActiveSyncVirtualDirectory -Server $server | Set-ActiveSyncVirtualDirectory -InternalUrl $easUni -ExternalUrl $easUni
	Get-EcpVirtualDirectory -Server $server | Set-EcpVirtualDirectory -InternalUrl $ecpUni -ExternalUrl $ecpUni
	Get-MapiVirtualDirectory -Server $server | Set-MapiVirtualDirectory -InternalUrl $mapiUni -ExternalUrl $mapiUni
	Get-OabVirtualDirectory -Server $server | Set-OabVirtualDirectory -InternalUrl $oabUni -ExternalUrl $oabUni
	Get-OwaVirtualDirectory -Server $server | Set-OwaVirtualDirectory -InternalUrl $owaUni -ExternalUrl $owaUni
	Get-WebServicesVirtualDirectory -Server $server | Set-WebServicesVirtualDirectory -InternalUrl $ewsUni -ExternalUrl $ewsUni
	}

3. Verify the virtual directories are set

We run the GetVirtDirs function (see step 1) to verify they are all set with the outlook.alwayshotcafe.com FQDN

CAS load balancing on Exchange 2019, 2016 and 2013

From this point in time all client access connections are received by our load balancer, then forwarded to an available Mailbox server.

CAS load balancing on Exchange 2019, 2016 and 2013

We can verify this on a client too:

CAS load balancing on Exchange 2019, 2016 and 2013

Reader Interactions

Comments Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Tools

Secondary Sidebar

CONTENTS

  • 1. CAS – stateless goodness!
  • 2. Configure the unified namespace for client access
  • 3. Verify the virtual directories are set

  • Terms of Use
  • Disclaimer
  • Privacy Policy
Manage your privacy

To provide the best experiences, we and our partners use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us and our partners to process personal data such as browsing behavior or unique IDs on this site and show (non-) personalized ads. Not consenting or withdrawing consent, may adversely affect certain features and functions.

Click below to consent to the above or make granular choices. Your choices will be applied to this site only. You can change your settings at any time, including withdrawing your consent, by using the toggles on the Cookie Policy, or by clicking on the manage consent button at the bottom of the screen.

Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Statistics

Marketing

Features
Always active

Always active
Manage options Manage services Manage {vendor_count} vendors Read more about these purposes
Manage options
{title} {title} {title}
Manage your privacy
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Statistics

Marketing

Features
Always active

Always active
Manage options Manage services Manage {vendor_count} vendors Read more about these purposes
Manage options
{title} {title} {title}