OpenTechTips

Load Balancer for Exchange 2019, 2016 and 2013 with HAProxy | FREE

June 30, 2020 - by Zsolt Agoston - last edited on July 1, 2020

The following steps describe how to set up a proper load balancer on pfSense for Exchange 2019, 2016 or 2013 using HAProxy.

1. Before You Begin

The outlook.alwayshotcafe.com A record is added to the alwayshotcafe.com domain zone file. Its IP is 10.0.1.250, as seen in the screenshot.


2. The Planned Setup

When we are done, all clients will connect to our load balancer, which forwards client traffic to one of the configured CAS servers. We use round robin load balancing, but you can use any other method you prefer; because the client connections are stateless, we have a great amount of flexibility in that sense.


3. Install HAProxy on pfSense

Under System, select Package Manager / Available Packages, search for "haproxy" and click the Install button.


4. Configure HAProxy

After installing it, open the configurator under the Services tab.

a. Under Settings, enable the service and set the maximum connection number to 1000.


b. Set the internal stats port to 2200 so the stats page can be accessed later.


c. The SSL DH parameter size needs to be at least 2048 bits.


d. Under the Backend tab we specify the name of the backend server collection, outlook_servers, for easy identification. Then we add our three mailbox servers to the list, specifying port 443 with SSL encryption on.


e. Load balancing is set to round-robin, but you can set any option you prefer.


f. Health checking is 'none' in our case: as this is a lab, HAProxy does not need to check whether the backend servers are up. If one goes down, we adjust the load balancer manually.


g. Make connections sticky, so clients do not jump from one backend server to another; this keeps the user experience seamless, as Outlook can hang briefly when jumping between CAS servers.


h. Set up the 10.0.1.250 virtual IP address (the one we added to DNS earlier) under the Firewall tab; it will be used by the "outlook" listener.


i. For SSL offloading to work (see the next step), we need to import the SSL certificate for outlook.alwayshotcafe.com, the same one that we use on the mailbox servers. In this example we use a wildcard cert which covers all hosts in the alwayshotcafe.com domain. For detailed steps on how to export the SSL certificate from an Exchange server and extract the private key, public key and CA certificate from the PFX file, see the guide here.

Import ca.cer under CAs.


Then import pub.cer and priv.cer into the certificate store.


j. Under the Frontend tab we set up the listener on the pfSense firewall. We use the virtual IP from step h., listening on port 443, and enable SSL offloading. This means the client connection terminates on the firewall, so the load balancer can see connection details such as session information for proper L7 balancing. These details would be inaccessible if the encrypted HTTPS connection simply passed through the load balancer.


k. Create an access list called "outlook", matching incoming HTTPS requests for outlook.alwayshotcafe.com. The action is set to use the "outlook_servers" backend collection.


l. The forwardfor option is checked.


m. Under the SSL Offloading section select the wildcard certificate we imported in step i.


n. The last step is very important: to allow connections to this address, under the Firewall section we allow HTTPS traffic from all sources on all interfaces to the "outlook_servers" alias.


First, create an alias for the three mailbox servers.


Now you can add a floating firewall rule, which is flexible as it applies to all interfaces.
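The settings from steps a. to m. written out as a plain haproxy.cfg, so you can see what the pfSense GUI is building and validate it with `haproxy -c -f`. This is an added example, not the file pfSense generates: the mailbox server addresses 10.0.1.11-13, the certificate file paths and the timeouts are assumptions.

```haproxy
global
    maxconn 1000                          # step a: max connection number
    tune.ssl.default-dh-param 2048        # step c: DH parameter size at least 2048

defaults
    mode http
    timeout connect 5s
    timeout client  5m                    # assumed: long-lived Outlook/ActiveSync sessions
    timeout server  5m

# step b: stats page on the internal port 2200
listen stats
    bind 127.0.0.1:2200
    stats enable
    stats uri /haproxy?stats

# step j: listener on the firewall VIP, TLS terminated here (SSL offloading)
frontend outlook
    bind 10.0.1.250:443 ssl crt /var/etc/haproxy/outlook.pem   # assumed path: cert + key + CA chain from step i
    option forwardfor                     # step l: pass the client IP to the backend
    # step k: ACL "outlook" matches the published host name
    acl outlook hdr(host) -i outlook.alwayshotcafe.com
    use_backend outlook_servers if outlook

# steps d-g: the backend collection of the three mailbox servers
backend outlook_servers
    balance roundrobin                    # step e
    # step g: sticky sessions via an inserted cookie; indirect/nocache keeps it away from the backend and caches
    cookie SERVERID insert indirect nocache
    # step f: no "check" keyword, as health checking is "none" in this lab
    # re-encrypt to the CAS servers on 443 and verify them against the ca.cer imported in step i (assumed path)
    server cas01 10.0.1.11:443 ssl verify required ca-file /var/etc/haproxy/ca.cer cookie cas01
    server cas02 10.0.1.12:443 ssl verify required ca-file /var/etc/haproxy/ca.cer cookie cas02
    server cas03 10.0.1.13:443 ssl verify required ca-file /var/etc/haproxy/ca.cer cookie cas03
```

The stats socket and the firewall rules from step n. are outside haproxy.cfg and are not shown here.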


Comments

  1. Brahim says

    June 4, 2023 at 22:25

    Hi, thanks for this tutorial, very helpful.

    But I have a question regarding the firewall rule to allow access to the backend servers. I think this shouldn't happen because we proxy all traffic via the VIP interface! So I think you have to allow only HTTPS traffic to the VIP interface, not the backend servers.

    Thanks.

