Basic CAS connection path
In this article we address the issue of client access during Exchange maintenance. By default, after installation every client access service on an Exchange server is configured with that server's own name. Let's take a simple example. We have three client access capable Exchange servers in our system: MB1, MB2 and MB3. Outlook clients connect to them through the appropriate MAPI virtual directory on the CAS servers. For example, a mailbox hosted on the MB1 server will likely connect through the https://MB1.alwayshotcafe.com/mapi address, a user whose mailbox is in a database on the MB2 server will likely use https://MB2.alwayshotcafe.com/mapi, and so on.
Client connection during DAG maintenance
Now, say we have a DAG configured, with the MB1 and MB2 servers as member nodes. The database that hosts John Doe's mailbox is currently active on MB1. We need to perform server maintenance on MB1 that will take it offline for a while. We obviously perform the planned DAG failover procedure, so all the databases on MB1 are activated on the other DAG members (on MB2 in this case), providing uninterrupted mail flow for the users on those databases. It is now safe to power down the member server in maintenance mode. But what happens to the users who are currently connected through this server? Remember, a user does not need to have their mailbox hosted on MB1 to be connected through this server by Outlook. If we simply powered down MB1, their Outlook would freeze and it would take quite some time to connect through another server.
Of course, we might wait 1-2 hours for the client connections to switch over to the active server, but that's not ideal and not guaranteed to work for all users.
As seen in the screenshots below, the client will try to connect through the mailbox server where its mailbox is hosted.
And through MB2:
Load Balancing
To get around this issue, the elegant solution is to configure a single namespace for all the CAS servers, such as https://outlook.alwayshotcafe.com/... , which points to a load balancer that distributes the connections between the member servers. Remember, CAS connections are stateless starting from Exchange 2013, so we can use both layer 4 and layer 7 load balancers to achieve high availability. See a detailed guide here on how to set up HAProxy on pfSense as an excellent load balancing solution for Exchange CAS connections.
Now all clients will use outlook.alwayshotcafe.com as the common connection point. When a CAS server becomes inaccessible, the load balancer redirects traffic to the active servers, either automatically or manually, depending on how you prefer to configure the load balancer.
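The following is an added example, not part of the original article: a way to audit which client access virtual directories still advertise a server's own name instead of the shared namespace, and to preview the change. It assumes the article's sample names (MB1, MB2, MB3, outlook.alwayshotcafe.com) and is meant to be run in the Exchange Management Shell; the list of virtual directory types checked is a choice made for this example.

```powershell
# Added example. Server names and namespace are the article's sample values.
$Servers   = 'MB1', 'MB2', 'MB3'
$Namespace = 'outlook.alwayshotcafe.com'

# Nouns of the Get-/Set-*VirtualDirectory cmdlets to audit (example selection).
$Nouns = 'MapiVirtualDirectory', 'OwaVirtualDirectory', 'EcpVirtualDirectory',
         'WebServicesVirtualDirectory', 'OabVirtualDirectory',
         'ActiveSyncVirtualDirectory'

$report = foreach ($server in $Servers) {
    foreach ($noun in $Nouns) {
        foreach ($vd in & "Get-$noun" -Server $server) {
            # Skip directories with no internal URL configured.
            if (-not $vd.InternalUrl) { continue }

            $url = [uri]"$($vd.InternalUrl)"
            [pscustomobject]@{
                Server        = $server
                Noun          = $noun
                Identity      = "$($vd.Identity)"
                InternalUrl   = $url.AbsoluteUri
                UsesNamespace = ($url.Host -eq $Namespace)
                # Same path (/mapi, /owa, ...) under the shared host name.
                ProposedUrl   = "https://$Namespace$($url.AbsolutePath)"
            }
        }
    }
}

# Directories still pointing at a per-server name show UsesNamespace = False.
$report | Format-Table Server, Noun, InternalUrl, UsesNamespace -AutoSize

# Preview only: -WhatIf prints what would change without changing anything.
foreach ($row in $report | Where-Object { -not $_.UsesNamespace }) {
    & "Set-$($row.Noun)" -Identity $row.Identity `
        -InternalUrl $row.ProposedUrl -WhatIf
}
```

Before removing -WhatIf, make sure the shared name resolves to the load balancer and that the certificate presented for client connections covers outlook.alwayshotcafe.com, otherwise Outlook clients will see certificate name mismatch warnings.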
Next step: configure load balancing for Exchange 2013-19 with HAProxy