Load balancing Exchange 2010 with Citrix Netscaler using Content Switching
Next to F5, KEMP Technologies and a lot of other network load balancing vendors there’s also Citrix with its Netscaler brand. Especially when an environment also has Citrix servers, it could mean that well scaled Netscaler devices are already present and can be used for other purposes next to Citrix Secure Gateway access. Obviously Exchange 2010 comes to mind.
Citrix already has a very helpful Netscaler Exchange 2010 deployment guide (PDF warning). Unfortunately that guide is not always something one can implement exactly. For instance, in the guide Citrix uses a unique IP address for each separate protocol, which is not always possible if addresses are limited.
However, all or most Netscalers also provide Content Switching. With this you only need one IP address while still having optimized persistence/affinity and time-out settings for each protocol, even though they all use the same TCP port (HTTPS). For some background information on persistence for Exchange 2010, check this article.
First create the services as described in the Citrix Deployment guide. You make one per physical server for each specific service, like HTTP (Load Balancing>Services>Add>):
When that is done you can create a Virtual Server for each different protocol, meaning OWA, ActiveSync, OAB, EWS etc. (Load Balancing>Virtual Servers>Add>). In this example, the OWA Service is shown with the specific Load Balancing method and persistence options (note that COOKIEINSERT requires SSL Offloading).
But instead of entering an IP address, keep it empty and untick the “Directly Addressable” box.
Now you have to make sure Content Switching is enabled on your Netscaler. You can do that via System>Settings>Configure Basic Settings> Enable Content Switching.
After this you can create Content Switching (CS) Policies via Content switching>Policies>Add…. For OWA I would check whether the specific hostname is requested in the HTTP request: HTTP.REQ.HOSTNAME.CONTAINS("webmail.contoso.com")
You can build it with the expression builder via Configure… button and build the expression from there.
When you’ve made the CS Policies, you can now make Content Switching servers via Content switching>Virtual Servers>Add…
Now you can add the IP address the Netscaler has to respond to. This is also the Virtual IP (VIP) address you have to point your FQDN for OWA and other protocols towards.
In the CSW field (open per default), right click and choose “Insert Policy”. A drop down menu appears (as shown above), and every available CS policy is visible. Note that a policy can only be used once.
In this case the previously made webmail.contoso.com policy is selected. Now select the target field and the different Load Balancing Virtual Servers are listed, in this case only VIP_Exchange_OWA.
Select it and choose Yes in the corresponding question box.
Now every HTTP request on IP 172.16.0.205 with FQDN webmail.contoso.com will be directed to use the Load Balancing Virtual Service which uses two Client Access Servers previously defined as valid services.
If you want to make another Load Balancing service for other protocols with other persistence timeout values, but with the same VIP, make another Content Switching Policy and add it to the same Content Switching Virtual Server. However, you will have to point it to a different Load Balancing target, namely the one with the optimal settings for that protocol.
For Autodiscover use the expression:
For ActiveSync use the expression:
HTTP.REQ.HOSTNAME.CONTAINS("webmail.contoso.com") && HTTP.REQ.URL.PATH.TO_LOWER.STARTSWITH("/microsoft-server-activesync")
For EWS, OAB and Outlook Anywhere you can reuse the ActiveSync expression with the URL paths /ews, /oab and /rpc. If you don’t specify these explicitly, they would just match the OWA Content Switching policy (which is agnostic about the path in this case) and thus get the same persistence values as those specified for OWA. I found that it is sufficient most times.
Insert every CS Policy in the CS Virtual Server, and order them in the correct sequence. Note that Netscaler checks policies with a lower priority value first and works up to higher values (first 10 and then 100). The policies that match on specific paths must come first (lower priority value), otherwise those requests would be caught by the generic hostname policy and would not get the optimized load balancing rules.
In the above example you can see the generic webmail.contoso.com policy has an OWA target and a priority of 100. Subsequent policies are ActiveSync (EAS), Autodiscover and Offline Address Book (OAB) each with a corresponding target and persistence settings.
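The following is an added example, not part of the original article or any Citrix code: a small Python model of how the Netscaler evaluates the CS policies above (hostname and path expressions, lowest priority value first), which makes the ordering pitfall easy to verify. The policy names, targets, priorities and sample requests are constructed for the illustration.

```python
"""Model of Netscaler content-switching policy evaluation for the one-VIP
Exchange 2010 layout: several CS policies, each bound to one LB vserver."""
from typing import Callable, Dict, List, NamedTuple, Optional


class Request(NamedTuple):
    hostname: str
    path: str


class CSPolicy(NamedTuple):
    name: str
    rule: Callable[[Request], bool]   # stands in for the Netscaler expression
    target_lb_vserver: str
    priority: int                     # lower value = evaluated earlier


def hostname_contains(needle: str) -> Callable[[Request], bool]:
    # HTTP.REQ.HOSTNAME.CONTAINS("..."); hostnames are matched case-insensitively
    return lambda r: needle.lower() in r.hostname.lower()


def host_and_path(host: str, prefix: str) -> Callable[[Request], bool]:
    # HTTP.REQ.HOSTNAME.CONTAINS(host) && HTTP.REQ.URL.PATH.TO_LOWER.STARTSWITH(prefix)
    return lambda r: host.lower() in r.hostname.lower() and r.path.lower().startswith(prefix)


def select_target(policies: List[CSPolicy], req: Request) -> Optional[str]:
    """First matching policy wins, walking from the lowest priority value up."""
    for pol in sorted(policies, key=lambda p: p.priority):
        if pol.rule(req):
            return pol.target_lb_vserver
    return None   # no match: no default LB vserver configured in this model


def shadowed(policies: List[CSPolicy], samples: Dict[str, Request]) -> List[str]:
    """Policies that a representative request never reaches (would show 0 Hits)."""
    return [p.name for p in policies
            if select_target(policies, samples[p.name]) != p.target_lb_vserver]


HOST = "webmail.contoso.com"   # constructed, as in the article's screenshots
GOOD_ORDER = [
    CSPolicy("CS_OWA", hostname_contains(HOST), "VIP_Exchange_OWA", 100),
    CSPolicy("CS_EAS", host_and_path(HOST, "/microsoft-server-activesync"), "VIP_Exchange_EAS", 10),
    CSPolicy("CS_OAB", host_and_path(HOST, "/oab"), "VIP_Exchange_OAB", 30),
]
# Same policies, but the generic OWA rule bound with the lowest value: it catches everything.
BAD_ORDER = [p._replace(priority=1) if p.name == "CS_OWA" else p for p in GOOD_ORDER]
SAMPLES = {"CS_OWA": Request(HOST, "/owa/"),
           "CS_EAS": Request(HOST, "/Microsoft-Server-ActiveSync"),
           "CS_OAB": Request(HOST, "/OAB/manifest.xml")}
```

`shadowed(BAD_ORDER, SAMPLES)` returns the path-specific policies that the mis-ordered binding silently routes to the OWA target.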
After implementation you can check whether the rules are (correctly) being used by watching the Hits column.
So with Netscaler Content Switching you are still able to optimize persistence settings per protocol while using one Virtual IP address for all HTTPS services.
For these screenshots I’ve used the Citrix Netscaler free trial virtual appliance which can be downloaded from www.citrix.com. Note that for some of these settings you’ll also need SSL Offloading. The specific configuration and certificate selection (in the Content Switching Virtual Server for instance) is not shown.