Sunday, March 27, 2016

NetScaler VPX - load balance Exchange - Part 2 (load balance SMTP traffic)

Having completed the basic configuration of the NetScaler VPX, I will now configure load balancing for SMTP traffic, specifically inbound mail traffic entering my network via the perimeter firewall.

These are the IP addresses that we will use. Some will be configured on the NetScaler. Others are for reference.

10.0.0.23 - EX13-1 (Exchange server 1)
10.0.0.24 - EX13-2 (Exchange server 2)

Note 1: despite the "13" in the hostname, these servers are Exchange 2010 servers.
Note 2: make sure all the related network nodes are up and running.

10.0.0.32 - VPX NSIP
10.0.0.33 - VPX SNIP

Note 3: these IP addresses were configured on the VPX in the previous blog post.


***


Verify connectivity

I will take advantage of this project to present some of the diagnostic tools of the NetScaler and test connectivity with the remote network nodes listed above.

If we browse to this location in the NetScaler GUI...

NetScaler > System > Diagnostics

We have several common diagnostic tools at our disposal, among others PING, TRACEROUTE and a command line interface:




If I open PING, I can enter the hostname or IP address of the remote target and the number of pings I want to send. There are a number of other options as well (not shown below):



When I have finished, I click on "Run" at the very bottom of the page:




Connectivity is verified for the first Exchange server (EX13-1):



Note : we can also open a command line and enter the commands directly there.

I also verified connectivity with the other Exchange server (success).




Configure load balancing for SMTP traffic (port 25)

Now I will configure load balancing. To begin, I will load balance SMTP traffic (port 25). Most organizations have one or more firewall appliances at the perimeter of their network and often perform what is known as "1 to 1 NAT".

Note: the paragraph that follows assumes basic knowledge of DNS, mail flow and networking. Also, there is some degree of simplification (some organizations may have more complex networks).

In the case of SMTP traffic, the MX records designate an A record that, in turn, designates the IP address of the external interface of the perimeter firewall. The external IP address is a routable address and usually needs to be associated with an internal non-routable IP address that would otherwise be inaccessible from the Internet. The association of the external routable address and internal non-routable address is an implementation of what we call "1 to 1 NAT". The internal IP address is often that of a mail hygiene appliance such as Barracuda or Ironport, but could be that of the Exchange server itself. If we have more than one Exchange server, and want to ensure some level of high availability, we can direct incoming mail to a load balancer that will monitor the status of the Exchange servers and direct SMTP traffic only to the active server(s) if the other(s) is (are) unavailable. As its name suggests, the appliance can also "balance" the traffic between the two nodes (and perform even more tasks that I will not address here).

Here is a very simple illustration:

Internet -> Firewall -> Load Balancer -> Exchange Server(s)

Load balancing is one of the many features of the NetScaler. We can enable the feature here...



By checking the appropriate box:





We configure load balancing itself here:

NetScaler > Traffic Management > Load Balancing




We need to create:
  • Servers
  • Services
  • Virtual Servers (with a "VIP")
  • Monitors (optional - there is always a default monitor that checks the status of the (Exchange) servers but not of the services. It is possible that the server is available (functional) but the actual services are stopped. Therefore, we can optionally configure a monitor if we want to fine-tune the awareness of service availability).

I will follow the order of creation used the in Citrix training course  (see reference in previous blog post), although creating the items above in a different order is possible.


Servers

First, I create "Servers". These servers represent the Exchange servers to which SMTP traffic will be redirected after it reaches the load balancer (yes, click on "Add"):



Enter the necessary details and click on Create:



Note: I use the naming convention used in the Citrix course: srv for server (followed by an underscore and the name of the server), svc for service, and lb_vs for load balancing virtual server (see below). However, you can name these elements according to your own conventions.

I then add a second server (note the first server we created in the server list):




Now we have designated our two Exchange servers:




Services

Next we must configure a "service" (in this case for SMTP) associated with each of the servers:



Configure a SMTP service for each of the Exchange servers as shown below






Here are the services we have configured:



Note: if we need to make adjustments to the configuration, we would need to make the changes for each service. If we had many servers (and one service configured per server) it might be preferable to use a "service group" so we could make a change once and have it apply to all the server members of the service group. Please consult the documentation for additional information about service groups.



Virtual Servers

Now we will create a "virtual server" for SMTP, associated with the two SMTP services, each of which is associated with one of the two Exchange servers. The virtual server, and its virtual IP address, or "VIP", in particular, represent the service (and indirectly the "real" servers)  to clients who will direct their communications to this VIP.



For the virtual server, we provide the details entered in the screenshot below. The IP address is the address that clients will access for the service in question (as opposed to the IP address of the Exchange servers themselves). In my case, the "client" for SMTP connections is the perimeter firewall that will forward email from the outside to this IP address (10.0.0.36):




Once we click OK, we will arrive at this page where we need to bind the two services (each linked to one of the Exchange servers) to the virtual server:



We click on "No Load Balancing Virtual Server Service Binding" (see above) and then "Click to select" services:



Select both of the services we configured earlier...


And click on "Bind":



We have almost finished! We still need to select a load balancing "method", the most common being "Round-Robin" which we will use here. Once we click on "Bind" (above), we should see a page similar to the one below. Select "Method" in the menu on the far right...



And select ROUNDROBIN as the Load Balancing Method:




The result should look like this:





Lastly, we should direct incoming SMTP traffic to the VIP of the virtual server (10.0.0.36). In my case, the perimeter firewall is a Cisco ASA device so I make the adjustments here:




Remember to save your configuration by clicking on the floppy disk icon in the upper right-hand corner. If you shut down the NetScaler from the NetScaler, you will be prompted to save the "running configuration". If you shutdown the NetScaler from VMware workstation, you will NOT be prompted to save your configuration...

***

I tested the configuration above by sending email to an internal test user from an external email account (Gmail or Hotmail for example). The email arrived in the Inbox successfully. Of course, this requires that we have correctly configured a number of other elements that I have not presented here, such as DNS MX and A records as well as 1 to 1 NAT on our perimeter firewall.  


No comments:

Post a Comment