The Cisco Application Control Engine (ACE) was used in a one-armed mode configuration in the tested topology and provided load balancing services for the Exchange CAS servers. It also served as the point in the traffic flow for SSL offloading. The following ACE service module configuration is that of the virtual context that was created to support the Exchange load balancing service.
Table 19 Solution Components
Platform Version
WAAS Central Manager (enabled on WAE-502-K9)
ESX Server, vCenter Server, vCenter Client 4.0 Update 1
LoadGen for Exchange 2010 V14.01.0139
Windows Server 2008 R2 x64 Enterprise edition for servers with Mailbox role (for DAG support); Standard edition for all other roles.
NetApp FAS 3170 Data ONTAP 7.3.2
DSX-14.0TB-QS-R5
DS14MK2 SHLF,14.0TB SATA,QS,R5
Configuration Description
access-list all line 10 extended permit ip any any
IP access list.
access-list all line 20 extended permit icmp any any
Access list to allow ICMP.
probe http http-probe
  interval 60
  passdetect interval 60
  passdetect count 2
  request method get url /exchweb/bin/auth/owalogon.asp
  expect status 400 404
probe https https-probe
  interval 60
  passdetect interval 60
  passdetect count 2
The probe definitions are used for health monitoring of the Exchange servers. These probes are referenced in other parts of the configuration.
rserver host CAS1
  ip address 10.7.53.55
  probe http-probe
Rserver statements define the remote servers to be load balanced. The probes defined in the previous section of the configuration are used in these statements. The IP addresses are those of the data interfaces on the actual CAS servers. The rserver hosts are used later in the configuration, where they are referenced by the serverfarm statements.
rserver redirect SSLREDIRECT
  webhost-redirection https://aceexchange-vip.ucshypervroles.com/owa 302
  inservice
Used to redirect traffic to the stated URL. This is used in the case where traffic may be coming in destined for the VIP on a non-SSL connection. The URL defined in this statement is resolved by DNS to the address of the VIP on the ACE.
Serverfarms reference the rservers and are what traffic is load balanced against. TCP probes are applied here.
serverfarm redirect SSLREDIRECT
  rserver SSLREDIRECT
    inservice
The SSLREDIRECT server farm points to the SSLREDIRECT rserver, which redirects to the SSL URL for the OWA Web service.
sticky ip-netmask 255.255.255.255 address source CAS-IP
  replicate sticky
  serverfarm CAS-FARM
Associates the server farm CAS-FARM with the sticky group CAS-IP, for load balancing to the actual CAS servers contained in the server farm (CAS-FARM).
sticky http-cookie Cookie OWA-STICKY
  cookie insert browser-expire
  timeout 60
  replicate sticky
  serverfarm CAS-FARM-80
The sticky cookie used for OWA is referenced later in the configuration.
sticky http-header Authorization CAS-RPC-HTTP
  serverfarm CAS-FARM-80
Sticky statement bases stickiness on Authorization in the HTTP header.
  2 match virtual-address 10.7.53.200 any
Exchange IMAPI-RPC VIP, matching inbound traffic destined for the virtual address of 10.7.53.200.
class-map match-all OWA-OUTLOOKAHYWHERE-SSL
  2 match virtual-address 10.7.53.200 tcp eq https
class-map match-all OWAREDIRECT
  2 match virtual-address 10.7.53.200 tcp eq www
Exchange OWA and Outlook Anywhere VIPs. The first class map matches https traffic destined for the virtual address of 10.7.53.200. The second matches www traffic destined for the virtual address of 10.7.53.200.
policy-map type management first-match mgmt-pm
sticky-serverfarm CAS-IP
Takes traffic that is matched at the MAPI-RPC virtual server and load balances it to the Layer 7 sticky group (CAS-IP) based on the IP address.
policy-map type loadbalance first-match OWA-OUTLOOKANYWHERE
  match OUTLOOK_ANYWHERE http header User-Agent header-value "MSRPC"
    sticky-serverfarm CAS-RPC-HTTP
  class class-default
    sticky-serverfarm OWA-STICKY
policy-map type loadbalance http first-match SSLREDIRECT
  class class-default
    serverfarm SSLREDIRECT
The match statement takes traffic that carries the MSRPC value in the header and load balances that traffic to the sticky group CAS-RPC-HTTP, with stickiness based on the HTTP header. The CAS-RPC-HTTP sticky statement earlier in the configuration shows that it is matched on Authorization in the header and uses the server farm CAS-FARM-80. The OWA-STICKY sticky-serverfarm statement establishes the Layer 7 load balancing action. As shown in the earlier part of the configuration, this is the insertion of a cookie.
policy-map multi-match int53
Multi-match policy that defines the match order of traffic and forwards it to the corresponding policies.
  class OWAREDIRECT
    loadbalance vip inservice
    loadbalance policy SSLREDIRECT
The first class defined is for the SSL redirect policy, so that when traffic attempts to connect over a non-SSL connection, it is forwarded to the SSL proxy termination.
  class OWA-OUTLOOKAHYWHERE-SSL
    loadbalance vip inservice
    loadbalance policy OWA-OUTLOOKANYWHERE
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 53
    ssl-proxy server OWA
The next class, OWA-OUTLOOKAHYWHERE-SSL, defines what to do with the redirected traffic: it is load balanced against the policy OWA-OUTLOOKANYWHERE.
  class IMAPI-RPC
    loadbalance vip inservice
    loadbalance policy IMAPI-RPC
    nat dynamic 1 vlan 53
Traffic that is not matched in the previous classes is then picked up by the final IMAPI-RPC policy.
interface vlan 53
  description to server-side vlan
  ip address 10.7.53.8 255.255.255.0
  alias 10.7.53.7 255.255.255.0
  peer ip address 10.7.53.9 255.255.255.0
  access-group input all
  nat-pool 1 10.7.53.200 10.7.53.200 netmask 255.255.255.0 pat
  service-policy input int53
  service-policy input mgmt-pm
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.7.53.1
Server side VLAN of CAS servers.
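
The descriptions above note repeatedly that probes, rservers, server farms, sticky groups, class maps and policies are referenced by name from later statements. The following Python check is an added example, not part of the original configuration guide: it reads an ACE context configuration and reports every name that is referenced but never defined, keeping a separate namespace per object kind because this configuration reuses SSLREDIRECT and IMAPI-RPC across kinds. The function name `dangling_refs` and the `serverfarm host` definition line in the sample are assumptions of the example.

```python
import re

# Object kinds defined by a top-level statement; the object's name is the last word.
DEF_KINDS = {"probe", "rserver", "serverfarm", "sticky", "class-map", "policy-map"}
# Indented sub-commands that refer to another object by name, and the kind referred to.
REFS = [(r"probe (\S+)$", "probe"), (r"rserver (\S+)", "rserver"),
        (r"serverfarm (\S+)", "serverfarm"), (r"sticky-serverfarm (\S+)", "sticky"),
        (r"class (\S+)$", "class-map"), (r"loadbalance policy (\S+)", "policy-map"),
        (r"service-policy input (\S+)", "policy-map")]

# Constructed sample: abridged context assembled from statements on this page.
# The "serverfarm host" definition line is assumed; the page shows only references to it.
SAMPLE = """\
probe http http-probe
rserver host CAS1
  ip address 10.7.53.55
  probe http-probe
serverfarm host CAS-FARM-80
  rserver CAS1
sticky http-header Authorization CAS-RPC-HTTP
  serverfarm CAS-FARM-80
class-map match-all OWA-OUTLOOKAHYWHERE-SSL
  2 match virtual-address 10.7.53.200 tcp eq https
policy-map type loadbalance first-match OWA-OUTLOOKANYWHERE
  match OUTLOOK_ANYWHERE http header User-Agent header-value "MSRPC"
    sticky-serverfarm CAS-RPC-HTTP
policy-map multi-match int53
  class OWA-OUTLOOKAHYWHERE-SSL
    loadbalance policy OWA-OUTLOOKANYWHERE
interface vlan 53
  service-policy input int53
"""


def dangling_refs(config):
    """Return sorted (kind, name, line_no) for names referenced but never defined."""
    defined, used = set(), []
    for no, raw in enumerate(config.splitlines(), 1):
        words = raw.split()
        if words and not raw[0].isspace():  # top-level statement: may define an object
            if words[0] in DEF_KINDS:
                defined.add((words[0], words[-1]))
            continue
        for pattern, kind in REFS:  # indented sub-command: may reference an object
            m = re.match(pattern, raw.strip())
            if m and m.group(1) != "class-default":
                used.append((kind, m.group(1), no))
    return sorted(u for u in used if u[:2] not in defined)
```

Run against the sample, the check returns an empty list; if the class name under `policy-map multi-match int53` is respelled as OWA-OUTLOOKANYWHERE-SSL while the class map keeps the spelling OWA-OUTLOOKAHYWHERE-SSL used in this configuration, it reports that class reference as dangling.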