Cisco’s ACE appliances and modules are something that I see constantly at customers. Unfortunately, Cisco’s application-specific documentation is rather lacking. There’s a rather simplistic sample config at http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/App_Networking/Exchange_VSphere_UCS_NetApp.html#wp345264, but that doesn’t really have everything you need. The folks at F5, on the other hand, have extremely well-documented application guides for their hardware, and that’s one of the reasons I usually send customers to F5 first. The contents of this post are essentially the same for ACE appliances and ACE modules.
In any case, the rest of this post is a working sample configuration for the topology below. A thread on a discussion alias prompted me to clean this up and post it.
In our sample configuration, we’ll configure the load balancer in a one-armed configuration with Source NAT (SNAT). Clients will access services via the mail.contoso.com and autodiscover.contoso.com URLs. In addition, clients who go to a non-SSL URL, or to the root instead of /owa, will be redirected.
Before we get started, a few prerequisites:
- You should have a working context on your ACE appliance/module with resources allocated.
- Your CAS servers should have static ports configured as described here.
- Your SSL certificate and the necessary intermediate and root certificates should be installed on the load balancer.
- A VIP will need to be allocated. We’ll use 192.168.100.200 in this sample.
- If you’re expecting more than ~65K client connections, you’ll need to use more than one IP in the SNAT pool. This example assumes one is enough. We’ll use 192.168.100.199 in this sample.
The entire config is posted below, but first I wanted to speak to a few specific elements and why they’re here:
crypto chaingroup DigiCert
cert DigiCertRootCA
cert DigiCertIntermediateCA
cert mail_contoso_com

This creates a valid SSL certificate chain.
serverfarm host Exchange-CAS-RPC
predictor leastconns
probe TCP135
probe TCP60000
probe TCP60001
fail-on-all
rserver CAS01
inservice
rserver CAS02
inservice
Here we’re validating the availability of the RPC ports on the CAS server. The “fail-on-all” keyword is key here. This makes sure that if any of the three services are unavailable, the server is removed from the farm.
parameter-map type http Exchange-OWA
case-insensitive
persistence-rebalance
set header-maxparse-length 16384
set content-maxparse-length 8192

There are three things going on here:
sticky ip-netmask 255.255.255.255 address source Exchange-CAS-RPC
timeout 7200
replicate sticky
serverfarm Exchange-CAS-RPC

Here we define source IP stickiness. This is used for the RPC services. Warning: if you have source NAT upstream (such as in a network merger scenario), where many clients appear to come from the same IP, load balancing will be uneven.
sticky http-cookie Exchange-Sticky Exchange-CAS-HTTPS-Cookie
cookie insert browser-expire
replicate sticky
serverfarm Exchange-CAS-HTTPS

Here we create a cookie valid for the life of the browser session to ensure that OWA and ECP sessions go to the same CAS server.
action-list type modify http Exchange-CAS-HTTP
header insert request X-Forwarded-For header-value "%is"

This enables us to insert the client’s original IP as an additional HTTP header so that IIS logs can be correlated to a specific client.
policy-map type loadbalance first-match Exchange-CAS-HTTPS
match OWA http url /owa.*
sticky-serverfarm Exchange-CAS-HTTPS-Cookie
action Exchange-CAS-HTTP
ssl-proxy client Exchange-CAS
match ECP http url /ecp.*
sticky-serverfarm Exchange-CAS-HTTPS-Cookie
action Exchange-CAS-HTTP
ssl-proxy client Exchange-CAS
match EWS http url /ews.*
sticky-serverfarm Exchange-CAS-HTTPS-Cookie
action Exchange-CAS-HTTP
ssl-proxy client Exchange-CAS
match ActiveSync http url /Microsoft-Server-ActiveSync.*
sticky-serverfarm Exchange-CAS-HTTPS-AuthZHeader
action Exchange-CAS-HTTP
ssl-proxy client Exchange-CAS
match OutlookAnywhere http header User-Agent header-value "MSRPC"
sticky-serverfarm Exchange-CAS-HTTPS-AuthZHeader
action Exchange-CAS-HTTP
ssl-proxy client Exchange-CAS
class Exchange-CAS-HTTPS-RootRequest
serverfarm Exchange-OWA-REDIRECT
class class-default
sticky-serverfarm Exchange-CAS-HTTPS-SourceIP
action Exchange-CAS-HTTP
ssl-proxy client Exchange-CAS
This policy map enables SSL decryption, inspection of the URL, and application of the correct load balancing action and stickiness.
crypto chaingroup DigiCert
cert DigiCertRootCA
cert DigiCertIntermediateCA
cert mail_contoso_com
access-list all line 10 extended permit ip any any
access-list all line 20 extended permit icmp any any
probe https Exchange-OWA
interval 30
ssl version all
request method get url GET /owa/auth/logon.aspx
expect status 400 404
probe tcp TCP135
description RPC Endpoint Mapper
port 135
interval 30
connection term forced
probe tcp TCP60000
description RPC Client Access
port 60000
interval 30
connection term forced
probe tcp TCP60001
description Address Book Service
port 60001
interval 30
connection term forced
rserver host CAS01
ip address 192.168.100.101
inservice
rserver host CAS02
ip address 192.168.100.102
inservice
rserver redirect OWA-SSL-REDIRECT
webhost-redirection https://mail.contoso.com/owa 302
inservice
serverfarm host Exchange-CAS-HTTPS
predictor leastconns
probe Exchange-OWA
rserver CAS01 443
inservice
rserver CAS02 443
inservice
serverfarm host Exchange-CAS-RPC
predictor leastconns
probe TCP135
probe TCP60000
probe TCP60001
fail-on-all
rserver CAS01
inservice
rserver CAS02
inservice
serverfarm redirect Exchange-OWA-REDIRECT
rserver OWA-SSL-REDIRECT
inservice
parameter-map type http Exchange-OWA
case-insensitive
persistence-rebalance
set header-maxparse-length 16384
set content-maxparse-length 8192
parameter-map type ssl SSL_PARAMS
cipher RSA_WITH_RC4_128_MD5
cipher RSA_WITH_RC4_128_SHA
cipher RSA_WITH_3DES_EDE_CBC_SHA
sticky ip-netmask 255.255.255.255 address source Exchange-CAS-RPC
timeout 7200
replicate sticky
serverfarm Exchange-CAS-RPC
sticky http-cookie Exchange-Sticky Exchange-CAS-HTTPS-Cookie
cookie insert browser-expire
replicate sticky
serverfarm Exchange-CAS-HTTPS
sticky http-header Authorization Exchange-CAS-HTTPS-AuthZHeader
timeout 7200
replicate sticky
serverfarm Exchange-CAS-HTTPS
sticky ip-netmask 255.255.255.255 address source Exchange-CAS-HTTPS-SourceIP
timeout 7200
replicate sticky
serverfarm Exchange-CAS-HTTPS
action-list type modify http Exchange-CAS-HTTP
header insert request X-Forwarded-For header-value "%is"
ssl-proxy service Exchange-CAS
key mail_contoso_com
cert mail_contoso_com
chaingroup DigiCert
ssl advanced-options SSL_PARAMS
class-map match-any Exchange-CAS-HTTPS
2 match virtual-address 192.168.100.200 tcp eq https
class-map type http loadbalance match-any Exchange-CAS-HTTPS-RootRequest
2 match http url /
class-map match-any Exchange-CAS-RPC
2 match virtual-address 192.168.100.200 tcp eq 60001
3 match virtual-address 192.168.100.200 tcp eq 60000
4 match virtual-address 192.168.100.200 tcp eq 135
class-map match-any Exchange-OWA-REDIRECT
2 match virtual-address 192.168.100.200 tcp eq www
class-map type management match-any mgmt-cm
2 match protocol https any
3 match protocol snmp any
4 match protocol ssh any
5 match protocol icmp any
policy-map type management first-match mgmt-pm
class mgmt-cm
permit
policy-map type loadbalance first-match Exchange-CAS-HTTPS
match OWA http url /owa.*
sticky-serverfarm Exchange-CAS-HTTPS-Cookie
action Exchange-CAS-HTTP
ssl-proxy client Exchange-CAS
match ECP http url /ecp.*
sticky-serverfarm Exchange-CAS-HTTPS-Cookie
action Exchange-CAS-HTTP
ssl-proxy client Exchange-CAS
match EWS http url /ews.*
sticky-serverfarm Exchange-CAS-HTTPS-Cookie
action Exchange-CAS-HTTP
ssl-proxy client Exchange-CAS
match ActiveSync http url /Microsoft-Server-ActiveSync.*
sticky-serverfarm Exchange-CAS-HTTPS-AuthZHeader
action Exchange-CAS-HTTP
ssl-proxy client Exchange-CAS
match OutlookAnywhere http header User-Agent header-value "MSRPC"
sticky-serverfarm Exchange-CAS-HTTPS-AuthZHeader
action Exchange-CAS-HTTP
ssl-proxy client Exchange-CAS
class Exchange-CAS-HTTPS-RootRequest
serverfarm Exchange-OWA-REDIRECT
class class-default
sticky-serverfarm Exchange-CAS-HTTPS-SourceIP
action Exchange-CAS-HTTP
ssl-proxy client Exchange-CAS
policy-map type loadbalance first-match Exchange-CAS-RPC
class class-default
sticky-serverfarm Exchange-CAS-RPC
policy-map type loadbalance http first-match Exchange-OWA-REDIRECT
class class-default
serverfarm Exchange-OWA-REDIRECT
policy-map multi-match vlan100
class Exchange-OWA-REDIRECT
loadbalance vip inservice
loadbalance policy Exchange-OWA-REDIRECT
class Exchange-CAS-RPC
loadbalance vip inservice
loadbalance policy Exchange-CAS-RPC
loadbalance vip icmp-reply active
nat dynamic 1 vlan 1000
class Exchange-CAS-HTTPS
loadbalance vip inservice
loadbalance policy Exchange-CAS-HTTPS
loadbalance vip icmp-reply active
nat dynamic 1 vlan 1000
appl-parameter http advanced-options Exchange-OWA
ssl-proxy server Exchange-CAS
interface vlan 100
ip address 192.168.100.10 255.255.252.0
access-group input all
nat-pool 1 192.168.100.199 192.168.100.199 netmask 255.255.255.255 pat
service-policy input mgmt-pm
service-policy input vlan100
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.100.1
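A post-deployment smoke test for the configuration above, added here as an example and not part of the original post: it checks the HTTP-to-HTTPS redirect, the root-to-/owa redirect, certificate chain validation against the client’s trust store, and that the inserted Exchange-Sticky cookie is a browser-session cookie. It assumes mail.contoso.com resolves to the VIP and is reachable from the machine running it; the check functions themselves run offline.

```python
import ssl
from http.client import HTTPConnection, HTTPSConnection

HOST = "mail.contoso.com"  # assumption: this name resolves to the VIP 192.168.100.200
OWA_URL = "https://mail.contoso.com/owa"  # target of rserver redirect OWA-SSL-REDIRECT
COOKIE = "Exchange-Sticky"  # cookie name from the sticky http-cookie stanza


def redirect_ok(status, location):
    """Plain-HTTP and root (/) requests must be redirected to the OWA URL."""
    if status not in (301, 302):
        return False
    return (location or "").rstrip("/").lower() == OWA_URL.lower()


def session_cookie_ok(set_cookie_values):
    """'cookie insert browser-expire' means the inserted cookie carries no Expires
    or Max-Age attribute, so the browser discards it when the session ends."""
    for value in set_cookie_values:
        if value.startswith(COOKIE + "="):
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            return not any(a.startswith(("expires=", "max-age=")) for a in attrs)
    return False  # the ACE never inserted the cookie


def fetch(conn, path):
    """GET path on conn; return (status, Location header, list of Set-Cookie values)."""
    conn.request("GET", path)
    resp = conn.getresponse()
    resp.read()
    cookies = [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    return resp.status, resp.getheader("Location"), cookies


def run_live_checks(host=HOST, timeout=10):
    """Exercise the VIP the way a browser would; returns a dict of results."""
    results = {}
    status, loc, _ = fetch(HTTPConnection(host, 80, timeout=timeout), "/")
    results["http_to_https_redirect"] = redirect_ok(status, loc)
    ctx = ssl.create_default_context()  # handshake fails if the chaingroup lacks the intermediate
    status, loc, _ = fetch(HTTPSConnection(host, 443, timeout=timeout, context=ctx), "/")
    results["root_to_owa_redirect"] = redirect_ok(status, loc)
    tls = HTTPSConnection(host, 443, timeout=timeout, context=ctx)
    tls.connect()
    results["negotiated_cipher"] = tls.sock.cipher()[0]  # SSL_PARAMS offers only RC4/3DES suites
    _, _, cookies = fetch(tls, "/owa/")
    results["session_cookie"] = session_cookie_ok(cookies)
    return results


if __name__ == "__main__":
    for name, value in run_live_checks().items():
        print(f"{name}: {value}")
```

A TLS handshake failure from this script is itself worth noting: the SSL_PARAMS map in this config offers only RC4 and 3DES cipher suites, which many current TLS clients no longer accept.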