Cisco ACE 4710 Appliance Integration with MS Exchange 2k7

Unanswered Question
Apr 16th, 2009

We are in the process of deploying MS Exchange 2k7. I would like to configure the ACE 4710 to load balance the client access servers. These servers will use port 80 and 443. What is the best practice?

1. Should the ACE pass 443 traffic through?

2. Should the ACE do an end to end SSL termination?

Also, the server will automatically redirect any port 80 traffic to 443. How will the ACE behave with that type of traffic? Do I have to implement any URL rewrite or port redirection on the ACE?

Gilles Dufour Fri, 04/17/2009 - 05:48

You should probably configure the redirect on ACE.

This will spare the server and make sure the redirect is to the expected name/vip and not the server name/ip.

Do you need stickiness?

Or do you need to insert any data in the HTTP header (like client source IP)?

Do you need different load balancing depending on the server directory?

If you don't need those things, you do not need to terminate ssl on ACE.

Gilles.

allen.malanda_2 Fri, 04/17/2009 - 06:49

Thank you very much for the reply. I was thinking about configuring IP source sticky, creating an SSL URL rewrite and probably creating a layer 7 load balance policy. My biggest concern is how the ACE will handle the 443 traffic, and how my VIP and real servers will be configured. I will not specify any port on my VIP but I do have to specify port 443 and 80 in my server farm. Please correct me if I am wrong. Below is a sample of my config.

    action-list type modify http urlrewrite
      ssl url rewrite location "www\.ExchangeWebmail\.com"

    rserver host EXCHANGE1
      ip address 192.168.0.200
      inservice
    rserver host EXCHANGE2
      ip address 192.168.0.201
      inservice

    serverfarm host SF-MSEXCHANGE
      rserver EXCHANGE1 80
        inservice
      rserver EXCHANGE2 80
        inservice
      rserver EXCHANGE1 443
        inservice
      rserver EXCHANGE2 443
        inservice

    sticky ip-netmask 255.255.255.255 address source STICKY_MSEXCHANGE
      timeout 59
      serverfarm SF-MSEXCHANGE

    class-map type http loadbalance match-any SF-MSEXCHANGE_L7
      2 match http url /ExchangeWebmail.*
    class-map match-all VIP_SF-MSEXCHANGE
      2 match virtual-address 10.1.0.99 any

    parameter-map type http NO_CASE
      case-insensitive
      no persistence-rebalance

    policy-map type loadbalance first-match PM_MSEXCHANGE_L7
      class SF-MSEXCHANGE_L7
        sticky-serverfarm STICKY_MSEXCHANGE

    policy-map multi-match PM_multi_match
      class VIP_SF-MSEXCHANGE
        loadbalance vip inservice
        loadbalance policy PM_MSEXCHANGE_L7
        loadbalance vip icmp-reply active
        appl-parameter http advanced-options NO_CASE

Gilles Dufour Fri, 04/17/2009 - 07:18

You have to split the serverfarm in 2.

One for HTTP traffic and one for HTTPS traffic.

You should configure the redirect from http to https on ace itself with a redirect host.

No need to loadbalance http traffic if it needs to be redirected.

So save time/resource on ace and servers and configure the redirect on ACE.

Your ssl rewrite can only be done if you terminate SSL on ACE.

You don't need it.

Get 2 vips.

One for HTTP traffic and associate it with the redirect host.

One for https and associated with your serverfarm.

You can't use class SF-MSEXCHANGE_L7 with HTTPS traffic since the traffic is encrypted.

So simply use the class class-default.

You can see the redirect config @

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/rsfarms.html#wpmkr1003433

Gilles.

sachinga.hcl Fri, 04/17/2009 - 10:32

Hi Allen,

Just go through this big link and you will find your complete solution for Exchange 2007 with ACE and so much more. Hope it will help you.

http://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns224/ns377/deployment_guide_DCAP4_9_Exchange_CF.pdf

http://www.cisco.com/en/US/products/ps6906/

few more ACE related help links

1.ACE Client and Servers Hitting the Same VIP

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6ef5.shtml

2. Configure ACE in Routed Mode with L7 Policies

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3048.shtml

3. Configure ACE Module for End to End SSL Termination

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml

4. Configure ACE with Source NAT and Client IP Header Insert

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3041.shtml

5. Configure ACE with SSL Termination and URL Rewrite

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3045.shtml

6. Integrate Cisco Service Modules with Cisco Catalyst 6500 Virtual Switching System 1440

http://www.cisco.com/en/US/products/ps9336/products_tech_note09186a0080a7c72b.shtml

7. Product support page for ace module 47xx

http://www.cisco.com/en/US/products/ps6906/tsd_products_support_model_home.html

8. Cisco ACE 4700 Series Appliance Device Manager GUI Configuration Guide

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/device_manager/guide/dmguigd.html

9. Cisco ACE appliance product home page

http://www.cisco.com/en/US/products/ps7027/tsd_products_support_series_home.html

10. Cisco ACE config sample:

http://snippets101.blogspot.com/search/label/ace

1. FTP serverfarm on Cisco ACE

http://snippets101.blogspot.com/2007/06/ftp-serverfarm-on-cisco-ace.html

11. CISCO ACE with SAP

http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/prod_white_paper0900aecd80653362.pdf

12. CISCO ACE white papers with tons of code and design examples

http://www.cisco.com/en/US/products/ps6906/

Please rate if you find it any useful for you.

Kind regards

sachin garg

Please rate if it will help u any.
