Cisco ACE 4710 Appliance Integration with MS Exchange 2k7

Unanswered Question
Apr 16th, 2009

We are in the process of deploying MS Exchange 2k7. I would like to configure the ACE 4710 to load balance the client access servers. These servers will use ports 80 and 443. What is the best practice?

1. Should the ACE pass 443 traffic through?

2. Should the ACE do an end to end SSL termination?

Also, the server will automatically redirect any port 80 traffic to 443. How will the ACE behave with that type of traffic? Do I have to implement any URL rewrite or port redirection on the ACE?


Gilles Dufour Fri, 04/17/2009 - 05:48
User Badges:
  • Cisco Employee,

You should probably configure the redirect on ACE.

This will spare the server and make sure the redirect is to the expected name/vip and not the server name/ip.


Do you need stickiness?

Or do you need to insert any data in the HTTP header (like client source IP)?

Do you need different load balancing depending on the server directory?


If you don't need those things, you do not need to terminate ssl on ACE.


Gilles.

allen.malanda_2 Fri, 04/17/2009 - 06:49

Thank you very much for the reply. I was thinking about configuring IP source sticky, creating an SSL URL rewrite and probably creating a layer 7 load balance policy. My biggest concern is how the ACE will handle the 443 traffic, and how my VIP and real servers will be configured. I will not specify any port on my VIP but I do have to specify ports 443 and 80 in my server farm. Please correct me if I am wrong. Below is a sample of my config.

action-list type modify http urlrewrite
  ssl url rewrite location "www\.ExchangeWebmail\.com"

rserver host EXCHANGE1
  ip address 192.168.0.200
  inservice
rserver host EXCHANGE2
  ip address 192.168.0.201
  inservice

serverfarm host SF-MSEXCHANGE
  rserver EXCHANGE1 80
    inservice
  rserver EXCHANGE2 80
    inservice
  rserver EXCHANGE1 443
    inservice
  rserver EXCHANGE2 443
    inservice

sticky ip-netmask 255.255.255.255 address source STICKY_MSEXCHANGE
  timeout 59
  serverfarm SF-MSEXCHANGE

class-map type http loadbalance match-any SF-MSEXCHANGE_L7
  2 match http url /ExchangeWebmail.*

class-map match-all VIP_SF-MSEXCHANGE
  2 match virtual-address 10.1.0.99 any

parameter-map type http NO_CASE
  case-insensitive
  no persistence-rebalance

policy-map type loadbalance first-match PM_MSEXCHANGE_L7
  class SF-MSEXCHANGE_L7
    sticky-serverfarm STICKY_MSEXCHANGE

policy-map multi-match PM_multi_match
  class VIP_SF-MSEXCHANGE
    loadbalance vip inservice
    loadbalance policy PM_MSEXCHANGE_L7
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options NO_CASE


Gilles Dufour Fri, 04/17/2009 - 07:18
User Badges:
  • Cisco Employee,

You have to split the serverfarm in 2.

One for HTTP traffic and one for HTTPS traffic.


You should configure the redirect from http to https on ace itself with a redirect host.

No need to loadbalance http traffic if it needs to be redirected.

So save time/resource on ace and servers and configure the redirect on ACE.


Your ssl rewrite can only be done if you terminate SSL on ACE.

You don't need it.


Get 2 vips.

One for HTTP traffic and associate it with the redirect host.

One for https and associated with your serverfarm


You can't use class SF-MSEXCHANGE_L7 with HTTPS traffic since the traffic is encrypted.

So simply use the class class-default.


You can see the redirect config @

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/rsfarms.html#wpmkr1003433


Gilles.
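
The layout described in the reply above, written out as an added example (not part of the original thread and not a Cisco-supplied configuration): HTTP is answered by a redirect rserver so clients are always sent to the public name rather than a real server's name or IP, and HTTPS is passed through unterminated under class-default with source-IP stickiness. Assumptions: both VIPs share 10.1.0.99 and differ only by port; the names REDIRECT-TO-HTTPS, SF-REDIRECT, SF-MSEXCHANGE-HTTPS, VIP-HTTP, VIP-HTTPS, PM-REDIRECT and PM-HTTPS are made up for illustration; lines starting with ! are reader annotations, not ACE commands.

```cisco
! Assumption: addresses and sticky settings are reused from the sample config
! posted earlier in the thread; all new object names are hypothetical.
rserver redirect REDIRECT-TO-HTTPS
  ! %h = host from the request, %p = path, so the client keeps the public name
  webhost-redirection https://%h%p 301
  inservice
rserver host EXCHANGE1
  ip address 192.168.0.200
  inservice
rserver host EXCHANGE2
  ip address 192.168.0.201
  inservice

! Farm 1: answers port 80 with the redirect, real servers never see it
serverfarm redirect SF-REDIRECT
  rserver REDIRECT-TO-HTTPS
    inservice
! Farm 2: encrypted traffic passed through to the client access servers
serverfarm host SF-MSEXCHANGE-HTTPS
  rserver EXCHANGE1 443
    inservice
  rserver EXCHANGE2 443
    inservice

! Source-IP stickiness works at layer 3, so no SSL termination is needed
sticky ip-netmask 255.255.255.255 address source STICKY_MSEXCHANGE
  timeout 59
  serverfarm SF-MSEXCHANGE-HTTPS

class-map match-all VIP-HTTP
  2 match virtual-address 10.1.0.99 tcp eq www
class-map match-all VIP-HTTPS
  2 match virtual-address 10.1.0.99 tcp eq https

! class-default only: the ACE cannot match URLs inside encrypted traffic
policy-map type loadbalance first-match PM-REDIRECT
  class class-default
    serverfarm SF-REDIRECT
policy-map type loadbalance first-match PM-HTTPS
  class class-default
    sticky-serverfarm STICKY_MSEXCHANGE

policy-map multi-match PM_multi_match
  class VIP-HTTP
    loadbalance vip inservice
    loadbalance policy PM-REDIRECT
  class VIP-HTTPS
    loadbalance vip inservice
    loadbalance policy PM-HTTPS
    loadbalance vip icmp-reply active
```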

sachinga.hcl Fri, 04/17/2009 - 10:32
User Badges:
  • Silver, 250 points or more

Hi Allen,


Just go through this big link and you will find your complete solution for Exchange 2007 with ACE and so much more. Hope it will help you.



http://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns224/ns377/deployment_guide_DCAP4_9_Exchange_CF.pdf


http://www.cisco.com/en/US/products/ps6906/


A few more ACE-related help links:



1.ACE Client and Servers Hitting the Same VIP


http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6ef5.shtml




2. Configure ACE in Routed Mode with L7 Policies


http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3048.shtml


3. Configure ACE Module for End to End SSL Termination


http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml


4. Configure ACE with Source NAT and Client IP Header Insert


http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3041.shtml


5. Configure ACE with SSL Termination and URL Rewrite

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3045.shtml


6. Integrate Cisco Service Modules with Cisco Catalyst 6500 Virtual Switching System 1440


http://www.cisco.com/en/US/products/ps9336/products_tech_note09186a0080a7c72b.shtml




7. Product support page for ace module 47xx

http://www.cisco.com/en/US/products/ps6906/tsd_products_support_model_home.html



8. Cisco ACE 4700 Series Appliance Device Manager GUI Configuration Guide

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/device_manager/guide/dmguigd.html



9. Cisco ACE appliance product home page


http://www.cisco.com/en/US/products/ps7027/tsd_products_support_series_home.html



10. Cisco ACE config sample:

http://snippets101.blogspot.com/search/label/ace




1. FTP serverfarm on Cisco ACE

http://snippets101.blogspot.com/2007/06/ftp-serverfarm-on-cisco-ace.html



11. CISCO ACE with SAP


http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/prod_white_paper0900aecd80653362.pdf



12. CISCO ACE white papers with tons of code and design examples


http://www.cisco.com/en/US/products/ps6906/




Please rate if you find it any useful for you.


Kind regards


sachin garg





Please rate if it will help you any.


