Cisco Support Community

Load Balancing Microsoft ActiveSync on Cisco ACE

 

 

Introduction

Exchange ActiveSync gives end users on low-bandwidth, high-latency devices such as cell phones a way to access their mailboxes via HTTPS and to synchronize e-mail, contacts, calendar information, and tasks. The Cisco ACE load balancer can be used to distribute requests to the Exchange Client Access Server (CAS) array.

 

You can use a shared VIP address on the ACE for multiple Exchange services, or a different VIP for each service. Matching on the URL /microsoft-server-activesync makes it possible to load balance ActiveSync and other Exchange services across a shared VIP. ActiveSync traffic is usually carried over HTTPS (HTTP encrypted with SSL). To load balance ActiveSync traffic properly, the ACE needs to terminate the SSL traffic. This termination can be done on the ACE only (front-end SSL) or on both the ACE and the server (end-to-end SSL).

 

Server Load Balancing

Server load balancing (SLB) is the process of deciding to which server a load-balancing device should send a client request for service. For example, a client request may consist of a Hypertext Transfer Protocol (HTTP) GET for a web page or a File Transfer Protocol (FTP) GET to download a file. The job of the load balancer is to select the server that can successfully fulfill the client request and do so in the shortest amount of time without overloading either the server or the server farm as a whole. Real server host configuration mode commands allow you to create and configure host real servers that are used in server load balancing (SLB). To create a host real server and access real server host configuration mode, use the rserver host command in configuration mode.

 

Real Servers and Server Farms

To provide services to clients, you configure real servers (the actual physical servers) on the ACE. Real servers provide client services such as HTTP or XML content, hosting websites, FTP file uploads or downloads, redirection for web pages that have moved to another location, and so on. The ACE also allows you to configure backup servers in case a server is taken out of service for any reason.


Servers are organized into related groups called server farms. Servers within server farms often contain identical content (referred to as mirrored content) so that if one server becomes inoperative, another server can take its place immediately. Also, mirrored content allows several servers to share the load of increased demand.

 

Sticky Load balancing

Although it is possible to load balance ActiveSync without a sticky method, this is not recommended. When an Exchange ActiveSync client is assigned to a new Client Access Server (CAS), that server must re-create the notification subscription against the user's mailbox. This can result in a significant performance penalty, which a good sticky method avoids. If it is known that inbound client IP addresses are actually unique to each device being synchronized (e.g. no NAT between the device and the load balancer), then source IP-based sticky would be a good choice. However, since ActiveSync is typically used over cellular carrier networks, the inbound traffic will often be sourced from the carrier's NAT infrastructure. This can result in all inbound connections from users on a particular carrier appearing to come from one or a small set of source IP addresses.

 

SSL ID-based sticky is not recommended for ActiveSync as some devices are known to frequently renegotiate SSL security parameters. Cookie insert is not recommended as many mobile devices do not accept cookies.

 

Generally, the best sticky method for ActiveSync is sticking on the Authorization HTTP header. Basic authentication is the default and most commonly used type of authentication for Exchange ActiveSync. This header is uncommon for other protocols and authentication methods. Sticking on the Basic authentication Authorization header sends all traffic that uses Basic authentication and comes from a specific user to the same Client Access Server. This header is also used when Outlook traffic is transmitted from behind a reverse proxy server. For the ACE to perform sticky on an HTTP header in HTTPS traffic, it must terminate the SSL connection.
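The effect of the sticky key choice discussed in this section, as an added example (not Cisco code and not a model of ACE internals): a toy sticky table is fed constructed traffic in which five users share one carrier NAT address, and is keyed in turn on nothing (req_id), source IP, and the Authorization header. The user names, password, NAT address and the digest-based table are assumptions of the example.

```python
import base64
import hashlib
from collections import Counter

CAS_FARM = ["Cas_sync1", "Cas_sync2"]  # rserver names from the sample config

def basic_auth(user, password):
    """Authorization header value sent by a Basic-auth ActiveSync client."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

class StickyTable:
    """Toy sticky database: a new key gets the next server round-robin,
    a known key always returns the server it was first given."""
    def __init__(self, farm):
        self.farm, self.entries, self.turn = farm, {}, 0

    def pick(self, key):
        # Choice made for this example: store a digest, so the table never
        # holds the base64 credentials carried in the Authorization header.
        digest = hashlib.sha256(key.encode()).hexdigest()
        if digest not in self.entries:
            self.entries[digest] = self.farm[self.turn % len(self.farm)]
            self.turn += 1
        return self.entries[digest]

def simulate(requests, key_field):
    """Return ({user: servers that handled the user}, requests per server)."""
    table, per_user, load = StickyTable(CAS_FARM), {}, Counter()
    for req in requests:
        server = table.pick(req[key_field])
        per_user.setdefault(req["user"], set()).add(server)
        load[server] += 1
    return per_user, load

def constructed_requests(users=5, rounds=4):
    """Constructed traffic: every user sits behind one carrier NAT address."""
    reqs = []
    for r in range(rounds):
        for u in range(users):
            name = f"user{u}"
            reqs.append({"user": name, "req_id": f"{r}-{u}",
                         "src_ip": "198.51.100.7",
                         "authorization": basic_auth(name, "example-password")})
    return reqs

if __name__ == "__main__":
    for field in ("req_id", "src_ip", "authorization"):
        print(field, dict(simulate(constructed_requests(), field)[1]))
```

Keyed on req_id (no stickiness) every user bounces between both CAS servers, keyed on src_ip the whole carrier lands on one server, and keyed on the Authorization header each user stays on one server while the load is spread across the farm.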

 

Terminating SSL on ACE for ActiveSync

 

To configure Exchange ActiveSync to support SSL termination on the ACE, first remove the requirement for SSL in IIS on the ActiveSync server:

 

1) Open the IIS Manager and expand the Default Web Site.

2) Under the Default Web Site, select the "Microsoft-Server-ActiveSync" virtual directory.

3) Click on "SSL Settings".

4) Uncheck the "Require SSL" check box and click "Apply" in the Actions pane.

To finalize, open a command prompt window and run "iisreset /noforce" so that the changes are applied.

 

Next, the certificates and keys need to be imported onto the ACE module. Follow the "Managing Certificates and Keys" section of the ACE SSL Guide to import them.

 

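If both front-end and back-end SSL are required, the server changes above are not needed. Instead, SSL initiation from the ACE to the real servers is added to complete the end-to-end SSL configuration. Follow the ACE SSL Guide for Configuring End-to-End SSL. Note that with front-end SSL only, traffic between the ACE and the CAS servers, including the Basic authentication Authorization header, is sent as plain HTTP on the server VLAN.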

 

Sample Config for Front End SSL

probe http HTTP
  interval 30
  faildetect 30
  passdetect interval 30
  expect status 200 200

rserver host Cas_sync1
  ip address 1.1.1.10
  inservice
rserver host Cas_sync2
  ip address 1.1.1.12
  inservice

serverfarm host ActiveSync
  probe HTTP
  rserver Cas_sync1 80
    inservice
  rserver Cas_sync2 80
    inservice

sticky http-header Authorization Auth_Stick
  serverfarm ActiveSync

ssl-proxy service Active_Sync_SSL
  key cisco-sample-key
  cert cisco-sample-cert

class-map match-all ActiveSync
  2 match virtual-address 2.2.2.10 tcp eq https
class-map type http loadbalance match-any l7Async
  2 match http url /microsoft-server-activesync

policy-map type loadbalance first-match ActiveSync-l7slb
  class l7Async
    sticky-serverfarm Auth_Stick
  class class-default
    serverfarm ActiveSync

policy-map multi-match EAS
  class ActiveSync
    loadbalance vip inservice
    loadbalance policy ActiveSync-l7slb
    ssl-proxy server Active_Sync_SSL

interface vlan 178
  description "client vlan"
  ip address 2.2.2.1 255.255.255.0
  access-group input any
  service-policy input mgt
  service-policy input EAS
  no shutdown

interface vlan 1
  description "server vlan"
  ip address 1.1.1.1 255.255.255.0
  service-policy input mgt


Sample Config for End to End SSL

probe https HTTPS
  interval 30
  faildetect 30
  passdetect interval 30
  expect status 200 200

rserver host Cas_sync1
  ip address 1.1.1.10
  inservice
rserver host Cas_sync2
  ip address 1.1.1.12
  inservice

serverfarm host ActiveSync
  probe HTTPS
  rserver Cas_sync1 443
    inservice
  rserver Cas_sync2 443
    inservice

sticky http-header Authorization Auth_Stick
  serverfarm ActiveSync

ssl-proxy service Active_Sync_SSL
  key cisco-sample-key
  cert cisco-sample-cert

ssl-proxy service SSL_PSERVICE_CLIENT

class-map match-all ActiveSync
  2 match virtual-address 2.2.2.10 tcp eq https
class-map type http loadbalance match-any l7Async
  2 match http url /microsoft-server-activesync

policy-map type loadbalance first-match ActiveSync-l7slb
  class l7Async
    sticky-serverfarm Auth_Stick
    ssl-proxy client SSL_PSERVICE_CLIENT
  class class-default
    serverfarm ActiveSync
    ssl-proxy client SSL_PSERVICE_CLIENT

policy-map multi-match EAS
  class ActiveSync
    loadbalance vip inservice
    loadbalance policy ActiveSync-l7slb
    ssl-proxy server Active_Sync_SSL

interface vlan 178
  description "client vlan"
  ip address 10.86.178.129 255.255.255.0
  access-group input any
  service-policy input mgt
  service-policy input EAS
  no shutdown

interface vlan 1
  description "server vlan"
  ip address 1.1.1.1 255.255.255.0
  service-policy input mgt
  no shutdown


Exchange Setup

parameter-map type http Exchange-OWA
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 16384
  set content-maxparse-length 8192

sticky ip-netmask 255.255.255.255 address source ActiveSync
  timeout 7200
  replicate sticky
  serverfarm ActiveSync

 

Related Information

 

Configure URL Load balancing on Cisco ACE

Configure Firewall Load balancing on ACE

Version history: Revision 2 of 2. Last update: 08-29-2017 05:04 AM