Exchange HTTPS high availability with Kemp load balancer

Now that a second Exchange Server is installed in the domain, it’s time to configure Exchange Server high availability. A great way to do that is to make Exchange HTTPS highly available with a load balancer. This article will teach you how to load balance Exchange Server HTTPS (port 443) with a Kemp load balancer.

Information

HTTPS and SMTP are both network layer protocols to transfer information between hosts. SMTP will transfer emails between mail servers, while HTTPS is used to transfer secure communication over a network.

We will load balance Exchange Server for the protocols:

Important: Read the article Exchange high availability namespace design and planning before you go further.

An architecture view of load balancing HTTPS connections with the Kemp load balancer is shown in the topology below.

Exchange HTTPS high availability with Kemp load balancer architecture

Before you start, read the articles:

Microsoft Exchange template

It’s good to know that Kemp provides templates to configure the load balancer. It will make it a bit easier than doing it all by yourself. Visit the Kemp documentation page to download the Exchange template.

Choose the template that suits your Kemp version and your Exchange Server version. We will choose Exchange 2016 (Kemp LoadMaster 7.2.37.1) because we have Exchange Servers 2016 running in the environment and Kemp LoadMaster 7.2.x.

Sign in to the Kemp LoadMaster load balancer. On the left menu, click on Virtual Services > Manage Templates. Click Browse and select the template that you downloaded in the previous step. Click Add New Template.

Kemp LoadMaster added the templates. If you want to delete a template, you can click on the delete button.

Create new virtual service

Click on Add New in the menu. First, select Exchange 2016 HTTPS Reencrypted from the dropdown menu. Specify the Virtual Address. In our example, it’s 192.168.1.54. Click Add this Virtual Service.

Make sure that the IP address is not taken by another device. If you already have an old load balancer and want to replace it with Kemp LoadMaster, you can keep using the same IP address. The HTTPS connection will go through Kemp LoadMaster.

Click on SubVSs and then on Modify.

Click on Add New.

Add the Exchange Server IP address. Check the checkbox Add to all SubVSs. Click on Add This Real Server.

Add the second Exchange Server. Check the checkbox Add to all SubVSs. If you have more than two Exchange Servers, add them with the same steps.

You can see which Exchange Servers you added.

Add certificate

Click on View/Modify Services on the menu. Click on Add New. The first line shows that port 80 (HTTP) redirects to port 443 (HTTPS).

Kemp automatically redirects HTTP to HTTPS.

Click Import Certificate.

Browse to the Exchange certificate. This will be your SAN certificate or wildcard certificate. We recommend that you export the certificate from Exchange Server and browse to that certificate. Fill in the certificate password and give it a name that you can remember. Click Save.

From Available VSs, click the arrow to move the virtual IP address to Assigned VSs. Click Save Changes.

You can confirm and check that the certificate is installed.

Edit internal DNS

Change the mail internal DNS host record to the virtual address.

Change the autodiscover internal DNS host record to the virtual address.

Edit firewall VIP

In the firewall, change the VIP with protocol HTTPS (443) to the Kemp virtual address. In our example, that is the IP address 192.168.1.54.

Check real time statistics

Click Statistics > Real Time Statistics in the menu. Click Real Servers. The Exchange Servers status shows that they are up.

First, ping the hostname or run nslookup. It needs to resolve to the virtual address. In our example, it’s 192.168.1.54. How long it takes before the new address resolves depends on the TTL of these records.

After you can confirm that it resolves, start Outlook on a computer or browse to Outlook Web Access (OWA). You will see that the connections start to show numbers.
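
The DNS check above can be scripted together with a TLS check against the virtual address. The following PowerShell is an added example, not part of the original article or of Kemp's tooling; the host names mail.example.com and autodiscover.example.com are placeholders for your own namespaces, the function name Test-ExchangeVip is hypothetical, and the virtual address is the one used in this article's example.

```powershell
# Added example. Host names are placeholders; the VIP is the article's example address.
$Vip   = '192.168.1.54'
$Names = 'mail.example.com', 'autodiscover.example.com'

function Test-ExchangeVip {
    param([string]$HostName, [string]$ExpectedIp)

    $r = [ordered]@{ HostName = $HostName; ResolvedTo = $null; DnsOk = $false
                     TlsOk = $false; Subject = $null; NotAfter = $null; Errors = @() }

    # 1. DNS: every A record must be the virtual address, not an Exchange Server.
    try {
        $ips = @(Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop |
                 Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })
        $r.ResolvedTo = $ips -join ', '
        $wrong = @($ips | Where-Object { $_ -ne $ExpectedIp })
        $r.DnsOk = ($ips.Count -gt 0) -and ($wrong.Count -eq 0)
    }
    catch { $r.Errors += "DNS: $($_.Exception.Message)" }

    # 2. TLS: connect to the VIP directly, but validate the certificate for the
    #    host name, so a cached DNS answer cannot hide a certificate problem.
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($ExpectedIp, 443)
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        # Default validation: throws if the chain is not trusted, the certificate
        # has expired, or the name is not covered by a SAN or wildcard entry.
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $r.TlsOk    = $true
        $r.Subject  = $cert.Subject
        $r.NotAfter = $cert.NotAfter
    }
    catch { $r.Errors += "TLS: $($_.Exception.GetBaseException().Message)" }
    finally { $client.Close() }

    $r.Errors = $r.Errors -join '; '
    [pscustomobject]$r
}

$Names | ForEach-Object { Test-ExchangeVip -HostName $_ -ExpectedIp $Vip } |
    Format-Table -AutoSize
```

Run it from a domain-joined client that trusts the issuing CA. DnsOk and TlsOk should both be True for every name before you move clients over, and again while one Exchange Server is offline during the failover test.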

Test and verify that it works

It’s always good to test that the load balancer works as expected. Disable the network card on one of the Exchange Servers and check the statistics. The real time statistics will show the Exchange Server status Down.

Have a look at your Outlook client or OWA, and verify that the connection is still available without any hiccups. Don’t forget to enable the network card on the Exchange Server to bring it back up.

We successfully configured Exchange HTTPS high availability with Kemp load balancer. In the next article, we will configure Exchange SMTP high availability.

Conclusion

In this article, you learned how to configure Exchange HTTPS high availability with Kemp load balancer. Download the templates from Kemp’s documentation page. After loading the templates, configure HTTPS load balancing with Kemp LoadMaster by following the steps. Test Exchange HTTPS load balance by connecting with Outlook or OWA, and verify that it works by checking the statistics.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has One Comment

  1. When I initially set my load balancer up, I added my certificate before adding the virtual service for HTTPS and my HTTPS load balancing refused to work. I may have avoided the issue if I had followed the exact order of operations listed above, regardless I wanted to share my fix… I was able to get things working by doing two things. The first item may not have been important, but I wanted to list it anyway just in case.

    1.) I exported my wildcard certificate from my Exchange server, with the private key, and made sure to include Intermediate certificates, then imported that certificate and used it instead of the one I had ‘on file’. I did this because I wasn’t sure the cert I had on file included intermediate certs or not.

    2.) I logged in to the Web GUI for the Kemp Load Balancer, went to Certificates & Security>SSL Certificates, I assigned my new cert to the HTTPS virtual service and saved my changes. Things still did not work. Then I noticed a ‘Reencryption Usage’ button to the right of the new certificate in the ‘Operation’ column. In there I found that the cert was not assigned to the Reencryption Virtual Service. As soon as I assigned it and saved my changes everything started working normally.

    Hopefully this helps someone!

    – Jonathan K.
