
NetScaler Reverse Proxy for Exchange Server

Tutorial on how to configure NetScaler Reverse Proxy for Exchange Server

Components in this Lab

  1. 1 x NetScaler VPX (NetScaler NS13.0: Build 64.35.nc) with NS IP = 10.10.10.186, SNIP = 10.10.10.187 and VIP = 10.10.10.188

  2. 1 x Exchange 2010 Server with Hostname = LAB-EX10 and IP = 10.10.10.181

Enable NS Features

Enable the following features: Content Switching (CS), Responder (RESPONDER), Load Balancing (LB), SSL Offloading (SSL) and Rewrite (REWRITE)

> enable ns feature CS,RESPONDER,LB,SSL,REWRITE
#Verify the NS Features enabled
> sh ns features

Using GUI Management

Click on System > Settings > Modes and Features > Configure Basic Features

Enable the Features

Create an Object for Exchange Server

Create a Server Object called LAB-EX10

> add server LAB-EX10 10.10.10.181

Using GUI Management

Add the Server in Traffic Management > Load Balancing > Servers

Monitor for Exchange Services

Starting with Exchange 2013, we can check individual Exchange app’s health by running a simple HTTP query with the URL https://<server>/<app>/healthcheck.htm. – How To Configure NetScaler Load Balancing for Exchange 2013

Create the following monitors to check each Exchange Virtual Directory individually

  • mon_owa, mon_activesync, mon_rpc, mon_ews, mon_autodiscover, mon_oab, mon_mapi and mon_ecp

add lb monitor mon_owa HTTP-ECV -send "GET /owa/healthcheck.htm" -recv 200 -LRTM DISABLED -secure YES
add lb monitor mon_activesync HTTP-ECV -send "GET /Microsoft-Server-ActiveSync/healthcheck.htm" -recv 200 -LRTM DISABLED -secure YES
add lb monitor mon_rpc HTTP-ECV -send "GET /rpc/healthcheck.htm" -recv 200 -LRTM DISABLED -secure YES
add lb monitor mon_ews HTTP-ECV -send "GET /ews/healthcheck.htm" -recv 200 -LRTM DISABLED -secure YES
add lb monitor mon_autodiscover HTTP-ECV -send "GET /Autodiscover/healthcheck.htm" -recv 200 -LRTM DISABLED -secure YES
add lb monitor mon_oab HTTP-ECV -send "GET /oab/healthcheck.htm" -recv 200 -LRTM DISABLED -secure YES
add lb monitor mon_mapi HTTP-ECV -send "GET /mapi/healthcheck.htm" -recv 200 -LRTM DISABLED -secure YES
add lb monitor mon_ecp HTTP-ECV -send "GET /ecp/healthcheck.htm" -recv 200 -LRTM DISABLED -secure YES

Using GUI Management

Add Monitor in Traffic Management > Load Balancing > Monitors

Service Group

Create Service Group for each of the Exchange Virtual Directories

add serviceGroup svcgrp_owa SSL
add serviceGroup svcgrp_activesync SSL
add serviceGroup svcgrp_rpc SSL
add serviceGroup svcgrp_ews SSL
add serviceGroup svcgrp_autodiscover SSL
add serviceGroup svcgrp_oab SSL
add serviceGroup svcgrp_mapi SSL
add serviceGroup svcgrp_ecp SSL

Using GUI Management

Create Service Group in Traffic Management > Load Balancing > Service Group

Bind Service Group with Server and Monitor

Bind Service Group with Server (LAB-EX10) and Monitor (mon_xxxx) created previously

Do NOT bind the Monitor to the Service Group for Exchange 2010, because the healthcheck.htm pages exist only from Exchange 2013 onwards

bind servicegroup svcgrp_owa LAB-EX10 443
bind servicegroup svcgrp_owa -monitorName mon_owa 
bind servicegroup svcgrp_activesync LAB-EX10 443
bind servicegroup svcgrp_activesync -monitorName mon_activesync
bind servicegroup svcgrp_rpc LAB-EX10 443
bind servicegroup svcgrp_rpc -monitorName mon_rpc
bind servicegroup svcgrp_ews LAB-EX10 443
bind servicegroup svcgrp_ews -monitorName mon_ews
bind servicegroup svcgrp_autodiscover LAB-EX10 443
bind servicegroup svcgrp_autodiscover -monitorName mon_autodiscover
bind servicegroup svcgrp_oab LAB-EX10 443
bind servicegroup svcgrp_oab -monitorName mon_oab
bind servicegroup svcgrp_mapi LAB-EX10 443
bind servicegroup svcgrp_mapi -monitorName mon_mapi
bind servicegroup svcgrp_ecp LAB-EX10 443
bind servicegroup svcgrp_ecp -monitorName mon_ecp

The State of all Service Groups should now turn GREEN

Load Balancing – Virtual Servers

Create Load Balancing – Virtual Servers for individual Exchange Virtual Directories

add lb vserver lb_owa SSL 0.0.0.0 0 -persistenceType NONE
add lb vserver lb_activesync SSL 0.0.0.0 0 -persistenceType SRCIPDESTIP
add lb vserver lb_rpc SSL 0.0.0.0 0 -persistenceType SOURCEIP -timeout 30
add lb vserver lb_ews SSL 0.0.0.0 0 -persistenceType NONE
add lb vserver lb_autodiscover SSL 0.0.0.0 0 -persistenceType SOURCEIP -timeout 30
add lb vserver lb_oab SSL 0.0.0.0 0 -persistenceType NONE
add lb vserver lb_mapi SSL 0.0.0.0 0 -persistenceType SOURCEIP -timeout 30
add lb vserver lb_ecp SSL 0.0.0.0 0 -persistenceType NONE

The Virtual Servers are created with State = DOWN for now

Bind Service Group to Load Balancer

Bind the Service Group to Load Balancer – Virtual Servers

bind lb vserver lb_owa svcgrp_owa
bind lb vserver lb_activesync svcgrp_activesync
bind lb vserver lb_rpc svcgrp_rpc
bind lb vserver lb_ews svcgrp_ews
bind lb vserver lb_autodiscover svcgrp_autodiscover
bind lb vserver lb_oab svcgrp_oab
bind lb vserver lb_mapi svcgrp_mapi
bind lb vserver lb_ecp svcgrp_ecp

Bind SSL Certificate to Load Balancer – Virtual Servers

Import PFX Certificate to NetScaler VPX and bind it to Load Balancer – Virtual Servers

#Verify the SSL Cert is imported successfully
> sh certkey | grep Name
1)      Name: ns-server-certificate
2)      Name: AventisDev
3)      Name: LetsEncrypt_Intermediate
4)      Name: LetsEncrypt_Root

#Bind AventisDev to LB
bind ssl vserver lb_owa -certkeyName AventisDev
bind ssl vserver lb_activesync -certkeyName AventisDev
bind ssl vserver lb_rpc -certkeyName AventisDev
bind ssl vserver lb_ews -certkeyName AventisDev
bind ssl vserver lb_autodiscover -certkeyName AventisDev
bind ssl vserver lb_oab -certkeyName AventisDev
bind ssl vserver lb_mapi -certkeyName AventisDev
bind ssl vserver lb_ecp -certkeyName AventisDev

The State of all Virtual Servers should now change to UP

Content Switching Server

Add a Content Switch Server object and bind it with SSL Cert

add cs vserver CS-LAB-EX10 SSL 10.10.10.188 443
bind ssl vserver CS-LAB-EX10 -certkeyName AventisDev

Content Switching Policies

Add Rewrite & Content Switching Policies for individual Exchange Virtual Directories

add cs action cs_act_owa -targetLBVserver lb_owa
add cs policy cs_pol_owa -rule 'HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/owa")' -action cs_act_owa

add cs action cs_act_ews -targetLBVserver  lb_ews
add cs policy cs_pol_ews -rule 'HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/ews")' -action cs_act_ews

add cs action cs_act_autodiscover -targetLBVserver  lb_autodiscover
add cs policy cs_pol_autodiscover -rule 'HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/autodiscover")' -action cs_act_autodiscover

add cs action cs_act_activesync -targetLBVserver  lb_activesync
add cs policy cs_pol_activesync -rule 'HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("Microsoft")' -action cs_act_activesync

add cs action cs_act_oab -targetLBVserver  lb_oab
add cs policy cs_pol_oab -rule 'HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/oab")' -action cs_act_oab

add cs action cs_act_mapi -targetLBVserver  lb_mapi
add cs policy cs_pol_mapi -rule 'HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/mapi")' -action cs_act_mapi

add cs action cs_act_rpc -targetLBVserver  lb_rpc
add cs policy cs_pol_rpc -rule 'HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/rpc")' -action cs_act_rpc

add cs action cs_act_ecp -targetLBVserver  lb_ecp
add cs policy cs_pol_ecp -rule 'HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/ecp")' -action cs_act_ecp

#OWA Fix https://support.citrix.com/article/CTX209060
add cs policy cs_pol_cgi -rule 'HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/cgi")' -action cs_act_owa
#Route to OWA when only https://mail.aventis.dev is entered
add cs policy cs_pol_owa_redirect -rule 'HTTP.REQ.HOSTNAME.EQ("mail.aventis.dev")' -action cs_act_owa

Bind Content Switching Policies to CS Server

Bind Content Switching Policies to Content Switching Server Object

bind cs vserver CS-LAB-EX10 -policyName cs_pol_owa -priority 100
bind cs vserver CS-LAB-EX10 -policyName cs_pol_ews -priority 110
bind cs vserver CS-LAB-EX10 -policyName cs_pol_autodiscover -priority 120
bind cs vserver CS-LAB-EX10 -policyName cs_pol_activesync -priority 130
bind cs vserver CS-LAB-EX10 -policyName cs_pol_oab -priority 140
bind cs vserver CS-LAB-EX10 -policyName cs_pol_mapi -priority 150
bind cs vserver CS-LAB-EX10 -policyName cs_pol_rpc -priority 160
bind cs vserver CS-LAB-EX10 -policyName cs_pol_ecp -priority 170
bind cs vserver CS-LAB-EX10 -policyName cs_pol_cgi -priority 180
bind cs vserver CS-LAB-EX10 -policyName cs_pol_owa_redirect -priority 190

PowerShell Virtual Directory

Create a Content Switching Policy to allow PowerShell Remoting to Exchange Server

add lb monitor mon_powershell HTTP-ECV -send "GET /powershell/healthcheck.htm" -recv 200 -LRTM DISABLED -secure YES

add serviceGroup svcgrp_powershell SSL
bind servicegroup svcgrp_powershell LAB-EX10 443
bind servicegroup svcgrp_powershell -monitorName mon_powershell

add lb vserver lb_powershell SSL 0.0.0.0 0 -persistenceType NONE
bind lb vserver lb_powershell svcgrp_powershell
bind ssl vserver lb_powershell -certkeyName AventisDev

add cs action cs_act_powershell -targetLBVserver lb_powershell
add cs policy cs_pol_powershell -rule 'HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/powershell")' -action cs_act_powershell

bind cs vserver CS-LAB-EX10 -policyName cs_pol_powershell -priority 90
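
Added example (not part of the original tutorial): a small Python model of how the Content Switching policies above are evaluated, lowest priority number first, using a constructed subset of this page's commands. The helper names `load` and `route` are hypothetical; the model shows that the priority-90 PowerShell rule is checked before the others and that a `CONTAINS` test on `HTTP.REQ.URL` also sees the query string.

```python
import re

# Constructed subset of this page's CS commands (same names and priorities as above).
CONFIG = r'''
add cs action cs_act_owa -targetLBVserver lb_owa
add cs policy cs_pol_owa -rule 'HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/owa")' -action cs_act_owa
add cs action cs_act_ews -targetLBVserver  lb_ews
add cs policy cs_pol_ews -rule 'HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/ews")' -action cs_act_ews
add cs action cs_act_powershell -targetLBVserver lb_powershell
add cs policy cs_pol_powershell -rule 'HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/powershell")' -action cs_act_powershell
add cs policy cs_pol_owa_redirect -rule 'HTTP.REQ.HOSTNAME.EQ("mail.aventis.dev")' -action cs_act_owa
bind cs vserver CS-LAB-EX10 -policyName cs_pol_owa -priority 100
bind cs vserver CS-LAB-EX10 -policyName cs_pol_ews -priority 110
bind cs vserver CS-LAB-EX10 -policyName cs_pol_owa_redirect -priority 190
bind cs vserver CS-LAB-EX10 -policyName cs_pol_powershell -priority 90
'''

RULE = re.compile(r"add cs policy (\S+) -rule 'HTTP\.REQ\.(URL|HOSTNAME)[^']*?\(\"([^\"]+)\"\)' -action (\S+)")

def load(config):
    """Return (rules sorted by priority, names referenced but never added)."""
    actions = dict(re.findall(r"add cs action (\S+) -targetLBVserver\s+(\S+)", config))
    policies = {name: (field, text, act) for name, field, text, act in RULE.findall(config)}
    rules, missing = [], []
    for name, prio in re.findall(r"bind cs vserver \S+ -policyName (\S+) -priority (\d+)", config):
        if name not in policies:
            missing.append(name)          # bound policy was never defined
            continue
        field, text, act = policies[name]
        if act not in actions:
            missing.append(act)           # policy points at an undefined action
            continue
        rules.append((int(prio), name, field, text, actions[act]))
    return sorted(rules), missing

def route(rules, host, url):
    """First match in ascending priority wins; url is path plus query string."""
    for _prio, name, field, text, target in rules:
        if field == "URL" and text.lower() in url.lower():
            return name, target
        if field == "HOSTNAME" and host == text:   # exact compare (model assumption)
            return name, target
    return None, None  # nothing matched; the page binds no default LB vserver

if __name__ == "__main__":
    rules, missing = load(CONFIG)
    for url in ("/owa/auth/logon.aspx", "/PowerShell", "/", "/ews/exchange.asmx?src=/owa"):
        print(url, "->", route(rules, "mail.aventis.dev", url))
```

Matching on `HTTP.REQ.URL.PATH` instead of `HTTP.REQ.URL` limits a rule to the request path.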

Select Ignore Client Certificate in IIS – Default Web Site – PowerShell

You can now manage Exchange via Remote PowerShell

# Account and the endpoint published through the Content Switching Server
$Username = "lab\administrator"
$Password = ConvertTo-SecureString -String "XXXXXXXXXX" -Force -AsPlainText
$URL = "https://mail.aventis.dev/powershell"

# Build the credential object from the user name and password
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $Username,$Password

# Open a remote Exchange session (Basic authentication over HTTPS)
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $URL `
    -Credential $Credential -Authentication Basic -AllowRedirection

# Import the Exchange cmdlets from the remote session
Import-PSSession $Session

SMTP Service for Exchange

Create an Application Level Monitor for SMTP called mon_smtp

add lb monitor mon_smtp SMTP -scriptName nssmtp.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -LRTM DISABLED -interval 30 -resptimeout 5

Create a Service Group called svcgrp_smtp

add serviceGroup svcgrp_smtp TCP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 9000 -svrTimeout 9000 -CKA NO -TCPB NO -CMP NO

Bind the Service Group & Monitoring to Server (LAB-EX10) on TCP Port 25

bind serviceGroup svcgrp_smtp LAB-EX10 25
bind serviceGroup svcgrp_smtp -monitorName mon_smtp

Create a new Load Balancing Virtual Server called lb_smtp

add lb vserver lb_smtp TCP 10.10.10.188 25 -persistenceType NONE -cltTimeout 9000

Bind Service Group to Load Balance Virtual Server

bind lb vserver lb_smtp svcgrp_smtp

Verify NetScaler Reverse Proxy for Exchange Server

You should be able to access https://mail.aventis.dev via NetScaler VPX now

Verify that all the Exchange Services are running fine via Microsoft Remote Connectivity Analyzer

You will get a C when you run the SSL test via https://www.ssllabs.com; please refer to How to Make A+ Result in NetScaler VPX for more information
