We have successfully managed to deploy HAProxy as a Layer-4 load balancer for all our Exchange 2013 SP1 HTTP-based traffic (Autodiscover, OWA, EXP, EWS, MAPI, etc.).
For various reasons, however, we are looking to move to a Layer-7 "SSL offloading" architecture.
We have based most of our configuration on the excellent ALOHA guide: https://www.haproxy.com/static/media/uploads/eng/resources/aloha_load_balancer_appnotes_0065_exchange_2013_deployment_guide_en.pdf
The good news is that almost everything is working absolutely fine. Our only problem is with MAPI, i.e. the replacement for RPC that was introduced in Exchange 2013 SP1.
From what I have read, SSL offloading of MAPI is supported by Exchange 2013 - see http://blogs.technet.com/b/rmilne/archive/2014/02/25/exchange-2013-sp1-released.aspx. The ALOHA document advises against using Layer-7 SSL offloading for MAPI, but purely due to performance issues and not for any technical reason.
If we try to load balance MAPI, the symptoms we are seeing are:
- the /mapi/HealthCheck.htm URL can be returned fine in a web browser
- however, Outlook clients repeatedly ask for credentials
The relevant bits of the HAProxy config are below (it's not the whole file):
frontend ft_exchange_2013_https
    bind 1.1.1.3:443 ssl crt /blah/blah.pem
    # captured headers appear in the {...} fields of the HTTP log line
    capture request header Host len 32
    capture request header User-Agent len 64
    capture response header Content-Length len 10
    maxconn 10000
    acl ssl_connection ssl_fc
    acl host_mail hdr(Host) -i mail.company.com
    acl path_slash path /
    acl path_mapi path_beg -i /mapi
    # path_check is not defined in this excerpt
    http-request deny if path_check
    http-request redirect scheme https code 302 unless ssl_connection
    http-request redirect location /owa/ code 302 if path_slash host_mail
    use_backend bk_exchange_2013_https_mapi if path_mapi

backend bk_exchange_2013_https_mapi
    option httpchk GET /mapi/HealthCheck.htm
    http-check expect string 200\ OK
    timeout server 600s
    server SERVER1 1.1.1.1:443 maxconn 2000 weight 10 check ssl verify none
    server SERVER2 1.1.1.2:443 maxconn 2000 weight 10 check ssl verify none
The things we have tried to resolve the issue are:
- use HTTP rather than HTTPS on the backend, by removing the "Require SSL" flag on the MAPI IIS virtual directory and using port 80 rather than 443 on the SERVER1 and SERVER2 lines
- remove one of the backend servers so all requests go to a single server
- change the authentication settings for the MAPI virtual directory from the default "Negotiate" to "NTLM"
However, none of these have fixed the problem. If anyone has any ideas on how to diagnose further, or has a working configuration they could share (e.g. HAProxy config + Exchange MAPI virtual directory config), that would be great!
Edit 1
I've also managed to reproduce the Outlook behaviour by going to https://mail.company.com/mapi/emsmdb, which repeatedly prompts for credentials the same as Outlook.
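One way to diagnose the repeated credential prompts from the load balancer's own logs, as an added example that is not part of the original post: the frontend above captures Host and User-Agent, so with "option httplog" each request line records the client, the chosen backend server, the status code and the request path. The script below parses such lines and reports, per client, how many 401 responses its /mapi requests drew and whether consecutive /mapi requests were spread across more than one backend server (which matters because NTLM and Negotiate authenticate the connection, not each request). The log lines are constructed samples in HAProxy's default httplog layout; the threshold of 3 is an assumed value.

```python
import re
from collections import defaultdict

# Default "option httplog" line with two captured request headers
# (Host|User-Agent) and one captured response header (Content-Length),
# matching the capture directives in the frontend above. A syslog prefix
# before the client address is tolerated because re.search is used.
LOG_RE = re.compile(
    r'(?P<client>\d+\.\d+\.\d+\.\d+):\d+ \[[^\]]+\] (?P<fe>\S+) '
    r'(?P<be>[^/ ]+)/(?P<srv>\S+) \S+ (?P<status>-?\d+) \d+ \S+ \S+ \S+ '
    r'\S+ \S+ \{(?P<req_hdrs>[^}]*)\} \{(?P<resp_hdrs>[^}]*)\} '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*"'
)

# Constructed sample log: one Outlook client bouncing between SERVER1 and
# SERVER2 while receiving 401s, one browser health check, one OWA request.
SAMPLE_LOG = """\
10.20.0.5:51234 [10/Mar/2015:10:00:00.101] ft_exchange_2013_https~ bk_exchange_2013_https_mapi/SERVER1 0/0/1/5/6 401 512 - - ---- 10/10/5/3/0 0/0 {mail.company.com|Microsoft Office/15.0} {0} "POST /mapi/emsmdb/?MailboxId=abc HTTP/1.1"
10.20.0.5:51235 [10/Mar/2015:10:00:00.210] ft_exchange_2013_https~ bk_exchange_2013_https_mapi/SERVER2 0/0/1/4/5 401 512 - - ---- 10/10/5/3/0 0/0 {mail.company.com|Microsoft Office/15.0} {0} "POST /mapi/emsmdb/?MailboxId=abc HTTP/1.1"
10.20.0.5:51236 [10/Mar/2015:10:00:00.330] ft_exchange_2013_https~ bk_exchange_2013_https_mapi/SERVER1 0/0/1/4/5 401 512 - - ---- 10/10/5/3/0 0/0 {mail.company.com|Microsoft Office/15.0} {0} "POST /mapi/emsmdb/?MailboxId=abc HTTP/1.1"
10.20.0.9:40001 [10/Mar/2015:10:00:01.000] ft_exchange_2013_https~ bk_exchange_2013_https_mapi/SERVER1 0/0/1/2/3 200 43 - - ---- 10/10/5/3/0 0/0 {mail.company.com|Mozilla/5.0} {43} "GET /mapi/HealthCheck.htm HTTP/1.1"
10.20.0.7:40002 [10/Mar/2015:10:00:01.500] ft_exchange_2013_https~ bk_exchange_2013_https_owa/SERVER1 0/0/1/2/3 401 0 - - ---- 10/10/5/3/0 0/0 {mail.company.com|Mozilla/5.0} {0} "GET /owa/ HTTP/1.1"
"""


def mapi_auth_report(log_text, path_prefix="/mapi", threshold=3):
    """Return {client: {"unauth": n, "servers": [...], "bounced": bool}}
    for clients whose requests under path_prefix drew at least `threshold`
    401 responses. "servers" lists the backend server of each such request
    in order; "bounced" is True when more than one server was used."""
    per_client = defaultdict(lambda: {"unauth": 0, "servers": []})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or not m.group("path").startswith(path_prefix):
            continue  # unparsable line, or not MAPI traffic
        rec = per_client[m.group("client")]
        rec["servers"].append(m.group("srv"))
        if m.group("status") == "401":
            rec["unauth"] += 1
    report = {c: r for c, r in per_client.items() if r["unauth"] >= threshold}
    for r in report.values():
        r["bounced"] = len(set(r["servers"])) > 1
    return report


if __name__ == "__main__":
    for client, rec in mapi_auth_report(SAMPLE_LOG).items():
        print(client, rec)
```

Run it against the real HAProxy log to see whether the prompting clients are the ones whose /mapi requests alternate between SERVER1 and SERVER2; a client that keeps getting 401s on a single server points at the IIS virtual directory rather than at balancing.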
0 Answers