Load Balancing TMG 2010

hi,
i use 2 tmg's with sp2.
no active directory, hence no tmg array.
i want to enable microsoft load balancing on the internal and external but i always get "RPC is not ..." although i have opened the correct ports.
i have managed to establish a load balance cluster on the 1st host on both internal and external nic's but no luck in joining the other host.
any suggestions ?
Regards,
Udi

Hi,
using NLB without TMG Integration is IMHO not a good idea. You don't have NLB bidirectional affinity and many more. The RPC error message in the NLB MMC is normal, because TMG blocks this type of RPC (DCOM) traffic, but NLB should work as expected.
You will not be able to manage NLB from the TMG Server itself:
"Another issue is using NLB manager on TMG. NLB manager uses DCOM to communicate between the nodes, and DCOM is not supported on TMG. Our recommendation is to use TMG UI to configure and monitor NLB clusters" - Source:
http://social.technet.microsoft.com/Forums/forefront/en-US/2a85732d-2c0b-418b-859e-3400623c043b/windows-server-2008-r2-sp1-breaks-tmg-nlb-cluster-the-rpc-server-is-unavailable
regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.galileocomputing.de/3276?GPP=MarcGrote

Similar Messages

  • Load Balance TMG with Cisco CSS

    I am working with a Customer that is using Cisco CSS to load balance Microsoft TMG 2010.
    From the Microsoft TMG, I can see the https probes hitting the TMG Servers. The TMG 2010 recognizes that the Cisco is trying to establish a 3-way handshake and is dropping every 3rd connection with the following error: "non-SYN packet was dropped because it was sent by a source that does not have an established connection with the Forefront TMG computer." Since the Microsoft Forefront TMG 2010 Server is Stateful packet inspection firewall, what is the best load balance method for this service? TCP or even worse ICMP.
    Below is a snippet of the configuration:
    Thank You
    Avery
    CSS-A# show service Server1-ssl
    Name: Server1-ssl  Index: 70   
      Type: Local            State: Alive
      Rule ( x.x.x.x  TCP  443 )
      Session Redundancy: Enabled
      Redundancy Global Index: 206
      Redirect Domain: 
      Redirect String:
      Keepalive: (SSL-443   5   3   5 )
      Keepalive Encryption:      Disabled
      Last Clearing of Stats Counters: 03/05/2012 16:33:14
      Mtu:                       1500        State Transitions:            4
      Total Local Connections:   0           Total Backup Connections:     0
      Current Local Connections: 0           Current Backup Connections:   0
      Total Connections:         0           Max Connections:              65534
      Total Reused Conns:        0           Weight Reporting:             None
      Weight:                    1           Load:                         2
    CSS-A#
    CSS-A# show service Server2-ssl 
    Name: Server2-ssl  Index: 71   
      Type: Local            State: Alive
      Rule ( x.x.x.x  TCP  443 )
      Session Redundancy: Enabled
      Redundancy Global Index: 207
      Redirect Domain: 
      Redirect String:
      Keepalive: (SSL-443   5   3   5 )
      Keepalive Encryption:      Disabled
      Last Clearing of Stats Counters: 03/05/2012 16:53:49
      Mtu:                       1500        State Transitions:            6
      Total Local Connections:   0           Total Backup Connections:     0
      Current Local Connections: 0           Current Backup Connections:   0
      Total Connections:         0           Max Connections:              65534
      Total Reused Conns:        0           Weight Reporting:             None
      Weight:                    1           Load:                         2

    Hi,
    It would be good to have a capture from the server itself, the TCP keepalive is really simple, as you explained, it is just a 3-way-handshake on port 443.
    The CSS is going to use its vlan IP to generate this keepalive.
    So if the server is dropping the connection, it would be good to see the actual behavior of the keepalive.
    ICMP is just a ping, and let's say port 443 is no longer open on the server, at the point that the CSS gets the ICMP reply back from the server, the service is going to remain as alive, but the traffic is not going to work, so ICMP is not a good option.
    Thanks!

  • Load Balancing Exchange 2010 with Citrix Netscaler

    Hi All,
    I have two exchange multirole server(cas/ht/mb) EXCH1 and EXCH2 both are configured in DAG (dag1.example.com) and also both are configured with CAS array (casarray.example.com)
    We have Citrix Netscaler hardware load balancer. I have to configure Load balancing for CAS array, ActiveSync, OWA, Outlook Anywhere.
    Please guide me through the configuration for citrix netscaler as i am new with Citrix Netscaler.
    Regards,
    Pravin

    Hi,
    In order to resolve this issue more efficiently, I recommend you contact support from Citrix, you might get a better answer there. Thanks for your understanding.
    https://www.citrix.com/community.html
    Best regards,
    Belinda
    Belinda Ma
    TechNet Community Support

  • Whats the best way to go about load balancing Exchange 2010 CAS

    My server guys want to LB the Exchange 2010 client access servers, this will be the 7th Context on my Ace 4710.
    see table for ports that are used
    Port     Usage
    25       smtp
    80       http various
    110      POP3 clients
    135      RPC end point mapper
    143      imap4 clients
    443      SSL various
    993      secure imap 4 clients
    995      secure pop3 clients
    6001     rpc related outlook anywhere
    6002     rpc related outlook anywhere
    6003     rpc related outlook anywhere
    60200    rpc CAS
    60201    exchange address book service
    whats the best way of going about this?
    do I just LB the IP addresses of the Servers and ignore the ports?
    do i have to do anything special for ports 993 and 995 secure imap and pop?
    I am sure there are more questions I should be asking!

    OK
    so If I have a single serverfarm with all services do I filter on  the virtual
    address something like below?
    class-map match-any EXCH_vip
    match virtual-address 172.16.93.2 tcp eq 25
    match virtual-address 172.16.93.2 tcp eq 80
    match virtual-address 172.16.93.2 tcp eq 110
    match virtual-address 172.16.93.2 tcp eq 135
    match virtual-address 172.16.93.2 tcp eq 143
    match virtual-address 172.16.93.2 tcp eq 443
    match virtual-address 172.16.93.2 tcp eq 993
    match virtual-address 172.16.93.2 tcp eq 995
    match virtual-address 172.16.93.2 tcp eq 6001
    match virtual-address 172.16.93.2 tcp eq 6002
    match virtual-address 172.16.93.2 tcp eq 6003
    match virtual-address 172.16.93.2 tcp eq 60200
    match virtual-address 172.16.93.2 tcp eq 60201

  • TMG load balance and publishing issues

    Dear Experts,
    I have some questions about publishing multiple services with TMG's ISP redundancy with load balancing:
    We are using a single TMG 2010 server to protect our network and providing Internet connection to them. We manage our own domain providing the name service with the DNS server component installed on the TMG box and published it outside. We are using Exchange
    for mail service, as well we publish web sites too and terminal services via RDP. There wasn't any problem till today, when we got an other, separate Internet connection via a new different ISP. When I set ISP Redundancy to Load Balance I faced to a problem.
    The Internet connection works fine, but the partner SMTP's drop our letters, because they can not complete the reverse DNS check.
    How can I set the TMG and/or the DNS to provide a correct mail publishing service? How should I set our DNS to provide access to our web sites and other services when one of the Internet connections breaks down?
    Thank you in advance!
    Thomas

    Dear Quan,
    Yes, this is the problem.
    Would you tell me, how should I configure my DNS for working properly if I publish my services to all my IPs/Internet connections? Do I have to double all my A and MX records?
    Is it possible to publish services on all IPs/Internet connections or should I publish on only one an use NLB only for to provide Internet connection to our computers?
    What is the good solution to make a fail-safe internet-gateway which publishes multiple services fail-safe too?
    Thank you
    Thomas

  • HA and Load Balancing in Exchange Server 2010

    Hi
    My office just have 2 servers Exchange Standard 2010 (Licensed). I installed 3 roles on 2 servers (called Ex1 & Ex2). I configured Windows NLB for Hub Transport and Client Access. That 's fine.
    But the mailbox is separated each server. Ex1 is main mailbox, so when Ex1 down, mailbox database will down too.
    I 've read DAG solution but I just have 2 servers and it 's running WNLB. My office not enough cost to buy Hardware Load Balancer.
    Does anyone have a solution for my problem ?
    Thank you

    Hi,
    If you want to use DNS round robin, it is recommended to lower the TTL values of DNS records to 5 minutes.
    DNS Round Robin has no automatic server failure detection. If a host goes down, Administrator will need to realize it, remove the DNS Record for the server that went down, and then clients will have to wait for the TTL value on the old DNS record to
    expire. 
    Here is an article about DNS round robin for your reference.
    http://www.shudnow.net/2010/03/17/exchange-2010-rtm-high-availability-load-balancing-options/
    Best regards,
    Belinda Ma
    TechNet Community Support

  • Multiple roles load balancing on Ms Exchange 2010

    Dear list member !
    Currently. I installed Ms Exchange SP3 Multiple roles on a single server. I have been planning deploy add a member exchange 2010 SP3 for redundancy DAG but these are
    people also IT operation told to me so install CAS, HUB, MB Roles will Load balancing CAS, DAG based on TWO Server "Ex 2010 SP3:". Following Microsoft document, then almost do not that.
    Please feedback to able or unable
    very appreciate

    Hi,
    To load balance CAS servers, you need to use the Windows Network Load Balancing or the Hardware Load Balancing. For more details about this, you can refer to the following article.
    Understanding Load Balancing in Exchange 2010
    http://technet.microsoft.com/en-gb/library/ff625247(v=exchg.141).aspx#options
    If you want to deploy DAG in your environment and you also want to load balance your CAS servers, it is recommended to install Mailbox server role and CAS role on different servers. Because DAG members utilize Windows Failover Clustering, which can’t co-exist
    with WNLB. Of course, you can choose to use HLB to load balance CAS servers.
    Best regards,
    Belinda
    Belinda Ma
    TechNet Community Support

  • Lync 2010 and ACE load balancing

    Hi there,
    Has anyone deployed [or will be deploying] Lync 2010 utilising the ACE as a hardware load balancer. The ACE is not {yet] on the Microsoft list of supported devices for this product, but I am told this because of lack of documentation from Cisco.
    The consensus from a few colleagues is that it should work as it did for OCS, which we have already deployed, so assuming that the set up and operation is similar, there shouldn't be much difference in the configurations.
    regards,
    Glenne.

    Hey Glenne,
    It seems you got that working already but I wanted to share this simple sample:
    parameter-map type http PARAMETER
      set header-maxparse-length 65535
      set content-maxparse-length 65535
    ============================================
    interface vlan 112
      ip address 10.198.16.71 255.255.255.192
      alias 10.198.16.124 255.255.255.192
      peer ip address 10.198.16.72 255.255.255.192
      mac-sticky enable
      access-group input anyone
      nat-pool 25 10.198.16.125 10.198.16.125 netmask 255.255.255.0 pat
      service-policy input ANS-MGT
      service-policy input VIPS
      no shutdown
    ============================================
    policy-map multi-match VIPS
      class LYNC_VIP
        loadbalance policy  LYNC_POLICY
        ssl-proxy server SSL_LYNC_TERMINATION
        loadbalance vip icmp-reply active
        nat dynamic 25 vlan 112
        appl-parameter http advanced-options  PARAMETER
    ============================================
    class-map match-all LYNC_VIP
      2 match virtual-address 10.198.16.125 tcp eq https
    ============================================
    ssl-proxy service SSL_LYNC_TERMINATION
      key tac-key
      cert tac-cert
      chaingroup tac-chaingroup
    ============================================
    policy-map type loadbalance first-match LYNC_POLICY
      class class-default
        sticky-serverfarm LYNC_COOKIE
    ============================================
    sticky http-cookie ACE_COOKIE LYNC_COOKIE
      timeout 30
      replicate sticky
      serverfarm LYNC_FARM
    ============================================
    serverfarm host LYNC_FARM
      rserver LYNC_SERVER1 80
        inservice
      rserver LYNC_SERVER2 80
        inservice
    ============================================
    rserver host LYNC_SERVER1
    ip address 10.198.16.93
    inservice
    rserver host LYNC_SERVER2
    ip address 10.198.16.113
    inservice
    ===========================================
    Jorge

  • BizTalk 2010 Load Balancing Not So Balanced

    Ok here's our scenario.
    1. One Orchestration running under HostInstanceProcess on 3 servers in the same Group using 3 different domain accounts
    2. That Orchestration has a reference to Utilities dll, which in turns calls a stored procedure using ADO.net code
    3. We run that orchestration, it gets around 2000 de-batched messages and for those 2000 messages it calls that ADO.net code
    4. Back in that database we run sp_who to check how many connections are made from each machine, and we find that over 60% connections are always made from one particular BizTalk machine and it's not one off, I've seen it at least 7 to 8 times, that machine
    always has most number of connections, for example if there are 120 connections in total, 80 connections are from Server 1 while rest from others.
    5. We put a Max Pool connections in the connection string to 250 (default is 100) but that doesn't make any difference.
    6. This interface is facing a lot of connection time outs from the database, hence this investigation is done
    7. The same interface works perfectly fine on BizTalk 2006 R2, it's connecting to the same database (so can't be a database issue), it has 2 servers, which make almost same number of connections to the DB when I check with sp_who, so load balancing seems
    to working as expected in BizTalk 2006 R2.
    So my question, I know BizTalk is supposed to do load balancing in a round robin fashion which should equally distribute the load but in my example in BizTalk 2010, it's not doing that clearly, it's overloading one server with almost 70% of the requests,
    what could be the reason for this? Host instances are set-up similarly in all servers. Any help greatly appreciated.
    Regards
    Syed

    BizTalk load balancing works in Round Robin fashion only for the new messages, while in case of instance subscription message will be routed to server holding dehydrated orchestration instance. 
    So the server having dehydrated instances will receive the correlated response along with the new incoming message.
    So you can see one server slightly overloaded.
    Thanks,
    Prashant
    Please mark this post accordingly if it answers your query or is helpful.

  • Exchange 2010 ACE30 Load Balancer Configuration

    Afternoon Everybody,
    Does anybody have any good documentation, or example configurations on how to load balance client traffic inbound to distributed Exchange 2010 Client Access Servers they could share please?
    We have a basic configuration in place that is troublesome that is using sticky based persistence for all services, with basic health probes looking at ports 25, 80, 443 and RPC specific ports on 135, 6000, 60001.  We are seeing major packet drops/loss as well as resets of the connections between the health probes and the servers that in turn take the servers out of the farm causing major downtime.
    I would very much appreciate any pointers or guidance.
    Thanks in advance.
    Darrel

    Hi Darrel,
    Is there any specific requirement from the application side?
    Can you go through the below links and see if they help you?
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/App_Networking/hypervexchange.html
    https://supportforums.cisco.com/thread/2123412
    Regards,
    Kanwal

  • Is apache reverse proxy server/F5 Load Balancer support to Sharepoint 2010

    Hi ,
    I have two tool for implement reverse proxy
    -Apache reverse proxy
    -F5 load balancer
    Kindly let me know sharepoint 2010 support this,if support then how to configured.
    Hasan Jamal Siddiqui(MCTS,MCPD,ITIL@V3),Sharepoint and EPM Consultant,TCS

    Thanks Sebastian,
    Please let me know,I have only NTLM Authentication,we are not using FBS.
    For NTLM authentication what we need to do. 
    Hasan Jamal Siddiqui(MCTS,MCPD,ITIL@V3),Sharepoint and EPM Consultant,TCS

  • Site not accessible from the Load balanced web front end server - sharepoint 2010

    I have a production environment with 2 WFE's(sp-wfe1 & sp-wfe2), 2 APP's and 2 SQL clustered VM's.
    2 WFE's are load balanced using hardware load balancer.
    An A-Record(PORTAL) is created in DNS for the virtual IP of the load balancer which points to the 2 WFE's.
    A web application is created on the WFE's on port 80.
    alternative access mapping is configured and the load balanced record "http://PORTAL" is used under the default zone.
    Under IIS I have edited the bindings for the sharepoint site at port 80 and added the HOSTNAME as PORTAL.
    Result: The site is accessible from outside the server and works fine.
    ISSUE: The site is not accessible within the WFE's(sp-wfe1 & sp-wfe2).
    When I browse the site from the WFE's server it ask for the credentials and when I enter the credentials and click OK it ask the credentials again and again and in the end displays a blank page.
    Kindly help me in this issue because I am clueless and couldn't find anything helpful on the internet. 
    Regards,
    Mudassar
    MADDY-DEV Forum answers from Microsoft Forum

    Loop back check.
    http://www.harbar.net/archive/2009/07/02/disableloopbackcheck-amp-sharepoint-what-every-admin-and-developer-should-know.aspx
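
For the loopback check named in the answer above, the following PowerShell is an added example, not part of the thread. It contrasts the blanket `DisableLoopbackCheck` switch with a per-host entry in `BackConnectionHostNames`; the host name `PORTAL` is taken from the question, and the script assumes it is run elevated on each WFE.

```powershell
# Added example (not from the original thread).
# The loopback check makes Windows refuse NTLM authentication when a machine
# connects to itself under a name other than its own, which limits NTLM
# reflection. Turning it off for the whole server removes that protection for
# every name; allow-listing only the load-balanced host name keeps it in place.

$hostName = 'PORTAL'   # load-balanced name from the question
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msvKey   = Join-Path $lsaKey 'MSV1_0'

# 1. Report the weak setting if someone has already applied it.
$disable = (Get-ItemProperty -Path $lsaKey -Name DisableLoopbackCheck `
            -ErrorAction SilentlyContinue).DisableLoopbackCheck
if ($disable -eq 1) {
    Write-Warning 'DisableLoopbackCheck = 1: loopback check is off for ALL host names on this server.'
}

# 2. Read the current allow-list (REG_MULTI_SZ); it may not exist yet.
$current = @((Get-ItemProperty -Path $msvKey -Name BackConnectionHostNames `
              -ErrorAction SilentlyContinue).BackConnectionHostNames |
             Where-Object { $_ })

# 3. Add the host name only if it is missing (-contains is case-insensitive).
if ($current -contains $hostName) {
    Write-Output "$hostName is already listed in BackConnectionHostNames."
}
else {
    [string[]]$updated = $current + $hostName
    New-ItemProperty -Path $msvKey -Name BackConnectionHostNames `
        -PropertyType MultiString -Value $updated -Force | Out-Null
    Write-Output "Added $hostName to BackConnectionHostNames: $($updated -join ', ')"
}
```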

  • SharePoint 2010 Kerberos on Load balance farm

    I have a SharePoint Load balance farm and my site address is https://sharepoint.com(SharePoint alias creates in ADDS which resolves to virtual IP address VIP), do I need to setup spns for https://sharepoint.com or to all the ip adresses of the webservers
    used or to VIP?
    Thanks,
    D

    Hi,
    you need to set up Kerberos for the URL your users are typing in the browser and for which you have IIS listening. In your case that is
    https://sharepoint.com. This address will be registered with IIS on all load-balanced Servers and the application pool should run under the same service account on all servers.
    Regards,
    Andrei
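
An added example (not part of the thread) of registering the SPN described in the answer above, with a duplicate check first. The account `CONTOSO\svc-spportal` is a hypothetical placeholder for the application pool account; `sharepoint.com` is the host name from the question.

```powershell
# Added example (not from the original thread).
# An SPN for a web site uses the HTTP service class even when the URL is
# https://, and it must be owned by exactly one account: the application pool
# account shared by all load-balanced servers. A duplicate or misplaced SPN
# makes Kerberos fail for that name.

$spn     = 'HTTP/sharepoint.com'        # host name from the question
$account = 'CONTOSO\svc-spportal'       # hypothetical app pool account
$sam     = ($account -split '\\')[-1]   # account name without the domain

# Find every directory object that already carries this SPN.
$searcher = [adsisearcher]"(servicePrincipalName=$spn)"
[void]$searcher.PropertiesToLoad.Add('samaccountname')
$owners = @($searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] })

if ($owners.Count -eq 0) {
    # -S registers the SPN after checking the forest for duplicates.
    setspn -S $spn $account
}
elseif ($owners.Count -eq 1 -and $owners[0] -eq $sam) {
    Write-Output "$spn is already registered to $account."
}
else {
    Write-Warning "$spn is held by: $($owners -join ', '). Remove it from every account except $sam before registering."
}
```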

  • Configure Barracuda Load Balancer with Exchange 2010

    I have following scenario:
    1 x DB
    1 x Exchange multi role server on VLAN1 on site 1
    1 x Exchange multi role Server on VLAN2 on site 2
    1 x cas array on site 1
    1 x cas array on site 2
    1 x Barracuda at site 1.
    How barracuda will load balance my 2 exchange servers located on different subnets and sites? Do i need to make them SINGLE SITE? and make them part of single array or i can do it without bringing them into single site. Barracuda can access both exchange servers.
    I cannot move servers, all i have to do is in the same scenario and that is to load balance CAS services.
    Hasan

    If your network supports(i.e. Bandwidth between Vlan1 and Vlan2) and if it is single ADsite you can. You have to add both Vlan1 server and Vlan2  server to the load balancer. 
    Enable DAC on both servers http://technet.microsoft.com/en-us/library/dd979790(v=exchg.150).aspx
    Configure alternatewitness on DAG properties. http://technet.microsoft.com/en-us/library/dd297934(v=exchg.150).aspx
    One server with all roles in Vlan1  IP 192.168.1.101  
    One server with all roles in Vlan2  IP 192.168.2.101
    Assume you configured 192.168.1.100 as Barracuda VIP and pointed the names to this IP.
    If your Vlan1 network goes down your Exchange will go offline till you point the CAS Array FQDN to the IP of the Vlan2 server in Vlan2 DNS server. (i.e point CAS array FQDN to 192.168.2.101 as per above example)
    If you are not sure about the configuration on Barracuda I suggest you take help from Barracuda support to configure as per the above scenario. 
    If you want to reduce the traffic between Vlans you can switchoff shadow redundancy. Please read about
    shadow redundancy before switching off
    Set-TransportConfig -ShadowRedundancyEnabled $false
    Thanks, MAS
    Please mark as helpful if you find my comment helpful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    I got you. Now if i make both Vlans server part of single array and that array FQDN IP will obviously be one of VLANs IP, so if that VLAN goes down then i need to change the IP of CAS array FQDN from local DNS (Pick one IP from another VLAN) and also on
    Barracuda... right? 
    Also correct me that VLAN IP on Barracuda will be the IP of CAS Array FQDN right? 
    Hasan

  • Lync 2013 Enterprise load balancing on the front end and edge pool

    Hi,
    I am setting up a Lync 2013 Enterprise deployment consisting of a Front End pool (x2 FE servers) and an Edge pool (x2 Edge servers).  I'm seeing some conflicting advice regarding load balancing using hardware or DNS for the front end and the edge.
    On the front end I have 2 internal DNS records 'lyncfepool1.contoso.local' each of which map to one of the IPs of the FE servers.  I've used my details to populate the Detailed Design Planner excel spreadsheet and am told that I require a HLB to load
    balance my front end pool.  I'm aware of the need to load balance HTTPS traffic internally (which will be done by TMG) however other traffic to the front end (SIP, etc) can be balanced by DNS only, and not require a HLB?
    Can someone clarify the front end requirement?
    Also - looking now at the edge pool - this site again have two edge servers in a pool.  We are using a total of six private IP addresses, two per edge service (2 x av.contoso.com, 2 x sip.contoso.com and 2 x webcon.contoso.com).  These will be
    NAT'ed by the external firewall and directed to the respective external (DMZ) IP addresses on the Edge servers on port 443.  I know this isn't true roundrobin due to the intelligence of the Lync client when connecting (in that the Lync client will connect
    to one of the public IPs and if it can't connect, it will know to connect to the other service IP), however I want to clarify this set up, particularly the need to direct the external public IP traffic at the DMZ Edge IP specified in the topology builder.
    I've attached a basic diagram of the external/DMZ/Edge side which hopefully helps with this question
    Persevere, Persevere, Per..

    That is because you will always need HLB for a front-end server since it hosts the Lync webservices which use HTTP/HTTPS traffic.
    The description on the calculation tool also describes this correctly:
    Supports Standard and Enterprise pools (up to 12 nodes), with pure device-based load balancing or a combination of DNS load balancing and device-based load balancing (for
    Lync web services)
    You can use either Hardware or DNS loadbalancing for SIP traffic only, but you will always need a HLB for the webservices.  Both are applicable for the Front-End so you have either
    - full HLB for both SIP and HTTP(S) traffic
    - DNS LB for SIP traffic and HLB for HTTP(S) traffic
    Hope this is more clear :-)
    Lync Server MVP | MCITP Lync Server 2010 | If you think my post is the answer to your question, please mark it as answer so future visitors can easily find it.
