MailMarshal SMTP in a Load Balanced Array of Servers Technical White Paper September 29, 2003




Contents

Introduction
Network Load Balancing
Example Environment
Microsoft Network Load Balancing (Configuration)
Validating your NLB configuration
MailMarshal Specific Configuration
Summary

This document is a general guide to configuring load balancing within an array of MailMarshal SMTP servers. It focuses on the configuration of Microsoft Network Load Balancing for this purpose. The concepts used should assist in the configuration of load balancing in any environment.

This document is not intended to be a complete or definitive guide to configuring load balancing with MailMarshal SMTP. In fact the configuration of load balancing is, in most cases, completely outside the scope of the configuration of MailMarshal SMTP. By its very nature network level load balancing is transparent to the application that is the target of such load balancing techniques.

All recent versions of MailMarshal SMTP can be used in array installations. Support for centralized management of configuration and Rules across the members of an array, as mentioned in this paper, is included in MailMarshal 5.5 SMTP.

THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, MARSHAL LIMITED PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Marshal Limited, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Marshal Limited. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Marshal Limited may make improvements in or changes to the software described in this document at any time.

© 1995-2006 Marshal Limited, all rights reserved.

U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.

Check Point, FireWall-1, VPN-1, Provider-1, and SiteManager-1 are trademarks or registered trademarks of Check Point Software Technologies Ltd. Firewall Suite, MailMarshal, Security Reporting Center, and WebMarshal are trademarks or registered trademarks of Marshal Limited. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies.

Introduction

This paper provides an overview of how to configure network load balancing to work with MailMarshal SMTP (hereafter referred to as MailMarshal). The concepts described will generally apply to any network load balancing environment employed, regardless of whether the technology is delivered through software or a network switch/router. The paper presents a specific example using the Microsoft Network Load Balancing services delivered with Windows 2000 Advanced Server and Windows 2000 Datacenter Server.

Target Audience

For the purpose of this document it is assumed that the reader is familiar with Windows 2000 Server and general networking environments. The reader should also have a good understanding of messaging systems, networking architecture and TCP/IP. It is also assumed that the reader has an understanding of MailMarshal, or at the very least SMTP gateways.

Document Purpose

The intended purpose of this document is to provide information and guidelines on load balancing inbound SMTP connections across an array of MailMarshal servers. This document does not describe every possible technique. Various options will be presented that may or may not be relevant to every possible environment.

Preparation

Ensure that adequate backups of system(s) on which the changes are to be made have been performed before any of the changes suggested in this document are undertaken. It is assumed that MailMarshal has been correctly installed on all nodes that will be members of the array. For a summary of specific configuration options for the MailMarshal Servers see the section entitled MailMarshal Specific Configuration.

Network Load Balancing

General Concepts

Network Load Balancing, in the context of its use with MailMarshal, is the configuration of an environment employing more than one MailMarshal server, where processing of inbound SMTP connections is shared by all the MailMarshal servers. This type of environment would normally be created to allow for performance scalability. Scalability is achieved by sharing the outbound TCP load across a number of servers. This type of environment also provides for a degree of redundancy. The outbound connections go to a reduced number of servers in the event of a server failure.

The MailMarshal servers themselves are not involved in load balancing. Each MailMarshal server simply processes inbound SMTP connections allocated to it by whatever mechanism is deployed to distribute a defined proportion of the connections to each server.

In many cases network load balancing is implemented as a software solution that is deployed on all participating members of an array of servers. Each member of the array is configured with a set of rules that define the TCP traffic to be load balanced, and what proportion of traffic any particular server is responsible for. In much larger environments the task of load balancing may be delivered through configurable network switching equipment or purpose built network load balancing appliances. The concepts employed in all situations are similar.

Environment

IP Addressing

In most cases each member of the array of servers will be assigned a dedicated IP address. Connections to an individual array member can be made using this IP address or by the name (defined in the DNS) associated with this IP address. There is generally an additional IP address that is associated with the array as a whole. This is often referred to as a Virtual IP address. All members of the array will use this address. The network load balancing technology will accept connections on this address and re-allocate them to individual array members.

DNS

Within the DNS of the site, records must be created for each of the individual members of the array, with their associated IP addresses. A record must also be created with the Virtual IP address of the array. This name will be the one used by gateways establishing SMTP connections to the array. Usually an MX record must also be created to allow for email delivery. This record should point to the name associated with the Virtual IP address of the array.

An example DNS configuration is illustrated below. The Virtual IP address of the array is associated with the host name MailMarshal. The nodes of the array are named ArrayNode01 and ArrayNode02. The MX record for the email gateway has the name MailMarshal.demo.marshalsoftware.com.

Ports

The network load balancing configuration will include options to determine what TCP ports will be load balanced across the array. In many cases this will be a single port if the array is hosting only a single application. In the case of MailMarshal the only port required is 25.

Protocols

The network load balancing configuration will include options to determine what IP protocols will be load balanced across the array. In many cases this will only be a single protocol. Some applications may require more than one set of protocol/port assignments. In the case of MailMarshal the only protocol required is TCP.

Affinity

Affinity in the network load balancing configuration determines how the traffic on a particular protocol/port combination is allocated. Generally affinity relates to the stickiness of connections from an external address to an individual server in the array. In the case of MailMarshal load balancing the affinity should generally be set to none. This means that each new connection made to the array from a particular external address can be allocated to any MailMarshal server in the array. This gives the best option for load balancing, since multiple connections from the same host (even concurrent connections) will be distributed evenly across the array. MailMarshal can have the affinity set to none because no SMTP connection has any relationship to any other SMTP connection.

The Value of Network Load Balancing

With the growth of the web as an information component of the corporate environment, the need for dynamic scalability of web access has never been greater. With Network Load Balancing, you have the ability to build an infrastructure for supporting your critical, on-demand web access in a distributed, load-balanced manner. Network Load Balancing helps ensure your web access can scale to handle the heaviest of traffic loads, while also guarding against both planned and unplanned server downtime.

Microsoft Network Load Balancing (Described)

The Microsoft TCP load balancing service load balances incoming IP (Internet Protocol) traffic across clusters of up to 32 nodes. Network Load Balancing enhances both the availability and scalability of Internet server-based programs such as Web servers, streaming media servers, and Terminal Services. By acting as the load balancing infrastructure and providing control information to management applications built on top of Windows Management Instrumentation (WMI), Network Load Balancing can seamlessly integrate into existing Web server farm infrastructures. Network Load Balancing will also serve as an ideal load balancing architecture for use with the Microsoft release of the upcoming Application Center in distributed Web farm environments.

Example Environment

To demonstrate the configuration of MailMarshal in a load balancing environment, the following example details how MailMarshal can be configured in a two server array, using the network load balancing services offered by Microsoft Windows 2000 Advanced Server. This environment was chosen because it is readily available and demonstrates the configuration concepts. These concepts could be applied to any other network load balancing environment for use with MailMarshal.

A diagram illustrating the example environment is presented below. Basically the environment consists of two MailMarshal servers (ArrayNode01 and ArrayNode02). Each has MailMarshal installed and the two servers have fixed IP addresses of 192.168.254.31 and 192.168.254.32 respectively. The shared array (Virtual) IP address is 192.168.254.30.

There is a separate SQL server on the network. The SQL server is used by all of the array members to log transaction information for the purposes of reporting on email traffic and filtering activity.

Microsoft Network Load Balancing (Configuration)

Microsoft Load Balancing must be configured on each server that will be a node of the array.

First Node

On the ArrayNode01 server, open Network And Dial-up Connections, right-click on the interface you want to use for load balancing (usually one of the Local Area Connections), and select Properties. Highlight the Network Load Balancing item. Then click Properties to access the options for configuring Network Load Balancing on this interface. You will be presented with the Network Load Balancing Properties dialog.

Cluster Parameters

To properly configure NLB, you must first select the Cluster Parameters tab. Enter the following information:

1. Primary IP Address: The Primary IP Address is the Virtual IP address of the Network Load Balancing configuration (as opposed to the physical interface IP address). All servers in this load balanced array will use this IP address. This is shown in the example diagram as the Array IP (192.168.254.30).
2. Subnet Mask: Enter an appropriate subnet mask for your environment. A default mask will be provided based on the IP address entered above.
3. Full Internet Name: Enter the fully qualified domain name (FQDN) configured in the DNS for the IP address entered as the Primary IP Address. Remember to configure your DNS with this name and resolve it to the IP address before going live with your load-balancing machines.
4. Network Address: This hardware (MAC) address is automatically configured and cannot be changed.
5. Multicast Support: Check this box if you want to enable multicast support. If you are using a server with only one network card, this option is required.
6. Remote Password: If you want to use remote administration, enter and confirm a remote password and select the Remote Control check box. With this feature enabled, you can, for example, start and stop the cluster services or display diagnostics from a remote machine.

Host Parameters

After configuring Cluster Parameters, click the Host Parameters tab. Enter the following configuration parameters:

1. Priority (Unique Host ID): You must select a unique number for every server in your array. The example environment includes two servers. Set ArrayNode01 Priority to 1 and ArrayNode02 Priority to 2.
2. Initial Cluster State: Select this check box if you want to enable this server in the array immediately.
3. Dedicated IP Address: Enter the static IP address of the server's network interface card prior to enabling Network Load Balancing. In the example this is 192.168.254.31.
   Note: In the Primary IP Address in Cluster Parameters, you entered the virtual IP address for the cluster. Here, you enter the server's individual IP address.
4. Subnet Mask: Enter the appropriate subnet mask for the server's static IP address.

Port Rules

After configuring your Host Parameters, click the Port Rules tab. This tab allows you to configure your TCP/IP traffic by selecting the appropriate protocols and port ranges. These port rules must be identical on each member server of the array. For example, you might configure TCP to work on only a certain range of ports. By default, the port range is 0 to 65535 on both TCP and UDP ports. After configuring your rule, click the Add button.

For a simple MailMarshal configuration create the rules as pictured above. This will set single server affinity for all traffic except for SMTP, which will have affinity set to none.

Tip: If you are hosting other applications on the same array, you may need to generate specific rules for each protocol, particularly if they have differing affinity requirements.

Click OK.

Cluster IP Address

The last step for this node is to enter the Array IP address in the Advanced Settings of your TCP/IP configuration.

1. Open Network And Dial-up Connections, and right-click on the interface for which you have configured Network Load Balancing.
2. Choose Properties, highlight Internet Protocol (TCP/IP), click Properties, and then click Advanced.
3. Choose Add and enter the Array IP address as a secondary IP address associated with this interface. In the example this is 192.168.254.30.

You have now successfully created the first server in your array for use with MailMarshal.

Second Node

On the ArrayNode02 server, configure all parameters to be the same as those configured for the first node, with the exception of the following:

Host Parameters

1. Priority (Unique Host ID): Within the Example this is ArrayNode02. Set the Priority to 2.

Cluster IP Address

The last step for this node is to enter the Array IP address in the Advanced Settings of your TCP/IP configuration.

1. Open Network And Dial-up Connections, and right-click on the interface for which you have configured Network Load Balancing.
2. Choose Properties, highlight Internet Protocol (TCP/IP), click Properties, and then click Advanced.
3. Choose Add and enter the Array IP address as a secondary IP address associated with this interface. In the example this is 192.168.254.30.

You have now successfully created the second server in your array for use with MailMarshal.

Validating your NLB configuration

After you have completed the NLB array configuration, you can verify that the configuration is correct. Open a Windows Command Prompt window on any server in the array, and enter:

    wlbs query

You can also ping the virtual IP address to see whether it is responding.

An additional insurance step to take once configuration is complete is to enter the following commands:

    wlbs stop     (to stop the load balancing service)
    wlbs start    (to re-start the load balancing service)

This will refresh all connections and ensure all members have re-loaded the load balancing configuration.

Another useful test is to use telnet from a non-array member and make several connections to port 25 of the DNS name associated with the array. For example:

    telnet MailMarshal.demo.marshalsoftware.com 25

Leave each connection open when making subsequent connections. This will ensure that the Load Balancing services allocate the new connections to different members.

If Load Balancing is correctly configured, you should be allocated a connection to a different array member as illustrated:
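The telnet test can also be scripted. The following is an added example, not part of the original white paper or of MailMarshal: it holds several connections to port 25 open at once and tallies the host name announced in each 220 greeting, reporting members that never answered and any host that answered but is not a known array member. It assumes each array member announces its own distinct name in its greeting; the node FQDNs and greeting text are constructed for illustration.

```python
import re
import socket
from collections import Counter

# Assumption: each array member announces its own host name in its SMTP
# greeting ("220 <host> ..."). These FQDNs are constructed from the paper's
# node names and example domain.
MEMBERS = ["arraynode01.demo.marshalsoftware.com",
           "arraynode02.demo.marshalsoftware.com"]

GREETING = re.compile(r"^220[ -](\S+)")


def banner_host(banner):
    """Return the lower-cased host name from a 220 greeting, or None."""
    match = GREETING.match(banner.strip())
    return match.group(1).lower() if match else None


def read_line(sock, limit=1024):
    """Read one line (at most `limit` bytes) from a connected socket."""
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < limit:
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf


def collect_banners(host, port=25, connections=6, timeout=5.0):
    """Open `connections` sessions, leaving each open while the next is made,
    and return one greeting line per attempt ("" if the attempt failed)."""
    socks, banners = [], []
    try:
        for _ in range(connections):
            try:
                sock = socket.create_connection((host, port), timeout=timeout)
            except OSError:
                banners.append("")
                continue
            socks.append(sock)
            try:
                line = read_line(sock)
            except OSError:
                line = b""
            banners.append(line.decode("ascii", "replace").strip())
    finally:
        for sock in socks:
            try:
                sock.sendall(b"QUIT\r\n")
            except OSError:
                pass
            sock.close()
    return banners


def summarize(banners, expected_members):
    """Tally greetings per host; list members never seen and unknown hosts."""
    expected = {m.lower() for m in expected_members}
    per_host, failed = Counter(), 0
    for banner in banners:
        host = banner_host(banner)
        if host is None:
            failed += 1          # refused, timed out, or a non-220 reply
        else:
            per_host[host] += 1
    return {
        "per_host": dict(per_host),
        "failed": failed,
        # A small sample can miss a member by chance; retry with more
        # connections before treating "missing" as a fault.
        "missing": sorted(expected - set(per_host)),
        # A host answering on the array name that is not a known member.
        "unexpected": sorted(set(per_host) - expected),
    }


# Constructed greetings standing in for a live run.
SAMPLE_BANNERS = [
    "220 arraynode01.demo.marshalsoftware.com ESMTP ready",
    "220 arraynode02.demo.marshalsoftware.com ESMTP ready",
    "220 arraynode01.demo.marshalsoftware.com ESMTP ready",
    "",
]

if __name__ == "__main__":
    # Live use, run from a machine that is not an array member:
    #   summarize(collect_banners("MailMarshal.demo.marshalsoftware.com"), MEMBERS)
    print(summarize(SAMPLE_BANNERS, MEMBERS))
```
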

MailMarshal Specific Configuration

As has already been mentioned, there is no specific configuration required when MailMarshal is used in a Network Load Balancing environment. MailMarshal can be installed on each server in the array as usual. Additional configuration options to support array operations may be available, depending on the version of MailMarshal installed.

MailMarshal 5.5

When you install and configure MailMarshal, you can specify that MailMarshal will be used in an array with one server as the master. Configuration information can be replicated automatically to other servers. Configuration and management of MailMarshal 5.5 SMTP for use in arrays is covered in detail in the MailMarshal SMTP User Guide. For details of configuration, see the section Configuration Wizard in Chapter 3, Installation. For details of management, and more information on the settings that are replicated, see Chapter 20, Arrays.

MailMarshal 4.X and 5.0

MailMarshal 4.X and 5.0 support unique logging identifiers for each server in an array. In most cases where there is an array of MailMarshal servers all logs of message traffic will be maintained using a single Microsoft SQL Server database. The individual MailMarshal servers must be uniquely identified in the log records.

To configure unique identifiers, in the MailMarshal Configurator, choose Server Properties from the Tools menu. Select the Logging tab. Check the box MailMarshal is used in an array.

For each member in the array choose a unique Server Instance (or name). This will force the message numbers generated by the individual MailMarshal Servers to be unique and allow centralized reporting of all email traffic across the array.

Summary

This white paper has provided a short introduction to Network Load Balancing in Windows 2000 and its application to MailMarshal. You should now have the concepts necessary to deploy MailMarshal into an array of servers for load balancing and/or redundancy, using the Microsoft Network Load Balancing services. The concepts shown should enable you to use any other form of Network Load Balancing to provide similar functionality to that illustrated.

Further information about Microsoft Network Load Balancing can be found in TechNet or on the Microsoft Web site: http://www.microsoft.com/windows2000/techinfo/reskit/en-us/distrib/dsdc_cls_ynnk.asp

Further information about MailMarshal in load balanced arrays can be obtained by contacting NetIQ Support: www.netiq.com/support

MailMarshal support is also available through your local NetIQ Partner.