Alteon Application Switch And Microsoft Exchange 2010 Integration Guide Products: Alteon Application Switch Software: Alteon v.27.0-1 -
Microsoft Exchange 2010 Table of Contents Joint Solution Overview... 3 Microsoft Exchange 2010 Overview... 3 Exchange 2010 Definitions... 4 Exchange 2010 Architecture... 6 Deployment Notes... 13 Radware Alteon... 14 Alteon and Microsoft Exchange 2010 Server Architecture... 16 Diagram 1.0 - Alteon and Microsoft Exchange 2010 Reference Architecture... 16 Primary Front-End Alteon Configuration... 17 Network configuration... 17 VRRP Configuration... 18 SSL Configuration... 18 SLB Configuration... 19 Secondary Front-End Alteon Configuration... 21 Network configuration... 21 VRRP Configuration... 22-2 -
Joint Solution Overview The Alteon and Microsoft Exchange 2010 joint solution ensures Exchange 2010 customers solution resilience, efficiency and scale. Radware s Alteon guarantees Exchange 2010 services maximum availability, scalability, performance and security. Managing the advanced messaging functionality in Exchange 2010, Alteon provides advanced health monitoring to avoid system down time and advanced traffic management to deliver a best of breed subsystem. With a pay as you grow platform licensing model, Alteon ensures long term investment protection facilitating incremental growth demanded by today s business. Microsoft Exchange 2010 Overview Preliminary changes include: Storage Groups are being eliminated and incorporated into the Information Store. Clustering is now at the Database level, not Server level. LCR and SCC clustering no longer offered. CCR now at Datastore level, not Server Level although the terminology has changed. Clustering functionality is now known as DAG (Database Availability Group). Exchange 2010 is also only available in 64-bit as part of Microsoft's drive for all its future products to be solely 64-bit based. Exchange 2010 will run on Windows Server 2008 x64 with SP2 at least and Windows Server 2008 R2 (also only released in a 64-bit edition). Compared to previous releases of Exchange Server, some architectural changes in Exchange 2010 have resulted in network load balancing becoming increasingly important, both for large-scale and small-scale deployments. It is possible that a hardware load balancer might be required for as few as two servers deployed in a branch office scrio due to performance/scalability and advanced load balancing functionality requirements. One particular change of interest is the addition of the RPC Client Access Service and the Exchange Address Book Service, both of which run on the Client Access Server (CAS) role. These services improve the user s experience during Mailbox role failovers by moving the connection endpoints for Outlook (and other MAPI clients) to the CAS role rather than the Mailbox role. In previous versions of Exchange, Outlook would connect directly to the mailbox server responsible for the data being accessed, and directory connections would either be proxied via the Mailbox role or referred directly to a particular Active Directory Global Catalog (GC). Now that these connections are handled by the CAS role, - 3 -
Outlook connections (both internal and external) must be load balanced across the array of CAS servers in a deployment. Exchange 2010 Definitions Microsoft Outlook Microsoft Outlook is a personal information manager from Microsoft. It can be used as a stand-alone application, or can work with Microsoft Exchange Server and Microsoft Office SharePoint Server for multiple users in an organization, such as shared mailboxes and calendars, Exchange public folders, SharePoint lists and meeting schedules. There are third-party add-on applications that integrate Outlook with devices such as BlackBerry mobile phones and with other software like Office & Skype internet communication. Developers can also create their own custom software that works with Outlook and Office components using Microsoft Visual Studio. In addition, Windows Mobile devices can synchronize almost all Outlook data to Outlook Mobile. Outlook Anywhere Outlook Anywhere utilizes the RPC Proxy component in Windows to proxy RPC calls to the RPC Client Access Service and Exchange Address Book Service. Outlook Web App (OWA) Outlook Web App is a webmail service of Microsoft Exchange Server 5.0 and later. The web interface of Outlook Web App resembles the interface in Microsoft Outlook. Outlook Web App comes as a part of Microsoft Exchange Server. Outlook Web App lets you access your e-mail from any Web browser. Outlook Web App (known as Outlook Web Access in earlier versions of Microsoft Exchange) has been redesigned in Exchange 2010. Features such as Chat, Text Messaging, mobile phone integration, and Conversation View provide an enhanced user experience from any computer that has a Web browser. In Exchange Server 2010, these features can be accessed from an expanded set of Web browsers including versions of Internet Explorer later than 6.0, Firefox, Safari, - 4 -
and Google's Chrome. Exchange ActiveSync (EAS) Exchange ActiveSync is used by mobile devices to synchronize mailbox content with an Exchange server 2010. You can synchronize e-mail, contacts, calendar information, and tasks. If you use a phone that has Windows Mobile 5.0 with the Messaging Security and Feature Pack (MSFP) installed or a later version, your mobile phone will support Direct Push. Direct Push technology is built into Exchange ActiveSync and keeps a mobile phone continuously synchronized with an Exchange mailbox. Exchange Web Services (EWS) Exchange Web Services is a web services application programming interface (API) that can be used by 3rd party applications to access mailbox data. It is also used by various Microsoft produced applications and devices for integration with Exchange, for example Outlook 2007 and later, Entourage 2008 for Macintosh (Web Services Edition), Office Communicator, and the Office Communicator Phone. Exchange Control Panel (ECP) Exchange Control Panel - Administrators can use the Exchange Control Panel for Outlook Web App to manage some on-premises tasks. The following is a list of the administrative features available: Text messaging integration Voice messaging integration Multiple mailbox search Additional proxy addresses for mailboxes Moderation and approval for distribution list submission In addition, users have self-service capabilities in that they can perform administrative tasks via the Exchange Control Panel. The ECP bles users to perform common tasks without having to call the help desk. Remote Powershell Remote Powershell is the administrative interface that bles you to manage your Microsoft Exchange Server 2010 organization from the command line. - 5 -
Exchange 2010 Architecture Exchange 2010 Enterprise Topology Enterprise Network Phone system (PBX or VOIP) Edge Transport Routing & AV/AS Hub Transport Routing & Policy External SMTP servers Mobile phone Mailbox Storage of mailbox items Unified Messaging Voice mail & voice access Web browser Client Access Client connectivity Web services Outlook (remote user) Outlook (local user) Line of business application Exchange 2010 includes the following server roles: Mailbox Server In Microsoft Exchange Server 2010, the Mailbox server role is one of several server roles that you can install and configure on a server running Windows Server 2008. The Mailbox server role is the most common server role and is at the core of an Exchange organization. Servers on which the Mailbox server role is installed are called Mailbox servers. Mailbox servers perform the following functions: Host mailbox databases Provide e-mail storage Host public folder databases Calculate e-mail address policies Generate address lists and offline address books (OABs) Conduct Multi-Mailbox Searches Provide high availability and site resiliency Provide content indexing - 6 -
Provide messaging records management (MRM) and retention policies Client Access Server The Client Access server role supports the following client connectivity services for mailboxes, public folders, calendar items, the Global Address list and related data: Outlook Web App (previously known as Outlook Web Access) provides access for web browsers such as Microsoft Internet Explorer, Mozilla Firefox, or Apple Safari; the related Outlook Web App Light is a web interface optimized for mobile or other slow connections. Outlook Anywhere allows Exchange access via the Microsoft Outlook 2010 client by tunneling Outlook s MAPI protocol over an HTTP connection. ActiveSync provides access, primarily to mobile devices, that implement the ActiveSync client libraries, also using HTTP as a transport. RPC Client Access, new to Exchange Server 2010, provides traditional native access to Exchange mailboxes via MAPI (Messaging API), but moves the connectivity point from the Mailbox server role to Client Access. POP3 (Post Office Protocol version 3) and IMAP4 (Internet Message Access Protocol version 4rev1) are available for email clients that do not support any of the previous protocols. Unified Messaging Server This is the server that connects a Private Branch exchange (PBX) system to Exchange 2010. Unified Messaging combines voice messaging and e-mail into one Inbox, which can be accessed from the telephone and the computer. Unified Messaging integrates Exchange Server 2010 with the telephony network in your organization and brings the features found in Unified Messaging to the core of the Exchange Server product line. Hub Transport Server This is the mail routing server that routes mail within the Exchange organization. Deployed inside your Active Directory forest, the Hub Transport server role handles all mail flow inside the organization, applies transport rules, applies journaling policies, - 7 -
and delivers messages to a recipient's mailbox. Messages that are sent to the Internet are relayed by the Hub Transport server to the Edge Transport server role that's deployed in the perimeter network. Messages that are received from the Internet are processed by the Edge Transport server before they're relayed to the Hub Transport server. If you don't have an Edge Transport server, you can configure the Hub Transport server to relay Internet messages directly or utilize a third-party smart host. You can also install and configure the Edge Transport server agents on the Hub Transport server to provide anti-spam and antivirus protection inside the organization, although this isn't recommended. You can install the Hub Transport server role on the same hardware with any other internal server role or on a server that's dedicated to the Hub Transport server role. You must deploy a Hub Transport server role in each Active Directory site that contains a Mailbox server role. Deploying more than one Hub Transport server per site provides redundancy. When you install more than one Hub Transport server in an Active Directory site, the connections are distributed. Edge Transport Server This is the mail routing server that typically sits at the perimeter of the topology and routes mail in to and out of the Exchange organization. In Microsoft Exchange Server 2010, the Edge Transport server role is deployed in your organization's perimeter network. Designed to minimize the attack surface, the Edge Transport server handles all Internet-facing mail flow, which provides SMTP relay and smart host services for the Exchange organization. Additional layers of message protection and security are provided by a series of agents that run on the Edge Transport server and act on messages as they're processed by the message transport components. These agents support the features that provide protection against viruses and spam and apply transport rules to control message flow. The computer that has the Edge Transport server role installed doesn't have access to Active Directory. All configuration and recipient information is stored in Active Directory Lightweight Directory Services (AD LDS). To perform recipient lookup tasks, the Edge Transport server requires data that resides in Active Directory. This data is synchronized to the Edge Transport server using EdgeSync. EdgeSync is a collection of processes that - 8 -
are run on a computer that has the Hub Transport server role installed to establish one-way replication of recipient and configuration information from Active Directory to the AD LDS instance on an Edge Transport server. The Microsoft Exchange EdgeSync service copies only the information that's required for the Edge Transport server to perform anti-spam configuration tasks and the information about the connector configuration that's required to ble end-to-end mail flow. The Microsoft Exchange EdgeSync service performs scheduled updates so that the information in AD LDS remains current. You can install more than one Edge Transport server in the perimeter network. Deploying more than one Edge Transport server provides redundancy and failover capabilities for your inbound message flow. You can load-balance SMTP traffic to your organization between Edge Transport servers by defining more than one mail exchange (MX) resource record with the same priority in the Domain Name System (DNS) database for your mail domain. You can achieve consistency in configuration between multiple Edge Transport servers by using cloned configuration scripts. Exchange Components (EWS, ActiveSync, UM, OWA, Mailbox Agents, Transport Agents) Outlook, other MAPI clients Exchange Business Logic Entourage, 3 rd party apps MAPI RPC Store DAV - 9 -
Entourage, 3 rd party apps Exchange Components (EWS, ActiveSync, UM, OWA, Mailbox Agents, Transport Agents) Outlook, other MAPI Exchange clients RPC Business Logic Exchange Core Business Logic MAPI RPC Store All roads go through the middle tier - 10 -
Outlook Clients Exchange CAS Array MBX GC Client Access server (CAS) The Client Access server role is one of five distinct server roles for Microsoft Exchange Server 2010. It supports the Outlook Web App and Microsoft Exchange ActiveSync client applications, and the Post Office Protocol version 3 (POP3) and Internet Message Access Protocol version 4rev1 (IMAP4) protocols. The Client Access server role also provides access to free/busy data by using the Availability service and bles certain clients to download automatic configuration settings from the Autodiscover service. The Client Access server role accepts connections to your Exchange 2010 server from different clients. Software clients such as Microsoft Outlook Express and Eudora use POP3 or IMAP4 connections to communicate with the Exchange server. Hardware clients, such as mobile phones, use ActiveSync, POP3, or IMAP4 to communicate - 11 -
with the Exchange server. You must install the Client Access server role in every Exchange organization and every Active Directory site that has the Mailbox server role installed. POP3 and IMAP In addition to supporting MAPI and HTTP clients, Exchange 2010 also supports POP3 and IMAP4 clients. By default, POP3 and IMAP4 are installed, but the services are disabled when you install the Client Access server role. The Availability Service The Exchange 2010 Availability service provides secure, consistent and up-to-date free/busy data to computers that are running Microsoft Office Outlook 2007 and later versions of Outlook. These versions of Outlook use the Autodiscover service to obtain the URL of the Availability service. Essentially, the Autodiscover service helps capable Outlook clients locate different Web services, such as the Microsoft Exchange Unified Messaging service, the Offline Address Book, and Availability services. The Autodiscover Service The Autodiscover service bles Outlook clients and some mobile phones to receive their necessary profile settings directly from the Exchange server by using the client's domain credentials. These settings automatically update the client with the information that's needed to create the user's profile. Active Directory Global Catalog (GC) The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers. For more information, please visit: http://technet.microsoft.com/en-us/library/bb124558.aspx - 12 -
Deployment Notes The recommendations presented here are specific to a pure Exchange 2010 topology. Many of the recommendations may work with Exchange 2007 or in a mixed 2007/2010 deployment, but the caveats to this are beyond the scope of this document. In general, you should avoid using any of this guidance for Exchange 2007, and if you must do so, be prepared to perform extensive validation in a lab prior to production deployment. Configuration can be deployed with dynamic RPC ports or static ports, to force static ports please refer to Microsoft paper: http://social.technet.microsoft.com/wiki/contents/articles/configuring-static-rpc-por ts-on-an-exchange-2010-client-access-server.aspx - 13 -
Radware Alteon Alteon Application Switch Series 4-5 provide breakthrough performance, advanced application acceleration capabilities and on demand scalability needed to effectively meet contemporary network and business needs. Specifically designed for the majority of enterprises and carriers that operate in dynamic, ever-changing environments and face diverse requirements, the Alteon Application Switch provides the extendable throughput they need from 0 to 20Gbps for unparalleled scalability, business availability and performance. Breakthrough Performance Delivering best Quality of Experience Powered by state-of-the-art, custom-designed hardware platforms, the Alteon Series 4-5 ensure the best user experience and fastest response time for your mission-critical applications, resulting in effective, continuous business operation. The Alteon 4008 & 4416 provide up to 4Gbps of scalable throughput capacity while delivering breakthrough performance including 215K Layer 4 and 135K Layer 7 Transactions per Second (TPS). The Alteon 5412, targeting large data centers and carrier environments packed with four 10GE ports, supports up to 20Gbps of throughput capacity, 2.5 Million DNS queries per second, 535K Layer 4 and 300K Layer 7 Transactions per Second. The beating heart of Alteon Series 4-5 is the Virtual Matrix Architecture (VMA), a one-of-a-kind technology that unleashes the power of Alteon s next-generation proprietary platforms. VMA is a fast, robust, and flexible architecture that leverages the entire system s capacity while providing the parallel performance of distributed processing. Integrated Application Acceleration Capabilities Alteon Application Switch Series 4-5 deliver a wide set of application acceleration capabilities including SSL offloading, web compression, caching, HTTP multiplexing and TCP optimization. These capabilities are designed to offload servers, address server performance issues, enhance response-time for best QoE and mitigate security risks. By offloading processor intensive operations from servers, Alteon frees the servers CPUs to handle additional requests, eliminating the need to buy additional hardware in order to support application processing requirements and reducing CAPEX and OPEX. The Alteon Application Switch is validated and certified by leading application vendors such as Microsoft, Oracle, SAP, IBM and others. When operating Alteon Application Switch Series 4-5 with Microsoft SharePoint for example, the response time of SharePoint servers is accelerated by 350% and the servers - 14 -
CPU load is reduced by 40%. Similar benefits are achieved with other popular applications. Application acceleration capabilities have greater importance in virtual data centers where applications suffer from increased latency caused by virtualization infrastructure. Alteon reduces applications latency and improves QoE of virtual applications. Intelligently Embedding Radware s On Demand Infrastructure Approach By embracing Radware s Pay-as-you-Grow approach, you only pay for the exact capacity currently required and prevent over-spending on the initial solution. Throughput capacity, acceleration capabilities and application-aware services can be added on demand to meet new business requirements with no forklift upgrade of the device and without even restarting it. The Pay-as-you-Grow approach bles you to overcome capacity planning challenges and reduces the risk associated with data center growth for best investment protection. Thanks to platform standardization and simplicity, there are two platforms to cover all of your application needs resulting in fewer spare parts, and less training and operations, to dramatically reduce OPEX. - 15 -
Alteon and Microsoft Exchange 2010 Server Architecture Diagram 1.0 - Alteon and Microsoft Exchange 2010 Reference Architecture - 16 -
Primary Front-End Alteon Configuration Network configuration /c/port 1 pvid 204 /c/port 2 pvid 205 /c/l2/vlan 1 learn def 0 /c/l2/vlan 204 name "TAG.192.168.3.x" learn def 1 /c/l2/vlan 205 name "TAG.192.168.1.x" learn def 2 /c/l2/stg 1/clear /c/l2/stg 1/add 1 204 205 /c/l3/if 1 addr 192.168.3.2 vlan 204 /c/l3/if 2 addr 192.168.1.2 vlan 205 /c/l3/gw 1 addr 192.168.3.254-17 -
VRRP Configuration /c/l3/vrrp/on /c/l3/vrrp/vr 5 vrid 135 if 2 addr 192.168.1.215 track ifs e ports e /c/l3/vrrp/vrgroup 1 name "" prio 101 add 5 track ifs e ports e SSL Configuration /c/slb/ssl/certs/key 1 name "radware" /c/slb/ssl/certs/srvrcert 1 name "radware" /c/slb/ssl/certs/import srvrcert "1" text -----BEGIN CERTIFICATE----- MIICuDCCAiGgAwIBAgIBATANBgkqhkiG9w0BAQUFADAwMQ8wDQYDV QQDEwZhbHRl b24xczajbgnvbaytanvzmrawdgydvqqkewdsywr3yxjlmb4xdtewm TExNDE5MTQ1 MVoXDTExMTExNDE5MTQ1MVowMDEPMA0GA1UEAxMGYWx0ZW9uMQ swcqydvqqgewj1 czeqma4ga1uechmhumfkd2fyztcbnzanbgkqhkig9w0baqefaaobjq AwgYkCgYEA zibfe14jbs51mehudbohxwa3qx9uz4pgstptgcpbvxwsi/zln+kjshnwe wyanu4l F3TEhWSF1ik0foChLjPXsHinjVs4jFYQ6KIu+oJfrrjMAJ7N7GGmXC1t2G6 1yfBg om/jt89yud7nrckcdux8xpmeedirpsan6xjf76wk880caweaaaob4tc - 18 -
B3jAPBgNV HRMBAf8EBTADAQH/MBEGCWCGSAGG+EIBAQQEAwICRDAyBglghkgBh vhcaq0ejryj QWx0ZW9uL05vcnRlbCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYD VR0OBBYEFNyH qklighrrgg2kqsj38pnsdpoumfgga1udiwrrme+afnyhqklighrrgg2k qsj38pns dpouotskmjawmq8wdqydvqqdewzhbhrlb24xczajbgnvbaytanvzm RAwDgYDVQQK EwdSYWR3YXJlggEBMAsGA1UdDwQEAwIC5DANBgkqhkiG9w0BAQUFAA OBgQCBNfF/ PVgp/T/tuW9PB7q1WpC44mo332HDEwjVFwFoq+O4O/B//MPooHW14n hl2nhrpuur TukImp0hVZUS/v5Kbzi3fi1Hx35pDDseTm+oKjrsdg+m28eJmcHiZJ6oze cjxsmy DeaepCevVZmZcjrahHm9LmGr+San09iFe19rYg== -----END CERTIFICATE----- SLB Configuration /c/slb on /c/slb/adv direct /c/slb/adv submac "" /c/slb/sync pips e certs e state e /c/slb/sync/peer 1 addr 192.168.1.3 /c/slb/real 10 rip 192.168.1.35 name "Exchange.SMTP.server.1" /c/slb/real 11 rip 192.168.1.36-19 -
name "Exchange.SMTP.server.2" /c/slb/real 12 rip 192.168.1.31 name "Exchange.CAS.Server.1" /c/slb/real 13 rip 192.168.1.32 name "Exchange.CAS.Server.2" /c/slb/group 10 health http add 12 add 13 name "Exchange.CAS" /c/slb/group 11 health smtp add 10 add 11 name "Exchange.SMTP" /c/slb/port 1 client /c/slb/port 2 server /c/slb/virt 20 vip 192.168.1.215 vname "Exchange.CAS" /c/slb/virt 20/service 25 basic-slb group 11 pbind clientip norport tmout 60 /c/slb/virt 20/service 443 https group 10 rport 80 pbind clientip norport dbind tmout 60 /c/slb/virt 20/service 443 https/ssl srvrcert 1-20 -
sslpol 1 /c/slb/virt 20/service 80 http group 10 pbind clientip norport tmout 60 /c/slb/virt 20/service 110 basic-slb group 10 pbind clientip norport tmout 1 /c/slb/virt 20/service 135 basic-slb group 10 pbind clientip norport tmout 60 /c/slb/virt 20/service 995 basic-slb group 10 pbind clientip norport tmout 1 /c/slb/virt 20/service 143 basic-slb group 10 pbind clientip norport tmout 1 /c/slb/virt 20/service 993 basic-slb group 10 pbind clientip norport tmout 1 Secondary Front-End Alteon Configuration Network configuration /c/port 1 pvid 204 /c/port 2 pvid 205 /c/l2/vlan 1 learn def 0 /c/l2/vlan 204 name "TAG.192.168.3.x" learn def 1-21 -
/c/l2/vlan 205 name "TAG.192.168.1.x" learn def 2 /c/l2/stg 1/clear /c/l2/stg 1/add 1 204 205 /c/l3/if 1 addr 192.168.3.3 vlan 204 /c/l3/if 2 addr 192.168.1.3 vlan 205 /c/l3/gw 1 addr 192.168.3.254 VRRP Configuration /c/l3/vrrp/on /c/l3/vrrp/vr 5 vrid 135 if 2 addr 192.168.1.215 track ifs e ports e /c/l3/vrrp/vrgroup 1 name "" prio 50 add 5 track ifs e - 22 -
ports e - 23 -
Technical Support Radware offers technical support for all of its products through the Radware Certainty Support Program. Please refer to your Certainty Support contract, or the Radware Certainty Support Guide available at: http://www.radware.com/content/support/supportprogram/default.asp For more information, please contact your Radware Sales representative or:u.s. and Americas: (866) 234-5763 International: +972(3) 766-8666 2008 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks or trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners. - 24 -