Load Balancing Exchange Server 2013 – Good to know stuff

Load balancing is the distribution of workload across the available servers so as to achieve optimal resource utilization, maximized throughput, minimized response time and avoidance of overload. Load balancers are also referred to as Application Delivery Controllers.

With load balancing we can increase capacity by placing more servers behind the load balancer, thereby enhancing the traffic handling capacity. This also results in high availability: when a server fails, the load balancer redirects traffic to the other servers behind it.

SSL Offloading was not supported in Exchange 2013 when this post was first written.

SSL Offloading is supported in Exchange 2013 post Service Pack 1. (Update 7/4/2014)

Additional Options Available Under Load Balancing

  • SSL Offloading- Through SSL offloading, the load balancer decrypts/re-encrypts the SSL traffic from clients. This offloads the task of decryption/encryption from the application server, saving essential application server resources.
  • Maintenance Mode- When a server is marked as being in maintenance mode, no traffic is sent to that server. This can be particularly useful in cache servers.
  • Caching- Caches frequently required application items, eliminating the need to reload them.
  • Compression- Enables traffic compression.
  • Pre-Authentication- As the name suggests, with this option users are pre-authenticated before they are allowed access to the servers.
  • Service Aware- With this feature, the load balancer checks the availability status of a server before sending traffic to it.


Essential Components

Each service has its own persistence settings, distribution settings, time-out settings and SSL offloading settings. Multiple services can be configured in the load balancer to publish the Exchange services. A Virtual IP Address (VIP) is attached to each service, and each service has a unique VIP. It is through this VIP that applications connect to the attached service. Behind the service are the servers/nodes/members. The same servers can be assigned to more than one service.


We shall now look into the different principles involved in Load Balancer in Exchange 2013.

Persistence / Affinity / Stickiness

Since there are multiple servers available behind a load balancer, traffic from a client may not always be sent to the same server, which results in increased network traffic. To avoid this, the load balancer uses persistence, which ensures that the traffic is sent to the same server.

Different Types of Persistence Are:

  • Source IP
  • HTTP Cookie
  • SSL ID
  • Hash Persistence

In Source IP, persistence is based on the source IP address.

In HTTP Cookie based persistence, an HTTP cookie is generated to identify the session and track the server it is bound to.

In SSL ID based persistence, an SSL ID is used to track the session.

In Hash Persistence a Hash is used to track the server.


Load balancing of traffic among servers is done by distribution. Different types of distribution are:

  • Round Robin- It uses the basic round robin technique to choose the server.
  • Weighted Round Robin- In weighted round robin, the weight assigned to each server is also considered while performing the round robin calculations.
  • Least Connections- It routes the traffic to the server with the least connections. This mechanism however shows issues while rebooting a cache server, as the cache server will use many connections while rebooting.
  • Least Response Time- It routes traffic to the server with the quickest response time.

SSL Offloading

Through SSL offloading, the load balancer decrypts/re-encrypts the SSL traffic from clients. This offloads the task of decryption/encryption from the application server, saving essential application server resources: the CAS no longer performs decryption and encryption, which frees a considerable amount of processor utilization. With pure offloading the traffic between the load balancer and the CAS is not encrypted, so that segment of the network has to be trusted. SSL can also be applied between the load balancer and Exchange. In that case the load balancer receives the SSL-encrypted data, decrypts it, re-encrypts it and sends it to Exchange. Finally, a system without offloading permits only 2 types of persistence, Source IP and SSL Session, whereas a system with SSL offloading permits all persistence schemes.
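The persistence limit described above matters most when many clients reach the VIP from one address. The following simulation is an added example, not part of the original post: it compares Source IP persistence (all a balancer can use without decrypting) with HTTP Cookie persistence (needs decrypted traffic). The server names, client addresses and the hash used to pick a server are assumptions made for the illustration.

```python
import hashlib
from collections import Counter
from itertools import cycle

SERVERS = ["cas1", "cas2", "cas3"]  # hypothetical CAS pool behind one VIP

def source_ip_persistence(requests):
    """Without decryption only the source IP is visible: hash it to pick a server."""
    picks = Counter()
    for src_ip, _cookie in requests:
        digest = hashlib.sha256(src_ip.encode()).digest()
        picks[SERVERS[digest[0] % len(SERVERS)]] += 1
    return picks

def cookie_persistence(requests):
    """With decrypted traffic: the first request of a session is assigned round
    robin and remembered by cookie; later requests with that cookie stick to it."""
    rr = cycle(SERVERS)
    table = {}  # cookie value -> server (the balancer's persistence table)
    picks = Counter()
    for _src_ip, cookie in requests:
        if cookie not in table:
            table[cookie] = next(rr)
        picks[table[cookie]] += 1
    return picks

def make_requests(clients, per_client, shared_ip=None):
    """Constructed sample traffic: each client is one session of per_client requests.
    shared_ip models clients that arrive through a single NAT or proxy address."""
    reqs = []
    for n in range(clients):
        ip = shared_ip or f"10.0.{n // 250}.{n % 250 + 1}"
        reqs += [(ip, f"session-{n}")] * per_client
    return reqs

if __name__ == "__main__":
    direct = make_requests(300, 4)
    natted = make_requests(300, 4, shared_ip="192.0.2.10")
    for name, reqs in (("direct clients", direct), ("behind one NAT IP", natted)):
        print(name, "| source IP:", dict(source_ip_persistence(reqs)))
        print(name, "| cookie:   ", dict(cookie_persistence(reqs)))
```

With the shared address, Source IP persistence sends every request to a single server, while cookie persistence still spreads the sessions evenly.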

Layer 4

Layer 4 load balancing works on the data in the network and transport layers, without looking into the application traffic. Layer 4 load balancers require fewer resources and perform better.

Layer 7

Layer 7 load balancing acts in the application layer of the network model. It is application aware, which requires decryption of the traffic.

Routing Options

  • Source Network Address Translation (SNAT)

    The source address of the incoming packet is modified, so the IP address of the client is hidden from the server. This however poses issues while troubleshooting.

  • Load Balancer Default Gateway

    In this technique, the default gateway of the server is pointed to the VIP of load balancer.

  • Direct Server Return

    In this scheme, all incoming requests pass through the load balancer, while the servers return their responses directly to the clients. This requires a local loopback interface on the server which does not answer ARP requests. The loopback interface is configured with the VIP of the load balancer.

Possible Configurations

  • One Armed

    In a one-armed configuration, the clients/servers and the VIP are housed in the same subnet. The available routing options are:

    • SNAT
    • Direct Server Return

  • Two Armed

    A two-armed configuration requires 2 networks and a separate VLAN for the Exchange servers. The routing options available are:

    • Load Balancer Default Gateway
    • Direct Server Return

What’s New In Exchange 2013 Load balancing

  • Session Affinity No Longer required
  • SSL Offloading not supported (supported post Service Pack 1, per the 7/4/2014 update above)
  • Layer 7 Load balancing no longer required
  • Only CAS needs to be load balanced
  • Health Check for Workloads

Features Retained

Can load balance same workloads

Available Configurations

  • Single VIP

    In the single VIP configuration, one VIP is used to publish all protocols and they share the same settings. Layer 7 of the network model is used to find out the destination.

  • Multiple VIP

    A separate VIP can be assigned to each protocol. Each protocol can hence be assigned specific settings.

While single VIP is easier to configure, as it has only one rule, features like scale out and scale up, logging options and client traffic segmentation are not available with it. Multiple VIP has all these features, along with enhanced persistence capabilities and multiple availability protocols, but it requires multiple IP addresses.

Ratish Nair

Microsoft MVP | Exchange Server

Team @ MSExchangeGuru

18 Responses to “Load Balancing Exchange Server 2013 – Good to know stuff”

  4. Susie Kent Says:

    There are several benefits of enabling SSL offloading when using a hardware load balancer (HLB). When you enable SSL offloading you terminate the incoming SSL connections on the HLB instead of on the CAS servers. By doing so you move the SSL workload (encryption and decryption tasks) which are CPU intensive from the CAS servers to the HLB device(s). With CAS servers getting more and more responsibility with the introduction of new features such as MailTips, Move Request Service (MRS) and because it now also is the endpoint for MAPI clients, it makes even more sense to let the HLB take care of the SSL workload compared to earlier versions of Exchange Server.

  5. sajid Says:

    can we use windows 2012 NLB for exchange 2013 ?

  6. Ratish Sekhar Says:

    Windows NLB isn’t preferred, to be honest…
    Look at the limitations and make a business decision.
    Windows Network Load Balancing:

  8. SAT Says:

    Interesting that as of November 2013, SSL offloading (for Exchange 2013) is still not supported on NetScalers, according to official documentation published October 2013…

  9. Rani Says:

    Hello all,

    Can someone please share the steps to configure CAS Server load balancing.


  10. Prabhat Nigam Says:


    Please feel free to post your issues here:

    Then share the link to us and we will answer the concerns as and when we will have time. This will have more people visibility. The best thing is you may get answers from someone else if we are busy.

    Regarding your current concern, check the below mentioned blog if you don’t want to invest in a load balancer. The other option is Windows NLB, which is explained here.

  11. DAK Says:

    SSL Offloading is now supported from Exchange 2013 SP1 (CU4).

  12. Prabhat Nigam Says:

    Thank you for the pointer.
    This is a blog which was written post the release of CU1 in year 2013 so we had highlighted SSL offloading is not supported.

    I have updated a couple of lines. Please read new blogs for latest info and changes.

    I hope the rest of the blogs are helping you in finding your goal.
    Happy Reading and visiting us.

  13. Greg Sites Says:

    What are the recommended hardware load balancers? I have had poor experience with one brand and want to move forward with another. Exchange 2013 1200 users.

  14. Prabhat Nigam Says:

    Hey Greg,

    Hope things are well there.
    I can understand. I would recommend going for the best when you are managing critical customers. The best load balancer is F5 but it is costly.

    I would recommend a hardware LB in comparison to a virtual one, as it will have its own hardware to process the load.
    Feel free to let me know if you need me to connect with F5 team.

  15. Khalid Says:

    Hey there
    You mention that multiple VIP requires multiple IP addresses.
    But as per my understanding that we can use one IP address and assign this IP to each record
    Please correct me if i am wrong.

  16. Ryan Says:

    We have a situation where when we put an Exchange server into maintenance mode traffic is still sent to the server by the VIP. So we need to mark the server as disabled on the VIP so traffic isn’t sent to it. Is this normal behavior or is there something that we need to have changed on the VIP?

  17. Prabhat Nigam Says:

    I would wonder why wouldn’t you follow our patching blogs mentioned below.

    Exchange 2013/2016 –
    Exchange 2010 –

  18. Ryan Says:

    Thanks for the response.
    We are doing pretty much what is suggested in the patching blog. The one thing we don’t do is restart the transport services. See below. This is the script that is run.

    <#
    .NOTES
    Written by Justin Beeden
    V2.0 11.16.2013
    2.0 Added logic to confirm DAG File Share Witness is operational to maintain quorum
        Added logic to confirm QueueTargetFQDN is a FQDN, will attempt to resolve to FQDN if hostname is entered
        Added logic to confirm mail queues have been moved to QueueTargetFQDN
        Added logic to confirm all active database copies have been moved to another DAG member
    1.1 Corrected spelling error in one of the parameters
    1.0 Initial
    .SYNOPSIS
    Puts Exchange 2013 DAG nodes into maintenance mode.
    .DESCRIPTION
    Puts Exchange 2013 DAG nodes into maintenance mode.
    .PARAMETER Server
    Specifies the DAG node Server name to be put into maintenance mode.
    .PARAMETER QueueTargetFQDN
    Specifies the target Exchange 2013 mailbox server FQDN to move the mail queue to from the Server to be put into maintenance mode.
    .EXAMPLE
    PS> .\Start2013DagServerMaintenance.ps1 -Server Server1 -QueueTargetFQDN
    Puts Server1 into maintenance mode and moves all queued mail to Server2 for delivery
    #>

    #Requires -version 3.0

    [CmdletBinding()]
    Param(
        [Parameter(Position=0, Mandatory = $true,
        HelpMessage="Enter the name of the DAG Server to put into Maintenance mode.")]
        [string]$Server,

        [Parameter(Position=1, Mandatory = $true,
        HelpMessage="Enter FQDN of server to move mail queue to.")]
        [string]$QueueTargetFQDN
    )

    #If QueueTargetFQDN is not entered as a FQDN will attempt to resolve it to a FQDN
    Try {
        $TargetServer = ([System.Net.Dns]::GetHostByName($QueueTargetFQDN)).Hostname
    }
    #If above does not resolve to a valid FQDN script will throw error and quit script
    Catch {
        Throw "Could not resolve ServerFQDN: $QueueTargetFQDN hostname needs to be resolvable FQDN."}

    #Function to check all transport queues except Poison and Shadow queues are empty
    function CheckQueues(){
        $MessageCount = Get-Queue -Server $Server | Where {$_.Identity -notlike "*\Poison" -and $_.Identity -notlike "*\Shadow\*"} |
        Select MessageCount | Where {$_.MessageCount -ne 0}
        if ($MessageCount) {
            Write-Host "$Server still has messages in transport queue, will check again in 30 seconds..." -ForegroundColor Yellow
            Start-Sleep -s 30
            CheckQueues
        }
        else {
            Write-Host "Transport queues are empty." -ForegroundColor Green
        }
    }

    #Function to check all active database copies have been moved to another member of the DAG
    function CheckActiveDatabase(){
        $ActiveDatabase = Get-MailboxDatabaseCopyStatus -Server $Server | Where {$_.Status -eq 'Mounted'}
        if ($ActiveDatabase) {
            Write-Host "$Server is still hosting active database copies, will check again in 30 seconds..." -ForegroundColor Yellow
            Start-Sleep -s 30
            CheckActiveDatabase
        }
        else {
            Write-Host "All active database copies have been moved." -ForegroundColor Green
        }
    }

    #Function to check on DAGs File Share Witness if needed by DAG
    function CheckFSW(){
        #$Server is only a name, so the DAG is looked up from the mailbox server object
        $DAG = (Get-MailboxServer $Server).DatabaseAvailabilityGroup
        $FSW = Get-DatabaseAvailabilityGroup -Identity $DAG -Status | Where {$_.WitnessShareInUse -eq 'InvalidConfiguration'}
        if ($FSW) {
            Throw "There is an issue with this DAGs File Share Witness, fix BEFORE doing node maintenance."
        }
        else {
            Write-Host "DAG File Share Witness OK or not in use." -ForegroundColor Green
        }
    }

    Write-Verbose "Checking DAG File Share Witness"
    CheckFSW

    Write-Verbose "Beginning the process of draining the transport queues"
    Set-ServerComponentState $Server -Component HubTransport -State Draining -Requester Maintenance

    Write-Verbose "Beginning the process of draining all Unified Messaging calls"
    Set-ServerComponentState $Server -Component UMCallRouter -State Draining -Requester Maintenance

    Write-Verbose "Redirecting messages pending delivery in the local queues to $QueueTargetFQDN"
    Redirect-Message -Server $Server -Target $TargetServer -Confirm:$false
    #Wait until the local queues have drained to the target server
    CheckQueues

    Write-Verbose "Pausing the cluster node, which prevents the node from being and becoming the PrimaryActiveManager"
    Suspend-ClusterNode $Server

    Write-Verbose "Moving all active databases currently hosted on $Server to other DAG members"
    Set-MailboxServer $Server -DatabaseCopyActivationDisabledAndMoveNow $True

    Write-Verbose "Preventing $Server from hosting active database copies"
    Set-MailboxServer $Server -DatabaseCopyAutoActivationPolicy Blocked
    #Wait until no database copy is mounted on this server any more
    CheckActiveDatabase

    Write-Verbose "Placing $Server into maintenance mode"
    Set-ServerComponentState $Server -Component ServerWideOffline -State Inactive -Requester Maintenance

    Write-Host "$Server is fully in maintenance mode and ready for maintenance." -ForegroundColor Green
