Exchange CAS high availability with Windows NLB
Application availability is getting super critical these days. Most of them can be clustered but there are still few applications which can’t be clustered. So we have Network load balance hardware devices but not every organization is happy to invest in NLB device just for Exchange CAS. For these organizations the solution is windows NLB and Microsoft fully support it. Let us see how we configure Windows NLB for 2 nodes.
Infrastructure Configuration for this article:
Yes, prepare the below values for your NLB.
- Server Names: CAS1 and CAS1
- CAS1 NLB NIC IP Address: 10.10.10.10
- CAS2 NLB NIC IP Address: 10.10.10.20
- NLB IP Address: 10.10.10.40
- Subnet mask: 255.255.255.0
- CAS URL/NLB NAME: mail.msexchangeguru.com
Configure NLB Cluster – Follow the below steps on both the Servers.
- This should be the Secondary NIC for NLB but in the same production network.
- Configure the IP address and subnet mask only. No DNS and WINS.
- In Advanced’s DNS tab, confirm checkbox for Register this connection’s addresses in DNS is unchecked
- In Advanced’s WINS tab, ensure Disable NetBIOS over TCP/IP is checked
- NLB Configuration Steps:
- Validate required NICbinding order onCAS1 andCAS2
- Otherwise, reorder the NICs so they occupy the first and second positions
- Save settings by clicking OK and close Network Connections Applet
Install Network Load – Follow the below steps on both the Servers
- Click on Start | Administrative Tools | Server Manager Balancing Service on Click on Features | Add Features In the Add Features wizard, check Network Load Balancing checkbox Click Install
- Close once installed.
Create a new NLB
- On CAS1, click on Start | Administrative Tools | Network Load Balancing Manager
- From the NLB console, right‐click Network Load Balancing Clusters
- Click New Cluster
- In Host field, enter CAS1 FQDN; cas1.msexchangeguru.com click Connect
- Choose the NLB NIC (Interface IP 10.10.10.10); click Next | Add
- In Add IP Address dialog box, enter 10.10.10.40 on IPv4 address
- For Subnet mask, enter 255.255.255.0; click OK | Next
- In New cluster: Cluster Parameters dialog box, confirm cluster IP address
- On Full Internet name, enter OWA URL “mail.msexchangeguru.com”
- On Client operations mode, choose unicast; click Next
- In Add/Edit Port Rule dialog box, allow all port then Click Finish
- Allow the new NLB cluster to converge; after convergence, the cluster status should say Success and with a GREEN icon next to it.
- From CAS2, confirm OWA URL “mail.msexchangeguru.com” responds with the cluster IP 10.10.10.40; otherwise determine dns issue and resolve the issue.
- Add the second node On NLB Manager console.
- Right‐click OWA URL Cluster Name
- Click Add Host to Cluster
- Type in Server 2 FQDN cas2.msexchangeguru.com in the Host field then click Connect
- Choose the NLB NIC (interface IP 10.10.10.20) then click Next and Next
- Leave all settings at default; click Finish
- Allow CAS2 to converge with the cluster; after convergence, the cluster status should say Success and with a GREEN icon next to it
Verify NLB:
- Stop Windows NLB service on CAS1 then From CAS2, confirm OWA URL responds with the cluster IP 10.10.10.40 and owa page is opening; otherwise determine and resolve the issue.
- Restart Windows NLB service on CAS1 and allow the cluster nodes to converge successfully.
- Stop Windows NLB service on CAS2 then From CAS1, confirm OWA URL responds with the cluster IP 10.10.10.40 and owa page is opening; otherwise determine and resolve the issue.
- Restart Windows NLB service on CAS2 and allow the cluster nodes to converge successfully.
Configure the MAC address to the VM NLB NIC
If you have virtualized CAS then follow this step
- Go to NLB Manager à Cluster Properties à Clusters Parameters Tab and write down the Network address for the NLB cluster. Which is like 02-BF-0A-0A-0A-28
- Shut down the NLB cluster VMs one by one (make sure you don’t shutdown both CAS at a time) then in Hyper-V Manager, manually configure the network adapters that you added to the VMs for the NLB cluster to use a static MAC address that matches the NLB network address: 02-BF-0A-0A-0A-28.
- Check the checkbox “Enable Spoofing of MAC Addresses”
- Restart the CAS Server VMs in Hyper-V Manager.
- Confirm successful NLB cluster convergence status one more time.
NIC Forwarding
Run the below command on both the servers so that NLB can forward OWA request to Prod NIC
This is a very important step, if you have missed this then NLB will not be able to forward the CAS request to Production NIC and no app will open.
- Open the cmd prompt with Run as Administrator and run the below cmd.
netsh interface ipv4 set interface “NLB Interface” forwarding=enabled
NLB should be working fine at this moment.
Recently I was helping a customer who decided to stick to only 2 servers with all the roles in it. Then he end up asking high availability for CAS as well on the same setup. I decide to explain the unsupported configuration which I am mentioning here but Microsoft/MsExchangeGuru will not support any issue or loss caused by this. So use this configuration at your own risk.
For such setup we can change their CAS/Transport internal NAT IP to the DAG Cluster IP/Name (CNO).
Prabhat Nigam
Microsoft MVP | Exchange Server
team@msexchnageguru
August 14th, 2013 at 1:13 am
[…] https://msexchangeguru.com/2013/08/14/windowsnlb/ […]
August 14th, 2013 at 8:42 am
[…] https://msexchangeguru.com/2013/08/14/windowsnlb/ […]
August 19th, 2013 at 10:56 am
[…] Exchange CAS high availability with Windows NLB […]
August 20th, 2013 at 12:29 pm
Hi,thanks for the great post.Accrding to the configuration,now you have OWA running on NLB. May I know what about autodiscover and etc? Can I create a DNS entry autodicover.msexchangeguru.com and point the the same NLB IP?
Thanks and hope to hear from you soon.
August 20th, 2013 at 12:36 pm
@Joe
Yes, you have to create a DNS entry autodicover.msexchangeguru.com and point the the same NLB IP.
August 24th, 2013 at 9:54 am
Why I need to make the mac static in the virtualized CAS? Is this step required in the other hypervisor also or only hyper-v
August 24th, 2013 at 10:04 am
I would recommend for every Virtual environment hyper-v or vmware or other.
This should be done to keep same MAC as NLB so that Mac registration should be same for the ARP table from any server.
September 21st, 2013 at 10:44 am
Hi Folks
After installing CAS and mailbox role (both role) on two server, can I configure on these 2 server NLB for CAS role and DAG network.
Can coexist CAS NLB and Cluster DAG on two machine with cas and mailbox role installed?
Many thanks
Maximilian
September 21st, 2013 at 4:43 pm
@Max
I am sorry, you can’t do windows NLB with DAG Cluster.
September 21st, 2013 at 5:38 pm
With the NLB enabled, I just get a webpage saying “Oulook Web Access” and a spinning blue circle. After a couple of minutes it times out. Is this because I am using self-signed certificates?
I tried to use an internal CA cert, but when I completed the CSR, the cert is always listed as invalid. 🙁
September 22nd, 2013 at 12:17 am
@Rob
Try if iisreset helps.
If not try to restart the server.
September 22nd, 2013 at 12:36 pm
Thanks Prabhat, but iisreset and reboots did not help. The behaviour above is in Chrome. In IE10, it just says, “Waiting for response from mail.domain.com”.
Any other ideas? This is Windows 2012 and Exchange 2013 CU2.
September 22nd, 2013 at 1:26 pm
@Rob
Check this blog if it helps: https://msexchangeguru.com/2012/07/24/edge-server-tls/
September 22nd, 2013 at 2:45 pm
@Prabhat. Thanks, that was useful. I’m using a private CA cert. I’ve installed the root CA cert on all clients. I’ve also disabled the IE setting “Check for server certificate revocation”.
This is the behaviour I get now:
1) From a client within the datacenter (but not a member of the same AD domain as Exchange and the CA), OWA now loads fine. However, externally I still get timeouts.
2) If I remove the NLB cluster and change the IP of CAS01 to the address of the VIP, OWA works both internally and externally.
I’m wondering if there’s a problem with my datacenter firwall. I’ll talk to our networking guys. Thanks.
September 22nd, 2013 at 3:00 pm
Timeout will be surely different issue.
It will be great if you share the exact resolution which might help others…
November 3rd, 2014 at 1:58 pm
Are there any log files associated with the wnlb that records the ip of the incoming traffic into the load balancer?
Thanks
November 12th, 2014 at 2:56 pm
No, you need to use IIS logs
January 25th, 2015 at 12:29 am
I have 2 CAS Server, CAS1 and CAS2. After i put CAS1 and CAS2 in Window NLB. We found that some client can connect and some client cannot connect. The Problem on CAS2 that can’t provide function to all type of client. do anyone used to face this problem. please advise. thanks
January 25th, 2015 at 12:42 am
So when you connect to the CAS2 is directly, does it reject the connection?
If you have not tested then on your clients hostfile configure the IP of CAS2 and try to connect then if it fails check the IIS logs.
You can also run the tests like mentioned below.
Test-webservicesconnectivity
Test-outlookwebservices
January 25th, 2015 at 7:04 am
When i connect direct to cas2 without join NLB, we can use as usual. We use owa and ecp on web. But after join NLB we have problem. We useit as VM run on vmware. I use only one NIC for NLB and client access.
January 25th, 2015 at 12:18 pm
Did you enable MAC address spoofing and nic forwarding
January 25th, 2015 at 6:42 pm
We not yet enable it, how can we do that on VMware as your article are hyper v.
January 31st, 2015 at 6:26 am
I have configure follow the instruction on vmware esxi, then i found out that when i connect it always connect to CAS2 and show below message.
”
Server Error in ‘/ecp’ Application.
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
Details: To enable the details of this specific error message to be viewable on remote machines, please create a tag within a “web.config” configuration file located in the root directory of the current web application. This tag should then have its “mode” attribute set to “Off”.”
February 4th, 2015 at 2:46 pm
On the NLB setup, what affinity should be used? (None/Single/Network)
February 4th, 2015 at 4:42 pm
Default Single.
March 7th, 2015 at 12:42 pm
Hi
After configure the NLB, Still NLB status showing converged.
OWA or ECP page is not opening.
I have one doubt, earlier my A record (webmail.test.com) was pointing to CAS(CAS1.test.com) server but after configure the NLB, I changed the A record to NLB IP. NLB name and owa name both are same. (webmail.test.com).
Please suggest for the same.
March 7th, 2015 at 1:21 pm
Check this if it helps – http://support.microsoft.com/kb/812870
July 9th, 2015 at 6:19 am
Hello Prabhat,
We are currently using Cluster DAG on two servers, Is there a way to remove the Cluster DAG so that we can use the NLB??? if there is a way please share the steps on how to do it..
awaiting for your reply…
July 9th, 2015 at 1:07 pm
Boyet,
There is no way you can configure wnlb on Dag node.
July 10th, 2015 at 3:58 am
Hi prabhat,
Thanks for the reply…What i mean is to remove totally the Windows Failover clustering in exchange 2013 sp1 and use WNLB in exhange 2013 sp1..is these possible??
What is recommended in exchange 2013 sp1, Failover clustering or WNLB??
We install 2 exchange 2013 sp1(DAG in Failover clustering) to co-exist with exchange 2007 sp3…owa is working while connecting outlook to exchange 2013 sp1 these error will pop out “The name cannot be resolved. The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action.”
Autodiscover is also setup and pointing to exchange 2013 …
Any help will be very much appreciated…
Thanks
July 10th, 2015 at 4:36 am
If you need dag then prerequisite is failover clustering.
Cas role should be installed separately from mailbox role to use window nlb so can either go for virtual/hardware load balancer or use DNS round robin other option is mentioned at the end of the blog which is for a dag which has an IP assign but it is not recommended or supported.
Outlook issue may also occur if you have not enabled outlook anywhere.
Outlook anywhere hostname should be pointing to exchange 2013.
August 4th, 2015 at 5:43 am
[…] Today I was configuring windows NLB for a customer and figure out how to configure MAC spoofing in VMware so I am sharing the details in addition to the previous WNLB configuration blog. […]
October 29th, 2015 at 3:13 am
Only one network card per CAS server?
October 30th, 2015 at 5:25 pm
Add one more.
December 6th, 2015 at 8:16 am
in this configuration
Server Names: CAS1 and CAS2
CAS1 NLB NIC IP Address: 10.10.10.10
CAS2 NLB NIC IP Address: 10.10.10.20
NLB IP Address: 10.10.10.40
Subnet mask: 255.255.255.0
CAS URL/NLB NAME: mail.msexchangeguru.com
If the User Open the OWA https://mail.msexchangeguru.com and the NLB Forward the Traffic To CAS1 and the user1 already login and read the mail >>
Suddenly the CAS1 become unavailable/Down >>>What will happen for the user1 that already login before using NBL and his session and connection initiated from CSA01
December 6th, 2015 at 12:53 pm
User might see a disconnect when user will try to click on any folder or click send to an email and it may require to refresh the browser.
WNLB is not a best recommendation. I just explain how do we configure it. I would still recommend to go for a virtual Load Balancer or hardware load balancer.
February 16th, 2016 at 3:31 pm
I implemented the WNLB but now need to remove it from my environment.How do you recommend this to be done.
February 16th, 2016 at 4:07 pm
1. Point the CAS traffic to CAS IP.
2. From Network Load Balancing Clusters – remove the servers.
July 27th, 2016 at 6:44 pm
Hi Folks,
Slight Struggle on the track…
Version – Exchange server 2013
Issue – Unable to use NLB cluster name (contoso.com’>mail.contoso.com) for autodiscover
I have a test environment called contoso.com, I have installed two Client Access servers (EX1 – CAS1, EX2 – CAS2).
CAS1 – 10.0.0.10 ex1.contoso.com
CAS2 – 10.0.0.20 ex2.contoso.com
NLB Virtual IP – 10.0.0.100 mail.contoso.com
I have added two CAS servers into NLB server, now I can access my mailbox through mail.contoso.com in owa, Suppose if I configure my outlook in my domain client, it should configure automatically for my mailbox through autodiscover service. Now my question is whether the client outlook(autodiscover) will try to reach ex1.contoso.com or ex2.contoso.com or mail.contoso.com ? If ex1,ex2.cotoso.com means how can I change the address to mail.cotoso.com ?
July 27th, 2016 at 7:07 pm
There are more configuration of URLs required. Check our other blogs. We also have a URL configuration script.
July 27th, 2016 at 7:21 pm
could you please explain in short form to configure ? Let me try
July 27th, 2016 at 8:08 pm
There is no short form. You have to update the URLs and create dns host records which will point to NLB.
July 27th, 2016 at 8:15 pm
Yes I have configured autodiscover url. Also have created host record & srv record & mx record in dns but still the outlook will point to ex1.contoso.com also getting error like “The name cannot be resolved. The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action.”
(Set-ClientAccessServer -Identity -AutoDiscoverServiceInternalURI https://mail.contoso.com/AutoDiscover/AutoDiscover.xml )
(Set-ClientAccessServer -Identity -AutoDiscoverServiceInternalURI https://mail.contoso.com/AutoDiscover/AutoDiscover.xml )
July 27th, 2016 at 8:17 pm
This is the wrong configuration. Study more
July 27th, 2016 at 8:21 pm
I have tried but unable to move, can you please guide ?
July 27th, 2016 at 8:24 pm
I already told you, You have to search correct blog. This is windows NLB blog and not exchange CAS config blog.
July 27th, 2016 at 8:27 pm
Ok thank you
July 28th, 2016 at 8:13 pm
What are all the ways are there Secure Internet Access for Client Access Server ?
July 28th, 2016 at 8:23 pm
Mostly hardware or virtual Load Balancer. TMG and ISA is the old story now.
July 28th, 2016 at 8:38 pm
Thank you