Learn Exchange the Guru way !!!


Exchange CAS high availability with Windows NLB

Application availability is getting super critical these days. Most of them can be clustered but there are still few applications which can’t be clustered. So we have Network load balance hardware devices but not every organization is happy to invest in NLB device just for Exchange CAS. For these organizations the solution is windows NLB and Microsoft fully support it. Let us see how we configure Windows NLB for 2 nodes.

Infrastructure Configuration for this article:

Yes, prepare the below values for your NLB.

  1. Server Names: CAS1 and CAS1
  2. CAS1 NLB NIC IP Address:
  3. CAS2 NLB NIC IP Address:
  4. NLB IP Address:
  5. Subnet mask:


Configure NLB ClusterFollow the below steps on both the Servers.    

    1. This should be the Secondary NIC for NLB but in the same production network.
    2. Configure the IP address and subnet mask only. No DNS and WINS.
      1. In Advanced’s DNS tab, confirm checkbox for Register this connection’s addresses in DNS is unchecked
      2. In Advanced’s WINS tab, ensure Disable NetBIOS over TCP/IP is checked
    3. NLB Configuration Steps:
        1. Validate required NICbinding order onCAS1 andCAS2
        2. Otherwise, reorder the NICs so they occupy the first and second positions
        3. Save settings by clicking OK and close Network Connections Applet

Install Network LoadFollow the below steps on both the Servers

      1. Click on Start | Administrative Tools | Server Manager Balancing Service on Click on Features | Add Features  In the Add Features wizard, check Network Load Balancing checkbox Click Install
      2. Close once installed.

Create a new NLB

      1. On CAS1, click on Start | Administrative Tools | Network Load Balancing Manager        
      2. From the NLB console, right‐click Network Load Balancing Clusters
      1. Click New Cluster
      2. In Host field, enter CAS1 FQDN; click Connect
      3. Choose the NLB NIC (Interface IP; click Next | Add
      4. In Add IP Address dialog box, enter on IPv4 address
      5. For Subnet mask, enter; click OK | Next
      6. In New cluster: Cluster Parameters dialog box, confirm cluster IP address
      7. On Full Internet name, enter OWA URL “
      8. On Client operations mode, choose unicast; click NextNLB1
      1. In Add/Edit Port Rule dialog box, allow all port then Click Finish
      2. Allow the new NLB cluster to converge; after convergence, the cluster status should say Success and with a GREEN icon next to it.
      3. From CAS2, confirm OWA URL “ responds with the cluster IP; otherwise determine dns issue and resolve the issue.
      4. Add the second node On NLB Manager console.
      5. Right‐click OWA URL Cluster Name
      6. Click Add Host to Cluster
      7. Type in Server 2 FQDN in the Host field then click Connect
      8. Choose the NLB NIC (interface IP then click Next and Next
      9. Leave all settings at default; click Finish
      10. Allow CAS2 to converge with the cluster; after convergence, the cluster status should say Success and with a GREEN icon next to it

Verify NLB:

      1. Stop Windows NLB service on CAS1 then From CAS2, confirm OWA URL responds with the cluster IP and owa page is opening; otherwise determine and resolve the issue.
      2. Restart Windows NLB service on CAS1 and allow the cluster nodes to converge successfully.
      3. Stop Windows NLB service on CAS2 then From CAS1, confirm OWA URL responds with the cluster IP and owa page is opening; otherwise determine and resolve the issue.
      4. Restart Windows NLB service on CAS2 and allow the cluster nodes to converge successfully.


Configure the MAC address to the VM NLB NIC

If you have virtualized CAS then follow this step

      1. Go to NLB Manager à Cluster Properties à Clusters Parameters Tab and write down the Network address for the NLB cluster. Which is like 02-BF-0A-0A-0A-28
      2. Shut down the NLB cluster VMs one by one (make sure you don’t shutdown both CAS at a time) then in Hyper-V Manager, manually configure the network adapters that you added to the VMs for the NLB cluster to use a static MAC address that matches the NLB network address: 02-BF-0A-0A-0A-28.
      3. Check the checkbox “Enable Spoofing of MAC Addresses”NLB
      4. Restart the CAS Server VMs in Hyper-V Manager.
      5. Confirm successful NLB cluster convergence status one more time.


NIC Forwarding

Run the below command on both the servers so that NLB can forward OWA request to Prod NIC

This is a very important step, if you have missed this then NLB will not be able to forward the CAS request to Production NIC and no app will open.

  1. Open the cmd prompt with Run as Administrator and run the below cmd.

                netsh interface ipv4 set interface “NLB Interface” forwarding=enabled



NLB should be working fine at this moment.


Recently I was helping a customer who decided to stick to only 2 servers with all the roles in it. Then he end up asking high availability for CAS as well on the same setup. I decide to explain the unsupported configuration which I am mentioning here but Microsoft/MsExchangeGuru will not support any issue or loss caused by this. So use this configuration at your own risk.

For such setup we can change their CAS/Transport internal NAT IP to the DAG Cluster IP/Name (CNO).


Prabhat Nigam

Microsoft MVP | Exchange Server



61 Responses to “Exchange CAS high availability with Windows NLB”

  1. Exchange 2010/2007 to 2013 Migration and Co-existence Guide « Says:

    […] […]

  2. Exchange CAS high availability with Windows NLB – Windows Brasil Says:

    […] […]

  3. Blog Posts of the Week (4th - 17th August 2013) - The South Asia MVP Blog - Site Home - TechNet Blogs Says:

    […] Exchange CAS high availability with Windows NLB […]

  4. Joe Says:

    Hi,thanks for the great post.Accrding to the configuration,now you have OWA running on NLB. May I know what about autodiscover and etc? Can I create a DNS entry and point the the same NLB IP?

    Thanks and hope to hear from you soon.

  5. Prabhat Nigam Says:

    Yes, you have to create a DNS entry and point the the same NLB IP.

  6. Ay Says:

    Why I need to make the mac static in the virtualized CAS? Is this step required in the other hypervisor also or only hyper-v

  7. Prabhat Nigam Says:

    I would recommend for every Virtual environment hyper-v or vmware or other.
    This should be done to keep same MAC as NLB so that Mac registration should be same for the ARP table from any server.

  8. Maximiian Says:

    Hi Folks

    After installing CAS and mailbox role (both role) on two server, can I configure on these 2 server NLB for CAS role and DAG network.

    Can coexist CAS NLB and Cluster DAG on two machine with cas and mailbox role installed?

    Many thanks

  9. Prabhat Nigam Says:

    I am sorry, you can’t do windows NLB with DAG Cluster.

  10. Rob Says:

    With the NLB enabled, I just get a webpage saying “Oulook Web Access” and a spinning blue circle. After a couple of minutes it times out. Is this because I am using self-signed certificates?

    I tried to use an internal CA cert, but when I completed the CSR, the cert is always listed as invalid. 🙁

  11. Prabhat Nigam Says:

    Try if iisreset helps.
    If not try to restart the server.

  12. Rob Says:

    Thanks Prabhat, but iisreset and reboots did not help. The behaviour above is in Chrome. In IE10, it just says, “Waiting for response from”.

    Any other ideas? This is Windows 2012 and Exchange 2013 CU2.

  13. Prabhat Nigam Says:


    Check this blog if it helps:

  14. Rob Says:

    @Prabhat. Thanks, that was useful. I’m using a private CA cert. I’ve installed the root CA cert on all clients. I’ve also disabled the IE setting “Check for server certificate revocation”.

    This is the behaviour I get now:
    1) From a client within the datacenter (but not a member of the same AD domain as Exchange and the CA), OWA now loads fine. However, externally I still get timeouts.
    2) If I remove the NLB cluster and change the IP of CAS01 to the address of the VIP, OWA works both internally and externally.

    I’m wondering if there’s a problem with my datacenter firwall. I’ll talk to our networking guys. Thanks.

  15. Prabhat nigam Says:

    Timeout will be surely different issue.

    It will be great if you share the exact resolution which might help others…

  16. DL Says:

    Are there any log files associated with the wnlb that records the ip of the incoming traffic into the load balancer?


  17. Prabhat Nigam Says:

    No, you need to use IIS logs

  18. Sam Says:

    I have 2 CAS Server, CAS1 and CAS2. After i put CAS1 and CAS2 in Window NLB. We found that some client can connect and some client cannot connect. The Problem on CAS2 that can’t provide function to all type of client. do anyone used to face this problem. please advise. thanks

  19. Prabhat Nigam Says:

    So when you connect to the CAS2 is directly, does it reject the connection?
    If you have not tested then on your clients hostfile configure the IP of CAS2 and try to connect then if it fails check the IIS logs.

    You can also run the tests like mentioned below.

  20. Sam Says:

    When i connect direct to cas2 without join NLB, we can use as usual. We use owa and ecp on web. But after join NLB we have problem. We useit as VM run on vmware. I use only one NIC for NLB and client access.

  21. Prabhat Nigam Says:

    Did you enable MAC address spoofing and nic forwarding

  22. Sam Says:

    We not yet enable it, how can we do that on VMware as your article are hyper v.

  23. Sam Says:

    I have configure follow the instruction on vmware esxi, then i found out that when i connect it always connect to CAS2 and show below message.

    Server Error in ‘/ecp’ Application.

    Runtime Error
    Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.

    Details: To enable the details of this specific error message to be viewable on remote machines, please create a tag within a “web.config” configuration file located in the root directory of the current web application. This tag should then have its “mode” attribute set to “Off”.”

  24. James Says:

    On the NLB setup, what affinity should be used? (None/Single/Network)

  25. Prabhat Nigam Says:

    Default Single.

  26. Vish Says:


    After configure the NLB, Still NLB status showing converged.

    OWA or ECP page is not opening.

    I have one doubt, earlier my A record ( was pointing to CAS( server but after configure the NLB, I changed the A record to NLB IP. NLB name and owa name both are same. (

    Please suggest for the same.

  27. Prabhat Nigam Says:

    Check this if it helps –

  28. boyet Says:

    Hello Prabhat,
    We are currently using Cluster DAG on two servers, Is there a way to remove the Cluster DAG so that we can use the NLB??? if there is a way please share the steps on how to do it..

    awaiting for your reply…

  29. Prabhat Nigam Says:

    There is no way you can configure wnlb on Dag node.

  30. boyet Says:

    Hi prabhat,
    Thanks for the reply…What i mean is to remove totally the Windows Failover clustering in exchange 2013 sp1 and use WNLB in exhange 2013 these possible??

    What is recommended in exchange 2013 sp1, Failover clustering or WNLB??

    We install 2 exchange 2013 sp1(DAG in Failover clustering) to co-exist with exchange 2007 sp3…owa is working while connecting outlook to exchange 2013 sp1 these error will pop out “The name cannot be resolved. The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action.”

    Autodiscover is also setup and pointing to exchange 2013 …

    Any help will be very much appreciated…


  31. Prabhat Nigam Says:

    If you need dag then prerequisite is failover clustering.

    Cas role should be installed separately from mailbox role to use window nlb so can either go for virtual/hardware load balancer or use DNS round robin other option is mentioned at the end of the blog which is for a dag which has an IP assign but it is not recommended or supported.

    Outlook issue may also occur if you have not enabled outlook anywhere.
    Outlook anywhere hostname should be pointing to exchange 2013.

  32. Exchange 2010: Configure MAC spoofing on VMware « Says:

    […] Today I was configuring windows NLB for a customer and figure out how to configure MAC spoofing in VMware so I am sharing the details in addition to the previous WNLB configuration blog. […]

  33. Dany Says:

    Only one network card per CAS server?

  34. Prabhat Nigam Says:

    Add one more.

  35. amostafa Says:

    in this configuration
    Server Names: CAS1 and CAS2
    CAS1 NLB NIC IP Address:
    CAS2 NLB NIC IP Address:
    NLB IP Address:
    Subnet mask:

    If the User Open the OWA and the NLB Forward the Traffic To CAS1 and the user1 already login and read the mail >>
    Suddenly the CAS1 become unavailable/Down >>>What will happen for the user1 that already login before using NBL and his session and connection initiated from CSA01

  36. Prabhat Nigam Says:

    User might see a disconnect when user will try to click on any folder or click send to an email and it may require to refresh the browser.

    WNLB is not a best recommendation. I just explain how do we configure it. I would still recommend to go for a virtual Load Balancer or hardware load balancer.

  37. Paul Says:

    I implemented the WNLB but now need to remove it from my environment.How do you recommend this to be done.

  38. Prabhat Nigam Says:

    1. Point the CAS traffic to CAS IP.
    2. From Network Load Balancing Clusters – remove the servers.

  39. sekar Says:

    Hi Folks,

    Slight Struggle on the track…

    Version – Exchange server 2013

    Issue – Unable to use NLB cluster name (’> for autodiscover

    I have a test environment called, I have installed two Client Access servers (EX1 – CAS1, EX2 – CAS2).

    CAS1 –
    CAS2 –

    NLB Virtual IP –

    I have added two CAS servers into NLB server, now I can access my mailbox through in owa, Suppose if I configure my outlook in my domain client, it should configure automatically for my mailbox through autodiscover service. Now my question is whether the client outlook(autodiscover) will try to reach or or ? If ex1, means how can I change the address to ?

  40. Prabhat Nigam Says:

    There are more configuration of URLs required. Check our other blogs. We also have a URL configuration script.

  41. sekar Says:

    could you please explain in short form to configure ? Let me try

  42. Prabhat Nigam Says:

    There is no short form. You have to update the URLs and create dns host records which will point to NLB.

  43. sekar Says:

    Yes I have configured autodiscover url. Also have created host record & srv record & mx record in dns but still the outlook will point to also getting error like “The name cannot be resolved. The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action.”

    (Set-ClientAccessServer -Identity -AutoDiscoverServiceInternalURI )

    (Set-ClientAccessServer -Identity -AutoDiscoverServiceInternalURI )

  44. Prabhat Nigam Says:

    This is the wrong configuration. Study more

  45. sekar Says:

    I have tried but unable to move, can you please guide ?

  46. Prabhat Nigam Says:

    I already told you, You have to search correct blog. This is windows NLB blog and not exchange CAS config blog.

  47. sekar Says:

    Ok thank you

  48. Sekar Says:

    What are all the ways are there Secure Internet Access for Client Access Server ?

  49. Prabhat Nigam Says:

    Mostly hardware or virtual Load Balancer. TMG and ISA is the old story now.

  50. Sekar Says:

    Thank you

Leave a Reply