Deploying Microsoft Outlook Web Access with Stingray Traffic

DEPLOYMENT GUIDE
Deploying Microsoft Outlook Web Access
with Stingray Traffic Manager
Deploying Microsoft Outlook Web Access with Stingray Traffic Manager
Table of Contents
Introduction ...................................................................................................................................................................................
A reliable, scalable email solution ...........................................................................................................................................
Configuring Stingray Traffic Manager to manage traffic to Outlook Web Access .................................................................
Additional steps .......................................................................................................................................................................
Easy Access to Outlook Web Access .....................................................................................................................................
Introducing TrafficScript ...........................................................................................................................................................
Conclusion ....................................................................................................................................................................................
© 2011 Riverbed Technology. All rights reserved.
2
2
3
6
7
8
8
1
Deploying Microsoft Outlook Web Access with Stingray Traffic Manager
Introduction
Increasingly, our modern-day workforce requires upward-mobility. It follows that a businesses’ infrastructure requirements are
radically changing to suit their employees' needs. Riverbed® Stingray™ Traffic Manager was designed to co-exist in a mobile
environment; sustaining, securing and accelerating the infrastructure a work-force requires to reliably conduct business
day-to-day.
One such example of infrastructure software widely deployed to assist with a business' work-mobility is Microsoft's Outlook Web
Access.
Figure 1: Outlook Web Access
A reliable, scalable email solution
Like other web-based applications, achieving reliability and scalability – the ability to cope with growing traffic levels – can be a
challenge. Furthermore, the application can be susceptible to network attacks, it may exhibit bugs with different client applications,
and routine maintenance, such as Windows updates, can cause downtime.
A Traffic Manager like Stingray Traffic Manager can overcome these problems. Stingray Traffic Manager is used by organizations
to load-balance traffic across clusters of similar servers, improving the service reliability, performance, security and ease-ofmanagement. Stingray Traffic Manager can:
• Improve the reliability of the Outlook Web Access service by load-balancing traffic across redundant servers, and using
health checks to determine when a server has failed.
• Make it easier to manage clusters of application servers by giving full control over where requests are routed. When a
server is due to be upgraded, Stingray Traffic Manager can drain connections from it, so that it can be taken out of the
cluster without any interruption in service.
© 2011 Riverbed Technology. All rights reserved.
2
Deploying Microsoft Outlook Web Access with Stingray Traffic Manager
• Secure the application environment by protecting the servers from malformed HTTP or HTTPS requests, buffer overrun
attacks, spikes of traffic and requests with known signatures that cause problems.
• Improve the performance by a range of means. HTTP multiplexing reduces the connection load on the servers; optimized
SSL offload and content compression frees up server resources for other tasks; Content Caching remembers common
requests such as images, CSS and javascript files and reduces the transaction load on the servers.
Configuring Stingray Traffic Manager to manage traffic to Outlook Web Access
Outlook Web Access can be quickly, easily and securely integrated into Stingray Traffic Manager. Because access to Outlook
Web Access is generally secured using HTTPS, we recommend that you allow Stingray Traffic Manager to handle the SSL
decryption; reducing the CPU load on your Exchange back-end(s). An HTTP protocol server, listening on port 443 and decrypting
traffic, should be configured to handle traffic to your Exchange server. Stingray Traffic Manager will now take care of the rest!
Figure 2: Clustered Outlook Web Access configuration
© 2011 Riverbed Technology. All rights reserved.
3
Deploying Microsoft Outlook Web Access with Stingray Traffic Manager
To configure the load-balanced cluster, follow these steps:
1. Configure your OWA servers to listen for plaintext (HTTP) traffic on port 80 (the standard HTTP port).
2. Configure Stingray Traffic Manager with a service that listens on port 80 (HTTP) and load-balances traffic to the cluster of
OWA servers.
You can use the ‘Manage a New Service’ wizard in the Stingray Traffic Manager UI to do this:
© 2011 Riverbed Technology. All rights reserved.
4
Deploying Microsoft Outlook Web Access with Stingray Traffic Manager
3. Set up session persistence so that users’ sessions are each pinned to the same OWA server. Go to the Session Persistence
catalog and create a ‘Transparent Session Affinity’ persistence class.
Then, edit the pool that represents the OWA servers and configure it to use that class for session persistence.
At this point, you should be able to access your email through the Stingray Traffic Manager gateway, but traffic will not be
encrypted.
© 2011 Riverbed Technology. All rights reserved.
5
Deploying Microsoft Outlook Web Access with Stingray Traffic Manager
4. Import the SSL certificate you wish to use into Stingray Traffic Manager. If it is not in PEM-encoded format, you will need to
translate it first. The document Deploying IIS with Stingray Traffic Manager gives detailed instructions on how to import
certificates from IIS into Stingray Traffic Manager.
5. Reconfigure your Stingray Traffic Manager virtual server to listen on port 443 (the standard port for HTTPS traffic) and to
decrypt all incoming traffic using the certificate you uploaded in the previous step.
You need to edit the virtual server, go to the ‘SSL decryption’ settings and select the certificate, then enable the ‘ssl_decrypt’
option:
At this point, you should be able to access your email through the Stingray Traffic Manager gateway using an https:// URL.
Your Outlook Web Access cluster is now secure and reliable. If one of the servers were to fail for any reason,
Stingray Traffic Manager would detect this and stop attempting to send traffic to it.
Additional steps
You can configure a Monitor to check the health of each server node. When you use the wizard to create a service and pool, it
assigns a PING monitor that simply checks that the server is running. In this case, an HTTP monitor would be more appropriate –
it can verify that the OWA service is running and returning correct results (for example, rather than a 500 Server Error response).
You can enable Content Caching. Stingray Traffic Manager’s content caching will respect and obey the ‘Cache-Control’
responses that the OWA servers send, so it will not cache any sensitive information and accidentally send it to a different use.
You can use the Request Rate Shaping capability in Stingray Traffic Manager to limit the number of login attempts that each
user can make per minute. This is an effective protection against brute force attacks that depend on trying hundreds of thousands
of username and password combination in the hope that one is accepted.
You can use Service Level Monitoring to observe the response times that your end users are getting, giving you the information
you need to diagnose and understand any performance problems that are reported to you.
© 2011 Riverbed Technology. All rights reserved.
6
Deploying Microsoft Outlook Web Access with Stingray Traffic Manager
Easy Access to Outlook Web Access
Typically, you access the Outlook Web Access service using a URL like https://mail.site.com/exchange/.
Users may forget to use the https part of the URL, or omit the ‘/exchange/’ component. With a simple rule, you can configure
Stingray Traffic Manager so that if it gets a request for mail.site.com, it transparently redirects the user to the correct https URL.
The easiest way to achieve this is to create a virtual server that listens for requests to mail.site.com, and use the RuleBuilder to
create a rule that issues the redirect.
1.
If you do not already have a Virtual Server listening on port 80 (i.e. for HTTP traffic), create one. This virtual server can use
the internal ‘discard’ pool, so that all incoming traffic is dropped rather than sent to a back-end server.
2.
Use the RuleBuilder to create a rule that sends the redirect if the host header is mail.site.com:
Figure 3: The Stingray Traffic Manager RuleBuilder
Add that rule as a request rule for the virtual server handling HTTP traffic.
Now, your end users do not have to remember to include the ‘https’ or ‘/exchange/’ parts of the URL to access Outlook Web
Access. They can just enter the URL ‘mail.site.com’ into their browser location bar to access their email, contacts and calendar.
© 2011 Riverbed Technology. All rights reserved.
7
Deploying Microsoft Outlook Web Access with Stingray Traffic Manager
Introducing TrafficScript
The Stingray Traffic Manager RuleBuilder is a simple GUI tool for creating TrafficScript rules. TrafficScript is a full programming
language that lets you implement all sorts of sophisticated traffic management policies, inspecting, rewriting, routing and handling
your application traffic.
The equivalent TrafficScript rule would look like this:
if( http.getHostHeader() == "mail.site.com" ) {
http.redirect( "https://mail.site.com/exchange/" );
}
You can use TrafficScript to drive all of the functionality of Stingray Traffic Manager in a very detailed way. The Riverbed
Community Forums (http://community.riverbed.com/) contains many helpful examples of TrafficScript in practice.
Conclusion
Stingray Traffic Manager is a powerful load balancer that allows you to cluster and manage applications like Outlook Web Access,
but the power of Stingray Traffic Manager goes far beyond that.
Capabilities like content caching, bandwidth management, request rate shaping and session persistence can all be used to
improve the level of service you provide, and the unique TrafficScript language allows you to create all sorts of policies that
inspect, transform and route traffic, and selectively apply the various Stingray Traffic Manager features to each request.
A Stingray Traffic Manager cluster can manage multiple web-based services at the same time, as well as other services and
protocols. The benefits that you can achieve with Stingray Traffic Manager when managing and OWA cluster are just as
applicable to other applications – intranets, extranets, portals, web sites, mail, DNS to name but a few. Whatever challenges may
exist with your infrastructure, Stingray Traffic Manager provides the tools to meet them.
About Riverbed
Riverbed delivers performance for the globally connected enterprise. With Riverbed, enterprises can successfully and intelligently
implement strategic initiatives such as virtualization, consolidation, cloud computing, and disaster recovery without fear of
compromising performance. By giving enterprises the platform they need to understand, optimize, and consolidate their IT,
Riverbed helps enterprises to build a fast, fluid and dynamic IT architecture that aligns with the business needs of the
organization. Additional information about Riverbed (NASDAQ: RVBD) is available at www.riverbed.com.
Riverbed Technology, Inc.
199 Fremont Street
San Francisco, CA 94105
Tel: (415) 247-8800
www.riverbed.com
© 2011 Riverbed Technology. All rights reserved.
Riverbed Technology Ltd.
The Jeffreys Building
Cowley Road
Cambridge CB4 0WS
United Kingdom
Tel: +44 (0) 1223 568555
Riverbed Technology Pte. Ltd.
391A Orchard Road #22-06/10
Ngee Ann City Tower A
Singapore 238873
Tel: +65 6508-7400
Riverbed Technology K.K.
Shiba-Koen Plaza Building 9F
3-6-9, Shiba, Minato-ku
Tokyo, Japan 105-0014
Tel: +81 3 5419 1990
8