Additional Optional Functionality on Brocade Virtual Traffic Manager. Brocade 2013, Virtual Traffic Manager
Below you will find brief information for Virtual Traffic Manager, Microsoft Exchange 2013. This document describes how to configure Brocade Virtual Traffic Manager and how to load-balance and optimize Microsoft Exchange 2013 Client Access Servers (CASs).
4. In the next screen, under Listening on, select Traffic IP Groups, and check the appropriate traffic IP group that was created earlier.
5. Set Enabled to Yes.
6. Click the Update button to apply changes.
Repeat Step 1 through Step 6 to create a virtual server for IMAP4 using Protocol: IMAP4 and Port: 993.
SSL Decryption
In order to perform SSL decryption, the certificate and the private key used for the virtual server created earlier must be imported into Virtual Traffic Manager.
1. Select Catalogs > SSL > SSL Certificates.
2. Click Import Certificate to import the appropriate certificate.
After importing the certificate, enable SSL decryption on the virtual server created:
1. Select Services > Virtual Servers, and select the virtual server created for POP3 that will be performing SSL decryption.
2. Scroll down and click SSL Decryption.
3. Set ssl_decrypt to Yes.
4. Select the certificate imported earlier.
5. Scroll down to the bottom of the page and click Update.
Repeat Step 1 through Step 5 to enable SSL decryption on the virtual server for IMAP4.
Configuration Summary
Services > Config Summary in the WebGUI provides a complete snapshot of all configured services. This table is a quick way to get a good understanding of how the services are configured.
Additional Optional Functionality on Brocade Virtual Traffic Manager
Brocade Virtual Traffic Manager has additional capabilities beyond a legacy load balancer to enhance the performance and manageability of your Microsoft Exchange 2013 environment. Here are some common capabilities and best practices for deploying Brocade Virtual Traffic Manager to enhance your Microsoft Exchange 2013 deployment.
Service Level Monitoring
Service Level Monitoring continually checks the responses of your CAS servers and can send alerts should these fall below an expected threshold of performance. In addition to sending alerts, TrafficScript can be used to remove the service or server from the pool until the performance issue has been fixed. TrafficScript can also be used to reprioritize traffic and even reallocate bandwidth. This capability increases the availability and service level of Microsoft Exchange.
Configuring Virtual Traffic Manager for Service Level Monitoring of Exchange 2013 is outside the scope of this document. For more information, please contact Brocade.
Page 22 Brocade Virtual Traffic Manager and Microsoft Exchange 2013 Deployment Guide
53-1003936-02
Global Load Balancing
Global Load Balancing enables Client Access Servers to be distributed across multiple locations, either for business continuity/disaster recovery or for locating the servers geographically closer to end users. This enables seamless failover if a data center has an outage and greater performance for users distributed geographically.
Configuring Virtual Traffic Manager for Global Load Balancing is outside the scope of this document. For more information, please contact Brocade.
Limiting Access for ECP and PowerShell HTTP Services
In Exchange 2013, all services are SSL-based and are hosted on a single website; therefore, other administrative services such as Exchange Control Panel and PowerShell can be accessed through the same URL. For greater security, it is often desirable to control access to these services.
Brocade Virtual Traffic Manager offers flexibility in securing access to ECP and PowerShell services, with one of the following techniques:
• Authentication—Using authenticators and a TrafficScript rule to perform authentication
• Restricting access based on IP—Source IPs can be monitored to allow only certain IPs or subnets to have access to these services
• Accessing different services through a specific URL—As discussed earlier, Exchange services are hosted on a single website, and thus accessing different services can be done through the same URL. For example, owa.company.com/owa is used to access Outlook Web Access, and the same website owa.company.com/ecp can be used to access Exchange Control Panel. Brocade Virtual Traffic Manager can be configured through a TrafficScript rule to ensure that ECP service can be accessed only via the ecp.company.com/ecp URL.
As an example, the following is a sample TrafficScript that provides access to ECP through a specific URL. Assign this TrafficScript to virtual services that provide Exchange HTTP service.
$hostheader = http.getHostHeader();
$debug = 0; // Change value to 1 if debug needed
if( ($hostheader != "ecp.company.com") && (http.getPath() == "/ecp"))
{
    // Log before responding: http.sendResponse() ends rule processing
    if ($debug > 0) { log.info("Request classified as Bad");}
    http.sendResponse( "400 Bad Request", "text/plain","Bad Request", "");
}
For more information on securing access to ECP and PowerShell, please contact Brocade.
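The sample rule above compares the Host header and the path as exact strings. The following Python model is an added example, not part of the Brocade guide and not TrafficScript: it replays constructed requests against that logic and against a normalized check, so the rule can be regression-tested before it is assigned to a virtual server. The names hardened_rule_blocks, normalize_host and normalize_path are hypothetical, and the model assumes the IIS back end matches paths case-insensitively.

```python
import posixpath

ECP_HOST = "ecp.company.com"  # dedicated admin hostname from the page's rule

def page_rule_blocks(host, path):
    """Model of the page's rule: exact comparison of Host and path."""
    return host != ECP_HOST and path == "/ecp"

def normalize_host(host):
    # Host is case-insensitive and may carry a port or a trailing dot.
    # (IPv6 literals are out of scope for this sketch.)
    return host.strip().lower().split(":")[0].rstrip(".")

def normalize_path(path):
    # Collapse "//" and "/./", resolve "..", drop the trailing slash, and
    # lowercase (assumption: the IIS back end matches paths case-insensitively).
    return posixpath.normpath("/" + path.lstrip("/")).lower()

def hardened_rule_blocks(host, path):
    """Hypothetical hardened check: block anything under /ecp off-host."""
    p = normalize_path(path)
    is_ecp = p == "/ecp" or p.startswith("/ecp/")
    return is_ecp and normalize_host(host) != ECP_HOST

# Constructed (host, path) pairs for regression-testing the rule.
SAMPLES = [
    ("owa.company.com", "/ecp"),
    ("owa.company.com", "/ecp/"),
    ("owa.company.com", "/ECP/default.aspx"),
    ("owa.company.com", "/owa/../ecp/"),
    ("owa.company.com", "/ecpanel"),
    ("owa.company.com", "/owa/"),
    ("ecp.company.com", "/ecp/"),
    ("ECP.company.com:443", "/ecp"),
]

def compare(samples=SAMPLES):
    """Return (host, path, page_rule, hardened_rule) for each sample."""
    return [(h, p, page_rule_blocks(h, p), hardened_rule_blocks(h, p))
            for h, p in samples]

if __name__ == "__main__":
    for host, path, page, hard in compare():
        print(f"{host:22} {path:20} page={page!s:5} hardened={hard}")
```

Any row where the two columns differ is a case to cover when the TrafficScript rule itself is written and tested.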
Removing ActiveSync Access from Specific Device Types
Mobile device ActiveSync traffic can be optimized by removing access from unapproved device types, meaning that only approved device types can access Microsoft Exchange 2013. Brocade Virtual Traffic Manager can be configured to block access via specific devices over ActiveSync by using a TrafficScript rule like the following.
$phone = http.getHeader( "user-agent" );
$debug = 0; // Change value to 1 if debug needed
if(string.contains( $phone, "Apple" ) && (http.getPath() == "/Microsoft-Server-ActiveSync") )
{
    // Log before responding: http.sendResponse() ends rule processing
    if ($debug > 0) { log.info("Request classified as Bad");}
    http.sendResponse( "400 Bad Request", "text/plain","Bad Request", "");
}
Removing Access from Specific Device Types
Not only can access to ActiveSync be limited to specific devices, but specific device types can also be blocked entirely from accessing Exchange. This is useful if a certain device type is identified as having a security vulnerability. The following is a sample TrafficScript rule to filter a device type using Exchange services. Assign this TrafficScript to virtual services associated with the Exchange 2013 service pool.
$device = http.getHeader( "user-agent" );
$debug = 0; // Change value to 1 if debug needed
if(string.contains( $device, "iPhone" ))
{
    // Log before responding: http.sendResponse() ends rule processing
    if ($debug > 0) { log.info("Request classified as Bad");}
    http.sendResponse( "400 Bad Request", "text/plain","Bad Request", "");
}
For more information on securing access for specific device types, contact Brocade.
Digital Certificates and SSL
All communication between the client and server is done through SSL. Brocade Virtual Traffic Manager can use certificates to decrypt incoming services such as POP3 and IMAP4. In addition, vTM provides SSL offloading for earlier versions of Exchange such as Exchange 2010. To provide SSL decryption and offloading, the certificates should be imported into Brocade Virtual Traffic Manager.
Microsoft best practices recommend the use of trusted third-party SAN certificates that can represent multiple domain names, and Brocade recommends that you follow these suggestions and best practices provided by Microsoft on TechNet: http://technet.microsoft.com/en-us/library/dd351044(v=exchg.150).aspx
Redirecting OWA HTTP Requests to SSL
Brocade Virtual Traffic Manager can be easily configured so that clients accessing OWA through the nonencrypted port 80 are redirected automatically to connect over SSL.
This section contains step-by-step instructions for configuring Virtual Traffic Manager to redirect all HTTP requests to SSL:
• Create a Virtual Server with the Traffic Pool Set to Discard
• Create and Associate a TrafficScript to Redirect to the Proper SSL URL
Creating a Virtual Server with the Traffic Pool Set to Discard
Create a virtual server to handle all OWA traffic. To create a new virtual server:
1. Enter the following:
• Virtual Server Name: A descriptive name for the virtual server
• Protocol: HTTP
• Port: 80
• Default Traffic Pool: Discard
2. Click Create Virtual Server.
3. In the next screen, set Enabled to Yes.
4. Click the Update button to apply changes.
Creating and Associating a TrafficScript to Redirect to the Proper SSL URL
1. Select Catalogs > Rules.
2. Create a new rule:
• Name: A descriptive name for the rule (e.g., OWA_Redirect_SSL).
• Select Use TrafficScript Language.
3. Click Create Rule.
4. Use the TrafficScript in Appendix A for the syntax.
5. Click the Update button.
6. Select Services > Virtual Servers, and choose the virtual server that will run the TrafficScript rule just created.
7. Scroll down and click Rules.
8. Assign the TrafficScript rule to the request rules by clicking Add Rule.
Configuring Clustering for Brocade Virtual Traffic Manager
To provide high availability and fault tolerance for Brocade Virtual Traffic Manager, multiple vTMs can be joined into a cluster and configured to load-balance or act in active-passive mode for fault tolerance.
Use the following steps to join a Brocade Virtual Traffic Manager to an existing cluster:
1. Select System > Traffic Managers.
2. Scroll down to Add or Remove Traffic Managers, and click Join a Cluster.
3. Click Next on Getting Started.
4. Select the cluster to join, and click Next.
5. Check the certificate used for the cluster, provide a username and password for the cluster, and click Next to continue.
6. Select "Yes, and allow it to host Traffic IPs immediately", and click Next.
7. In the Summary page, click Finish to join the vTM to the cluster.
Key features
- Load Balancing
- Application Delivery Controller (ADC)
- Application-Layer Security
- Application Acceleration