Last post Aug 26, 2008 09:40 PM by Benderover
Aug 21, 2008 10:45 AM|fnuky
I'm looking for some advice on the best way to configure our HMC 4.0 network for SSL certificates, load balancing and public access. At this stage we are only offering Hosted Exchange services without unified messaging, and no SharePoint.
At the edge of our network we have a firewall which comprises 2 x ISA 2006 (standard edition) servers. It was our intention to run Windows Network Load Balancing service on the public interface on the ISA servers (which will be configured with identical rules) to ensure that clients could access services if one of the ISA servers goes offline.
The services that need to be accessible from the outside world through our ISA servers are:
SMTP --> to be directed to 2 x Hub Transport Servers
POP3 --> to be directed to 2 x Client Access Servers
IMAP --> to be directed to 2 x Client Access Servers
OWA (SSL) --> to be directed to 2 x Client Access Servers
Outlook Anywhere (SSL) --> to be directed to 2 x Client Access Servers
AutoDiscover (SSL) --> to be directed to 2 x Client Access Servers
Company Website (HTTP) --> to be directed to 2 x Provisioning Front End Servers
Billing System / Control Panel (SSL) --> to be directed to 2 x Provisioning Front End Servers
Where I need advice is in the best way to set up public IP addresses and SSL certificates for efficiency and high availability across the network.
It is my understanding that Windows Network Load Balancing only supports one IP address, in which case one single public IP address would not be sufficient to run all the services above. To resolve this problem, do I need to install an additional network adapter in each of the ISA servers for each public IP address that requires high availability, or is there another way around this?
Is it feasible (or recommended) to have one public IP address that is load balanced across the two ISA servers where SMTP, POP3, IMAP, OWA, Outlook Anywhere and AutoDiscover are bound to this single public IP? If we configure the network in this way, I take it we would need a single SAN / Unified Communications SSL certificate that can be set up on both of the Client Access Servers?
We have made the investment of doubling up each of the server roles in our network; for example, we have 2 x Hub Transport Servers (all SMTP traffic), 2 x Client Access Servers (all OWA / Outlook Anywhere / AutoDiscover / POP3 / IMAP traffic), and 2 x Provisioning Front End Web Servers (all website / billing system traffic). To ensure that these servers are configured for high availability, such that if a Hub Transport server died the other would continue to accept all incoming SMTP traffic for the network etc., do we need to set up Network Load Balancing between each of these servers on the internal network, or can this be configured and managed entirely using only the ISA servers?
I hope I have clearly explained what I need help with; any help is greatly appreciated.
Aug 26, 2008 09:40 PM|Benderover
It's not true that you can only use one IP for WNLB; you can (have to) use multiple IP addresses (autodiscover, autodiscoverredirect, CASNLB (https, pop, imap)).
Same goes for the external NICs to your ISA servers: in ISA NLB you can add as many public IPs as you want/need. So, have all external DNS entries point to the NLB address of the external interface of ISA. You don't need more than two NICs on the outside and two NICs on the inside. And... don't add NICs just to team them; it won't work and isn't supported.