FortiBalancer Exchange 2010 Deployment Guide V.1


FortiBalancer Exchange 2010 Deployment Guide
for FortiBalancer 8.0 MR2 and higher

Carl Windsor

Revision History

Date         Revision Number   Change Description
2012-03-28   Revision 1        Initial revision.
2012-04-03   Revision 2        Template change

Exchange 2010 Deployment Guide for FortiBalancer
Revision 2
28 March 2012

Copyright 2012 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners.

Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Support will be provided to customers who have purchased a valid support contract. All registered customers with valid support contracts may enter their support tickets via the Fortinet Technical Support web site: https://support.fortinet.com

FortiBalancer Exchange 2010 Deployment Guide
http://docs.fortinet.com/ Document feedback

Contents

Introduction
Prerequisites & Assumptions
    Exchange Server 2010
    FortiBalancer Appliance
Introduction to Exchange Server 2010
    Exchange Server 2010 Architecture
FortiBalancer Application Delivery Controller Benefits
Deployment for Exchange Server 2010 Roles
FortiBalancer Solution for Exchange Server 2010 Deployments
    Verification Tools
    FortiBalancer Configuration Summary
Configuring FortiBalancer for Outlook Web App
    Configuration Steps
    Create Outlook Web App Service Health Check (Optional)
    Create Outlook Web App Real Service
    Create Outlook Web App Service Group
    Create Outlook Web App Virtual Service
    Enable Outlook Web App SSL Offloading
    Enable Outlook Web App Rewrite/Redirect
Configuring FortiBalancer for Outlook Anywhere
    Configuration Steps
    Create Outlook Anywhere Service Health Check
    Create Outlook Anywhere Real Service
    Create Outlook Anywhere Service Group
    Create Outlook Anywhere Virtual Service
    Enable Outlook Anywhere SSL Offloading
Configuring the FortiBalancer Appliance for ActiveSync
    Configuration Steps
    Create ActiveSync Service Health Check
    Create ActiveSync Real Service
    Create ActiveSync Service Group
    Create ActiveSync Virtual Service
    Enable ActiveSync SSL Offloading
    Misc – Change TCP Idle Timeout
Configuring the FortiBalancer Appliance for RPC Client Access

    Dynamic Port Configuration Steps
    Create RPC Client Access Service Health Check
    Create RPC Client Access Real Service
    Create RPC Client Access Service Group
    Create RPC Client Access Virtual Service
Configuring the FortiBalancer Appliance for POP3
    Configuration Steps
    Create POP3 Service Health Check
    Create POP3 Real Service
    Create POP3 Service Group
    Create POP3 Virtual Service
    Enable POP3 SSL Offloading
Configuring the FortiBalancer Appliance for IMAP4
    Configuration Steps
    Create IMAP4 Service Health Check
    Create IMAP4 Real Service
    Create IMAP4 Service Group
    Create Secures IMAP4 Virtual Service
    Enable IMAP4 SSL Offloading
Configuring the FortiBalancer Appliance for SMTP (Edge Transport)
    Configuration Steps
    Create SMTP (Edge Transport) Service Health Check
    Create SMTP (Edge Transport) Real Service
    Create SMTP (Edge Transport) Service Group
    Create SMTP (Edge Transport) Virtual Service
    Enable SMTP (Edge Transport) SSL Offloading
    Misc SMTP Outbound Support
Configuring the FortiBalancer Appliance for Link Redundancy Using LLB
    Configuration Steps
    Add additional port for WAN-2 access
    Add Duplicate Virtual Service for WAN 2 access
    Create LLB Links information
    Create LLB DNS record for inbound traffic
Configuring the FortiBalancer Appliance for Exchange 2010 Site Resilience Using GSLB
    Fault Tolerance Configuration
    Configuration Steps
    Define GSLB/SDNS Members
    Creating GSLB Records
    GSLB/SDNS Disaster Recovery Site Location
    Creating DR Group with DNS domain name
    Setup GSLB/SDNS with BIND 9
    GSLB/SDNS DR Deployment Verification
    Log Information
Summary

Introduction

Prerequisites & Assumptions

Exchange Server 2010

This document is written with the assumption that you are familiar with Microsoft Exchange Server 2010 products. For more information on planning and deploying Exchange Server 2010, please reference the appropriate documentation 4558.aspx

FortiBalancer Appliance

The FortiBalancer appliance must be running version FBLOS™ 8.2 or later. For more information on deploying the FortiBalancer appliance, please refer to the FortiBalancer Web UI Guide, which is included on the product CD, or access it through the product Web user interface.

We assume that the FortiBalancer appliance is already installed in the network with management IP, interface IP, VLANs and default gateway configured.

Learn about your Exchange Server 2010 deployment in your network and note down VLAN information, IP addresses, and port numbers for the various Client Access Servers (CAS) and Edge Transport Servers (ETS) and their roles. You will need them for configuring virtual sites and load balancing policies on the FortiBalancer appliance.

Introduction to Exchange Server 2010

Exchange Server 2010 is a new architecture that is designed to provide users with the freedom to securely access all of their communications—email, voice mail, instant messaging, and more—from virtually any platform, Web browser or device, regardless of where they are.

Exchange Server 2010 Architecture

The Exchange Server 2010 architecture consists of different server roles:

[Figure 1: Exchange Server 2010 Architecture. Diagram of the enterprise network showing the Edge Transport (routing & AV/AS), Hub Transport (routing & policy), Mailbox (storage of mailbox items), Unified Messaging (voice mail & voice access) and Client Access (client connectivity, Web services) roles, together with external SMTP servers, the phone system (PBX or VoIP), mobile phone, Outlook (remote user), Outlook (local user) and line-of-business application. CAS: Client Access Servers. ETS: Edge Transport Servers.]

- Client Access Server: This is the server that receives mail requests from remote and internal users from a variety of end-user devices.
- Edge Transport Server: This is the mail routing server that typically sits at the perimeter of the topology and routes mail into and out of the Exchange Server 2010 environment.
- Mailbox Server: This server hosts mailboxes and public folders.
- Unified Messaging Server: This is the server that connects a Private Branch eXchange (PBX) system to Exchange 2010.
- Hub Transport Server: This is the mail routing server that routes mail within the Exchange organization.

Exchange Server 2010 Load Balancing Requirements

Microsoft recommends a hardware load balancer for the purposes of incorporating high availability, site resiliency, scalability and security into the Exchange Server environment. Also, due to the various Exchange Server roles and services, session persistence support on the load balancers is an important requirement.

FortiBalancer Application Delivery Controller Benefits

The FortiBalancer delivers all required application delivery functions for optimizing application delivery for Exchange Server 2010 environments, such as Layer 4-7 server load balancing, high availability, SSL acceleration and offloading, DDoS protection, TCP connection multiplexing, caching and compression – all in a single, easy-to-manage appliance.

Availability & Scalability

The FortiBalancer’s server load balancing ensures 99.999% uptime for Exchange Server 2010 deployments. Customers can scale their Exchange environment to meet capacity and performance needs with FortiBalancer server load balancers.

Site Resilience

The FortiBalancer’s global server load balancing directs traffic away from failed data centers and intelligently distributes services between sites based on proximity, language, capacity, load and response times for maximum performance and availability.

ISP Link Availability

The FortiBalancer’s link load balancing with advanced link failover and bandwidth management optimizes the availability, security, cost and performance of Exchange Server 2010 deployments across multiple WAN connections.

SSL Offloading

The FortiBalancer appliance offloads 1024-bit and 2048-bit SSL encryption/decryption from Exchange 2010 Servers to improve performance and reduce the number of Exchange 2010 servers required to support high-volume secure mail processing.

TCP Connection Multiplexing

The FortiBalancer appliance multiplexes several client TCP connections into fewer Exchange Server 2010 TCP connections for increased throughput and performance. The FortiBalancer appliance also reuses existing server connections.

Session Persistence

The FortiBalancer appliance performs session persistence for Exchange Server 2010 user traffic and ensures that users are directed to the same servers for the duration of their session.

Cache Offload

The FortiBalancer appliance serves frequently requested content from cache for increased performance and scales the capacity of the Exchange 2010 Server environment.

HTTP Compression

The FortiBalancer appliance compresses and delivers Exchange Server 2010 mail attachments and messages over LAN and WAN networks.

Network and Server Protection

The FortiBalancer appliance protects Exchange Server 2010 components (servers and services) from malicious network and server attacks such as DDoS attacks, SYN floods, TCP port scans, UDP floods and UDP port scans.

Deployment for Exchange Server 2010 Roles

Exchange Server 2010 has two main roles when front-ending end users in the datacenter: the Client Access Server role and the Edge Transport server role.

The Client Access Server role accepts connections to Exchange 2010 from different clients, such as, but not limited to, Microsoft Outlook.

The five Client Access modes are:

- Outlook Web App (OWA) – access your email from any Web browser
- Outlook Anywhere – access your email from the Internet using Microsoft Outlook Messaging API (MAPI) over HTTP
- ActiveSync – synchronize email between your mobile phone and Exchange 2010
- Remote Procedure Call (RPC) Client Access – access your email via Microsoft Outlook MAPI
- POP3/IMAP4 – access your email from standard email clients

Other Client Access mode services:

- Exchange Web Services (EWS) – offers a web services API
- Autodiscovery – simplifies the user’s profile configuration
- Offline Address Book (OAB) distribution – OAB access via web-based distribution for Outlook clients

The Edge Transport server role performs anti-spam and antivirus filtering, and applies messaging and security policies to messages in transport into and out of the datacenter.

- Simple Mail Transfer Protocol (SMTP) – routes mail into and out of the Exchange Server 2010 environment

This guide gives you step-by-step procedures for configuring the FortiBalancer appliance to optimize each mode.
