Monday, 27 October 2014

Highly Available L7 Load Balancing for Exchange 2013 with HAProxy – Part 4

Highly Available L7 Load Balancing for Exchange 2013 with HAProxy – Part 1 - Introduction and lab description
Highly Available L7 Load Balancing for Exchange 2013 with HAProxy – Part 2 - Deploy and configure the PKI infrastructure
Highly Available L7 Load Balancing for Exchange 2013 with HAProxy – Part 3 - Configure and test the Exchange 2013 Client Access role
Highly Available L7 Load Balancing for Exchange 2013 with HAProxy – Part 4 - Install CentOS 7 (this page)
Highly Available L7 Load Balancing for Exchange 2013 with HAProxy – Part 5 - Install and configure HAProxy
Highly Available L7 Load Balancing for Exchange 2013 with HAProxy – Part 6 - Make HAProxy highly available
Highly Available L7 Load Balancing for Exchange 2013 with HAProxy – Part 7 - Demo



In Part 3 we configured our Exchange servers’ CAS role, issued and installed the SAN certificate, and performed a basic client access validation using OWA.

In Part 4 we will start building our HAProxy systems. This part will focus on the installation and configuration of the operating system. I chose CentOS 7. If you feel like you are up to the task, use any Linux distro you are comfortable with, but you will have to adapt the commands, and possibly some of the procedures. If you want to keep it simple and just follow my post, then download the minimal installation ISO of CentOS 7 from http://mirror.anl.gov/pub/centos/7.0.1406/isos/x86_64/CentOS-7.0-1406-x86_64-Minimal.iso.

We create a virtual machine and connect the ISO to the virtual CD-ROM. Stating the obvious: we must ensure that the virtual CD is our first boot option. When our VM boots, we select Install CentOS 7.
















Then we press Enter to begin the installation.













Select your language. Mine is English, Australia.
















Click on Date & Time to configure the time zone.
















Mine is Sydney, Australia.
















Click on INSTALLATION DESTINATION to select where CentOS 7 will be installed.
















Nothing to change: accept the default settings and click Done in the top-left corner. Even though we didn’t change anything, we had to instruct the installer to use the defaults – the “Begin Installation” button in the screenshot above is grayed out, as opposed to two screenshots below.
















Click NETWORK & HOSTNAME to configure networking.
















In the Hostname field type a name for this server. Mine is lab-hap01.localdomain.

IMPORTANT: Do NOT use a single label name such as lab-hap01!

In the top-right corner, notice that the network card is in a disconnected state. That’s alright for now. Click Configure.
















On the General tab, make sure that the network is started automatically and that all users are allowed to use the connection.


















On the IPv4 Settings tab, set the configuration method to Manual, then configure the IP address, netmask, gateway and DNS. Make sure that the DNS server is pointing to LAB-DC01 (10.30.1.10 in my lab) as that is the DNS server holding all the DNS records which make things work. Click Save.


















Click “ON” to turn networking on. The state of the network card will change to Connected. Click Done.

















Click Begin Installation.
















While the files are being installed, click ROOT PASSWORD.

















Type a password for the root user. Mine is a generic, weak password that I always use in my lab. I am not concerned about it as long as it works – it’s only a lab. In real life, I would pick a strong password.
















I use P@ssw0rd all across my lab. It is a dictionary word, known to be commonly used in labs. It is weak, therefore I need to click Done for the second time to indicate to the system that I think I know what I am doing.
















We aren’t creating any users, so I didn’t bother going into the USER CREATION section. Meanwhile the server has finished installing, so click Reboot.
















Once rebooted, we log on as root/P@ssw0rd.












Time to install some supporting software.

IMPORTANT: The lab *must* have Internet connectivity. Otherwise things will fail and you will have to find alternative ways to download all the required software and transfer them to the CentOS 7 box. In my article I assume that Internet connectivity is available.

Since this is a minimal installation, we need to install a couple of things that will enable us to make it work. Bear in mind that Linux is CaSE sENsitiVe, so type the commands exactly as I typed. Sorry, no screenshots. Most commands will run off the screen really quickly, so no point clogging this post with screenshots of fast scrolling output.

Install wget. We need it to download stuff:

yum install wget -y

Install the development tools. We need them to compile stuff from source:

yum groupinstall 'Development Tools' -y

The same goes for the FTP client. Although it isn’t strictly necessary because we aren’t using it in this lab, it is good to have it anyway. You can skip this step if you like.

yum install ftp -y

Also, I always find it handy to easily locate files in folders. While not strictly necessary, I make extensive use of the locate command, so let’s install it. Side note: if you have just installed a package and you want to find where its files have been placed, you must run updatedb first before locate can find it, or wait until the updatedb task runs as scheduled. More on updatedb here. Updatedb is installed along with locate as part of the mlocate package.

yum install mlocate -y

Then we need openssl. This is mandatory because HAProxy will work as an SSL bridge, and we also need the developer package too to compile sources. While openssl is already installed, it is good to update it anyway:

yum install openssl -y
yum install openssl-devel -y

We need the openssl perl module to manipulate certificates:

yum install openssl-perl.x86_64 -y

Zlib is another mandatory package. However you’ll find that by the time we need it, it will have been installed along other packages as a dependency. We needn’t worry about it.

Then I want the traditional network tools (notice “want” as opposed to “need”). The CentOS 7 minimal installation comes with no ifconfig (we can still use ip instead). I love ifconfig, although I can (and will in this lab) use ip as an alternative. The ip command is already there; it comes with the minimal CentOS 7 package. So I also run this:

yum install net-tools -y

Now I have ifconfig too.

It is time now to make things a bit easier for the administrator (me). My intention is to use Putty, but I have no low-privileged user. All I have is root, and by default root access via SSH is disabled. I am going to give remote SSH access to root so that I can benefit from the enhanced interface offered by Putty. As I said repeatedly, this is a test lab so it’s OK to bend the rules. It is NOT best practice. Don’t do it in production!

Now that the big red flashing warning is out, let’s do it anyway. But before we make any changes, let’s check whether we really need to.

Download Putty. It is a stand-alone application, no installation required.

Run Putty.exe. Enter the Linux server’s IP address, select SSH, and click Open.




















We are presented with a security alert. Expected and completely normal. Click Yes.
















Enter the root credentials. Access denied. Bummer! We DO need to relax security! Not in production though – find another way.






To relax security, we’ll access the CentOS 7 console the way we did when we installed the operating system. Open the /etc/ssh/sshd_config file. I prefer to use vi, but you can use nano or other text editors if you like.




Uncomment the PermitRootLogin yes line and save the file.







Finally type the following command to restart the sshd service:

/bin/systemctl restart sshd.service




Test Putty access again – and we are cooking with gas!
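A quick way to confirm what the edit above left in place, and to check a box before it leaves the lab, is to read the global PermitRootLogin value back out of the file. This is an added example, not part of the original post; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the global PermitRootLogin setting in an
# sshd_config-style file. sshd keeps the FIRST value it reads for a keyword,
# keywords are case-insensitive, and "keyword=value" is also accepted.
# On the live host, `sshd -T` (run as root) prints the effective configuration.

effective_root_login() {
    # $1 = path to the config file; prints the value, or "unset" if absent
    awk -F '[ \t=]+' '
        { sub(/^[ \t]+/, "") }                  # drop leading whitespace
        /^#/ || /^$/ { next }                   # skip comments and blank lines
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

root_login_risk() {
    # Classify the setting from a defender's point of view
    case "$(effective_root_login "$1")" in
        no|prohibit-password|without-password|forced-commands-only)
            echo "ok" ;;
        yes)
            echo "root-password-login" ;;       # what this lab enables
        *)
            echo "default-applies" ;;           # depends on the OpenSSH build
    esac
}

# Constructed sample files (not taken from a real server)
SAMPLES=$(mktemp -d)
printf '%s\n' '#PermitRootLogin yes' 'PasswordAuthentication yes' > "$SAMPLES/stock"
printf '%s\n' 'PermitRootLogin yes' 'PermitRootLogin no'          > "$SAMPLES/lab"
printf '%s\n' '  permitrootlogin=without-password'                > "$SAMPLES/keys"

for f in stock lab keys; do
    printf '%-6s %s\n' "$f" "$(root_login_risk "$SAMPLES/$f")"
done
```

Note the "lab" sample: a later "PermitRootLogin no" does not undo an earlier "yes", so a hardening line appended to the end of the file has no effect until the first occurrence is changed.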







Now that easy access is sorted, we’ll need an easy way to transfer files to/from the Linux servers. I settled for WinScp, a free, Windows-based file transfer utility with GUI. It’s versatile, every admin should have it in his/her toolbox. Download the portable version and unzip it to your preferred location. Any time you need to transfer a file, just run the executable, no installation required. CentOS 7 requires no additional configuration either – it allows WinScp access out of the box, even with root access.

That’s it. Now we need to repeat the same procedure for our second HAProxy box, lab-hap02. Whether you want to go through these steps from scratch again or clone lab-hap01 and reconfigure the clone as lab-hap02, is entirely up to you. I chose to build it from scratch just to confirm that the instructions in this article are easy to follow, accurate, and they work. However before you start reading the next paragraph, you should have lab-hap02 up and running in a similar configuration as lab-hap01.

In this part we have done the groundwork for installing HAProxy: installed the operating system and the required tools that will allow us to deploy and configure HAProxy easily.

In the next part we’ll download and install the latest available HAProxy source files. We’ll compile the source, install HAProxy, enable it as a service, and create the configuration file. Additionally we’ll prepare the certificates – yes, the dreaded certificates are part of our life now, so we must master it, like it or not. It’s not rocket science, don’t freak out.

Stay tuned for the next part.


