Comments on Notes from the field: Highly Available L7 Load Balancing for Exchange 2013 with HAProxy – Part 7
Author: Zoli
Updated: 2024-03-08T02:18:26.928-08:00

Anonymous (2018-12-10T01:27:35.675-08:00):
Dear Zoltan Erszenyi:
Thank you for your reply. I share my HAProxy architecture diagram and configuration in this link:
https://drive.google.com/file/d/1engZ0iUJ16d9nG7VUBfMNclyFgOdD9yC/view?usp=sharing

HAProxy status page screenshots are in this sharing link:
https://drive.google.com/file/d/1xZ24RKFYVEaB2WbA9PF86D9_UDiKRsHA/view?usp=sharing

I can make sure that Windows Firewall is shut down and DNS records are correct.
My Exchange and spam use smart host connections.

Zoli (2018-12-04T23:51:55.832-08:00):
OTIS OU, there are lots of moving parts in such a system. Not knowing what you have and how you've configured it makes it virtually impossible to give you any directions. I can point you to some standard diagnostics stuff such as make sure your virtual directories are configured correctly, DNS records are OK, certificates are OK, services on the Exchange servers are started, no firewall interference etc.

Anonymous (2018-11-15T18:46:40.066-08:00):
Dear Zoltan Erszenyi:

Thank you for sharing, but I have a problem.

EAS displays a lot of resp errors on the HAProxy status page. I tried to solve the problem, but there were still lots of mistakes.

Zoli (2017-01-28T02:01:24.023-08:00):
No, haven't seen it...

Anton (2017-01-24T05:26:28.682-08:00):
It works, but... You will not meet with error 401 Unauthorized?

Anonymous (2016-06-14T04:39:13.780-07:00):
Hi Zoltan,
yes, we use internal names that aren't supported by public certificates. And I think this will not be supported anymore regarding this link.
https://www.digicert.com/internal-names.htm

Of course we can use only one name for the internal and external URL, but this means that some internal names would not be implemented on the cert.

But I think your suggestion is the best.
Thank you very much :)

Zoli (2016-06-09T23:49:15.675-07:00):
JinFeng, are you trying to send SMTP traffic to the load balancer VIP? If you built it according to my blog then it will not work because my load balancer configuration only caters for HTTPS traffic (client access). It doesn't include a listener for SMTP. You can experiment with adding SMTP support.

Zoli (2016-06-09T23:39:30.591-07:00):
Tony, not sure how to read this: "we use some internal name (not public faced)" - does it mean that you have names that aren't supported on public certificates, or they would be supported, except you didn't publish them?

From what I understand you want your clients to connect to one URL from the Internet, and another URL when on the trusted network. When connecting from the Internet, you want the URLs "translated" by the LB to that configured internally.

Frankly, I have never ever thought of this scenario, so I cannot advise you on whether it is doable or not. Additionally, when a user roams between internal and public access, their profile will have to be reconfigured every single time as the URLs would change. I strongly discourage such a configuration. Nevertheless, you can experiment and post your findings.

Since you want to publish it anyway, why not configure the Exchange server with valid namespaces that can be published, and use a commercial certificate internally as well as externally? Keep it simple, you want to spend your weekends doing the things you like, not fixing broken e-mail access for grumpy executives.

Anonymous (2016-06-02T00:05:33.668-07:00):
@Zoltan, thank you very much for your answer.

Actually, my situation is that we don't publish our Exchange on the internet, so a local PKI was used, and we use some internal name (not public faced) on the certificates. So internally, the configurations work fine.

We plan to buy an SSL certificate and apply it to the load balancer to be able to publish it on the internet, but public authorities don't accept internal names on their certificates.

So that was the point: could I use a public SSL for the public faced name and my local PKI for the internal name? How to configure it on the LB if it is possible?

Since the recommendation is to always use SSL...

Regards,
Tony

Anonymous (2016-06-01T23:55:53.571-07:00):
This comment has been removed by the author.

Zoli (2016-06-01T04:28:38.610-07:00):
@Tony, I am glad that you found it useful.

If you don't want SSL encryption between HAProxy and Exchange then you'll need to configure SSL offloading on the Exchange CAS servers. Beware that user passwords and other content will be transmitted in clear text between HAProxy and Exchange. For this very reason I avoid even thinking about it. Have a look at https://technet.microsoft.com/en-us/library/dn635115(v=exchg.150).aspx.

Apart from that, you would have to replace the "server" lines in the backend statements with something as simple as

    server lab-ex01 10.30.1.11:80 check
    server lab-ex02 10.30.1.12:80 check

as per https://www.haproxy.com/doc/aloha/7.0/haproxy/healthchecks.html#checking-a-http-service.

Regards,
Zoltan

Anonymous (2016-05-16T23:33:56.513-07:00):
Hello,

I've followed your configurations and it works like a charm.
Could you tell me what I need to modify in the HAProxy conf in case SSL termination is used, so that there is no need to check SSL on the CAS server anymore?

Best regards,

Anonymous (2016-05-13T01:23:53.928-07:00):
I use QQ to send mail to my email, it doesn't send to it.

telnet x.x.x.x 25 doesn't telnet.

Anonymous (2015-07-14T02:00:04.484-07:00):
In the owa section, set balance from "roundrobin" to "source".

This selects which server to use based on a hash of the source IP, i.e. your user's IP address. This is one method to ensure that a user will connect to the same server.

Search for HAProxy Load Balancing Algorithms.

Zoli (2015-04-27T17:40:21.221-07:00):
Dear Unknown, you don't provide sufficient details to identify the source of the problem. Assuming that you followed all posts in this series and built it to the letter, then all I can tell is make sure you haven't made a typo or haven't misconfigured anything along the line. I tested and re-tested the process and the configuration multiple times before publishing it, and it works.

Unknown (2015-04-23T00:09:23.518-07:00):
Dear Zoltan Erszenyi,

I have a problem when configuring HAProxy. When I log in with username/password on the OWA webpage, HAProxy first directs traffic to the primary node and then directs traffic to the OWA login webpage again on the second node, which means an OWA login loop. Please help me to fix it.

Thank you.