Hi,

Many thanks for the very detailed reply.

I have now tested this as an option and it works as expected.

But we were planning to terminate the SSL connection on the Load Balancer and 
then use HTTP to the backend Exchange servers. This was to overcome some 
challenges in our current environment.

As part of my troubleshooting, I’ve now installed a very basic CentOS server 
with the latest version of Pound (version 2.6) and replicated what I was trying 
to do with the Zen Load Balancer.

This works absolutely fine, for all aspects of “Outlook Web Access” and 
“Outlook Anywhere”.

Does this possibly indicate a problem with the version of Pound that’s used on 
Zen Load Balancer? From what I can tell, both version 2 (stable) and version 
3rc1 use Pound version 2.5.

If this is the likely cause of my RPC issues (as it appears to be), are there 
any plans to update the version of Pound that’s used with the Zen Load Balancer?

I’m happy to test an updated version against my environment if that would be a 
help? Just drop me some pointers of how to upgrade the one in Zen.

Kind Regards,

Graham.


From: y l [mailto:[email protected]]
Sent: 22 January 2013 07:12
To: [email protected]
Subject: Re: [Zenloadbalancer-support] Zen and Outlook Anywhere Issues

Hi graham,

Unfortunately, Microsoft is obfuscating the RPC protocol into HTTP protocol 
which may require both ends of the socket to understand which version of RPC 
will be encapsulated within the HTTP payload. Since you try to force Zen LB to 
terminate and proxy the request to the backend MS Exchange servers, there may 
be an RPC incompatibility problem.

One possible solution is to enable SSL / TLS in all backend MS Exchange servers 
and to prevent Zen LB from proxying RPC over HTTPS. Just use the Zen LB TCP 
profile to define the VIP to route all SSL / TLS traffic to the backend MS 
Exchange OWA IIS interface and RPC redirect folders.

Then, you need to use the MS trick to export the private key along with the 
signed certificate and import it to any additional MS Exchange servers.

1) Generating CSR in MS Exchange IIS

Select one of your MS Exchange servers to create a Certificate Signing Request 
(CSR) via the IIS web site associated with MS Exchange, which will create an 
X.509 private and public key pair and a CSR file to be signed by an external 
Root Certificate Authority (rootCA).

2) Sign the CSR with the OpenSSL rootCA you indicated you had generated and 
ensure all servers and clients imported your rootCA into the MS Windows 
Trusted Root CA repository

Get the CSR from the MS Exchange server and sign it with your OpenSSL 
environment.

3) Import rootCA and the MS Exchange server

    3a. Import the OpenSSL rootCA via MMC snap-in
    3b. Import the OpenSSL signed MS Exchange server certificate via IIS 
        pending certificate screen where the CSR was generated

4) Now follow the instruction link below to transfer IIS 7 certificates along 
with its associated private key

5) Import rootCA and the source MS Exchange server certificate and private key 
to the rest of all MS Exchange servers

  Follow the instruction link below to transfer IIS 7 certificates along with 
its associated private key

6) Configure Zen LB VIP to handle SSL / TLS via its TCP profile.

You may try to use the Zen Load Balancer TCP profile, then specify the Farm 
Virtual IP and Virtual port and associate them with the MS Exchange backend 
servers which are listening for SSL / TLS traffic. Please do not set up nor 
associate any certificates with the farm definition for your VIP entries in the 
Zen LB. Just pretend your farm VIP traffic were being set up for port 80, but 
simply specify the ports you are using for SSL / TLS. All traffic will be 
routed to the backend where certificates processing will be handled as before 
Zen LB was used.



Links:

Install SSL Certificate Outlook Web Access (OWA)
http://www.geocerts.com/install/owa

Configure Outlook Anywhere to Use an SSL Certificate with Redirection
http://technet.microsoft.com/en-us/library/bb310764%28v=exchg.141%29.aspx

How to Import and Export SSL Certificates in IIS 7
Transferring IIS 7 Certificate Files
http://www.digicert.com/ssl-support/pfx-import-export-iis-7.htm



Regards,

YPSlinux
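
Steps 2, 4 and 5 of the reply above, sketched with OpenSSL as an added example that is not part of the original thread. The root CA, the CSR (which the thread generates in IIS), the host name, the file names and the `PFX_PASS` variable are constructed stand-ins.

```shell
#!/bin/sh
# Added example: all subjects, host names and file names are constructed placeholders.

# Step 2: sign a server CSR with an OpenSSL root CA and verify the chain.
sign_exchange_csr() {
    work=$1; host=$2
    # Stand-in for the existing OpenSSL root CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test Root CA" \
        -keyout "$work/rootCA.key" -out "$work/rootCA.crt" 2>/dev/null || return 1
    # Stand-in for the CSR that IIS generates on the first Exchange server.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$work/exchange.key" -out "$work/exchange.csr" 2>/dev/null || return 1
    # Server-certificate extensions, including the name clients connect to.
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        "subjectAltName = DNS:$host" > "$work/server.ext"
    openssl x509 -req -in "$work/exchange.csr" -sha256 -days 30 \
        -CA "$work/rootCA.crt" -CAkey "$work/rootCA.key" -CAcreateserial \
        -extfile "$work/server.ext" -out "$work/exchange.crt" 2>/dev/null || return 1
    # The signed certificate must chain to the root that clients will trust.
    openssl verify -CAfile "$work/rootCA.crt" "$work/exchange.crt" >/dev/null 2>&1
}

# SHA-256 fingerprint of a PEM certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Steps 4-5: bundle key, certificate and root into a password-protected PFX,
# then read the certificate back out as a check before importing it on the
# other servers. The password is taken from the PFX_PASS environment variable.
pfx_leaf_fingerprint() {
    work=$1
    openssl pkcs12 -export -inkey "$work/exchange.key" -in "$work/exchange.crt" \
        -certfile "$work/rootCA.crt" -passout env:PFX_PASS \
        -out "$work/exchange.pfx" 2>/dev/null || return 1
    openssl pkcs12 -in "$work/exchange.pfx" -passin env:PFX_PASS \
        -clcerts -nokeys 2>/dev/null > "$work/from_pfx.crt" || return 1
    cert_fingerprint "$work/from_pfx.crt"
}
```

With the load balancer in TCP mode every backend presents its own certificate, so the fingerprint from `cert_fingerprint` should be identical on all Exchange servers after the import.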


________________________________
From: Graham Morley <[email protected]>
To: [email protected]
Sent: Monday, January 21, 2013 4:27 AM
Subject: [Zenloadbalancer-support] Zen and Outlook Anywhere Issues

Hi All,

I’m new to the Zen Loadbalancer and I’m having some issues getting it working 
as part of an Exchange 2007 solution.

I’m trying to use v2 (stable) as a solution to balance and terminate HTTPS 
connections to an Exchange 2007 environment. Everything is working great for 
OWA (Outlook Web Access), but it’s not working for OA (Outlook Anywhere – RPC 
over HTTPS).

Here’s what I know:

- I’m using a self-signed certificate for testing, which was created 
  with OpenSSL and I have added this to my Trusted Root Certificates store on the 
  machine I’m testing from.
- OWA (Outlook Web Access) works great, the certificate shows 
  correctly in the browser (IE 9), so no problems there.
- When I try to connect using OA (Outlook Anywhere), I just get a 
  response from Outlook saying ‘Server Unavailable’.
- In the configuration for the Farm, I have the RPC extensions enabled.

To try and troubleshoot this, I’ve used Wireshark to do a packet trace of a 
working solution (which uses MS ISA Server for the HTTPS termination) and from 
Zen.

The main difference that I can see is that with Zen Loadbalancer, I get TLS 
“Encrypted Alert 21” messages and then the connection is reset.

I could really use some help in trying to troubleshoot this, as I’m keen to 
use Zen to replace MS ISA Server, but need to resolve this OA (Outlook 
Anywhere) issue.

So any pointers on:

- Could it be the Certificate?
  o It is self-signed, but this works fine for OWA and is trusted on the 
    machine I’m testing from…
- Is there some logging that I could enable in Zen to understand and 
  troubleshoot the problem better?
- Has anyone else experienced this problem?
- Could this be a Bug? (It’s much more likely something I’ve done 
  incorrectly)

Any help would be greatly appreciated. I’m happy to supply more information if 
it’s required.

Kind Regards,

Graham.

___________________________________________________________________________

The All England Lawn Tennis Club (Championships) Limited (company number 
7546773) is a company registered in England & Wales whose registered office is 
at Church Road, Wimbledon SW19 5AE. The All England Lawn Tennis & Croquet Club 
Limited (company number 7546718) is a company registered in England and Wales 
whose registered office is at Church Road, Wimbledon SW19 5AE. The Club’s 
grounds are owned by The All England Lawn Tennis Ground plc (company number 
168491, registered in England and Wales) whose registered office is at 1 Little 
New Street, London EC4A 3TR.

This email and its contents (including attachments) are confidential, and must 
not be disclosed without the sender’s permission. If you receive this email in 
error please notify the sender immediately and then delete it from your system. 
Emails may be monitored in accordance with English law.

_______________________________________________
Zenloadbalancer-support mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/zenloadbalancer-support

