Client affinity (dead ~)
Due to the changes in the CAS architecture mentioned earlier, we mentioned that client affinity is no longer required in the CAS of Exchange 2013. Client affinity means communicating with the same CAS server during a client connection, in other words, when a client connects to a specific CAs, the CAS continues to service the client until the connection is disconnected. To achieve this, CAS must maintain the session state and load balancers that pass through during the connection (the load Balancer that supports client affinity) to know which CAs are processing the connection and thus perform the correct diversion. If the load balancer or reverse proxy resolution does not support client affinity, then there is a problem of re-authentication in the Exchange 2007 and Exchange 2010 environments (the user is connected to a different CAs).
In an Exchange 2013 environment, because the client is connected to that CAS server, the connection is always properly proxied to the MBX server that owns the copy of the mailbox's active database. This feature applies to all protocols, such as the Outlook Web App. So on the load balancer this layer, no longer special need for the load office weighing products to support client affinity.
Let me say a few more words, from the level of the mailbox connection to the level of the Web connection request. As mentioned earlier, older versions of Exchange have problems requiring clients to re-authenticate without client affinity support (common to IE9 access Exchange2010 Outlookwebapp and then using DNS polling for CAS load balancing). Exchange 2013 improves the way in which authentication information is cached in cookies. In Exchange 2010
When the client passes the authentication, the CAS it connects to will provide an encrypted cookie to the client, which is not readable by other CAS servers (specifically what is encrypted, I do not know ...). )。 However, in exchange 2013, this encrypted cookie is encrypted by the public key of the CAS server's certificate so that all Ex2013 CAS servers that have the certificate can decrypt it. About certificate management, I will also talk to you in the future chapters, Microsoft recommended is what we commonly used, a certificate to go the world ~
Load Balancing Scheme
People who have a little contact with the network are aware of the OSI seven-layer network model, the matter-of-the-Net-pass table (sausage Pizza away), so we often say 4-tier load balancing and 7-tier load balancing, In fact, it means load balancing at the transport level (there is also a network-level load balancer, the name is not tangled) and application-level load balancing.
Four-layer Load balancing
Based on ip+ port load balancing, only concerned about the client's original address + port and destination address and port, the other content is not concerned about and can not care about, because it only know the four layers of the pre-tuning, can not unlock the content of the data packet, only according to the destination of Baotou request to determine the packet forwarding.
Seven-layer load balancing
The seven-tier load balancer is smart enough to see application-level traffic and identify analytics for application awareness. For example, if a mobile device client is requesting a URL:
https://mail.contoso.com/Microsoft-Server-ActiveSync?jQAJBBCz0DFoa3Zf/Y1CsFFhMg2bBErZMzwCV1A=HTTP/1.1 If the request is received by a four-tier load balancer, it will only recognize the destination address, the Mail.contoso.com, and the request port number, that is, HTTPS corresponds to 443. And seven-tier load balancing not only see this information, they can also identify which of the following parameters corresponds to which application's virtual directory (/ microsoft-server-activesync/), and the middle of the sync key value (that big string).
The endpoints of several protocols and services in Exchange are virtual directories for IIS, so if the target CAS server for this request is out of order, one of these protocols hangs, for example, EWS hangs. (new features in Exchange 2013 managed availablity (availability management) will attempt to resolve the issue, as well as notify clients that the workaround might be to recycle the application pool or restart IIS) a four-tier load balancer device receives the request, It only sees the CAS server as a whole and does not refine to the protocol plane, which results in client requests for EWS and requests to OWA to be forwarded to the CAs as usual. If it's a seven-tier load balancer, it knows that there's no problem with the Outlook Web app on this CAs, OK I'll forward the request again, EWS hangs, I redirect the EWS request to the other CAs server, because it refines each service to its specific path based on the application plane.
Four-tiered load balancer for load balancer availability detection only ping the destination IP address to see if it is up or down, some high-end point L4 can also initiate an HTTP request for HTTP health detection, but only for a single virtual IP address; in other words, an open, A server with a network cable, regardless of whether he has a CAS role that has no exchange installed on it, looks the same for four-tier load balancing devices. This is certainly not a requirement for some scenarios that require high availability. A seven-tier load balancing device not only knows whether the server's network is unblocked, but also knows whether the service requested by the client is in a normal state. Many seven-tier devices support health checks for specific applications and services, so they can perceive when these applications expire, when they return to normal, and then flow-oriented based on that information.
The Managed availablity Service provides a feature to get the HTTP value returned by accessing the/healthcheck.htm page of the corresponding virtual directory (such as/owa/healthcheck.htm), if HTTP 200 is returned , indicating that the app is in a normal state. This makes it easy to use this page for load balancing devices or monitoring devices to achieve healthcheck functionality.
DNS Polling
Strictly speaking, DNS polling is also a kind of load balancing technology, although it doesn't look very noticeable. When you configure multiple IP addresses for a domain name, the DNS server will tell all of these addresses to the client that queries the domain name and rotate the order of the two addresses in turn, that is, two clients are requesting the domain name at the same time, and they are getting the same two IP addresses, but in a different order. Most clients take the first address, so this achieves a simple load-offload effect. Microsoft claims that some of the smarter HTTP clients (Outlook 2010,outlook2013, and some exchangeactivesync clients) will try all the results after they have obtained the results of a DNS poll. This is not a problem with the CAs in Exchange 2013, it doesn't matter which one you connect to. But Microsoft does not specifically say which clients are "smarter", such as the Safari 6.X of Mac OS X supports this behavior, but safari for Windows does not support ... (Although it has stopped developing ha). This means that despite Microsoft's official support, you don't see a lot of DNS load balancing in the document library of Lync 2013. However, it is necessary to be cautious in practical applications.
Even if we throw away these smart and not smart questions, you should also notice the fatal weakness of DNS polling, which is the lack of usability detection behavior, For example: At the moment I have configured a DNS record mail.contoso.com to 192.168.0.100 and 192.168.0.200, if the 192.168.0.200 hang up, then half of the users will not connect to the server, even if you immediately put 192.168.0.200 in mind The user's machine also has a DNS cache, and your settings will not take effect immediately. This low-cost, easy-to-configure load-balancing approach is typically used on SMTP because SMTP is inherently stateless and cannot be automatically retried at a time.
Windows Network Load Balancing (Windows Networking workload Balancing)
Microsoft started to provide Windows Network Load Balancing Service (hereinafter referred to as WNLB) in Win2000, although it is the Windows operating system comes with, and experienced so many versions of the iteration is also counted as a stable product. But in an Exchange environment, the real adoption of WNLB is actually not much. Mainly because there is no availability detection, it will send the request as usual unless the host machine in the WNLB cluster or the disconnection exceeds the retry time.
It is also well known that it is not possible to deploy WNLB on a server that deploys a DAG because WNLB cannot coexist with the Windows Failover Cluster Service (WFC), meaning that if you are two full-role Exchange servers, say goodbye to WNLB; Use DNS to poll the chant.
How to choose between these load balancing scenarios:
Whichever load-balancing scheme you choose, they achieve the same purpose:
If you are using a load balancer device or WNLB, the client connects to a virtual IP address that corresponds to a unified FQDN namespace. If you are using DNS polling, then each server in the load Balancer farm has its own address that can be parsed and accessed by the client.
The number of servers in the load balancer is determined by the load balancer, such as the WNLB of Windows 2012, which restricts 32 nodes, and the rest of the scenarios are specific to their parameters.
After the incoming client connection reaches the load balancer, the load Balancer decides who to send the request to. L4 only look at the destination IP address and port, L7 will look at the connection content, which means that the L7 load balancer needs to be able to terminate the SSL connection, that is, SSL terminate, unpack the SSL packet, parse the content, and then determine the appropriate server to connect.
When these concepts have been identified, the next step is to make choices in terms of functionality and cost. L4 Price is not expensive, but the relative L7 equipment is insufficient. But let's think about it another way, if we split the namespace of each protocol and give different virtual IP addresses, it seems like we can make the L4 area separate from the service request. If the cost of doing this is more than buying a F5, then buy an honest F5 (laughter).
And the last thing to forget is that the physical load balancer is also a virtualized load balancer application? Now that software-defined networking (SDN) is becoming more and more popular, this is certainly an interesting issue in the future. Virtual switches and routers are not actually used by many, most of them are hypervisor integrated switches. But do you think about the SCVMM SDN model, and the idea of adding a virtual load balancer inside it is pretty reliable? Today's large and medium-sized enterprise environment, as said above, a large part of the hypervisor itself to stay at the virtual switch level, it is also a hardware load balancing it ... Of course, if your environment is very small, the use of VM load Balancer application is no problem, cost savings, function is similar.
All right, let's get to the chase, and the next chapter will tell you about Outlook anywhere. This is a key gadget in Exchange 2013.
I will not continue to play the advertisement ... Let's put it on the line, and then we'll hit it again.
This article is from the "Castamere Rainy season" blog, be sure to keep this source http://sodaxu.blog.51cto.com/8850288/1665278
"Deep Exchange 2013"04 load Balancing