Citrix NetScaler – Load Balancing Exchange 2013/2016 (Walkthrough Guide)

If you are tasked with load balancing Exchange behind a NetScaler, you will find plenty of Citrix whitepapers with missing information and incorrect configuration recommendations. I was bumping my head against the wall until I had a running configuration with all the desired features. Here is the complete walkthrough for setting up your Exchange environment behind a single public IP address. Additional features such as AAA, Front End Optimization and Integrated Caching depend on your NetScaler licence.

Change Log

2019-12-07
– Updated the expressions for the Authorization Policies (AAA.USER)
– Fixed the missing binding point for the Traffic Session Policy "tm_pol_exchange2016_owa_sso" on the AAA vServer. Thanks to Christian Demmerer
2019-10-28
– AAA default settings changed with Citrix ADC (NetScaler) 13 build 41.20
2018-05-23
– Added 401 Based Authentication for MAPI, RPC, OAB, EWS
– Added Group Filtering for OWA, Outlook Anywhere and ActiveSync
2018-05-16
– Changed the persistence of the RPC/MAPI LB vServer from RULE to SOURCEIP
– Increased the timeout from 240 to 30 minutes (RPC/MAPI)

Feature Matrix

| Licence | Load Balancing | Content Switching | Responder | AAA | Front End Optimization | Integrated Caching |
|---|---|---|---|---|---|---|
| Standard | x | x | x | | | |
| Enterprise | x | x | x | x | x | |
| Platinum | x | x | x | x | x | x |

Network Topology

[Diagram: network topology]

Requirements

  • One public IP address
  • Two private IP addresses (Content Switch and Load Balancer)
  • Working DNS/NTP on NetScaler
  • Wildcard SSL certificate

Firewall Rules

| From | To | Port | Description |
|---|---|---|---|
| SNIP | DNS Server | UDP/TCP 53 | DNS |
| SNIP | NTP Server | UDP 123 | NTP |
| SNIP | Domain Controller | TCP 389 | LDAP |
| SNIP | Domain Controller | TCP 636 | LDAPS |
| NSIP | Exchange Server | TCP 25, 465, 587 | SMTP Monitor |
| SNIP | Exchange Server | TCP 25, 465, 587 | SMTP |
| SNIP | Exchange Server | TCP 143, 993 | IMAP |
| SNIP | Exchange Server | HTTPS – 443 | OWA, AutoDiscover, ActiveSync, MAPI, etc. |
| Internet | SMTP LB IP | TCP 25, 465, 587 | SMTP |
| Internet | IMAP LB IP | TCP 143, 993 | IMAP |
| Internet | Content Switch VIP | HTTP – 80 | Web Traffic |
| Internet | Content Switch VIP | HTTPS – 443 | Web Traffic |

If you don't load balance DNS/LDAPS/NTP, that traffic is sourced from the NSIP. In my setup these servers are load balanced, so it is the SNIP that communicates with the backend servers.

Configuration

Features

Server

Monitors

| Name | Type | Standard Parameter | Send String |
|---|---|---|---|
| mon_smtp | SMTP | | |
| mon_owa | HTTP-ECV | Secure | "GET /owa/healthcheck.htm" |
| mon_activesync | HTTP-ECV | Secure | "GET /Microsoft-Server-ActiveSync/healthcheck.htm" |
| mon_rpc | HTTP-ECV | Secure | "GET /rpc/healthcheck.htm" |
| mon_ews | HTTP-ECV | Secure | "GET /ews/healthcheck.htm" |
| mon_autodiscover | HTTP-ECV | Secure | "GET /Autodiscover/healthcheck.htm" |
| mon_mapi | HTTP-ECV | Secure | "GET /mapi/healthcheck.htm" |
| mon_ecp | HTTP-ECV | Secure | "GET /ecp/healthcheck.htm" |

Service Groups

| Name | Protocol | Monitor |
|---|---|---|
| svcgrp_ex2016_smtp_25 | TCP | mon_smtp |
| svcgrp_ex2016_smtp_465 | TCP | mon_smtp |
| svcgrp_ex2016_smtp_587 | TCP | mon_smtp |
| svcgrp_ex2016_imap_143 | TCP | TCP |
| svcgrp_ex2016_imap_993 | TCP | TCP |
| svcgrp_ex2016_owa | SSL | mon_owa |
| svcgrp_ex2016_activesync | SSL | mon_activesync |
| svcgrp_ex2016_rpc | SSL | mon_rpc |
| svcgrp_ex2016_ews | SSL | mon_ews |
| svcgrp_ex2016_autodiscover | SSL | mon_autodiscover |
| svcgrp_ex2016_oab | SSL | mon_oab |
| svcgrp_ex2016_mapi | SSL | mon_mapi |
| svcgrp_ex2016_ecp | SSL | mon_ecp |

Load Balancer

| vServer | IP address | Method | Persistence | Timeout | Protocol | Authentication (AAA) |
|---|---|---|---|---|---|---|
| SMTP | 192.168.2.248 | Least Connection | NONE | Default | TCP | |
| IMAP | 192.168.2.248 | Least Connection | NONE | Default | TCP | |
| OWA | 0.0.0.0 | Least Connection | NONE | Default | SSL | FBA |
| ECP | 0.0.0.0 | Least Connection | NONE | Default | SSL | FBA |
| ActiveSync | 0.0.0.0 | SRCIPDESTIP | NONE | Default | SSL | 401 |
| AutoDiscover | 0.0.0.0 | SourceIP | NONE | 30 | SSL | 401 |
| RPC | 0.0.0.0 | Least Connection | SOURCEIP | 30 | SSL | 401 |
| EWS | 0.0.0.0 | Least Connection | NONE | Default | SSL | 401 |
| OAB | 0.0.0.0 | Least Connection | NONE | Default | SSL | 401 |
| MAPI | 0.0.0.0 | Least Connection | SOURCEIP | 30 | SSL | 401 |

Content Switch

| Name | Action | Target | Expression |
|---|---|---|---|
| cs_pol_owa | cs_act_owa | lb_vsrv_ex2016_owa | HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/owa") |
| cs_pol_ews | cs_act_ews | lb_vsrv_ex2016_ews | HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/ews") |
| cs_pol_activesync | cs_act_activesync | lb_vsrv_ex2016_activesync | HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("Microsoft") |
| cs_pol_autodiscover | cs_act_autodiscover | lb_vsrv_ex2016_autodiscover | HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/autodiscover") |
| cs_pol_rpc | cs_act_rpc | lb_vsrv_ex2016_rpc | HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/rpc") |
| cs_pol_oab | cs_act_oab | lb_vsrv_ex2016_oab | HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/oab") |
| cs_pol_mapi | cs_act_mapi | lb_vsrv_ex2016_mapi | HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/mapi") |
| cs_pol_cgi | cs_act_owa | lb_vsrv_ex2016_owa | HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/cgi") |
| cs_pol_owa_redirect | cs_act_owa | lb_vsrv_ex2016_owa | HTTP.REQ.HOSTNAME.EQ("mail.flashmob-saulgau.de") |
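To see how the content switch dispatches a request, the following Python is an added illustration (not configuration from the guide) that emulates the table above: each expression becomes a predicate, the policies are evaluated in priority order, and the first match wins. The priority numbers and the sample requests are assumptions; NetScaler evaluates the lowest priority number first.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Request:
    """One inbound HTTP request as seen by the content switching vServer."""
    hostname: str  # Host header
    url: str       # request path and query string


def url_contains(needle: str) -> Callable[[Request], bool]:
    """HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("needle"): substring match, any case."""
    return lambda req: needle.lower() in req.url.lower()


def hostname_eq(host: str) -> Callable[[Request], bool]:
    """HTTP.REQ.HOSTNAME.EQ("host"): exact comparison of the Host header."""
    return lambda req: req.hostname == host


# (priority, policy, expression, target LB vServer) in the guide's table order.
# Priorities are assumed (the page does not list them); lowest number is evaluated first.
CS_POLICIES = [
    (100, "cs_pol_owa", url_contains("/owa"), "lb_vsrv_ex2016_owa"),
    (110, "cs_pol_ews", url_contains("/ews"), "lb_vsrv_ex2016_ews"),
    (120, "cs_pol_activesync", url_contains("Microsoft"), "lb_vsrv_ex2016_activesync"),
    (130, "cs_pol_autodiscover", url_contains("/autodiscover"), "lb_vsrv_ex2016_autodiscover"),
    (140, "cs_pol_rpc", url_contains("/rpc"), "lb_vsrv_ex2016_rpc"),
    (150, "cs_pol_oab", url_contains("/oab"), "lb_vsrv_ex2016_oab"),
    (160, "cs_pol_mapi", url_contains("/mapi"), "lb_vsrv_ex2016_mapi"),
    (170, "cs_pol_cgi", url_contains("/cgi"), "lb_vsrv_ex2016_owa"),
    (180, "cs_pol_owa_redirect", hostname_eq("mail.flashmob-saulgau.de"), "lb_vsrv_ex2016_owa"),
]


def dispatch(req: Request) -> Optional[Tuple[str, str]]:
    """Return (policy, target) of the first matching policy, or None when nothing matches."""
    for _prio, name, expr, target in sorted(CS_POLICIES, key=lambda p: p[0]):
        if expr(req):
            return name, target
    return None


if __name__ == "__main__":
    samples = [  # constructed sample requests, not captured traffic
        Request("mail.flashmob-saulgau.de", "/owa/auth/logon.aspx"),
        Request("mail.flashmob-saulgau.de", "/Microsoft-Server-ActiveSync?Cmd=Ping"),
        Request("mail.flashmob-saulgau.de", "/ecp/"),  # no cs_pol_ecp: hits the hostname catch-all
        Request("other.example", "/ecp/"),              # catch-all does not match this Host header
    ]
    for req in samples:
        print(f"{req.hostname}{req.url:<40} -> {dispatch(req)}")
```

Because there is no cs_pol_ecp in the table, an /ecp request only reaches the OWA vServer through the hostname catch-all, which is why the priority of that last policy matters.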

AAA (Enterprise)

If you have an Enterprise licence you can let the AAA vServer handle the authentication and pass the credentials on to OWA. This improves the security integration and makes nFactor authentication such as RADIUS, SAML and certificate authentication possible. If you enter the mail domain in the browser you are redirected to the AAA login page.


If you want to use "401 Based Authentication" on the Autodiscover service you need to set the following registry key in the user profile.

Otherwise Outlook 2016 crashes while setting up the profile, because ADAL is enabled by default and NetScaler does not support ADAL at the moment:
https://discussions.citrix.com/topic/376086-outlook-2016-and-autodiscover/

Update (2018-05-23): With NetScaler >= 12.0 there is no need to create the "EnableADAL" key: https://support.citrix.com/article/CTX216539

Update (2019-10-28): Johannes Norz reached out to me about a problem with the authentication when running the Citrix ADC on firmware 13.41.20 and higher. You receive the message "Error: Not a privileged User" after a successful authentication. Citrix changed the default authorization action to "DENY", which causes the issue. You can change it back to "ALLOW" or create an authorization policy. For more information check his blog post.


Authentication Policies

In this setup we will authenticate with LDAP only. For this we need to create two policies:

1.) LDAP with sAMAccountName
2.) LDAP with userPrincipalName

The user can log in with "test" or "[email protected]".


SSO Traffic Policies

The AAA content switching policy must be bound with the lowest priority number, so that the NetScaler evaluates it before the other content switching policies.

Group Filtering

If you need to restrict the external access to security groups in Active Directory, create the following authorization policies.

Bind the authorization policies to the vServers.

When the user is not a member of the "External-OWA" group but the authentication against the AAA server was successful, you get the following notification:

“Error: Not a privileged User.”

I created a responder HTML page to present a more user-friendly message. This can't be done via the CLI. Go to AppExpert –> Responder –> HTML Page Imports

[Screenshot: Citrix NetScaler VPX – Configuration, HTML Page Imports]

Now you can create the responder policy & action.

Front End Optimization (Enterprise)

I couldn't test this feature much, so I configured it as described in the Citrix whitepaper. If the optimization action "Moderate" does not meet your expectations you can try the "Aggressive" mode. You can verify that FEO is working within the GUI. Go to Optimization –> Front End Optimization –> Statistics ("stat feo" in the CLI)


Integrated Caching (Platinum)

The Citrix docs recommend allocating less than half of the NetScaler's memory to integrated caching. Set the parameter "memLimit" to fit your appliance; I'm using 500MB. You can verify that the cache is working within the GUI. Go to Optimization –> Integrated Caching –> View Cache Objects ("show cache object" in the CLI)


I hope this guide helped you to load balance Exchange with Citrix NetScaler.
If you find any misconfigurations or have improvements, please contact me.
