MMCUG 1/31/2014 Bryan F. Boretsky
Bryan F. Boretsky

This presentation is intended solely for KEMP partners and customers, please do not distribute!

Agenda

  • Introductions
  • Microsoft workload overview
  • KEMP Overview
  • Q&A

Exchange Load Balancing

Reference Architecture

Exchange 2013 Ready and Tested

How did we get here? Exchange 2010 story…
  • A newborn is named Client Access Array
  • Load Balancing requirements accompany the newborn
  • The world of Exchange administrators becomes complex…
Story of Protocols
  • Like our DNA, each one is unique
    • Outlook Web App – Persistence required – server cookie
    • Exchange Control Panel – Persistence required – server cookie
    • Web Services – Persistence required – cookie or no cookie is the question
    • RPC Client Access – Persistence required – Client IP is the only option
    • Outlook Anywhere – Persistence recommended – Client IP/Cookie
    • ActiveSync – Persistence recommended – Client IP/SSL Session ID
    • Address Book Service – Persistence recommended – Client IP/SSL Session ID
    • PowerShell – Persistence recommended – LB generated cookie/Client IP
Story of Namespaces
  • Exchange 2010 required One, err… many namespaces
    • Primary namespace
    • Secondary/DR namespace
    • OWA failback namespace
    • Another OWA failback namespace
    • Autodiscover namespace
    • RPC Client Access namespace
    • Legacy namespace
In Summary…
  • Exchange 2010 Load balancing
    • Is complex
    • Dizzying array of affinity requirements
    • Needs more planning
    • Requires Layer 7 Load Balancer

Costs $$$

New kids on the block…
  • Exchange 2013
    • Long live RPC/HTTP
    • RIP CAS Array
    • Long live CAS Proxy
    • Managed Availability
      • New Healthcheck Page
      • Easier Maintenance
Client Access Role…
  • Is strictly a proxy
  • No data rendering
  • Proxy to mailbox server OR
  • Redirect to another CAS server
  • No longer an RPC endpoint
    • guid@smtpdomain is new endpoint
    • Outlook profile doesn’t change
In Summary…
  • Exchange 2013 Load balancing
    • Is simpler, no affinity needed
    • Still needs proper planning but less complex means less daunting
    • Layer 4 Load Balancer works

Costs LE$$

The great debate of DNS RR
  • Can you do away with Load Balancer?
    • Most client protocols are HTTP
    • HTTP client can try next record if one fails
    • BUT…
    • It is not service aware
    • It can’t account for grey errors
Exchange 2013
  • Even though L4 is now available, most customers are still setting up at L7
  • At a minimum, only one VS (Virtual Service) on port 443 is needed, with simple health checking. Example: set up health checking on the HTTPS protocol and point it to /OWA or /microsoft-server-activesync
  • Adding an HTTP-to-HTTPS redirect VS is also common
  • We can also support Sub-VSs, which allow you to perform more specific health checking on each individual service
  • Templates are available for Exchange 2013
Load Balancing Lync 2013
  • Visual Reference
Load Balancing Lync 2013
  • Load Balancing Front End/Director Pools
  • Microsoft recommended method
    • Use DNS Load Balancing for SIP traffic
    • Configure Web services override FQDN for internal web services
    • Load balance TCP port 80, 8080, 443 and 4443
    • Also Load balance TCP port 444 if Director is deployed
Load Balancing Lync 2013
  • Load Balancing Front End/Director Pools
    • Source IP Persistence can be used, but should you?
      • Clients behind a NAT device show up as a single IP
      • Can result in uneven connection distribution
    • Health check on TCP port 5061, or use hardware load balancer monitoring port from topology if defined
    • Alternatively check /meet/blank.html instead of 5061 to ensure IIS is working
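
An added illustration of the NAT caveat above (not part of the original presentation): a small simulation of a source-IP persistence table compared with plain round robin. The server names, addresses and client counts are constructed for the example, and persistence timeouts are ignored.

```python
from collections import Counter
from itertools import cycle

SERVERS = ["fe1", "fe2", "fe3", "fe4"]  # hypothetical Front End pool members


def build_clients(nat_users=300, direct_users=100):
    """Constructed population: (client id, source IP as seen by the load balancer)."""
    # Every branch-office user leaves through one NAT egress address.
    clients = [(f"branch-{i}", "203.0.113.10") for i in range(nat_users)]
    # Directly connected users each present their own address.
    clients += [(f"direct-{i}", f"198.51.100.{i + 1}") for i in range(direct_users)]
    return clients


def distribute_source_ip(clients, servers=SERVERS):
    """Source-IP persistence: the first connection from an address is scheduled
    round robin, and every later connection from that address sticks to it."""
    table, rr, load = {}, cycle(servers), Counter()
    for _client, src_ip in clients:
        if src_ip not in table:
            table[src_ip] = next(rr)
        load[table[src_ip]] += 1
    return load


def distribute_round_robin(clients, servers=SERVERS):
    """No persistence: each connection goes to the next server in turn."""
    rr = cycle(servers)
    return Counter(next(rr) for _ in clients)


def skew(load):
    """Share of all connections on the busiest server (0.25 is even for 4 servers)."""
    return max(load.values()) / sum(load.values())


if __name__ == "__main__":
    clients = build_clients()
    for name, load in (("source-ip", distribute_source_ip(clients)),
                       ("round-robin", distribute_round_robin(clients))):
        print(f"{name:12s} {dict(sorted(load.items()))} busiest share={skew(load):.2f}")
```

With these constructed numbers the single NAT address pins all 300 branch users to one server, which is the uneven distribution the slide warns about.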
Load Balancing Lync 2013
  • Load Balancing Front End/Director Pools
    • Load balancer only configuration, DNS RR not used for SIP
      • Load balance the following ports (all TCP)
      • 5061, 444, 135, 80, 8080, 443, 4443, 448, 5070-5073, 5075-5076, 5080
      • Hardware Load Balancer Ports if Using Only Hardware Load Balancing
Load Balancing Lync 2013
  • Load Balancing Mediation Pools
    • DNS only load balancing is sufficient
    • If using load balancer instead of DNS, load balance only TCP 5070
Load Balancing Lync 2013
  • Load Balancing Edge Pools
Load Balancing Lync 2013
  • Load Balancing Edge Pools using DNS
    • Loss of failover in following scenarios
      • Federation with organizations running OCS versions older than Lync 2010
      • PIM connectivity with Skype, Windows Live, AOL, Yahoo! and XMPP partners
      • UM Play on Phone functionality
      • Transferring calls from UM Auto Attendant
Load Balancing Lync 2013
  • Load Balancing Edge Pools using Load Balancer
    • External Interfaces
      • Access Edge Interface
        • Source NAT can be used
        • SIP (External Client) – TCP 443
        • SIP (Federation/PIM) – TCP 5061
        • XMPP – TCP 5269
      • Web Conferencing Interface
        • Source NAT can be used
        • PSOM – 443
      • AV Edge Interface
        • NAT can’t be used here
        • STUN/MSTURN – TCP 443
        • STUN/MSTURN – UDP 3478
Load Balancing Lync 2013
  • Load Balancing Edge Pools using Load Balancer
    • External Interfaces
      • Use Access VIP as default gateway on all Edge interfaces
      • AV Edge Interface considerations
        • Turn off TCP nagling for both internal and external TCP 443 VIP
        • Turn off TCP nagling for external port range 50,000 - 59,999
        • Must use publicly routable IP with no NAT or port translation
Load Balancing Lync 2013
  • Load Balancing Edge Pools using Load Balancer
    • Internal Interfaces
      • Access SIP – TCP 5061
        • Used by Directors, FE Pools
      • AV Authentication SIP – TCP 5062
        • Any FE Pool and SBA
      • AV Media Transfer – UDP 3478
        • Preferred path for A/V media transfer
      • AV Media Transfer – TCP 443
        • Fallback path for A/V media transfer
        • File Transfer
        • Desktop Sharing
Reverse Proxy – What is It
  • Device deployed between clients and servers, usually in the DMZ and interacts with servers and services on behalf of the client
  • Commonly used to provide load balancing for availability and scalability
  • Terminates TCP traffic
  • Protects internal HTTP servers by providing a single point of access to the internal network
  • Full reverse proxies provide advanced Layer 7 features such as SSL acceleration, traffic management, intrusion prevention, content acceleration, etc.
  • More than NAT


Load Balancer

Reverse Proxy

Load Balancing Lync 2013
  • Reverse Proxy – a separate VIP on Load Balancer
    • Load balance port 80 and 443
    • Translate to server ports 8080 and 4443
    • Cannot use pre-authentication
    • No persistence is required
    • Use 20 minute TCP session timeout
    • Use 1800 seconds TCP idle timeout
    • Health check on port 5061, or use hardware load balancer monitoring port from topology if defined
    • Alternatively check /meet/blank.html instead of 5061 to ensure IIS is working
Load Balancing Lync 2013
  • Load Balancing Office Web Apps Servers
    • Load balance port TCP/443
    • Enable and Reencrypt SSL
    • Use Source IP for persistence with 30 minute timeout; use other methods if NAT or concentrators are involved
    • Use 1800 seconds Idle timeout
    • Perform healthcheck on /hosting/discovery, using HTTP GET

Reference Architecture




[Diagram: KEMP LoadMasters, Authentication Providers, SharePoint 2013 Farm]

  • Perimeter LoadMaster can provide:
    • Reverse Proxy for SharePoint Farm
    • ESP with Preauthentication service

Reference Architecture


Internal Remote Desktop Users

Thin Clients


  • RDP Health Checking
  • Session Broker Support
  • L7 Persistence
  • Resource-Based LB Agent

RDS Server Farm

Session Broker


Site Failover (Active, Standby)





Reference Architecture for DR or Localization


Application Centric ADCs

“It’s NOT about the Load Balancer, it’s about the application.”

  • All KEMP Hardware and Virtual Appliances are optimized for:
    • Exchange
    • Lync
    • SharePoint
    • Remote Desktop Services
    • TMG / Forefront
    • ADFS (federation servers)
KEMP Technologies – Overview

Who we are

  • Established in 2000
  • US-HQ: New York | EMEA-HQ: Limerick | APAC-HQ: Singapore
  • Over 17,000 customer deployments
  • ~700% Growth in past 5 years (510% in last 3)
  • 3rd ADC Vendor by Units Shipped
  • Ownership and Investments

What we do

KEMP Technologies builds Application Delivery Controllers

  • Enabling our customers to achieve:
    • High Availability
    • Scalability
    • Performance Optimization
    • Application Acceleration

ALL LoadMaster Hardware and Virtual Appliances support:

  • L4/L7 Server Load Balancing
  • SSL Acceleration/Termination & Re-encryption
  • Cookie (L7) Persistence
  • Server Health Monitoring
  • Service “Aware”
  • L7 Transparency
  • Caching, Compression
  • Active/Hot-Standby High Availability
  • Application-specific Templates
  • Global load balancing
Introducing the KEMP Family of ADC

Unified Management

Common, “Tiered” UI

Feature-parity, platform ubiquity





Public Cloud


All Major


Latest in hardware Load Balancers

The 140 series of Federal Information Processing Standards (FIPS) are US government computer security standards that specify requirements for cryptography modules which include both hardware and software components used by the Feds.


Where’s KEMP Today?

KEMP is rapidly growing, currently #3 ADC Vendor in North America and EMEA by units shipped





*The complete Dell’Oro Group Data Center Appliance Quarterly Report can be found here:


Strategic Technology Partnerships

KEMP has strong partnerships with Microsoft, VMware, Dell, HP, Cisco, Oracle and other enterprise application vendors. It is the “application” that drives the requirement for KEMP LoadMaster solutions.

Most Enterprise Workloads (e.g. MS Exchange, SharePoint; Oracle ERP, Web Apps) require an ADC or a Load Balancer to distribute application user requests to more than one server – hardware or virtual.

The KEMP ESP – Edge Security Pack
  • Endpoint Authentication for Pre-Auth
  • Persistent Logging and Reporting for User Logging
  • Single Sign On Across Virtual Services
  • LDAP Authentication
  • NTLM and Basic Authentication

Geo Pack add-on for

Global Site Load Balancing

Optimized for Exchange

Site Resiliency

5 Distributions

  • Closest
  • Geo-targeted
  • Fastest
  • Round Robin
  • Active/Standby
Some Useful Links
  • Trial VLM Download
  • Templates, including new Lync and Exchange 2013, VMware Horizon View and more
  • Documentation
  • Support
  • Training is available
    • Live, interactive Basic and Advanced Partner training scheduled for Wednesday and Friday next week respectively.
    • Lunch-and-learn sessions on demand
    • Training Videos
Contact info
  • Bryan F. Boretsky
  • North Central Territory Account Manager
  • Direct 631-259-6588
  • Cell 406-239-8199
  • Chris Colon
  • North Central Inside Sales Account Manager
  • Office: 631-259-4768