
Load Balancing Exchange 2016 DAG - Outlook Authentication Window



Hi,

I have an Exchange 2016 DAG behind a NetScaler VPX.

When I set both Exchange servers online in the NetScaler interface, the user gets the Outlook authentication window on starting Outlook.

And the user cannot log in even using the right credentials.

If only one of both Exchange servers is set to online in the configuration, it does not happen. (It does not matter which one - it works with only one online.)

In a test environment I got the same issue with another NetScaler.

I think it's a problem with the persistence, but I don't really know.

I used this configuration for the lbsrv:

add lb vserver lbvsrv_gs_ex2016_owa SSL 0.0.0.0 0 -persistenceType NONE
add lb vserver lbvsrv_gs_ex2016_activesync SSL 0.0.0.0 0 -persistenceType SRCIPDESTIP
add lb vserver lbvsrv_gs_ex2016_rpc SSL 0.0.0.0 0 -persistenceType RULE -rule 'HTTP.REQ.HEADER("Authorization")' -timeout 240
add lb vserver lbvsrv_gs_ex2016_ews SSL 0.0.0.0 0 -persistenceType NONE
add lb vserver lbvsrv_gs_ex2016_autodiscover SSL 0.0.0.0 0 -persistenceType SOURCEIP -timeout 30
add lb vserver lbvsrv_gs_ex2016_oab SSL 0.0.0.0 0 -persistenceType NONE
add lb vserver lbvsrv_gs_ex2016_mapi SSL 0.0.0.0 0 -persistenceType RULE -rule 'HTTP.REQ.HEADER("Authorization")' -timeout 240
add lb vserver lbvsrv_gs_ex2016_ecp SSL 0.0.0.0 0 -persistenceType NONE

 

 

Setting the MAPI persistence to Sourceip, I thought it would work, but that was only temporary / is not very constant.

Take a look at Julian's walk-through on Exchange load balancing here: https://citrixguyblog.com/2017/07/22/citrix-netscaler-loadbalancing-exchange-20132016-walkthrough-guide/

 

From there the example for persistence configuration is as below:

add lb vserver lb_vsrv_ex2016_owa SSL 0.0.0.0 0 -persistenceType NONE
add lb vserver lb_vsrv_ex2016_activesync SSL 0.0.0.0 0 -persistenceType SRCIPDESTIP
add lb vserver lb_vsrv_ex2016_rpc SSL 0.0.0.0 0 -persistenceType SOURCEIP -timeout 30
add lb vserver lb_vsrv_ex2016_ews SSL 0.0.0.0 0 -persistenceType NONE
add lb vserver lb_vsrv_ex2016_autodiscover SSL 0.0.0.0 0 -persistenceType SOURCEIP -timeout 30
add lb vserver lb_vsrv_ex2016_oab SSL 0.0.0.0 0 -persistenceType NONE
add lb vserver lb_vsrv_ex2016_mapi SSL 0.0.0.0 0 -persistenceType SOURCEIP -timeout 30
add lb vserver lb_vsrv_ex2016_ecp SSL 0.0.0.0 0 -persistenceType NONE

I've used similar in the past with good outcomes.

Andy
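
To see exactly where the configuration in the first post differs from the walkthrough's, the following added example (not part of any post, and not Citrix's or the walkthrough author's code) parses both sets of `add lb vserver` lines as posted and reports the services whose persistence options differ. The function names `parse` and `diff` are illustrative.

```python
import shlex

# The two configurations, copied from the posts above.
POSTED = """\
add lb vserver lbvsrv_gs_ex2016_owa SSL 0.0.0.0 0 -persistenceType NONE
add lb vserver lbvsrv_gs_ex2016_activesync SSL 0.0.0.0 0 -persistenceType SRCIPDESTIP
add lb vserver lbvsrv_gs_ex2016_rpc SSL 0.0.0.0 0 -persistenceType RULE -rule 'HTTP.REQ.HEADER("Authorization")' -timeout 240
add lb vserver lbvsrv_gs_ex2016_ews SSL 0.0.0.0 0 -persistenceType NONE
add lb vserver lbvsrv_gs_ex2016_autodiscover SSL 0.0.0.0 0 -persistenceType SOURCEIP -timeout 30
add lb vserver lbvsrv_gs_ex2016_oab SSL 0.0.0.0 0 -persistenceType NONE
add lb vserver lbvsrv_gs_ex2016_mapi SSL 0.0.0.0 0 -persistenceType RULE -rule 'HTTP.REQ.HEADER("Authorization")' -timeout 240
add lb vserver lbvsrv_gs_ex2016_ecp SSL 0.0.0.0 0 -persistenceType NONE
"""
WALKTHROUGH = """\
add lb vserver lb_vsrv_ex2016_owa SSL 0.0.0.0 0 -persistenceType NONE
add lb vserver lb_vsrv_ex2016_activesync SSL 0.0.0.0 0 -persistenceType SRCIPDESTIP
add lb vserver lb_vsrv_ex2016_rpc SSL 0.0.0.0 0 -persistenceType SOURCEIP -timeout 30
add lb vserver lb_vsrv_ex2016_ews SSL 0.0.0.0 0 -persistenceType NONE
add lb vserver lb_vsrv_ex2016_autodiscover SSL 0.0.0.0 0 -persistenceType SOURCEIP -timeout 30
add lb vserver lb_vsrv_ex2016_oab SSL 0.0.0.0 0 -persistenceType NONE
add lb vserver lb_vsrv_ex2016_mapi SSL 0.0.0.0 0 -persistenceType SOURCEIP -timeout 30
add lb vserver lb_vsrv_ex2016_ecp SSL 0.0.0.0 0 -persistenceType NONE
"""
KEEP = ("-persistenceType", "-rule", "-timeout")

def parse(config):
    """Map each Exchange service (last part of the vserver name) to its persistence options."""
    result = {}
    for line in config.splitlines():
        tok = shlex.split(line)  # keeps the quoted -rule expression as one token
        if tok[:3] != ["add", "lb", "vserver"]:
            continue
        # tok[3] is the name, tok[4:7] are type/IP/port, then "-option value" pairs
        opts = dict(zip(tok[7::2], tok[8::2]))
        service = tok[3].rsplit("_", 1)[-1]
        result[service] = {k: v for k, v in opts.items() if k in KEEP}
    return result

def diff(a, b):
    """Return {service: (options_in_a, options_in_b)} where persistence options differ."""
    pa, pb = parse(a), parse(b)
    services = sorted(set(pa) | set(pb))
    return {s: (pa.get(s), pb.get(s)) for s in services if pa.get(s) != pb.get(s)}

if __name__ == "__main__":
    for service, (mine, ref) in diff(POSTED, WALKTHROUGH).items():
        print(service, mine, "->", ref)
```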


Also worth checking if you're seeing any failures on the monitors when you're getting the issues. If the back-end service is being marked as down then this would also trigger a credential prompt when the connection moves to the other service. Could be something transient in the environment that's causing connections to fail over.

OK, my results so far:

Using persistence sourceip 30 min is now active - problem still there.

But I got a hint looking at the connection status of the client - RPC.

So I disabled the Windows firewall on the second Exchange - seems to work now.

Interesting: the firewall already has a rule to allow port 443 and 80 from everywhere to any service - so it should not be the problem.

I'll compare the rules and report.


Seems to be the Microsoft firewall on the Exchange - definitely.

0. Firewall on - no connection

1. Firewall off - works

2. Firewall on - works, works not, works not...... Client always brings Outlook connected, disconnected.

After some Outlook closing and reopening the client is disconnected.

If you let Outlook open and disable the firewall, the client gets connected immediately.

Rules on both servers are all the same.

To not have to turn off the MS firewall, I created a new rule that allows everything for the SNIP of the NetScaler to everything on the Exchange.

Seems to work.

Differences between both systems: the new one with the problem has the latest Windows Server 2016 OS patches. The old one has to be updated soon.

(Created the same firewall rule on the old system to prevent problems after update.)
