Reading Time: 8 minutesCitrix NetScaler is a very powerful and versatile platform for application delivery. Load balancing is one of the key features of Citrix NetScaler. Many organisations are using Microsoft Exchange 2016 to provide email, calendar, tasks and other enterprise collaboration solutions to their employees and customers. Deploying Citrix NetScaler in front of Microsoft Exchange 2016 ensures security, reliability and performance for end-users and IT-engineers. This method is also known as “reverse-proxy” for Microsoft Exchange.
Requirements for the configuration:
- Citrix NetScaler 11.1 (www.citrix.com)
- Microsoft Exchange 2016
- SSL Certificate
My homelab setup
My homelab setup is not that complex. I am running the Exchange 2016 server and the NetScaler as a Hyper-V virtual machine. For load balancing usually you need more then one back-end resource (Exchange 2016 server), but for testing the load balancing concept it’s fine. Also I am using a self-signed certificate. If you run this similar setup in production, you need a valid certificate singed by a public certificate authority.
So let’s start.
Logon to the NetScaler and go to System-> Basic Configuration and enable the correct featured in the Basic Features panel according to the screenshot below.
Add Servers (back-end servers)
Let’s add the servers we will be using to load balance. In my case this is my Exchange 2016 Server. When we add the server here, we can later use it in the Service Group as a resource.
Navigate to Traffic Management -> Load Balancing -> Servers and click on Add.
Enter the required information and click on Create.
Set up Service Groups
We will need a total of five Service Groups. See the table below. Let’s setup the Service Groups needed to feed the Load Balancing vServer.
| Load Balancing Service Group Name | Exchange feature | Protocol | Port |
| lb_svg_exch2016_owa | Outlook Web Access | SSL | 443 |
| lb_svg_exch2016_ews | Exchange Web Service | SSL | 443 |
| lb_svg_exch2016_activesync | ActiveSync Service for mobile mailclients | SSL | 443 |
| lb_svg_exch2016_rpc | Outlook Anywhere or RPC over HTTPS | SSL | 443 |
| lb_svg_exch2016_autodiscovery | Autodiscover Service | SSL | 443 |
Navigate to Traffic Management -> Load Balancing -> Service Groups and click on Add.
Enter the required information and click on OK. Make sure to choose SSL as Protocol.
Click then on OK again.
Now we have to assign Service Group members. These are your Exchange 2016 servers off-course. In my case there is only one as I explained earlier in my post. Click on No Service Group Member.
Click on Server Based to select the server you added earlier. In my case that is exchange01.vikash.nl. Make sure you use port 443. Click on Create.
Click on Done.
You will now be taken to the overview of the Service Groups. Using the steps above create the other needed Service Groups. You can select the lb_svg_exch2016_owa and then click on Add. This is how it should look in the NetScaler interface when you have create all the Service Groups according to the table above.
Set up Load Balancing Virtual Servers
Navigate to Traffic Management -> Load Balancing -> Virtual Servers and click on Add.
We will create five Load Balancing Virtual Servers. In the table below I have specified them:
| Load Balancing Virtual Server name | Load Balancing function |
| lb_exch2016_vsrv_owa | Outlook Web Access |
| lb_exch2016_vsrv_ews | Exchange Web Services |
| lb_exch2016_vsrv_autodiscovery | Autodiscover Service |
| lb_exch2016_vsrv_activesync | ActiveSync Service for mobile mailclients |
| lb_exch2016_vsrv_rpc | Outlook Anywhere or RPC over HTTPS |
Enter the required information. Make sure you choose SSL for protocol and make the IP Address Type Non Addressable. We don’t want the Virtual Server to be directly accessible on the network. Instead we will use the Content Switching feature of the Citrix NetScaler to direct traffic to where we want it. Click on OK after setting up everything like the screenshot below.
Click on No Load Balancing Virtual Server ServiceGroup Binding.
Select the a Service Group to bind and click on Bind.
Click on Continue.
Click on No Server Certificate to bind a certificate.
Select the appropriate Server Certificate. In my case this is my self-signed certificate, which is fine for testing purposes. In this post I show you how to import a PFX certificate on the NetScaler. After selecting the correct certificate, click on Bind.
Click on Continue.
Click on Done.
Create the other Load Balancing Virtual Servers like I specified in the table above. Just select the Load Balancing Virtual Server we just added, and click on Add and follow the steps as described above.
After adding all the Load Balancing Virtual Servers, the list should look like the screenshot below.
Set up Persistence
Several of the Load Balancing Virtual Server require a different setting for Persistence. In the table below I have specified the settings:
| Load Balancing Virtual Server Name | Exchange Feature | Persistence Type | Setting per type |
| lb_exch2016_vsrv_owa | Outlook Web Access | NONE | Default |
| lb_exch2016_vsrv_ews | Exchange Web Service | NONE | Default |
| lb_exch2016_vsrv_activesync | ActiveSync Service for mobile mailclients | SRCIPDESTIP | Default |
| lb_exch2016_vsrv_rpc | Outlook Anywhere or RPC over HTTPS | RULE | TimeOut: 240
Expression:
HTTP.REQ.HEADER("Authorization") |
| lb_exch2016_vsrv_autodiscovery | Autodiscover Service | SOURCEIP | Default |
Navigate to Traffic Management -> Load Balancing -> Virtual Server and select lb_exch2016_vsrv_rpc. Then click on Edit. You will should see the screen below. Click on Persistence in the right column of the page.
Select the setting for this specific virtual server in the drop-down menu. Enter the expression HTTP.REQ.HEADER(“Authorization”) and click on OK.
Click on Done.
Now do the same for the other load balancing virtual servers. Check the table for the specific settings. In the end you should end your Virtual Server should look like the screenshot below.
Set up Content Switching Virtual Servers
The content switching server will redirect the traffic to the appropriate load balancing server. After creating the content switching virtual server we will define the content switching actions and policies, and bind them to the content switching virtual server. Navigate to Traffic Management -> Content Switching -> Content Switching Virtual Servers and click on Add.
Enter the information and make sure you use a new IP address and port 443.
Click on OK.
Now we have to bind the SSL certificate. Click on Certificate in the right column.
Select the certificate (in my case vikash.nl) and click on Bind.
Click on Continue and then on Done.
We can now see that the virtual server is up.
Create Content Switching Actions
Now we have to create the content switching Actions. These actions will send the traffic to the appropriate backend load balancing virtual server.
Navigate to Traffic Management -> Content Switching -> Content Switching Actions and click on Add.
Fill in the name, select Loadbalancing Virtual Server and select one of the Load Balancing Virtual Servers. In my screenshot I start with the load balancing server for Outlook Web Access. Click then on Create.
Now select the content switch action we just created, and then on Add. This will duplicate the switch action, making it easier to adjust settings for the following switch actions.
In the end you should have all the load balancing virtual servers connected to a specific content switch action, and your screen should look something like the my screenshot below.
Create Content Switching Policies
In the content switching policies we will tell Citrix NetScaler where to redirect the requests to. In the table below I have created an overview of the policies.
| Policy Name | Expression | Action |
| cs_pol_activesync | HTTP.REQ.URL.CONTAINS("Microsoft") | cs_act_activesync |
| cs_pol_rpc | HTTP.REQ.URL.CONTAINS("/rpc") | cs_act_rpc |
| cs_pol_ews | HTTP.REQ.URL.CONTAINS("/ews") | cs_act_ews |
| cs_pol_autodiscovery | HTTP.REQ.URL.CONTAINS("/autodiscover") | cs_act_autodiscovery |
| cs_pol_owa | HTTP.REQ.URL.CONTAINS("/owa") | cs_act_owa |
Navigate to Traffic Management -> Content Switching -> Content Switching Policies and click on Add.
Give a name and select the appropriate action. Fill in the correct expression (see table above) and click on Create.
Now select the content switch policy we just created, and then on Add. This will duplicate the switch policy, making it easier to adjust settings for the following switch policies.
In the end your list of policies should look like my screenshot below.
Bind Content Switching Policies
Now we have to bind the content switching policies to the content switching virtual server. This is the server where all the traffic comes in, and according to the policies the NetScaler redirect the traffic.
Navigate to Traffic Management -> Content Switching -> Content Switching Virtual Server. Select the content switching virtual server and click on Edit.
Click on No Content Switching Policy Bound to bind the policies.
Select the policy and set the priority. Click then on Bind.
Do the same for all the policies. Your screen should look like my screenshot below.
You should have 5 content switching policies bound to the switching virtual server.
Testing
Now you can test! You should be able to connect to the ip address of the content switching server and it should redirect you to the appropriate resource on the backend.
This concludes this tutorial. Feel free to contact me of you have any questions or comments.
You can also follow me on twitter or add the rss feed from the blog and you will be notified when I add new posts.
Load Balancing Microsoft Exchange 2016 with Citrix NetScaler Read More
