Hosted


Combining Web Farm publishing with Software or Hardware Based Load Balanced CAS arrays

July 28, 2010 20:42 by Administrator

In my post just the other day I provided a link to the new guide covering Exchange publishing via Forefront TMG or UAG. One poster followed up by asking, “How do I set things up when I have both TMG/UAG with a web farm and a hardware load balancer?” It’s a great question, as these days hardware load balancers are becoming commonplace, and trying to get both Forefront TMG/UAG and the load balancer to work together is important to get right. As it happens, I had written something about this up too, and was saving it for a rainy day, so it looks like today, it’s raining. I hope this helps answer the question.

The introduction of the Client Access Server (CAS) role as the MAPI end point Outlook uses to connect to a mailbox has prompted many organizations to consider load balancing internal clients for the first time. Introducing a load balancer to provide fault tolerance and load sharing for client access can be a source of confusion when it is combined with a product such as Forefront TMG or UAG to publish Exchange, because those products can also provide load balancing.

The most common question is whether Forefront TMG should be used to publish the Virtual IP address (VIP) created on the load balancer, as shown in the diagram below, or whether a farm of CAS should be configured on Forefront TMG and used as the destination for the publishing rule. (Forefront TMG is referred to throughout this section, but the same is true of Forefront UAG in these scenarios.)

Figure 1 - All Connections through the Load Balancer

This approach of publishing the load balancer itself has both advantages and some disadvantages.

An obvious advantage is that a simple, common path now exists for both internal and external client connections, both via the load balancer. The disadvantage is that a single point of failure now exists for all client connections, though that will always be the case when concentrating connections to any form of hardware device and is usually mitigated by using redundancy in the configuration.

Another advantage is that a hardware load balancer usually has many more affinity methods available to it, and so that extra capability can be leveraged when balancing the load across the CAS.

One of the more subtle disadvantages is only clear when you consider how Forefront TMG views the health of the end point it is publishing. If the end point is a single load balancer and there is an issue connecting to it, the entire target is marked as down, whereas if Forefront TMG is treating the health of each member CAS on an individual basis, any one member being down does not impact the entire service. As in the previous case, redundancy in the load balancer can help mitigate this risk.

A further issue that can cause problems in this scenario, though it is relatively easy to work around if the network configuration allows it, is that Forefront TMG typically uses its own IP address as the source IP in the TCP packets that reach the load balancer. It effectively appears to the load balancer as a single IP address, or client, which impacts the load balancer's ability to distribute load based on source IP address. There are three mitigations to this problem:

  • Configure Forefront TMG to not replace the IP address of the client with its own IP address. This requires Forefront TMG to be set as the default gateway (or used as the ultimate exit route from the network) on the load balancing hardware, if it is decrypting SSL, or on CAS, if SSL is being decrypted there, to ensure the packets route back through Forefront TMG.
  • Configure the load balancer to use a form of affinity other than source IP. This can be a problem for clients such as Outlook Anywhere, where one client can create multiple SSL sessions, because sessions from the same client can be split across multiple CAS.
  • Configure Forefront TMG to use Bi-Directional Affinity (available only in the Enterprise version of Forefront TMG) which allows Forefront TMG to manage this complex networking scenario. There are however some caveats to this approach, which are discussed in this blog post: http://blogs.technet.com/b/isablog/archive/2008/03/12/bi-directional-affinity-in-isa-server.aspx.

One last disadvantage of publishing the load balancer itself rather than each individual server is that certain scenarios cannot be configured, for example any that involve Kerberos Constrained Delegation (KCD) (certificate based authentication and NTLM Outlook Anywhere are two Exchange scenarios). KCD requires that Forefront TMG utilize the Service Principal Name of the delegated service, and since SPNs cannot be configured on more than one machine in a domain, there is no way to configure KCD from Forefront TMG to CAS in this scenario at this time. In these scenarios, publishing a single virtual IP address, that of the load balancer, would prevent KCD from working altogether.

Another potential solution is to not use the hardware load balancer and simply point all client traffic at Forefront TMG and allow it to load balance all the connections. This is shown in the diagram below, and shows all internal and external client requests being made via Forefront TMG.

Figure 2 - Use Forefront TMG as the Sole Load Balancer

The problem with this suggestion is that Forefront TMG is unable to use a farm for any protocol other than HTTP. Accessing a mailbox from an Outlook client when connected to the same network is done using RPC, POP3 or IMAP4. Neither Forefront TMG nor UAG can load balance these protocols across a farm of servers. Therefore you should not use a name that ultimately uses Forefront TMG or UAG as the MAPI end point for your Outlook clients. Whilst it is technically possible to configure Forefront TMG to make the appropriate ports available, they can only be used to publish a single IP address. This single IP could be a single server, or a load balanced IP address, though if you have load balancing available, but choose to concentrate all your connections to Forefront TMG, you are negating all the benefit of having the load balancer in the environment.

Another alternative would be to force all your internal users into Outlook Anywhere mode, so all traffic is HTTPS and can therefore utilize the Forefront TMG/UAG web farm. Some customers without hardware load balancers have done this to solve this problem, and whilst it is certainly possible, it is not necessary if you do happen to have a hardware load balancer, as we will discuss.

Knowing that Forefront TMG cannot effectively load balance RPC requests, but can load balance HTTP based traffic, you may be tempted to force all your internal Outlook clients to connect using Outlook Anywhere, using HTTP, and then allow Forefront TMG to load balance this traffic to the CAS in the web farm being published. Whilst this would work in most cases, uneven load balancing is often seen as the number of source IP addresses seen by Forefront TMG is low, particularly if NAT is being used in any part of the network, and so the connections from Forefront TMG to CAS tend to be uneven. For this reason a dedicated software or hardware load balancer is the recommended approach for internal Outlook to CAS connections.

The opposite approach is to not use Forefront TMG at all, and instead only use the load balancer at the network edge (assuming the device is designed for and supported in this scenario).

Figure 3 - Use Only a Hardware Load Balancer

In this scenario you benefit from being able to use a multitude of affinity options provided by your load balancing device, and can use the same device for internal and external load balancing if the network supports it, but you do lose the ability to pre-authenticate traffic at the perimeter of the network, and scenarios involving KCD will require that CAS be responsible for terminating the SSL stream from the client.

A better solution is using a web farm for all clients accessing via Forefront TMG, and pointing all internal clients at the hardware load balancer. The diagram below outlines this design.

Figure 4 - Use Forefront TMG to Publish Each CAS and Point Internal Clients at the Hardware Load Balancer

In this configuration, a web farm of CAS is created in Forefront TMG, containing the individual CAS servers, and used as the target for all publishing rules. A virtual array is also configured on the hardware load balancer containing those same CAS servers. The internalURL and DNS settings used by clients connecting from inside the network point to the load balancing device, and the external settings resolve to the external interface of Forefront TMG.

The advantage of this approach is that clients benefit from being able to use the hardware load balancer for all protocols, including RPC, while Forefront TMG provides the load balancing for clients accessing from the Internet and fully supports scenarios such as certificate based authentication, by being able to delegate to specific CAS within the farm.

If you require POP3 and/or IMAP4 access from the Internet, this would be the only scenario where using Forefront TMG to publish the internal Virtual IP of the load balancer would be recommended, as Forefront TMG is unable to publish those protocols to a web farm, and using the VIP as a target gives additional availability to the solution.

The final presented solution is to simply place the load balancer at the network edge (assuming the device is designed for and supported in this scenario), and use it to publish any Exchange resources that you do not wish to pre-authenticate or for which you require KCD.

Figure 5 - Split the Edge Connections between Devices as Needed

This solution allows Forefront TMG to provide pre-authentication to the Outlook Anywhere users and perform KCD back to CAS (and could easily allow certificate based authentication with KCD for ActiveSync users), and enables the load balancer itself to be used for OWA and EAS access. There is no perimeter pre-authentication for these clients, which is a trade off, but this allows the full range of load balancer affinity types to be used for these clients, and avoids the routing complexities previously discussed. It’s an unusual configuration, requiring pre-authentication for Outlook Anywhere, but not for OWA, but some customers may choose this route as they are using some kind of custom security software on their CAS to provide strong authentication, and that software can’t be installed on Forefront TMG.

The choices available to you are summarized in the table below.

 

Figure 1

Network Edge: Forefront TMG publishes Hardware load balancer VIP

Internal Clients: Hardware load balancer VIP

Advantages:

  • Simple Configuration
  • Ability to leverage multiple affinity types

Disadvantages:

  • HW load balancer requires redundancy to avoid being a single point of failure and marked as down by Forefront TMG
  • Network routing can be a problem
  • Cannot be used if Certificate Based Authentication or NTLM Outlook Anywhere with pre-authentication is required

Figure 2

Network Edge: Forefront TMG balances load over each and every CAS

Internal Clients: Route all traffic to TMG

Advantages:

  • Removes the need for the additional cost of the load balancer

Disadvantages:

  • Cannot provide resilient and load balanced RPC Client Access to internal Outlook clients
  • Likely poor load balancing for internal clients due to small source IP pool
  • Network configuration may make this difficult to implement

Figure 3

Network Edge: Load Balancer balances load over each and every CAS

Internal Clients: Hardware load balancer VIP

Advantages:

  • Removes the need for the additional cost of Forefront TMG
  • Allows most affinity methods to be used

Disadvantages:

  • No ability to pre-auth traffic entering via the load balancer
  • Network configuration may make this difficult to implement
  • Scenarios involving KCD require SSL termination and certificate validation to be done on CAS

Figure 4

Network Edge: Forefront TMG balances load over each and every CAS

Internal Clients: Hardware load balancer VIP

Advantages:

  • Certificate Based Authentication or NTLM Outlook Anywhere with pre-authentication is possible
  • Hardware load balancer can balance Outlook RPC traffic effectively
  • Ability to leverage additional affinity types

Disadvantages:

  • Two load balancing pools to manage

Figure 5

Network Edge: Forefront TMG balances load over each and every CAS, and Load Balancer balances load over each and every CAS

Internal Clients: Hardware load balancer VIP

Advantages:

  • Certificate Based Authentication or NTLM Outlook Anywhere with pre-authentication is possible
  • Ability to use multiple affinity types

Disadvantages:

  • Multiple external namespaces required
  • No ability to pre-auth traffic entering via the load balancer

Conclusion

The decision as to which of these solutions you should deploy will come as a result of understanding the scenarios you wish to support, and considering the network implications that can impact routing and load balancer effectiveness. It is important to understand that if you require pre-authentication of traffic in the perimeter network, then you need to deploy Forefront TMG, but if you don’t, you could simply use the load balancer to do load balancing for internal and external users. If you realize that you need to load balance RPC Client Access traffic, you need a hardware or software load balancer, as you cannot do that with Forefront TMG. If you ultimately want the best of both worlds, you may decide to deploy both, and use them for different purposes. As long as you carefully plan your requirements, you should be able to make the decision based on your needs, but always remember to keep one eye on the future. Things can change!



ICM Registry-Sponsored .xxx Domain Approved by ICANN Board

June 26, 2010 21:27 by Administrator

(WEB HOST INDUSTRY REVIEW) -- The six-year effort to create a specific Web address for online adult entertainment has come to a close with the ICANN Board’s approval of the .xxx top-level domain.

According to the announcement from sponsoring registrar ICM Registry (www.icmregistry.com), this decision comes on the heels of an independent review that declared that ICANN’s previous decision to deny .xxx was wrong.

“It’s been a long time coming, but I’m excited about the fact that .xxx will soon become a reality,” ICM Registry chairman Stuart Lawley said in a statement. “This is great news.” ICM Registry will now work with ICANN staff to complete the due diligence on its technical and financial qualifications and to finalize the contract to run .xxx.

In documents submitted to ICANN and reported in a CNet news story, ICM Registry proposed that the .xxx registry would charge $60 per domain name and let resellers add a markup in the ballpark of $10 to $15 per domain. Secondly, the International Foundation For Online Responsibility (www.onlineresponsibility.org), a nonprofit organization, would be in charge of the rules for .xxx to make sure that issues surrounding child pornography, freedom of expression and the interests of the adult entertainment industry all weigh in on the domain.

The ICM Registry expects .xxx domains to go live at the start of 2011, if not sooner. There are already 110,000 pre-reservations, which is expected to increase now that ICANN has formally approved the TLD.

According to the ICM Registry, the .xxx domain will provide a place online for adult entertainment providers and their service providers who want to be part of a voluntary, self-regulatory community. It will provide effective labeling of content, so that individuals and search engines know that .xxx websites likely contain adult content, which will allow for simple and effective filtering for those who wish to do so.

This will also provide an opportunity for domain registrars to sell millions of new domains, as well as effectively forcing them to buy a .xxx version of their current .com domain to maintain their brand.



Sample script to disable and enable Forefront service during patching

June 25, 2010 07:53 by Administrator

During the installation of an Exchange rollup update for Exchange Server 2007 or Exchange Server 2010, some of the Exchange services, e.g. the Microsoft Exchange Transport Service, may fail to start. This issue occurs because there is a problem with the way in which the Exchange services interact with Forefront during the patching process. The problem is currently being investigated. However, a suggested workaround is to use a Windows PowerShell script to disable and enable the Forefront Service for Exchange during the installation.

A new feature was introduced in Exchange Server 2007 Service Pack 2 to allow administrators to run PowerShell scripts during rollup installation. For more information, please refer to http://msexchangeteam.com/archive/2010/06/02/455063.aspx. The script in this article demonstrates how to use the CustomPatchInstallerActions.ps1 file to disable and enable the Forefront service for Exchange utilizing this new feature. The script can also be customized by customers for use with other third party products in the same way.

For the installer to find the script file, these criteria must be met:

1. The script file is named as CustomPatchInstallerActions.ps1

2. The script file is placed under <Exchange installation folder>\Scripts\Customization

3. The script file must have three sections:

  • PrePatchInstallActions : User defined actions that will be performed before the installation starts.
  • PostPatchInstallActions : User defined actions that will be performed after installation has finished.
  • PatchRollbackActions : User defined actions that will be performed after rollback of the installation (due to cancellation of installation).

The details for each section are:

PrePatchInstallActions:

  • Stop related services in this order:
    • MSExchangeSA
    • MSExchangeTransport
    • MSExchangeIS
    • FSCController
  • Disable Forefront service by running "fscutility /disable"

PostPatchInstallActions:

  • Enable Forefront service by running "fscutility /enable"
  • Start related services in this order:
    • FSCController
    • MSExchangeSA
    • MSExchangeIS
    • MSExchangeTransport

PatchRollbackActions:

  • The same as PostPatchInstallActions

A log file named CustomPatchInstallerActions.log will be generated under <SystemDrive>\ExchangeSetupLogs. It can be used to track failures generated during the execution.

NOTE: The script needs to be properly signed; otherwise you need to run "Set-ExecutionPolicy Unrestricted" in order to run the script.
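The three sections and the service order listed above, laid out as one script. This is an added sketch, not the Microsoft template: it assumes each section is a PowerShell function carrying the section's name, that fscutility.exe resolves from PATH, and that the script writes the log file itself; Write-PatchLog, Set-ServiceState and Invoke-FscUtility are hypothetical helper names.

```powershell
# CustomPatchInstallerActions.ps1 (added sketch, not the Microsoft template)
# Assumptions: each "section" is a function with the name the installer expects;
# fscutility.exe is on PATH; this script writes the log file itself.

function Write-PatchLog {
    param([string]$Message)
    # Log location named in the article: <SystemDrive>\ExchangeSetupLogs
    $log = "$env:SystemDrive\ExchangeSetupLogs\CustomPatchInstallerActions.log"
    Add-Content -Path $log -Value ('{0}  {1}' -f (Get-Date -Format 's'), $Message)
}

function Set-ServiceState {
    param(
        [string[]]$Names,
        [ValidateSet('Stop', 'Start')][string]$Action
    )
    foreach ($name in $Names) {
        # Not every server role has every service; skip what is absent.
        if (-not (Get-Service -Name $name -ErrorAction SilentlyContinue)) {
            Write-PatchLog "SKIP  $Action ${name}: service not installed"
            continue
        }
        try {
            if ($Action -eq 'Stop') {
                # -Force also stops services that depend on this one.
                Stop-Service -Name $name -Force -ErrorAction Stop
            } else {
                Start-Service -Name $name -ErrorAction Stop
            }
            Write-PatchLog "OK    $Action $name"
        } catch {
            # Record the failure and carry on so the remaining steps still run.
            Write-PatchLog "FAIL  $Action ${name}: $($_.Exception.Message)"
        }
    }
}

function Invoke-FscUtility {
    param([ValidateSet('/disable', '/enable')][string]$Mode)
    try {
        # Capture the tool's output so it lands in the log, not the pipeline.
        $output = & 'fscutility.exe' $Mode 2>&1
        Write-PatchLog "fscutility $Mode exit code ${LASTEXITCODE}: $output"
    } catch {
        Write-PatchLog "FAIL  fscutility ${Mode}: $($_.Exception.Message)"
    }
}

function PrePatchInstallActions {
    # Stop order from the article, then disable Forefront.
    Set-ServiceState -Action Stop -Names 'MSExchangeSA', 'MSExchangeTransport', 'MSExchangeIS', 'FSCController'
    Invoke-FscUtility -Mode '/disable'
}

function PostPatchInstallActions {
    # Enable Forefront first, then start services in the article's order.
    Invoke-FscUtility -Mode '/enable'
    Set-ServiceState -Action Start -Names 'FSCController', 'MSExchangeSA', 'MSExchangeIS', 'MSExchangeTransport'
}

function PatchRollbackActions {
    # The article defines rollback as the same steps as post-install.
    PostPatchInstallActions
}
```

Running Get-AuthenticodeSignature against the copy placed in Scripts\Customization shows whether it carries a valid signature before the rollup is started.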

You can find the sample CustomPatchInstallerActions.ps1.template script HERE



Yes Virginia, there is an Exchange Server 2010 SP1

April 16, 2010 08:21 by Administrator

While we appreciate all the positive feedback we've received on Exchange Server 2010, we know you all are eager to find out what's been going on in Redmond since November. Today, we are happy to give you a first look at what's coming later this year in Exchange Server 2010 Service Pack 1 (SP1).

SP1 will include fixes and tweaks in areas you've helped us identify, including a roll-up of the roll-ups we've released to date. I also wanted to flag some of the feature enhancements we're excited to bring to you with SP1 including: archiving and discovery enhancements, Outlook Web App (OWA) improvements, mobile user and management improvements, and some highly sought after additional UI for management tasks. This is not an all-inclusive list, so stay tuned for the detailed list coming soon!

In addition to sharing these details with you, I'm pleased to let you know that we'll be offering a beta of SP1 for download in parallel with TechEd North America this June. This will give you a chance to test drive SP1 and prepare for its official release.

Archiving and Discovery Enhancements

With the release of Exchange Server 2010 last November, we introduced integrated archiving capabilities aimed at helping you preserve and discover e-mail data. In SP1, we've enhanced this archiving functionality based on the great feedback you've given us since our launch. This includes adding the flexibility to provision a user's Personal Archive to a different mailbox database from their primary mailbox. This means your organization can now more easily implement separate storage strategies (or tiered storage) for less frequently accessed e-mail. And, we didn't just stop there! We've also added new server side capabilities so you can import historical e-mail data from .PST files, directly into Exchange, as well as IT pro controls to enable delegate access to a user's Personal Archive.

To help streamline the implementation of retention policies, SP1 updates the Exchange Management Console with new tools to create Retention Policy Tags, so you can automate the deletion and archiving of e-mail and other Exchange items. New optional Retention Policy Tags give you even more flexibility in defining your organization's retention management strategy.

Lastly, we've made several improvements to the Multi-Mailbox Search features, which can be used to conduct e-Discovery of e-mail for legal, regulatory or other reasons. A new search preview helps with, for example, early case assessment by providing you an estimate of the number of items in the result set (with keyword statistics) before e-mail located in the search is copied to the designated discovery mailbox. And, you now have a new search result de-duplication option that, when checked, only copies one instance of a message to the discovery mailbox. This can help you reduce the amount of e-mail you need to review following the search. Finally, added support for annotation of reviewed items means you can make your e-Discovery workflow even more efficient and less time consuming or costly.

For those of you that have been holding your breath for this one, we're also happy to let you know that in SP1 timeframe, there will be an update which will enable us to support access to a user's Personal Archive with Outlook 2007.



Released: New & Improved Exchange 2010 Mailbox Server Role Requirements Calculator

April 7, 2010 02:17 by Administrator

By now many of you have leveraged the Exchange 2010 Mailbox Server Role Requirements Calculator. And my name is forever cursed as a result. Why wouldn't it be with over 116 questions that have to be answered and nearly 30 results tables? Yes, the calculator was complicated; I'm sure many of you have thought, "what in the hell were we thinking?"

And let's face it, there are a number of smart folks that have used the calculator and hats off to you guys for questioning our formulas. Yes, I hate to admit it, but we made up a bunch of the calculations (and by we, I really mean Greg Taylor; that guy doesn't know anything about storage, but loves Excel and has coveted owning the storage calculator for a long time). Honestly, we didn't try to make it that difficult, but there were some back room deals with certain vendors that resulted in our hands being tied (yes there were some awkward photos of the ESE and HA teams that sealed our doom).

But times have changed. A few weeks ago, the Exchange team managed to procure some free-lance ninjas. Last night, they successfully infiltrated the vendors in question and retrieved the compromising photos. I never saw so many high fives in my life last night in the Outlook Live datacenter (aka the command center)! That's right folks! Not only does Exchange rock, but we also have some silent ass-kicking ninjas now. That's some epic awesomeness right there. I dare say that we shouldn't expect any future versions of Windows to block upgrades of Exchange any longer! Greg Thiel was so happy he started jumping up and down yelling "I'm going to Disney World!" over and over, and at this very second is boarding a plane to Florida with his family.

But I digress. I'm finally pleased to provide you with the calculator that I've wanted to release since we dreamed up Exchange 2007. This calculator is very streamlined - it only asks a handful of questions and provides you with the data you need in an easy to read manner.

All of us in Exchange are really sorry for all the endless nights and loss of hair we caused all of you over the years with these ridiculous calculators. Hopefully one day you'll forgive us (or me since part of those backroom deals required my name to go on the calculators. Don't ask).

Now, go try out the new version of the calculator and let us know what you think.



Protecting Exchange 2010 DAG (Single Site) Using Data Protection Manager 2010

March 28, 2010 22:21 by Administrator

Our friends over in the Data Protection Manager product group recently posted this article on how you can protect your Exchange 2010 high availability architecture using the next version of Data Protection Manager.  To find out more about DPM 2010, head over to the DPM blog.



Learn about the Exchange 2010 Developer Story Today!

March 20, 2010 09:06 by Administrator

We've just finished our 6 part series of webcasts on six key topics that developers need to know about as they start planning for moving their applications to Exchange 2010.  Those webcasts are now available as on-demand webcasts below, check them out today!  If you'd like a bit more human contact than these webcasts, then come join us at TechEd in Germany or Exchange Connections in Las Vegas next week; or the Microsoft Professional Developers Conference in LA November 17-19th where we'll have great Exchange 2010 Web Services sessions and program managers from the Exchange Web Services team there to answer your questions and get your applications Exchange 2010-ready.

View the webcast now - Exchange Server 2010 Development (Part 1 of 6): Migrating Applications to Exchange Web Services

View the webcast now - Exchange Server 2010 Development (Part 2 of 6): A Deep Dive into Using Autodiscover Service in Exchange Web Services

View the webcast now - Exchange Server 2010 Development (Part 3 of 6): A Deep Dive into Impersonation and Delegation in Exchange Web Services

View the webcast now - Exchange Server 2010 Development (Part 4 of 6): A Deep Dive into Exchange Web Services Notifications (Push/Pull)

View the webcast now - Exchange Server 2010 Development (Part 5 of 6): A Deep Dive into the Exchange Web Services Managed API

View the webcast now - Exchange Server 2010 Development (Part 6 of 6): Best Practices for Building Scalable Exchange Server Applications



Free swag to Exchange user groups!

March 12, 2010 21:28 by Administrator

The Exchange team loves user groups!

If you lead an Exchange user group or want to lead a launch event for Exchange 2010, I'd like to hear from you! We've got (a limited amount of) swag I can offer to support these meetings, and also have some presentations and demos you can use to facilitate them.

To be eligible for a care package, you need to be the leader of a user group that meets to talk about Exchange at least four times a year and has some sort of Web presence I can check out. Email kslough AT Microsoft DOT com with your contact information to request a care package.

These packages are first-come, first-served! Looking forward to hearing from you.



TechNet Webcast: High Availability in Exchange Server 2007 SP1 (Part 2 of 2): Disaster Recovery and SCR Deep Dive

March 8, 2010 06:18 by Administrator

Are you prepared for outages that affect e-mail service or data availability? Have you defined recovery strategies and procedures for disasters big and small?

This Webcast will cover the recommended strategies for protecting Microsoft Exchange Server 2007 messaging service and data, with an emphasis on the ultimate disaster: a full site failure.  Join Scott Schnoll this Friday (August 15, 2008) from 9:30 AM to 10:30 AM PST as he dives deep into standby continuous replication (SCR), which was designed with these disasters in mind. This is a 300-400 level Webcast that covers disaster recovery options and strategies for Exchange 2007 SP1, standby continuous replication, and site resilience.

You can register for this free Webcast at http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032381322&Culture=en-US.



Parallels Announces Parallels Server for Mac with Bare Metal Capabilities

March 1, 2010 01:37 by Administrator

(WEB HOST INDUSTRY REVIEW) -- In a major extension of its server virtualization offerings for Apple environments, cloud services automation and virtualization software Parallels (www.parallels.com) has introduced the world's first bare-metal hypervisor solution for the Apple Xserve.

According to the company's Wednesday announcement, Parallels Server for Mac Bare Metal Edition offers greater performance for applications running in virtual machines on the Xserve, enables businesses to standardize on the Apple platform, and opens a new opportunity for cloud services providers to offer profitable Mac OS X services. The addition of Parallels Virtual Automation provides comprehensive management tools for monitoring and maintaining the virtual environment.

"The 33 percent year-on-year increase in sales of Macintosh computers reported by Apple this quarter indicates a growing interest in Apple hardware," Parallels chief executive officer Serguei Beloussov said in a statement. "Virtualization solutions can help make this a practical reality for users, giving them the ability to run the Windows and Linux applications they need on the Apple system they want. Parallels Server for Mac Bare Metal Edition provides a high performance solution that enables IT professionals and developers to capitalize on the power of Mac OS X Server while having the flexibility to run Windows and Linux workloads both on-premise and through the Cloud."

Building on Parallels' virtualization portfolio for Apple environments (most notably the existing server virtualization solution, Parallels Server for Mac), the new architecture represents the first ever bare-metal hypervisor for Intel-powered Apple systems, offering users greater performance and hot migration, the ability to migrate systems without needing to go completely offline.

"The Xserve offers unbeatable performance, and Mac OS X Server is the world's easiest to use server operating system," said Ron Okamoto, Apple's vice president of Worldwide Developer Relations. "With the Mac more popular than ever, and Parallels' new virtualization tools, there has never been a better or easier time for entire organizations to switch to Mac." 

Not just for on-premise deployments, Parallels Server for Mac Bare Metal Edition presents an opportunity for cloud services providers to diversify their offerings into new growth areas -- capitalizing on Apple's popularity. Parallels' service provider partners can quickly and easily offer profitable Mac OS X services, including Virtual Private Servers and application hosting as a cloud service. 

At this week's Parallels Summit in Miami, hosting company Go Daddy (www.godaddy.com) announced plans to offer Mac OS X services based on virtual private servers built on Parallels Server for Mac Bare Metal Edition. "Go Daddy is always looking for ways to enhance our customer experience, and provide simple solutions," Go Daddy chief operating officer and president Warren Adelman said in a statement. "We do this by offering the products our customers want and need. Together with the innovative minds at Parallels and the usability experts at Apple, we have opened the door to a line of Mac OS X hosting products."