Hi,

You're not supposed to have an NLB in the loop, and I would say it's introducing more issues than it could solve!

Please find our Exchange 2013 configuration template here:
https://github.com/exceliance/haproxy/blob/master/configuration_templates/exchange2013_simple_https_load-balancing.tpl

You can use the script below to turn the template into HAProxy configuration:
BASH: https://github.com/exceliance/haproxy/blob/master/configuration_templates/genconf.sh
Powershell: https://github.com/exceliance/haproxy/blob/master/configuration_templates/genconf.ps1

Baptiste

On Fri, Sep 20, 2013 at 7:56 AM, Leo Raikhman <[email protected]> wrote:
> Hi Baptiste,
>
> So you do layer 7 mode http? Would you be able to give me a copy of the config
> whichever works for you?
>
> I'm happy to give that a shot tonight, Australia time... And I'll get back to
> you.
>
> In terms of netscaler, I have a clustered pair that I created a virtual
> server on in tcp mode, balancing port 443 to the NLB IP of the CAS servers -
> it's doing essentially the same thing as the haproxy server is supposed to be
> doing...
>
> Ta,
> Leo
>
> Sent from my iPad
>
>> On 20 Sep 2013, at 3:35 pm, Baptiste <[email protected]> wrote:
>>
>> Hi Leo,
>>
>> I have a lab with a slightly different configuration than yours.
>> In my lab, HAProxy deciphers the traffic, logs everything then reciphers
>> the traffic to the server. Like a man in the middle.
>> I have a round robin algorithm + no session persistence + option
>> http-server-close.
>>
>> I ran the same test as yours.
>>
>> From my lab platform, I can see those URLs requested, in front the
>> server that was used:
>> exch1: "POST
>> /ecp/DDI/DDIService.svc/SetObject?schema=PasswordService&msExchEcpCanary=<SOME
>> BLAH BLAH HERE> HTTP/1.1"
>> exch2: "GET /ecp/PersonalSettings/logoff.aspx?src=exch HTTP/1.1"
>> exch1: "GET /owa/logoff.owa HTTP/1.1"
>> exch2: "GET
>> /owa/auth/logon.aspx?url=https%3a%2f%2fmail.2013.haproxylab.net%2fowa%2flogoff.owa&reason=0
>> HTTP/1.1"
>>
>> so sounds normal I'm logged out after a password update: application design.
>>
>> That said, your configuration should not produce this effect, since
>> all your requests are routed to a single server.
>> Another point: my password has been changed, but now I can't change
>> it anymore due to a password policy issue (whatever I type in, it says
>> my password is too weak)...
>>
>> I'll investigate on this in my platform and keep you updated.
>>
>> Can you tell us exactly how your NetScaler is configured and works
>> with Exchange 2013?
>>
>> Baptiste
>>
>>
>>> On Fri, Sep 20, 2013 at 3:56 AM, Leo Raikhman <[email protected]> wrote:
>>> Hi all,
>>>
>>> I have haproxy 1.5dev19 running in TCP mode in front of my Exchange 2013 CAS
>>> servers. My config is appended.
>>>
>>> It seems that haproxy can't handle the outlook web access redirect. When I
>>> log into OWA 2013, internally, and externally, everything is fine.
>>>
>>> When I click on the "Options" or "Change Password" item on the OWA menu the
>>> URL changes from https://email.company.com/owa to
>>> https://email.company.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2femail.company.com%2fecp%2f%3frfr%3dowa%26owaparam%3dmodurl%253D0%26p%3daccount
>>> and drops me into the Exchange 2013 login page again, except I can't login.
>>>
>>> This does not happen internally, or when I load balance the CAS servers
>>> behind a Citrix NetScaler. Is there something I'm missing? Does haproxy have
>>> a character limit on URLs in TCP mode? Can it not decode the URL encoding of
>>> those characters?
>>>
>>> Please help...
>>>
>>> Config:
>>>
>>> defaults
>>>   option dontlognull
>>>   option redispatch
>>>   option contstats
>>>   retries 3
>>>   timeout connect 5s
>>>   timeout http-keep-alive 1s
>>>   timeout http-request 15s
>>>   timeout queue 30s
>>>   timeout tarpit 1m
>>>   backlog 10000
>>>
>>>   balance roundrobin
>>>   mode tcp
>>>   option tcplog
>>>   log global
>>>   timeout client 300s
>>>   timeout server 300s
>>>   default-server inter 3s rise 2 fall 3
>>>
>>> frontend ft_exchange_tcp
>>>   bind 10.0.0.9:443 name https
>>>   maxconn 10000
>>>   default_backend bk_exchange_tcp
>>>
>>> backend bk_exchange_tcp
>>>   stick-table type ip size 10240k expire 60m
>>>   stick on src
>>>   option redispatch
>>>   option abortonclose
>>>   balance leastconn
>>>   server cas1 10.0.0.15:443 maxconn 10000 check
>>>   server cas2 10.0.0.16:443 maxconn 10000 check
>>>
>>> --
>>> Leo Raikhman
>>> VMware ESX/Storage Consultant
>>> Ph: 0404943618
>>> Email: [email protected]

