Hey ZLB users, I am in the process of selecting a clustered (HA) load
balancing solution for both Exchange 2013 and our Anti-Spam SMTP gateway.
We are after a transparent LB solution so that our servers see the original
IP of client traffic. From an Exchange 2013 perspective, we are looking at
SSL offloading also.
I am having trouble getting my head around the network architecture required
to get this working correctly. If ZLB could work as a NAT gateway with both
a Public VIP and Private VIP (gateway), as our current HAProxy LB is
working, I would be set, but I am trying to work out a transparent solution
within our current IP infrastructure that will work effectively.
Our public IP allocation is as follows.
A /30 subnet on the outside of our firewall, routing to a /28 subnet on the
inside of the firewall.
We also have a private subnet running on a LAN interface of the firewall.
For the private subnet, the firewall's LAN IP address acts as the gateway
and NATs all outbound traffic via the /30 public IP address.
Here lies the problem.
We need to have 2 clusters of load balancers, as we need to balance two
different streams of SMTP traffic; therefore each of the clusters needs to
be assigned an IP address from our /28 subnet. If we do this and NAT the
relevant inbound traffic to the required ZLB cluster, the SMTP servers will
send return traffic from our /30 IP, as they will be using the firewall as
the gateway.
Similarly, we have the same issue with HTTPS, POP and IMAP for the Exchange
CAS servers.
Possible solutions to our problem:
1. This may be averted by some MESSY NAT rules on the firewall,
NAT'ing (translating) the public /30 IP address to the original inbound /28
address, but as I said, that would be EXTREMELY MESSY.
2. Install another router on the /28 subnet with 2 public interfaces
(one for each IP) and 2 x private subnets with NAT on each, one for each ZLB
cluster. This removes HA, as the router is then a single point of failure; if
we are to install HA for the routers, it once again becomes EXTREMELY MESSY.
3. Use HAProxy (not as user friendly).
Surely, there is an easy way around this, or am I looking at the problem
from the wrong perspective?
All feedback welcome.
Thanks
Paul
_______________________________________________
Zenloadbalancer-support mailing list
https://lists.sourceforge.net/lists/listinfo/zenloadbalancer-support