Hi, from my point of view, an HTTPS offload farm would be the best option for
Exchange; the HTTPS farm adds the X-Forwarded-For header and you could know the
client IP with this configuration.

And an L4 farm with DNAT for SMTP or POP; the load balancer would be the
gateway for the backends in a private subnet where your FW is the GW for the
ZLB.

Both configurations can work like a charm in the same network.

Any feedback will be appreciated.

Regards
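Added example, not code from this thread or from the Zen Load Balancer project: the check a backend behind the HTTPS offload farm should apply before it trusts the X-Forwarded-For header the farm adds. It accepts the header only when the TCP peer is one of the farm's own backend-facing addresses (the 10.0.0.0/24 range below is a constructed assumption) and takes the rightmost untrusted hop, so a value the client prepended itself cannot spoof the IP that gets logged or used for access decisions.

```python
import ipaddress
from typing import Optional

# Constructed assumption: the addresses from which the HTTPS offload farm
# connects to the backends. Only these peers are allowed to set X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _is_trusted(addr: str) -> bool:
    """True if addr is a syntactically valid IP inside a trusted proxy range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, xff_header: Optional[str]) -> str:
    """Return the client IP a backend should record for one request.

    peer_addr is the TCP peer of the backend socket. When the peer is the
    offload farm, walk the X-Forwarded-For chain from the right and discard
    trusted hops: the rightmost untrusted address is the one the farm actually
    saw connect to it. Anything further left was supplied by the client and
    may be forged, so it is never used.
    """
    if not _is_trusted(peer_addr):
        # Direct connection (e.g. through the L4 DNAT farm, which preserves the
        # source address): the socket peer is the client; ignore any XFF it sent.
        return peer_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop):
            return hop
    # Header missing or made up only of trusted proxies: fall back to the peer.
    return peer_addr
```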
On 20/03/2014 01:18, "Paul Mitchener" <[email protected]> wrote:

> Hey ZLB users, I am in the process of selecting a clustered (HA) load
> balancing solution for both Exchange 2013 and our Anti-Spam SMTP gateway.
>
> We are after a transparent LB solution so that our servers see the
> original IP of client traffic. From an Exchange 2013 perspective, we are
> looking at SSL offloading also.
>
> I am having trouble getting my head around the network architecture
> required to get this working correctly. If ZLB could work as a NAT gateway
> with both a Public VIP and Private VIP (gateway), as our current HAProxy LB
> is working, I would be set, but I am trying to work out a transparent
> solution within our current IP infrastructure that will work effectively.
>
> Our public IP allocation is as follows.
>
> /30 subnet on the outside of our firewall routing to a /28 subnet on the
> inside of the firewall
>
> We also have a private subnet running on a LAN interface of the firewall
>
> For the private subnet, the firewall's LAN IP address acts as the gateway
> and NATs all outbound traffic via the /30 public IP address.
>
> Here lies the problem.
>
> We need to have 2 clusters of load balancers as we need to balance to
> different streams of SMTP traffic, therefore each of the clusters needs to
> be assigned an IP address from our /28 subnet. If we do this and NAT the
> relevant inbound traffic to the required ZLB cluster, the SMTP servers will
> send return traffic from our /30 IP, as they will be using the firewall as
> the gateway.
>
> Similarly, we have the same issue with HTTPS, POP and IMAP for the
> Exchange CAS servers.
>
> Possible solutions to our problem
>
> 1. This may be averted by some MESSY NAT rules on the firewall,
> NATing/translating the public /30 IP address to the original inbound /28
> address, but as I said, that would be EXTREMELY MESSY.
>
> 2. Install another router on the /28 subnet with 2 public
> interfaces (one for each IP) and 2 x private subnets with NAT on each, one
> for each ZLB cluster. This removes HA, as the router is then a single point
> of failure; if we are to install HA for the routers, it once again becomes
> EXTREMELY MESSY.
>
> 3. Use HAProxy (not as user friendly).
>
> Surely, there is an easy way around this, or am I looking at the problem
> from the wrong perspective?
>
> All feedback welcome.
>
> Thanks
> Paul
>
> _______________________________________________
> Zenloadbalancer-support mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/zenloadbalancer-support
>
>