Part 1: Reverse Proxy for Exchange Server 2013 using IIS ARR


For a long time, Forefront TMG (and ISA Server before it) has been the go-to Microsoft reverse proxy solution for many applications, including Exchange Server. However, with no further development roadmap for TMG 2010, a lot of customers are looking for an alternative solution that works well with Exchange Server 2013.

The Windows team have added a component called Application Request Routing (ARR, or as Greg the pirate says, ARR!) 2.5 to the Internet Information Services (IIS) role, which enables IIS to handle reverse proxy requests. By combining the URL Rewrite Module with Application Request Routing you can implement complex and flexible load balancing and reverse proxy configurations.

There are two options for implementing this solution, each with its own pros and cons, which I’ll cover in three posts. In this first post, we’ll take a look at:

  1. Installation steps.
  2. Option 1 for implementing ARR as a reverse proxy solution for Exchange 2013 (the simpler of the two configurations).

In the next two posts in the series, we’ll cover the second option and some troubleshooting steps. The troubleshooting steps will also help you verify that you have implemented the reverse proxy solution correctly.

Here’s a diagram of the environment we’ll use when discussing how to implement ARR.

[Image: Arr1, environment diagram]

Prerequisites

  1. The IIS ARR server need not be domain joined; whether or not to domain join it is your choice.
  2. The IIS ARR server should have two NICs, one for the internal network and the other for the external network.

    TIP To make sure you’re configuring and using the right network interface, rename the NICs to Internal and External.

  3. If you’re not using an internal DNS server, update the HOSTS file on the IIS ARR server so that it can resolve the names of the internal CAS and of the published Exchange namespaces.
  4. Make sure you have already set the internal and external URLs for Outlook Anywhere, OWA, EWS and EAS, have your certificates installed correctly, and that all of this is working as expected. If not, get it working first before you add ARR into the mix.

Installing ARR

Requirements: IIS ARR is supported on Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012. It is also supported on Windows Vista, Windows 7 and Windows 8 with the web server features installed. Note that IIS ARR does not require IIS 6.0 compatibility mode.

Note: As with all such changes, we recommend that you test this in a non-production environment before deploying in production environment.

To install IIS with the ARR module on the server identified as the reverse proxy:

  1. Install IIS, including .NET 3.5.1 and Tracing. You can run this command in PowerShell to add all of the required features. (On Windows Server 2012, as noted in the comments below, use Install-WindowsFeature, drop NET-Win-CFAC, which is included in NET-Framework-Core, and replace RSAT-Web-Server with Web-Server.)

    Import-Module ServerManager
    Add-WindowsFeature Web-Static-Content,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Net-Ext,Web-Http-Logging,Web-Request-Monitor,Web-Http-Tracing,Web-Filtering,Web-Stat-Compression,Web-Mgmt-Console,NET-Framework-Core,NET-Win-CFAC,NET-Non-HTTP-Activ,NET-HTTP-Activation,RSAT-Web-Server

  2. Export the Exchange certificate (from a CAS) and import it into the local machine certificate store on the IIS reverse proxy, together with any required root or intermediate certificates; without the full chain, clients connecting through ARR will see certificate errors. See the following topics on how to export and import certificates:
    1. Export an Exchange Certificate
    2. Import a Server Certificate (IIS 7)
  3. On the Default Web Site, add an HTTPS binding and associate the (imported) Exchange certificate.

    [Image: ARR2]

  4. Download and Install the latest version: IIS ARR 2.5.

    If you don’t have internet access on the IIS ARR server, you can use the steps highlighted in How to install Application Request Routing (ARR) 2.5 without Web Platform Installer (WebPI).
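The certificate steps above (2 and 3), scripted as an added example that is not part of the original post: it imports the exported PFX into the machine store, checks that the certificate actually carries the namespaces you are about to publish and that its chain validates on this server, and then binds it to port 443 on the Default Web Site. It uses the PKI and WebAdministration modules of Windows Server 2012; on Windows Server 2008 R2, import the PFX with certutil and add the binding in IIS Manager. The PFX path and the two namespaces are assumptions taken from the Option 1 design below.

```powershell
# Added example (not from the original post): import the Exchange certificate on the
# ARR server, verify it before trusting it, and bind it to 443 on the Default Web Site.
# Assumed values: the PFX path and the two namespaces published in Option 1.
Import-Module WebAdministration
Import-Module PKI                    # Import-PfxCertificate; Windows Server 2012 and later

$pfxPath   = 'C:\Certs\mail.tailspintoys.com.pfx'              # assumption
$pfxPwd    = Read-Host -AsSecureString -Prompt 'PFX password'  # never hard-code it in a script
$published = @('mail.tailspintoys.com', 'autodiscover.tailspintoys.com')

# 1. Import into the local machine Personal store. The private key is imported
#    non-exportable by default, which is what you want on an edge box.
$cert = Import-PfxCertificate -FilePath $pfxPath `
            -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPwd

# 2. Checks a practitioner should make before binding:
#    every namespace ARR will publish must be in the SAN list, the chain must build
#    (i.e. the intermediate/root certificates were imported too), and it must not be
#    about to expire. Fail loudly rather than bind a certificate clients will reject.
$sans    = $cert.DnsNameList | ForEach-Object { $_.Unicode.ToLowerInvariant() }
$missing = $published | Where-Object { $sans -notcontains $_ }
if ($missing) {
    throw "Certificate $($cert.Thumbprint) lacks SAN entries: $($missing -join ', ')"
}
if (-not $cert.Verify()) {
    throw "Chain for $($cert.Thumbprint) does not validate; import the intermediate/root CA certificates"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter)"
}

# 3. HTTPS binding on the Default Web Site, then attach the certificate.
#    IIS:\SslBindings maps <ip>!<port> to a certificate; 0.0.0.0!443 covers all IPv4 addresses.
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -IPAddress '*'
}
if (Test-Path 'IIS:\SslBindings\0.0.0.0!443') {
    Remove-Item 'IIS:\SslBindings\0.0.0.0!443'
}
New-Item 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null

# Show what is now bound so the thumbprint can be compared with the CAS.
Get-ChildItem 'IIS:\SslBindings' | Format-Table IPAddress, Port, Thumbprint -AutoSize
```

Run it in an elevated PowerShell session on the ARR server. The SAN check is the one that catches the most common mistake at this stage: exporting a certificate that covers the CAS host names but not the external namespace the rewrite rules will match on.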

OPTION 1

This is the simplest way of implementing IIS ARR as a reverse proxy solution for Exchange Server 2013. It requires the minimum number of SAN entries in your certificate and the minimum number of DNS entries.

This setup assumes that all protocols (OWA, ECP, EWS, etc.) have been published under the mail.tailspintoys.com namespace.

  • Certificate: mail.tailspintoys.com, autodiscover.tailspintoys.com
  • DNS: Public IP address for each of the above namespaces

Step 1: Create a Server Farm

  1. Open IIS Manager and click on Server Farms.
  2. Create a new farm and give it a name as shown below.

    [Image: ARR3]

  3. On the Add Server page, add each of the Client Access servers and click Finish.

    [Image: ARR4]

  4. Select Yes at the prompt shown below.

    [Image: ARR5]

Step 2: Server Farm Configuration Changes

On the Server Farm settings node make the configuration changes as detailed below:

  1. Select Caching and choose Disable Disk Cache.
  2. Select Health Test. This is used to make sure that a particular application is up and running; it is similar to a load balancer’s service availability test.

    In Exchange 2013 there is a new component called Managed Availability, which uses various checks to make sure that each of the protocols (OA, OWA, EWS, etc.) is up and running. If a protocol fails its check, an appropriate recovery action is taken automatically. (That is a very simple explanation of what Managed Availability is; for a more detailed understanding, watch Ross Smith IV’s TechEd 2013 session.) We are going to leverage one of these checks to make sure that the service/protocol is available.

    https://<fqdn>/<protocol>/HealthCheck.htm is a health-check page that Exchange 2013 serves for each protocol virtual directory. These URLs are specific to each protocol and do not have to be created by the administrator.

    Examples:

    https://autodiscover.tailspintoys.com/Autodiscover/HealthCheck.htm

    https://mail.tailspintoys.com/EWS/HealthCheck.htm

    https://mail.tailspintoys.com/OAB/HealthCheck.htm

    Configure the Health Test with the following settings:

    URL: https://mail.tailspintoys.com/OWA/HealthCheck.htm

    Interval: 5 seconds

    Time-Out: 30 seconds

    Acceptable Status Code: 200

    A CAS whose health page does not answer with a 200 within the time-out is marked unhealthy and taken out of rotation until the test succeeds again. Note that this tests OWA only: a CAS with a healthy OWA but a broken EWS would still receive EWS traffic from this farm.

    [Image: ARR6]

  3. Select Load Balance and choose Least Current Request. There are other options, but for this scenario, we find this to be simple and effective.

    [Image: ARR7]

  4. Select Monitoring and Management. This shows the current state of each CAS in the server farm; the Health Status column is based on the result of the Health Test configured above.

    [Image: ARR8]

  5. Select Proxy and change the two values below. The actual values may need to be tweaked for your deployment, but these usually work well as a starting point.

    Time-Out: 200 seconds

    Response Buffer threshold: 0

  6. Select Routing Rules and uncheck Enable SSL Offloading. SSL offloading is not supported in Exchange 2013, and with it unchecked ARR re-encrypts the traffic it forwards, so client data does not cross the internal network in clear text between the proxy and the CAS.
  7. Select Server Affinity. Due to major architectural changes in the way CAS works in Exchange 2013, we do not need to maintain session affinity: as long as you can reach a CAS, you will be able to access your mailbox. Leave this setting as is; no changes are required.

Step 3: Create URL Rewrite Rules

  1. At the IIS root (the server node, not the Default Web Site) click on URL Rewrite.

    [Image: ARR9]

  2. You should see two URL Rewrite rules already created (these were created when you selected “Yes” at the end of the server farm creation).
  3. Delete the one for HTTP, so that only the HTTPS rule remains and plain-HTTP requests are never forwarded to the CAS.

    [Image: ARR10]

  4. Open the properties of the HTTPS rule and make the changes below:
    1. Under Conditions add a condition for {HTTP_HOST} and make sure it looks like this:

      [Image: ARR11]

    2. Under Action make sure that you have the options below set, i.e., choose the appropriate server farm from the drop-down menu.

      [Image: ARR12]

      Note: Make sure the option “Stop processing of subsequent rules” is selected, so that rule evaluation stops once the requested URL finds a match.

    3. Repeat the same steps (create a server farm and a URL Rewrite rule) for your Autodiscover namespace (i.e., autodiscover.tailspintoys.com). The final result is shown below.

      [Image: ARR13]

That’s it! You now have a reverse-proxy-with-load-balancing solution for your Exchange 2013 environment.
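Steps 1 to 3 above, applied with the WebAdministration module instead of clicking through IIS Manager, as an added example that is not code from the original post. Scripting it makes the configuration repeatable and lets you diff applicationHost.config against a known-good copy. The filters address the sections ARR stores in applicationHost.config (system.webServer/webFarms and system.webServer/rewrite/globalRules) and the attribute names follow arr_schema.xml under %windir%\System32\inetsrv\config\schema, so check that file if your ARR build differs. The farm names, the CAS host names cas1/cas2 and the Autodiscover health-check path are assumptions for this walkthrough.

```powershell
# Added example (not from the original post): Option 1 server farms, farm settings
# and global URL Rewrite rules created with the WebAdministration module.
Import-Module WebAdministration
$apphost = 'MACHINE/WEBROOT/APPHOST'

function New-ExchangeArrFarm {
    param(
        [string]   $FarmName,
        [string[]] $CasServers,
        [string]   $Namespace,                        # published host name, e.g. mail.tailspintoys.com
        [string]   $HealthPath = 'OWA/HealthCheck.htm' # assumption: protocol health page to probe
    )
    $farm = "system.webServer/webFarms/webFarm[@name='$FarmName']"
    $arr  = "$farm/applicationRequestRouting"

    # Step 1: the farm and its Client Access servers.
    Add-WebConfigurationProperty -PSPath $apphost -Filter 'system.webServer/webFarms' -Name '.' -Value @{ name = $FarmName }
    foreach ($cas in $CasServers) {
        Add-WebConfigurationProperty -PSPath $apphost -Filter $farm -Name '.' -Value @{ address = $cas; enabled = $true }
    }

    # Step 2.1: no disk cache on the proxy.
    Set-WebConfigurationProperty -PSPath $apphost -Filter "$arr/protocol/cache" -Name enabled -Value $false
    # Step 2.2: health test against Exchange's own HealthCheck.htm; 5 s interval, 30 s time-out, HTTP 200 required.
    Set-WebConfigurationProperty -PSPath $apphost -Filter "$arr/healthCheck" -Name url             -Value "https://$Namespace/$HealthPath"
    Set-WebConfigurationProperty -PSPath $apphost -Filter "$arr/healthCheck" -Name interval        -Value '00:00:05'
    Set-WebConfigurationProperty -PSPath $apphost -Filter "$arr/healthCheck" -Name timeout         -Value '00:00:30'
    Set-WebConfigurationProperty -PSPath $apphost -Filter "$arr/healthCheck" -Name statusCodeMatch -Value '200'
    # Step 2.3: Least Current Request.
    Set-WebConfigurationProperty -PSPath $apphost -Filter "$arr/loadBalancing" -Name algorithm -Value 'LeastCurrentRequest'
    # Step 2.5: 200 s proxy time-out, response buffer threshold 0.
    Set-WebConfigurationProperty -PSPath $apphost -Filter "$arr/protocol" -Name timeout             -Value '00:03:20'
    Set-WebConfigurationProperty -PSPath $apphost -Filter "$arr/protocol" -Name responseBufferLimit -Value 0
    # Step 2.7: affinity stays at its default (no cookie); nothing to change.

    # Step 3: a single HTTPS-only global rule keyed on the Host header. The https://
    # target is what "SSL offloading unchecked" produces: ARR re-encrypts to the CAS.
    # No HTTP rule is created, so plain-HTTP requests are never forwarded.
    $rules    = 'system.webServer/rewrite/globalRules'
    $ruleName = "ARR_${FarmName}_loadbalance_SSL"
    Add-WebConfigurationProperty -PSPath $apphost -Filter $rules -Name '.' -Value @{ name = $ruleName; patternSyntax = 'Wildcard'; stopProcessing = $true }
    $rule = "$rules/rule[@name='$ruleName']"
    Set-WebConfigurationProperty -PSPath $apphost -Filter "$rule/match"      -Name url  -Value '*'
    Add-WebConfigurationProperty -PSPath $apphost -Filter "$rule/conditions" -Name '.'  -Value @{ input = '{HTTPS}';     pattern = 'on' }
    Add-WebConfigurationProperty -PSPath $apphost -Filter "$rule/conditions" -Name '.'  -Value @{ input = '{HTTP_HOST}'; pattern = $Namespace }
    Set-WebConfigurationProperty -PSPath $apphost -Filter "$rule/action"     -Name type -Value 'Rewrite'
    Set-WebConfigurationProperty -PSPath $apphost -Filter "$rule/action"     -Name url  -Value "https://$FarmName/{R:0}"
}

# Option 1: one farm per published namespace, both fronting the same CAS servers (assumed names).
New-ExchangeArrFarm -FarmName 'Exchange'     -CasServers 'cas1','cas2' -Namespace 'mail.tailspintoys.com'
New-ExchangeArrFarm -FarmName 'Autodiscover' -CasServers 'cas1','cas2' -Namespace 'autodiscover.tailspintoys.com' -HealthPath 'Autodiscover/HealthCheck.htm'

# End-to-end probe from a client whose DNS points the namespace at the ARR server:
# a 200 here means the rule matched, the farm forwarded, a CAS passed the health test
# and the certificate chain validated on the client.
(Invoke-WebRequest -Uri 'https://mail.tailspintoys.com/OWA/HealthCheck.htm' -UseBasicParsing).StatusCode
```

The function is deliberately one-shot: adding a farm or rule that already exists throws, which is the behaviour you want on a box whose configuration you expect to match the script. Compare the result with the UI by opening the farm's pages in IIS Manager, or read it back with Get-WebConfiguration on the same filters.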

Give it a try and see how it works. Make sure DNS for mail.tailspintoys.com resolves to your reverse proxy and try connecting a client. If it doesn’t work, go back through the steps and see where you went wrong. If it still doesn’t work, post a comment here or wait for Part 3, Troubleshooting (so please don’t do all this for the first time in a production environment! Really, we mean it!).

Finally, here are a couple of additional changes we recommend you review and optionally make to your IIS ARR configuration.

  1. Implement the changes (Steps 3 and 4) from Install Application Request Routing Version 2.
  2. To optimise RPC-over-HTTP traffic, click on the root of IIS and open Request Filtering. Click “Edit Feature Settings” and change “Maximum allowed content length” to the value shown below.

    [Image: ARR14]

We’ve spent time testing this configuration and found it to work as we hoped and expected. Note that support for IIS ARR is provided by the Windows/IIS team, not Exchange. That’s no different than support for TMG or UAG (if you use either of these products to publish Exchange).

We would really appreciate any feedback on your implementation and/or any configuration where this doesn’t seem to work.

Keep your eyes peeled for the next set of articles, where we’ll talk about slightly more complex and interesting implementations of IIS ARR for Exchange 2013.

I would like to thank Greg Taylor (Principal PM Lead) for his help in reviewing this article.

Part 2 | Part 3

B. Roop Sankar
Premier Field Engineer, UK


Comments (42)
  1. Milind Naphade says:

    Excellent, that ARR can work with Exchange is good news. I always liked this option over other load balancing methods, but it was never possible to use it with Exchange Servers. Good move, gentlemen!

  2. Dame Luthas says:

    Awesome move!

    No need to use the F5 APM anymore..

    Dame

    thelifestrategist.wordpress.com

  3. Tim Seery says:

    ARR can also provide a reverse proxy option for Lync: http://technet.microsoft.com/en-us/library/gg398069.aspx

  4. zumarek says:

    Anyone tried this with Exchange 2010 ?

  5. solgae says:

    It does work with Exchange 2010 – we have it set up for reverse proxying autodiscover and EWS.

  6. itworkedinthelab says:

    Sounds cool, BUT

    the only thing it really "buys" you is that it will block any other URL but those that are published,

    compared to TMG/ISA content inspection inside those packets also, no?

    So it's a nice little cheap solution, I admit, but it really does need an additional layer if you ever want to secure and monitor what's going on inside that RPC traffic, for example…

    I guess it's cool :)

  7. Ajay Kakkar says:

    Can you please describe below point:

    1.) Load balancing in ARR for CAS will be intelligent or is it just like Round-Robin?

    2.) Can we deploy two ARR server with windows NLB to achieve HA?

  8. Vik Singh says:

    Excellent Article.

  9. Chris M. says:

    We are planning to implement a CAS load balancer. Could this solution work instead? We are running Exchange 2010.

  10. Chris Dearie says:

    This is great. I really think this is a great direction. TMG just wasn't scaling anymore and its content inspection is from the days of IIS 5. For me, just having a solution that pre-auths external connections before they can hit the internal prod servers will help me sleep.

    QUESTION: Where did you get the stencils for your first illustration? Is this a new Visio stencil?

  11. Brian Day [MSFT] says:

    @Chris Dearie, if you Bing terms like Exchange 2013 Visio stencil you should end up at this in the end; http://www.microsoft.com/…/details.aspx

  12. KEith Gibson says:

    Great article.  I can get OWA and ECP to work fine but when using EWS I get a 502 error – Web server received an invalid response while acting as a gateway or proxy server.   Any ideas where I am going wrong?

  13. Roop Sankar [MSFT] says:

    @Ajay –  

    1. When you set the option to "Least Current Request", then the traffic is distributed based on the current number of HTTP requests between ARR and each of the CAS servers. Requests are routed to the server with the least number of current HTTP requests.

    This article would give you additional information on the available Load Balancing algorithms in IIS ARR.

    technet.microsoft.com/…/dd443524.aspx

    2.
    http://www.iis.net/…/achieving-high-availability-and-scalability-arr-and-nlb

    @Keith – Make sure that the EWS external and internal URLs have been published correctly. Run Get-WebServicesVirtualDirectory to see the namespace EWS is published on.

    Example: mail.tailspintoys.com/…/Exchange.asmx

  14. Keith Gibson says:

    Hi Roop

    Both URL's are set correctly….any other ideas?

    Thanks

    Keith

  15. Cameron Murray says:

    ARR is a great reverse proxy, but it doesn't provide pre-authentication like TMG does it? This is the big selling point with other application proxies like TMG..

  16. Keith Gibson says:

    Hi Roop

    The 502 – Bad Gateway error I was getting is a bug in ARR when used with Windows 2012.  Here is the fix:

    http://www.microsoft.com/…/details.aspx

    Just in case anyone else gets this frustrating problem!

    Working a treat now

  17. High Availability? says:

    How should you configure redundancy between 2 ARR boxes?

  18. Roop Sankar [MSFT] says:

    @ Keith — That’s a bit strange that this patch fixed the EWS issue while OWA and ECP were already working without this patch. So I don’t think this is a bug as such, but I am investigating this behaviour. Also, this patch is for IIS 7.0 and IIS 7.5, so it applies to both Windows Server 2008 R2 and Windows Server 2012. Anyway, happy to hear that you have this all working now.

    @Cameron — That is correct, IIS ARR doesn’t provide any pre-authentication. If pre-auth is a requirement then you can look at Web Application Proxy (WAP) which is available in Windows Server 2012 R2.

    Enable Work from Anywhere without Losing Sleep: Remote Access with the Web Application Proxy and VPN Solutions

    channel9.msdn.com/…/WCA-B333

    @ High Availability — You can configure two IIS ARR boxes either in an Active/Passive or Active/Active configuration.

    Active/Passive –  This configuration achieves high availability.

    Active/Active –  This configuration achieves both high availability and scalability.

    Achieving High Availability and Scalability – ARR and NLB

    http://www.iis.net/…/achieving-high-availability-and-scalability-arr-and-nlb

  19. Keith Gibson says:

    I can't get this to work if I have both my CAS servers online in the Server Farm.  With both online I can't get past the login page.  I put the login details in and click Sign-in and it just returns me to the login page again.  If I take one of the servers off-line it works correctly.  As soon as I enable both servers it fails to login again.

    Any ideas?

  20. bwitch says:

    one question: what about SMTP?

  21. Petri X says:

    How to filter out non- Exchange URLs?

  22. Diego Arias says:

    Hi:

    Does Outlook Anywhere Works?

  23. Roop Sankar [MSFT] says:

    @bwitch — IIS ARR cannot be used for SMTP

    @Petri X — Every URL that IIS ARR receives is evaluated against the URL Rewrite Rules you (the admin) have defined. So if you take the examples from this article, then IIS ARR will BLOCK all requests except the ones for mail.tailspintoys.com and autodiscover.tailspintoys.com. Hence any URLs that the admin has not defined in IIS ARR will be blocked by default.

    @ Diego Arias — Yes, it does work for Outlook Anywhere.

  24. Jim says:

    What about TMG authentication such as Radius with constrained delegation, Certificate Based with Constrained Delegation, NTLM with constrained delegation?

    We are using these authentication methods to enable finger print authentication for OWA, certificate authentication for ActiveSync, and NTLM with constrained delegation for Outlook Anywhere, respectively.

  25. Greg Taylor [msft] says:

    What about them, Jim? ARR is one option, TMG is another (using RADIUS is very slow performance-wise, by the way; you should switch to LDAP or direct AD). This article covers ARR only.

  26. Petri X says:

    Roop,

    Aah, you speak about host name filtering, but I meant the URL path filtering (after the hostname).

    On the "URL Rewrite" picture you have now "URL Path = *", which basically allows everything to come in. But is it so, that if you add URL path=/owa/* the ARR will block everything else, except OWA traffic (assuming the host part is valid)? Or let the ARR be the request as untouched if it cannot find the rewrite rule (assuming still that host part is valid)?

  27. Roop Sankar [MSFT] says:

    @Petri X — Yes, you can have IIS ARR further "filter" for the URL path after the hostname i.e: /OWA/*, /ECP/* etc. IIS ARR can indeed be configured to verify both the Hostname (mail.tailspintoys.com) and the URL path (/OWA) before blocking or allowing the traffic/request through.

    And just as wishful thinking, I have talked about this in "Part3" of the series, which is going to be published soon :-)  
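Following on from the exchange above, here is an added example (not code from the post or its author) that turns the Option 1 rule from Step 3 into a path allow-list and adds an explicit default-deny rule, so a request that is neither for a published host nor for an Exchange virtual directory gets a 403 from the proxy rather than being handed to whatever the Default Web Site happens to serve. The rule name assumes the ARR_<farm>_loadbalance_SSL naming that ARR uses for the rules it generates; the list of virtual directories is an assumption and should be trimmed to what you actually publish (the Get-*VirtualDirectory cmdlets on a CAS give the authoritative list).

```powershell
# Added example (not from the original post): restrict the Option 1 rule to known
# Exchange virtual directories and deny everything else at the proxy.
Import-Module WebAdministration
$apphost = 'MACHINE/WEBROOT/APPHOST'
$rules   = 'system.webServer/rewrite/globalRules'

# Virtual directories a client is expected to reach through this proxy (assumption;
# trim to the set you publish).
$vdirs = 'owa','ecp','ews','oab','autodiscover','Microsoft-Server-ActiveSync','rpc'

# Global-rule input is the request path without the leading slash or query string,
# e.g. "owa/auth/logon.aspx". Allow "<vdir>" or "<vdir>/..." and nothing else.
$allow = '^(' + (($vdirs | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')(/.*)?$'

# Assumption: the rule ARR generated for the 'Exchange' farm in Step 3.
$rule = "$rules/rule[@name='ARR_Exchange_loadbalance_SSL']"

# Switch the rule from the wildcard "*" to a regular expression. The Host header
# condition becomes a regex as well, so anchor it and escape the dots; otherwise
# "mail.tailspintoys.com.attacker.example" would still match.
Set-WebConfigurationProperty -PSPath $apphost -Filter $rule          -Name patternSyntax -Value 'ECMAScript'
Set-WebConfigurationProperty -PSPath $apphost -Filter "$rule/match"  -Name url           -Value $allow
Set-WebConfigurationProperty -PSPath $apphost -Filter "$rule/conditions/add[@input='{HTTP_HOST}']" `
    -Name pattern -Value '^mail\.tailspintoys\.com$'

# Default deny: appended last, so it only sees requests no earlier rule stopped on.
$denyName = 'ARR_deny_unpublished'
if (-not (Get-WebConfiguration -PSPath $apphost -Filter "$rules/rule[@name='$denyName']")) {
    Add-WebConfigurationProperty -PSPath $apphost -Filter $rules -Name '.' `
        -Value @{ name = $denyName; patternSyntax = 'ECMAScript'; stopProcessing = $true }
}
$deny = "$rules/rule[@name='$denyName']"
Set-WebConfigurationProperty -PSPath $apphost -Filter "$deny/match"  -Name url          -Value '.*'
Set-WebConfigurationProperty -PSPath $apphost -Filter "$deny/action" -Name type         -Value 'CustomResponse'
Set-WebConfigurationProperty -PSPath $apphost -Filter "$deny/action" -Name statusCode   -Value 403
Set-WebConfigurationProperty -PSPath $apphost -Filter "$deny/action" -Name statusReason -Value 'Forbidden'

# Offline check of the allow-list against constructed request paths, so the regex
# can be reviewed before it is trusted with production traffic.
$probe = [ordered]@{
    'owa/auth/logon.aspx'          = $true
    'Microsoft-Server-ActiveSync'  = $true
    'ecp'                          = $true
    'rpc/rpcproxy.dll'             = $true
    'owa2/x'                       = $false
    'default.aspx'                 = $false
    'owa/../aspnet_client/x.aspx'  = $true   # matches here; IIS normalises ".." before URL Rewrite sees it
}
$probe.GetEnumerator() | ForEach-Object {
    $hit = $_.Key -imatch $allow
    '{0,-30} allowed={1,-5} expected={2}' -f $_.Key, $hit, $_.Value
}
```

Repeat the same edit for the Autodiscover rule with the autodiscover host and, if you like, a shorter allow-list. The deny rule also covers the case raised in comment 35: a request arriving over plain HTTP for a published host no longer reaches the Default Web Site's content, because the HTTPS-only rules do not stop processing for it and the final rule does.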

  28. Bernd says:

    Excellent!

    What about sizing the ARR Reverse Proxy with RAM and CPU, especially in a VM environment?

  29. rtenhet@nmhs.net says:

    If my IIS ARR server is sitting in a DMZ and the "internal" interface is separated from the CAS servers by a firewall, what ports/protocols need to be allowed between the ARR and CAS servers?

    I also have some sizing questions like Bernd asked in a previous post.

    Thanks

    Richie

  30. Tom says:

    I tried this and the outlook activity test could not reach the RPC server. I tried installing RPC over HTTP on the ARR server and I get a 401 access denied. If I route the traffic directly to the Exchange server I have no problem. Is there something special that you have to do on the ARR server to get RPC to work?

  31. JustRebuildIt says:

    I also only receive HTTP 401 whilst trying to connect to an Exchange 2010 NLB CAS Array.  Any suggestions?

  32. Brian Gibson says:

    Is there a way to use client certificates with this method?  We can no longer use KCD with TMG and I was hoping this was the solution to replace that but it doesn't work either.  I get 502 errors when I try to use client certificates.

  33. itpadla says:

    I have the same situation as @Keith Gibson

    I can't get this to work if I have both my CAS servers online in the Server Farm.  With both online I can't get past the login page.  I put the login details in and click Sign-in and it just returns me to the login page again.  If I take one of the servers off-line it works correctly.  As soon as I enable both servers it fails to login again.

    All servers are Windows Server 2012, ARR 3.0

    Have you got any ideas?

  34. IMP says:

    Can ARR be used with single NIC? Our single NIC is able to communicate both externally and internally

  35. igibason says:

    Hi Everyone,

    First gratz again on this great article.

    As for @Keith Gibson and @itpadla I was having the same issue where both servers are enabled and when I enter my login details, click sign-in, it would just return me to the login page.  This was for logging into the ECP.  To resolve this I actually enabled Client Affinity on the Server Farm settings.

    This leads me into my questions.

    1. Why do we have HTTPS and not HTTP in the inbound rules in URL Rewrite? I am finding that if I want to go to OWA I need to enter https://… but if I type in HTTP it responds with a simple IIS page. Is there a way to redirect from HTTP to HTTPS and still keep the rule setup in this article?

    2. Next, is it OK to enable Client Affinity on my ECP server farm?  Does this open any security issues from the client to the ARR IIS server?

    Thanks…

  36. How does this relate to the Web Application Proxy feature just released in Server 2012 R2?

  37. Jeroen Struijk says:

    Good blog, I managed to get Outlook Anywhere (rpc) working after some troubleshooting.

    I already had ARR 2.5 installed on a Windows 2012 domain controller, which worked for some other websites than Exchange 2013. I managed to get OWA working(ish), but with this blog I got it right.

    Only thing that didn't work was Outlook Anywhere, it kept coming with a user and password window. In the log files I found error 400 and 401.

    Eventually found that in IIS on the CAS server, in the rpc virtual directory the Basic authentication was disabled. When manually enabling Basic authentication, Outlook Anywhere works like a charm.

    After that I made a change in the Outlook Anywhere config in Exchange. For both internal and external I set Basic authentication.

  38. Jeroen Struijk says:

    Afterwards I upgraded Windows 2012 to R2 and ARR 2.5 to 3.0.

    It still works without modifying the configuration.

  39. tsperbeck@enzy.com says:

    I too am questioning the need for two network interfaces on the ARR Server.  I've seen this suggestion in a number of ARR How-To articles, but haven't seen an explanation as to why.  When you suggest an "internal" network interface, are you proposing that it be connected directly to a subnet/VLAN on the internal network?  If so, that would be circumventing a network firewall checkpoint, which I don't think we should be comfortable with.

  40. Uilson Souza - MCTS MTAC says:

    Sankar, May I use ARR for another web app than OWA or Lync?

  41. Michel says:

    Installing the required roles and features on Windows Server 2012, "NET-Win-CFAC" and "RSAT-Web-Server" are not available. "NET-Win-CFAC" is part of .NET Framework 3.5.1 and is automatically installed with "NET-Framework-Core". "RSAT-Web-Server" is renamed to "Web-Server". So the command for installing the required roles and features is:

    Install-WindowsFeature Web-Static-Content,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Net-Ext,Web-Http-Logging,Web-Request-Monitor,Web-Http-Tracing,Web-Filtering,Web-Stat-Compression,Web-Mgmt-Console,NET-Framework-Core,NET-Non-HTTP-Activ,NET-HTTP-Activation,Web-Server
