2025-02-22 Update. From: SLTechnology News&Howtos > Servers (shulou)
Shulou (Shulou.com) 06/02 Report
Requirements:
Publish the CA (CRL and Certsrv), Exchange and Office Online Server (OOS) to the Internet through a single public IP so that Internet users can reach them. IIS ARR (Application Request Routing) is used as the reverse proxy that publishes these applications.
Environment:
Two Exchange 2016 servers in a DAG, external domain name yuntcloud.net, DAG VIP 192.168.0.30
CA installed on the primary domain controller, IP 192.168.0.194
Two OOS servers in an NLB cluster (unicast), VIP 192.168.0.32
Two IIS ARR reverse proxy servers in an NLB cluster (unicast), VIP 192.168.0.31
The steps are as follows:
Step 1. Install ARR
Each IIS ARR server has two network cards, one for the internal network and one for the external network (a single network card can be used instead if preferred).
iis-arr-01: private network IP 192.168.0.115, public network IP 192.168.0.133
iis-arr-02: private network IP 192.168.0.112, public network IP 192.168.0.132
(Microsoft's official ARR + NLB article uses a single network card, no domain membership, and changes the computer's NetBIOS name.)
If an internal DNS server is not used, update the hosts file so that the Exchange, OOS and published URL names can be resolved.
The operating system is Windows Server 2012 R2 and the computer names are iis-arr-01.zh-winner.com and iis-arr-02.zh-winner.com. (Note: the servers are not domain-joined; Windows Server 2016 is also supported. Why did I choose 2012 R2 instead of 2016? I don't remember why. Both 2012 R2 and 2016 are supported anyway.)
For the software download, an introduction and the operating procedure, refer to the following sites:
https://www.iis.net/downloads/microsoft/application-request-routing
https://docs.microsoft.com/en-us/iis/extensions/configuring-application-request-routing-arr/achieving-high-availability-and-scalability-arr-and-nlb
https://blogs.technet.microsoft.com/exchange/2013/07/19/part-1-reverse-proxy-for-exchange-server-2013-using-iis-arr/
https://blogs.technet.microsoft.com/nexthop/2013/02/19/using-iis-arr-as-a-reverse-proxy-for-lync-server-2013/
https://technet.microsoft.com/zh-cn/library/jj219455.aspx
http://masteringlync.com/2013/02/12/using-iis-application-request-routing-arr-as-a-tmg-replacement/
Step 2. On IIS-ARR-01 (and likewise on IIS-ARR-02), change the NetBIOS computer name without joining a domain.
Step 3. In Windows Firewall, allow File and Printer Sharing.
Step 4. In Windows Firewall, allow Remote Desktop.
Step 5. On the internal interface, create a persistent static route to every internal network where clients or servers are located. The command has the following form:
route add 192.168.0.0 mask 255.255.0.0 192.168.0.253 -p
[Note: since the two IIS ARR servers in my environment are virtual machines and the internal and external network cards are on the same subnet, a route to the gateway already exists, so this route is not added.]
Install the NLB feature on both IIS ARR servers.
Step 6. Because both servers are Hyper-V virtual machines, unicast mode is used and MAC address spoofing is enabled (on both virtual network cards).
Step 7. Build the NLB cluster on the WAN-side network card; traffic from the public network arrives on the WAN interface.
Step 8. Add the IIS ARR cluster IP: 192.168.0.31
Step 9. Select unicast and keep the remaining defaults. The full Internet name does not need to be filled in here.
Step 10. Add the two IIS ARR machines to the NLB cluster.
Step 11. Below is the ARP information of the two ARR virtual machines and the cluster VIP. If multicast were used, the ARP entry would have to be statically bound on the exit interface G0/0/1 (the current environment uses a Huawei USG6350 firewall and a Huawei S5700 layer 3 switch; the two Hyper-V hosts running the ARR virtual machines connect to a lower layer 2 switch, which uplinks to interface G0/0/1 of the layer 3 switch).
Therefore, if multicast is used, a static ARP binding must be configured on that interface port.
Because internal access does not need to pass through the ARR reverse proxy, the internal DNS records for mail, autodiscover, crl and oos point directly at the back-end addresses:
192.168.0.30 is the DAG VIP of the two Exchange 2016 servers
192.168.0.31 is the NLB VIP of the two ARR servers
192.168.0.32 is the NLB VIP of the two OOS servers
192.168.0.194 is the CA server IP that publishes the CRL (certificate revocation list)
Step 12. Add two A records to the internal DNS server: the internal network card IP of IIS-ARR-01, 192.168.0.115, and the internal network card IP of IIS-ARR-02, 192.168.0.112.
Step 13. On both iis-arr-01 and iis-arr-02, add to the hosts file the Exchange internal and external virtual directory name mail.yuntcloud.net and the full computer names and NetBIOS names of both ARR computers (if these are missing, NLB cluster members can drop out because the names cannot be resolved). The FQDNs of the Exchange servers and the OOS and CRL names must be added as well.
Step 14. Install ARR 3.0 on the IIS ARR servers:
https://www.iis.net/downloads/microsoft/application-request-routing
Step 15. After the installation completes, Server Farms appears in IIS Manager.
Step 16. Select the Default Web Site on IIS-ARR-01. The certificate must be bound on both IIS ARR servers.
Step 17. Copy the Exchange certificate exported earlier to the server, select the IIS server node, open Server Certificates and choose Import.
Step 18. After the import, the certificate is listed as shown in the following figure.
Step 19. Bind the certificate on the default site.
Step 20. If POP and IMAP are needed, pay attention to how the domain names are published on the public network. It is recommended that the public mail and pop names use the same public IP; the client's POP server can then be set to either the pop or the mail domain name.
The domain name information is as follows:
Certificate subject
CN = mail.yuntcloud.net
OU = IT
O = Fengyun Zaiqi Information Technology Co., Ltd.
L = Zhuhai
S = Guangdong Province
C = CN
Subject alternative names
DNS Name=mail.yuntcloud.net
DNS Name=AutoDiscover.yuntcloud.net
DNS Name=zh-winner.com
DNS Name=yuntcloud.net
DNS Name=pop.yuntcloud.net
DNS Name=imap.yuntcloud.net
DNS Name=smtp.yuntcloud.net
DNS Name=ex2016.zh-winner.com
DNS Name=ex2016-02.zh-winner.com
DNS Name=oos.yuntcloud.net
Step 21. Also install the CA root certificate. After installation, open the certificate's Certification Path tab; the CA root certificate is now present in the chain.
Step 22. Now configure the server farms the Exchange servers require. (Note: the following creates a separate farm for each Exchange virtual directory so that the health of each HTTP path can be checked; because our environment uses the single domain name mail for everything, skip this part if your environment matches mine.)
Create a separate server farm and URL rewrite rule for each protocol so that each protocol gets its own health check and a true reverse proxy and load balancing configuration.
The per-protocol health check implemented with IIS ARR works as follows:
1) Make sure that each published protocol uses a different host name:
Get-OWAVirtualDirectory | FL Server, InternalURL, ExternalURL
Server: TS-E2013-CA-01
InternalUrl: https://mail.contoso.com/OWA
ExternalUrl: https://mail.contoso.com/OWA
Server: TS-E2013-CA-02
InternalUrl: https://mail.contoso.com/OWA
ExternalUrl: https://mail.contoso.com/OWA
Get-ECPVirtualDirectory | FL Server, InternalURL, ExternalURL
Server: TS-E2013-CA-01
InternalUrl: https://ecp.contoso.com/ECP
ExternalUrl: https://ecp.contoso.com/ECP
Server: TS-E2013-CA-02
InternalUrl: https://ecp.contoso.com/ECP
ExternalUrl: https://ecp.contoso.com/ECP
Get-WebServicesVirtualDirectory | FL Server, InternalURL, ExternalURL
Server: TS-E2013-CA-01
InternalUrl: https://ews.contoso.com/EWS/Exchange.asmx
ExternalUrl: https://ews.contoso.com/EWS/Exchange.asmx
Server: TS-E2013-CA-02
InternalUrl: https://ews.contoso.com/EWS/Exchange.asmx
ExternalUrl: https://ews.contoso.com/EWS/Exchange.asmx
Get-ActiveSyncVirtualDirectory | FL Server, InternalURL, ExternalURL
Server: TS-E2013-CA-01
InternalUrl: https://eas.contoso.com/Microsoft-Server-ActiveSync
ExternalUrl: https://eas.contoso.com/Microsoft-Server-ActiveSync
Server: TS-E2013-CA-02
InternalUrl: https://eas.contoso.com/Microsoft-Server-ActiveSync
ExternalUrl: https://eas.contoso.com/Microsoft-Server-ActiveSync
Get-OABVirtualDirectory | FL Server, InternalURL, ExternalURL
Server: TS-E2013-CA-01
InternalUrl: https://oab.contoso.com/OAB
ExternalUrl: https://oab.contoso.com/OAB
Server: TS-E2013-CA-02
InternalUrl: https://oab.contoso.com/OAB
ExternalUrl: https://oab.contoso.com/OAB
Get-OutlookAnywhere | FL Server, *Hostname*
Server: TS-E2013-CA-01
ExternalHostname: oa.contoso.com
InternalHostname: oa.contoso.com
Server: TS-E2013-CA-02
ExternalHostname: oa.contoso.com
InternalHostname: oa.contoso.com
2) Create a server farm for each protocol. After each farm is created, add a health test URL.
Health test URL format: https://FQDN/ProtocolName/HealthCheck.htm
Server Farm                 Health Test URL
Autodiscover.contoso.com    https://autodiscover.contoso.com/Autodiscover/HealthCheck.htm
OA.contoso.com              https://oa.contoso.com/rpc/HealthCheck.htm
Mail.contoso.com            https://mail.contoso.com/owa/HealthCheck.htm
ECP.contoso.com             https://ecp.contoso.com/ecp/HealthCheck.htm
EWS.contoso.com             https://ews.contoso.com/ews/HealthCheck.htm
OAB.contoso.com             https://oab.contoso.com/oab/HealthCheck.htm
EAS.contoso.com             https://eas.contoso.com/Microsoft-server-ActiveSync/HealthCheck.htm
Mp.contoso.com              https://mp.contoso.com/mapi/HealthCheck.htm
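An added example (not from the original article) that checks those health URLs the way ARR does, so that an administrator can see which back-end server is unhealthy independently of the farm status shown in IIS Manager. It connects to each back-end server by its own name and sends the farm name in the Host header, which is how this example assumes ARR issues its probes; the farm and server names are the ones used later in this article, and the oos02 FQDN is an assumption. Written in PowerShell for the ARR nodes, which trust the internal CA root (Step 21), so TLS validation is left on.

```powershell
# Added example, not the article's own script: probe each back-end server with
# the farm's HealthCheck.htm path, as ARR's health test does (assumed: connect
# to the server address, send the farm name as the Host header). Returns one
# object per (farm, server) so the result can be filtered or fed to monitoring.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Farm name -> health URL (from the article); farm name -> member servers
$Farms = @{
    'mail.yuntcloud.net'         = 'https://mail.yuntcloud.net/owa/HealthCheck.htm'
    'autodiscover.yuntcloud.net' = 'https://autodiscover.yuntcloud.net/Autodiscover/HealthCheck.htm'
    'oos.yuntcloud.net'          = 'https://oos.yuntcloud.net/hosting/discovery/healthcheck.htm'
}
$Servers = @{
    'mail.yuntcloud.net'         = @('ex2016.zh-winner.com', 'ex2016-02.zh-winner.com')
    'autodiscover.yuntcloud.net' = @('ex2016.zh-winner.com', 'ex2016-02.zh-winner.com')
    'oos.yuntcloud.net'          = @('oos.zh-winner.com', 'oos02.zh-winner.com')   # oos02 FQDN assumed
}

function Test-ArrFarmHealth {
    param(
        [hashtable]$HealthUrls,
        [hashtable]$FarmServers,
        [int]$TimeoutSeconds = 30,          # same as the farm's Time-out setting
        [int[]]$AcceptableStatus = @(200)   # same as Acceptable status codes
    )
    foreach ($farm in $HealthUrls.Keys) {
        $uri = [Uri]$HealthUrls[$farm]
        foreach ($server in $FarmServers[$farm]) {
            # Keep scheme and path of the health URL, but connect to the back-end address
            $probe = [UriBuilder]$uri
            $probe.Host = $server
            $req = [System.Net.HttpWebRequest]::Create($probe.Uri)
            $req.Method = 'GET'
            $req.Host = $uri.Host               # farm name in the Host header
            $req.Timeout = $TimeoutSeconds * 1000
            $req.AllowAutoRedirect = $false     # a redirect is not a healthy 200
            try {
                $resp = $req.GetResponse()
                $code = [int]$resp.StatusCode
                $resp.Close()
            } catch [System.Net.WebException] {
                # 4xx/5xx still carry a response; a time-out or TLS failure does not
                if ($_.Exception.Response) { $code = [int]$_.Exception.Response.StatusCode }
                else { $code = 0 }
            }
            [pscustomobject]@{
                Farm    = $farm
                Server  = $server
                Url     = $probe.Uri.AbsoluteUri
                Status  = $code
                Healthy = ($AcceptableStatus -contains $code)
            }
        }
    }
}

# Show every unhealthy member first; an empty list means all probes returned 200
Test-ArrFarmHealth -HealthUrls $Farms -FarmServers $Servers |
    Sort-Object Healthy, Farm, Server | Format-Table -AutoSize
```

Stopping the OWA application pool on one Exchange server (as in the failover test later in this article) turns that server's mail.yuntcloud.net probe into a non-200 status while the server still answers ping, which is exactly the difference between this layer 7 check and NLB's IP-level detection.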
Step 23. In this environment the same virtual directory name is used everywhere: both ex2016 and ex2016-02 use mail.yuntcloud.net internally and externally.
Step 24. Switch to Server Farms and select Create Server Farm.
Step 25. Server farm name: mail.yuntcloud.net (or any name that identifies this server farm).
Step 26. Add the two Exchange server names.
Step 27. Add them as shown in the following figure. A server can also be removed from its server farm at any time.
Step 28. Click Yes.
Step 29. Select the server farm mail.yuntcloud.net that was just created.
Step 30. Under Caching, uncheck Enable disk cache.
Step 31. Health Test settings. If the server farm contains a single server, this can be left empty. With multiple servers, enter the URL below so that each server is health-checked:
Health Test URL: https://mail.yuntcloud.net/owa/healthcheck.htm
Interval (seconds): 5
Time-out (seconds): 30
Acceptable status codes: 200
Step 31. My environment is IIS ARR 3.0, so Load Balance keeps the default. On IIS ARR 2.5, select Least Current Request.
Step 32. Monitoring and Management shows the status of the two added servers. A health status of Unhealthy means that the server's services are abnormal or down, and client requests will no longer be sent to that server.
Step 33. Proxy settings:
Time-out (seconds): 200
Response buffer threshold: 0
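An added example, not the article's own script, that applies Steps 24 to 33 for the mail farm with the WebAdministration module against applicationHost.config on one ARR node (run elevated, then repeat on the second node). The webFarms element and attribute names used here (server, healthCheck, protocol, cache) are this example's reading of the ARR configuration schema and should be checked against your ARR version; the response buffer threshold from Step 33 is left to the IIS Manager dialog because its attribute name is not confirmed here.

```powershell
# Added example, not from the article: create the mail.yuntcloud.net server farm
# with its members, health test and proxy time-out, then read it back.
# Element/attribute names under webFarms are assumptions about the ARR schema.
Import-Module WebAdministration

$FarmName   = 'mail.yuntcloud.net'
$Members    = @('ex2016.zh-winner.com', 'ex2016-02.zh-winner.com')
$HealthUrl  = 'https://mail.yuntcloud.net/owa/healthcheck.htm'
$psPath     = 'MACHINE/WEBROOT/APPHOST'
$farmFilter = "webFarms/webFarm[@name='$FarmName']"

# Create the farm only if it does not exist yet, so the script can be re-run
if (-not (Get-WebConfiguration -PSPath $psPath -Filter $farmFilter)) {
    Add-WebConfigurationProperty -PSPath $psPath -Filter 'webFarms' -Name '.' `
        -Value @{ name = $FarmName; enabled = 'true' }
}
foreach ($m in $Members) {
    if (-not (Get-WebConfiguration -PSPath $psPath -Filter "$farmFilter/server[@address='$m']")) {
        Add-WebConfigurationProperty -PSPath $psPath -Filter $farmFilter -Name '.' `
            -Value @{ address = $m; enabled = 'true' }
    }
}

# Step 30: disk cache off
Set-WebConfigurationProperty -PSPath $psPath -Filter "$farmFilter/applicationRequestRouting/protocol/cache" `
    -Name 'enabled' -Value 'false'

# Step 31: health test URL, 5 s interval, 30 s time-out, only 200 is acceptable
$hc = "$farmFilter/applicationRequestRouting/healthCheck"
Set-WebConfigurationProperty -PSPath $psPath -Filter $hc -Name 'url'         -Value $HealthUrl
Set-WebConfigurationProperty -PSPath $psPath -Filter $hc -Name 'interval'    -Value '00:00:05'
Set-WebConfigurationProperty -PSPath $psPath -Filter $hc -Name 'timeout'     -Value '00:00:30'
Set-WebConfigurationProperty -PSPath $psPath -Filter $hc -Name 'statusCodes' -Value '200'

# Step 33: proxy time-out of 200 seconds (timeSpan form)
Set-WebConfigurationProperty -PSPath $psPath -Filter "$farmFilter/applicationRequestRouting/protocol" `
    -Name 'timeout' -Value '00:03:20'

# Read the result back instead of trusting the writes
Get-WebConfiguration -PSPath $psPath -Filter "$farmFilter/server" | Select-Object address, enabled
Get-WebConfiguration -PSPath $psPath -Filter $hc | Select-Object url, interval, timeout, statusCodes
```

Keeping the acceptable status code at exactly 200 (rather than the default 200-399 range) is what makes a redirect or an authentication challenge from a half-working back end count as unhealthy, which matches the author's setting.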
Step 34. Routing Rules: uncheck Enable SSL offloading.
Step 35. Delete or disable the rules without SSL, because they are not needed.
Step 36. Select URL Rewrite and edit the inbound rule.
Step 37. Add a condition:
Condition input: {HTTP_HOST}
Pattern: mail.yuntcloud.net
Step 38. Add the following
Step 39. Action: under the action properties, select the corresponding server farm.
Step 40. Set up the server farm autodiscover.yuntcloud.net with the same steps.
Step 41. After the farm is set up, go back to the IIS server node and set the maximum allowed content length as follows.
Step 42. Set up the redirection from HTTP to HTTPS.
Because users are used to typing mail.yuntcloud.net or http://mail.yuntcloud.net, a new rule on port 80 must redirect to HTTPS.
Name: Redirect To HTTPS
Step 43. Edit the inbound rule:
Condition {SERVER_PORT}, type Matches the Pattern, pattern 80
Condition {HTTP_HOST}, type Matches the Pattern, pattern mail.yuntcloud.net
Step 44. Action: Redirect to https://mail.yuntcloud.net/{R:0}, and stop processing subsequent rules.
Step 45. Repeat the same operation on the second ARR machine. Once set up, port 80 is redirected to 443.
Step 46. Because IIS ARR can only proxy HTTP-like traffic (ports 80 and 443), the public ports 80 and 443 are mapped to the NLB VIP of IIS ARR. SMTP, POP and IMAP cannot be reverse-proxied through IIS ARR, so those ports are mapped directly to the DAG VIP 192.168.0.30; the intranet does not need the reverse proxy at all.
Step 47. The private network DNS records are as follows:
Step 48. The private network port mapping is as follows:
192.168.0.31 is the NLB VIP of IIS ARR
192.168.0.30 is the DAG VIP
Step 49. The public DNS names are set as follows:
All related domain names point to the public IP 221.4.214.186
Step 50. The client POP and IMAP settings are as follows:
After shutting down one of the IIS ARR servers and one of the Exchange 2016 servers in turn, Outlook on the public network completes failover within 2 minutes. If the OWA application pool in IIS on one Exchange server is stopped, Outlook and OWA no longer reach the failed Exchange server, which shows that IIS ARR performs layer 7 load balancing at the application layer. (Note: NLB is a layer 3 network-layer load balancer that can only switch over when the IP becomes unreachable; layer 4 load balancing at the transport layer, based on IP plus port, is done by hardware load balancing devices.)
Step 51. If IIS ARR is to publish Exchange and OOS at the same time, the ARR certificate must first be changed to include the certificate names of both Exchange and OOS. To keep things uniform, I replaced the certificates on Exchange, OOS and ARR with one certificate that includes all names.
Step 52. The ARR certificate includes the OOS domain name:
Certificate subject
CN = mail.yuntcloud.net
OU = IT
O = Fengyun Zaiqi Information Technology Co., Ltd.
L = Zhuhai
S = Guangdong Province
C = CN
Subject alternative names
DNS Name=mail.yuntcloud.net
DNS Name=AutoDiscover.yuntcloud.net
DNS Name=zh-winner.com
DNS Name=yuntcloud.net
DNS Name=pop.yuntcloud.net
DNS Name=imap.yuntcloud.net
DNS Name=smtp.yuntcloud.net
DNS Name=ex2016.zh-winner.com
DNS Name=ex2016-02.zh-winner.com
DNS Name=oos.yuntcloud.net
Step 53. The hosts records on ARR are as follows:
Step 54. Create the server farm for Office Online Server.
Refer to the following site:
http://masteringlync.com/2013/02/12/using-iis-application-request-routing-arr-as-a-tmg-replacement/
Step 55. Create the required OOS farm. If the certificate is changed, the corresponding farm has to be rebuilt.
New-OfficeWebAppsFarm -InternalURL "https://oos.yuntcloud.net" -ExternalURL "https://oos.yuntcloud.net" -CertificateName arr -SSLOffloaded -AllowHttp -EditingEnabled
(Note: -SSLOffloaded allows SSL termination to be offloaded to the load balancer.)
Step 56. Add oos02 to the farm:
New-OfficeWebAppsMachine -MachineToJoin "oos.zh-winner.com"
Step 57. Both oos and oos02 are now in the same farm.
Step 58. Server farm name: oos.yuntcloud.net
Step 59. Add the corresponding OOS servers.
Step 60. The Caching settings are as follows.
Step 61. The Health Test is set as follows (with 2 or more servers in the farm this must be set, otherwise the service may fail to open or respond very slowly when one server is shut down):
URL: https://oos.yuntcloud.net/hosting/discovery/healthcheck.htm
Step 62. When a server's health status is Unhealthy, proxied requests are no longer sent to it. Without the health test the server would still show as Healthy even when it is shut down, and requests would continue to be sent to it.
Step 63. The Proxy settings are as follows: time-out 200.
Response buffer threshold: 0
Routing Rules: uncheck Enable SSL offloading
Disable or delete the rule without SSL
Step 64. If HTTP is to be used as well, keep this rule.
Step 65. The relevant settings are as follows. With this setting, oos can also be reached from outside on port 80.
Step 66. Continue with the rule with SSL:
Using: Regular Expressions, Pattern: (.*)
Select Conditions, Add, Condition input: {HTTP_HOST}, Matches the Pattern, Pattern: oos.yuntcloud.net
Step 67. Select Route to Server Farm and select the corresponding oos farm.
Step 68. Next, publish the CA's certificate revocation list.
Step 69. Add a server farm named crl.yuntcloud.net.
Step 70. Add dc01.zh-winner.com to that server farm.
Step 71. The settings are:
Disable the CRL rule with SSL
Inbound rule:
Condition input: {HTTPS}
Pattern: ^OFF$
Step 72. Continue by publishing the CA's Certsrv directory.
Add a dc01 record at Wanwang (the public DNS provider) so that clients can download the CA root certificate themselves.
Step 73. The hosts file on ARR is set as follows, with the private network FQDN addresses of crl and dc01 added.
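An added example, not the article's own, that writes the hosts entries required by Steps 13 and 73 on an ARR node without duplicating lines that are already present, then confirms that each name resolves through the hosts file. The address/name pairs are the ones this article gives; the Exchange server addresses are not stated in the article, so they appear as a labelled placeholder that the function skips with a warning until it is filled in. Run elevated, since the hosts file is write-protected.

```powershell
# Added example, not from the article: idempotently add hosts entries on an ARR
# node and verify resolution. IPs and names are the article's; <EX2016-IP> is a
# placeholder for an address the article does not give.
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$Entries = @(
    @{ Ip = '192.168.0.30';  Names = @('mail.yuntcloud.net', 'autodiscover.yuntcloud.net') }        # DAG VIP
    @{ Ip = '192.168.0.32';  Names = @('oos.yuntcloud.net') }                                       # OOS NLB VIP
    @{ Ip = '192.168.0.194'; Names = @('crl.yuntcloud.net', 'dc01.yuntcloud.net', 'dc01.zh-winner.com') } # CA / DC
    @{ Ip = '192.168.0.115'; Names = @('iis-arr-01.zh-winner.com', 'iis-arr-01') }                  # NLB member
    @{ Ip = '192.168.0.112'; Names = @('iis-arr-02.zh-winner.com', 'iis-arr-02') }                  # NLB member
    @{ Ip = '<EX2016-IP>';   Names = @('ex2016.zh-winner.com') }                                    # placeholder
)

function Set-HostsEntries {
    param([string]$Path, [object[]]$Entries)
    # Index names already mapped in the file, ignoring comments and blank lines
    $existing = @{}
    foreach ($line in (Get-Content -Path $Path -ErrorAction SilentlyContinue)) {
        $t = ($line -replace '#.*$', '').Trim() -split '\s+'
        if ($t.Count -ge 2) {
            foreach ($n in $t[1..($t.Count - 1)]) { $existing[$n.ToLower()] = $t[0] }
        }
    }
    $added = @()
    foreach ($e in $Entries) {
        $ip = $null
        if (-not [System.Net.IPAddress]::TryParse($e.Ip, [ref]$ip)) {
            Write-Warning "Skipping $($e.Names -join ', '): '$($e.Ip)' is not an IP address (fill in the placeholder)"
            continue
        }
        foreach ($name in $e.Names) {
            if ($existing.ContainsKey($name.ToLower())) { continue }   # never duplicate a name
            $added += "$($e.Ip)`t$name"
            $existing[$name.ToLower()] = $e.Ip
        }
    }
    if ($added.Count -gt 0) { Add-Content -Path $Path -Value $added -Encoding ASCII }
    return $added
}

$added = Set-HostsEntries -Path $HostsPath -Entries $Entries
"Added $($added.Count) line(s) to $HostsPath"

# Dns.GetHostAddresses consults the hosts file, unlike Resolve-DnsName
foreach ($e in $Entries) {
    foreach ($n in $e.Names) {
        try   { $a = [System.Net.Dns]::GetHostAddresses($n) | Select-Object -First 1; '{0,-30} -> {1}' -f $n, $a }
        catch { '{0,-30} -> UNRESOLVED' -f $n }
    }
}
```

A name that prints UNRESOLVED here is one that would also make an NLB member or a farm server unreachable by name, which is the failure the author warns about in Step 13.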
Step 74. Create Server Farm...
Step 75. Server farm name: dc01.yuntcloud.net
Step 76. Server address: dc01.zh-winner.com
Step 77. The settings are:
Uncheck Enable disk cache
Time-out: 200
Response buffer threshold: 0
Uncheck Enable SSL offloading
URL Rewrite: disable the rule with SSL
Using: Regular Expressions, Pattern: (.*)
Add the following condition: HTTPS access is not allowed, only HTTP access is allowed
Edit the inbound rule as follows
The final settings are as follows
Action: select the corresponding server farm
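An added example (not the article's own configuration) that writes the ARR global URL rewrite rules from Steps 36 to 45 (mail and autodiscover), 64 to 67 (OOS) and 71 to 77 (CRL and Certsrv) with the WebAdministration module instead of the IIS Manager dialogs, so the whole rule set can be reviewed in one place and applied identically on both ARR nodes. Rule names are invented here; the host patterns are anchored, which is stricter than the unanchored patterns typed into the dialogs. Run elevated; the farm names in the action URLs must match the server farms created earlier.

```powershell
# Added example, not from the article: ARR global rewrite rules as code.
# Each rule matches every URL "(.*)" and applies only when all of its
# conditions hold; rewriting to http(s)://<farm-name>/{R:0} hands the request
# to the ARR server farm of that name.
Import-Module WebAdministration

$psPath = 'MACHINE/WEBROOT/APPHOST'
$rules  = 'system.webServer/rewrite/globalRules'

function Add-ArrGlobalRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][hashtable[]]$Conditions,   # @{ input = '{HTTP_HOST}'; pattern = '^mail\.yuntcloud\.net$' }
        [Parameter(Mandatory)][ValidateSet('Rewrite', 'Redirect')][string]$ActionType,
        [Parameter(Mandatory)][string]$ActionUrl
    )
    $r = "$rules/rule[@name='$Name']"
    # Remove an existing rule of the same name so the script can be re-run safely
    if (Get-WebConfiguration -PSPath $psPath -Filter $r) {
        Remove-WebConfigurationProperty -PSPath $psPath -Filter $rules -Name '.' -AtElement @{ name = $Name }
    }
    # Rules are appended, so the order of the calls below is the evaluation order
    Add-WebConfigurationProperty -PSPath $psPath -Filter $rules -Name '.' `
        -Value @{ name = $Name; patternSyntax = 'ECMAScript'; stopProcessing = 'True' }
    Set-WebConfigurationProperty -PSPath $psPath -Filter "$r/match" -Name 'url' -Value '(.*)'
    foreach ($c in $Conditions) {
        Add-WebConfigurationProperty -PSPath $psPath -Filter "$r/conditions" -Name '.' `
            -Value @{ input = $c.input; pattern = $c.pattern }
    }
    Set-WebConfigurationProperty -PSPath $psPath -Filter "$r/action" -Name 'type' -Value $ActionType
    Set-WebConfigurationProperty -PSPath $psPath -Filter "$r/action" -Name 'url'  -Value $ActionUrl
}

# Mail: only HTTPS reaches the farm (SSL offloading off); port 80 is redirected (Steps 34-44)
Add-ArrGlobalRule -Name 'mail-https' -ActionType Rewrite -ActionUrl 'https://mail.yuntcloud.net/{R:0}' -Conditions @(
    @{ input = '{HTTPS}';     pattern = '^ON$' },
    @{ input = '{HTTP_HOST}'; pattern = '^mail\.yuntcloud\.net$' })
Add-ArrGlobalRule -Name 'mail-redirect-to-https' -ActionType Redirect -ActionUrl 'https://mail.yuntcloud.net/{R:0}' -Conditions @(
    @{ input = '{SERVER_PORT}'; pattern = '^80$' },
    @{ input = '{HTTP_HOST}';   pattern = '^mail\.yuntcloud\.net$' })
# Autodiscover farm, HTTPS only (Step 40)
Add-ArrGlobalRule -Name 'autodiscover-https' -ActionType Rewrite -ActionUrl 'https://autodiscover.yuntcloud.net/{R:0}' -Conditions @(
    @{ input = '{HTTPS}';     pattern = '^ON$' },
    @{ input = '{HTTP_HOST}'; pattern = '^autodiscover\.yuntcloud\.net$' })
# OOS: both the HTTPS and the HTTP rule are kept (Steps 64-67)
Add-ArrGlobalRule -Name 'oos-https' -ActionType Rewrite -ActionUrl 'https://oos.yuntcloud.net/{R:0}' -Conditions @(
    @{ input = '{HTTPS}';     pattern = '^ON$' },
    @{ input = '{HTTP_HOST}'; pattern = '^oos\.yuntcloud\.net$' })
Add-ArrGlobalRule -Name 'oos-http' -ActionType Rewrite -ActionUrl 'http://oos.yuntcloud.net/{R:0}' -Conditions @(
    @{ input = '{HTTPS}';     pattern = '^OFF$' },
    @{ input = '{HTTP_HOST}'; pattern = '^oos\.yuntcloud\.net$' })
# CRL and Certsrv: HTTP only, no HTTPS rule is created (Steps 71 and 77)
Add-ArrGlobalRule -Name 'crl-http' -ActionType Rewrite -ActionUrl 'http://crl.yuntcloud.net/{R:0}' -Conditions @(
    @{ input = '{HTTPS}';     pattern = '^OFF$' },
    @{ input = '{HTTP_HOST}'; pattern = '^crl\.yuntcloud\.net$' })
Add-ArrGlobalRule -Name 'dc01-http' -ActionType Rewrite -ActionUrl 'http://dc01.yuntcloud.net/{R:0}' -Conditions @(
    @{ input = '{HTTPS}';     pattern = '^OFF$' },
    @{ input = '{HTTP_HOST}'; pattern = '^dc01\.yuntcloud\.net$' })

# List the resulting rules in evaluation order so the set can be reviewed
Get-WebConfiguration -PSPath $psPath -Filter "$rules/rule" |
    Select-Object name, @{ n = 'action'; e = { $_.action.type + ' ' + $_.action.url } }
```

Because every rule carries a {HTTP_HOST} condition and stopProcessing, a request for a host name that is not published (or for mail over plain HTTP to anything but the redirect) matches no rule and is answered by the ARR node's own default site rather than being forwarded to a back end.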