Wednesday, March 3, 2010

ISA/TMG Load Balance CAS Servers????

One of the most frequently asked questions on the Exchange forums is how to load balance CAS servers. I think the excitement about Exchange being redundant by nature (DAG) is bringing all these good questions and scenarios to the table.

I recently learned some great information on this and wanted to pass it on to you guys to clear up some of the confusion that may exist.


Can TMG/ISA be used to load balance the CAS servers?


ISA or TMG cannot load balance RPC traffic; it can only load balance Internet protocol traffic )-: (HTTPS, OA)

It is possible to use WNLB (Windows Network Load Balancing) with HT/CAS servers. However, there are caveats to doing this, such as:

  • Scalability: more than 8 nodes in WNLB with E2010 CAS is not recommended.
  • Network flooding: WNLB may cause network flooding.
  • Lack of service awareness: WNLB is only aware of whether the IP is up or down.
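The service-awareness caveat above, shown as an added example that is not from the original post: two constructed local stub nodes both accept connections, but one returns an error for every request. The stubs, the plain-HTTP transport and the `/healthcheck` path are assumptions made so the sketch runs offline; a real probe would target the HTTPS service the CAS servers publish.

```python
import http.client
import http.server
import socket
import threading
class StubNode(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a CAS node; its web service may be failing."""
    def do_GET(self):
        self.send_response(200 if self.server.healthy else 503)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):  # keep the demo quiet
        pass

def start_node(healthy):
    srv = http.server.HTTPServer(("127.0.0.1", 0), StubNode)
    srv.healthy = healthy
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def ip_level_up(host, port, timeout=2.0):
    """IP/port-only view: the node counts as up if it accepts a connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def service_level_up(host, port, path="/healthcheck", timeout=2.0):
    """Service-aware view: node must answer with HTTP 200 (path is hypothetical)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        return conn.getresponse().status == 200
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()

def demo():
    nodes = [start_node(True), start_node(False)]  # second node: service down
    addrs = [("127.0.0.1", n.server_port) for n in nodes]
    ip_pool = [a for a in addrs if ip_level_up(*a)]
    svc_pool = [a for a in addrs if service_level_up(*a)]
    for n in nodes:
        n.shutdown()
        n.server_close()
    return len(ip_pool), len(svc_pool)

if __name__ == "__main__":
    print(demo())
```

A balancer that only sees the first result keeps sending clients to the node whose service is failing.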

So, in summary:


| Configuration | Verdict | Notes |
|---|---|---|
| WNLB with HT/CAS | Possible but not recommended | Network flooding & lack of service awareness |
| WNLB MBX+CAS | Not possible!!! | Limitation built into Windows (hard-blocked) |
| ISA/TMG | Cannot load balance RPC traffic | Only Internet protocol traffic, such as HTTPS, OA |

  • RPC traffic load balancing is possible with a hardware load balancer, which obviously will introduce extra $$$$.


As I learn more on this matter, I will come back and update this information.

Best regards,

Oz Casey, Dedeal

MCSE 2003, M+, S+, MCDST
Security+, Project+, Server+

Glenn Blinckmann said...

You know, you do have a couple of options with this. First, you could do round-robin DNS. It's also not service-aware, but you don't have the flooding problem.

You could also switch to using Outlook Anywhere internally. This would allow you to load balance HTTPS only. This is a lot simpler for the load balancer. It's also sometimes looked at as a security enhancement in some environments as this is all encrypted HTTPS and allows you to firewall RPC traffic from the Exchange servers.

Pushpendu said...

My 2 cents - why would anyone want to use ISA 2006 or TMG to load balance RPC traffic over the Internet in case of a reverse proxy? ISA 2006 or TMG has Outlook Anywhere templates (as Glenn pointed out) which is precisely used for securing RPC over HTTPS. So as long as ISA provides load balancing for HTTP or HTTPS it would solve your purpose.