Netscaler to Load balance Virtual Email Appliance

Hi David.

In general you're playing with fire and I would never recommend a load balancer for email unless your talking 10's of millions of message per day.  It's simply not worth it.

A record > firewall > loadbalancer > appliance > exchange 

If not done correctly you will most certainly have issues.  In this scenario the load balancer does not let the mta connect to the appliance.. Instead it will replace the mta ip with its own.   From the appliances perspective you will break RDNS and Filtering options.  (mail from jimmy@gmail.com will be delivered from 10.10.10.1)  it will also prevent you from connection level blocking and delay queue will be impacted. 

However if you really wish to do so..

#1 ensure your load balancer allows the mta to connect to the appliance (if this is possible then configure the rest, if not your appliance will fail to identify bad senders)

#2 configure filtering options

A: Enable policy-level blocking of mail from known bad senders  (this will allow known bad hosts to relay mail instead of been dropped at connection level, it should not impact if the mail is dropped or not however ANY policy that matches may deliver the message)   recommended is to drop the connection at time of connecting.

B: uncheck Enable proactive IP connection control for blocking suspicious hosts

I do NOT recommend doing this unless absolutely necessary.  The BEST method for load balancing is via MX/A records each having its own ip and each pointing to its own appliance.

For example.

;; ANSWER SECTION:
sophos.com. 143 IN MX 10 mx4.sophos.com.
sophos.com. 143 IN MX 10 mx5.sophos.com.
sophos.com. 143 IN MX 10 mx6.sophos.com.
sophos.com. 143 IN MX 10 mx3.sophos.com.
sophos.com. 143 IN MX 10 mx2.sophos.com.
sophos.com. 143 IN MX 10 mx1.sophos.com.

;; ADDITIONAL SECTION:
mx1.sophos.com. 282 IN A 145.253.124.137
mx2.sophos.com. 28 IN A 145.253.124.138
mx3.sophos.com. 289 IN A 198.144.101.25
mx4.sophos.com. 143 IN A 198.144.101.26
mx5.sophos.com. 225 IN A 195.171.192.119
mx6.sophos.com. 282 IN A 195.171.192.120

every time an email is sent, its round robined through all of those addresses.. the is-spam email box probably gets 10M emails a day.   Unless your talking 10's or 100's of millions of emails like o365 or gmail .. dns is the prefered method.

If you only have 1 public ip / A record.. even if you employ the worlds best load balancing for redundancy.. the second you get blacklisted, your done.

If your idea is..

A record > firewall > appliance > load balancer > exchange

In all honesty.. there is no point in devoting hardware for this, simply go into configuration / routing / mail delivery servers  

click add, from the drop down select "create mail delivery group"

create 3 A records, give them all a priority of 10 and enter your downstream exchange servers.

Hi David.

In general you're playing with fire and I would never recommend a load balancer for email unless your talking 10's of millions of message per day.  It's simply not worth it.

A record > firewall > loadbalancer > appliance > exchange 

If not done correctly you will most certainly have issues.  In this scenario the load balancer does not let the mta connect to the appliance.. Instead it will replace the mta ip with its own.   From the appliances perspective you will break RDNS and Filtering options.  (mail from jimmy@gmail.com will be delivered from 10.10.10.1)  it will also prevent you from connection level blocking and delay queue will be impacted. 

However if you really wish to do so..

#1 ensure your load balancer allows the mta to connect to the appliance (if this is possible then configure the rest, if not your appliance will fail to identify bad senders)

#2 configure filtering options

A: Enable policy-level blocking of mail from known bad senders  (this will allow known bad hosts to relay mail instead of been dropped at connection level, it should not impact if the mail is dropped or not however ANY policy that matches may deliver the message)   recommended is to drop the connection at time of connecting.

B: uncheck Enable proactive IP connection control for blocking suspicious hosts

I do NOT recommend doing this unless absolutely necessary.  The BEST method for load balancing is via MX/A records each having its own ip and each pointing to its own appliance.

For example.

;; ANSWER SECTION:
sophos.com. 143 IN MX 10 mx4.sophos.com.
sophos.com. 143 IN MX 10 mx5.sophos.com.
sophos.com. 143 IN MX 10 mx6.sophos.com.
sophos.com. 143 IN MX 10 mx3.sophos.com.
sophos.com. 143 IN MX 10 mx2.sophos.com.
sophos.com. 143 IN MX 10 mx1.sophos.com.

;; ADDITIONAL SECTION:
mx1.sophos.com. 282 IN A 145.253.124.137
mx2.sophos.com. 28 IN A 145.253.124.138
mx3.sophos.com. 289 IN A 198.144.101.25
mx4.sophos.com. 143 IN A 198.144.101.26
mx5.sophos.com. 225 IN A 195.171.192.119
mx6.sophos.com. 282 IN A 195.171.192.120

every time an email is sent, its round robined through all of those addresses.. the is-spam email box probably gets 10M emails a day.   Unless your talking 10's or 100's of millions of emails like o365 or gmail .. dns is the prefered method.

If you only have 1 public ip / A record.. even if you employ the worlds best load balancing for redundancy.. the second you get blacklisted, your done.

If your idea is..

A record > firewall > appliance > load balancer > exchange

In all honesty.. there is no point in devoting hardware for this, simply go into configuration / routing / mail delivery servers  

click add, from the drop down select "create mail delivery group"

create 3 A records, give them all a priority of 10 and enter your downstream exchange servers.