
Netscaler to Load balance Virtual Email Appliance

Hi Everyone,

We are about to configure NetScaler to Load balance (internally) the traffic between two clustered appliances and I wonder if anyone else did it using NetScaler or another LB solution and what recommendations would you have in regards to configuration, persistency settings etc...

We are doing this to have a site and component resilient SMTP proxy in the event of a site or appliance failure.


thanks in advance.

David P



  • Yeah, if you are going to use a load balancer you must configure it at Layer 4 (Transport Layer), which does mean that the email appliances will need to be in their own network zone (IP range, etc.) with their gateway pointing at the load balancer (there are other ways, but that is the easiest). For internal traffic this might be harder.

    It needs to be at Layer 4 as above; you need to know about RDS and connection-level transactions.

    For internal traffic it might be OK, though, to simply do it at the application layer (SMTP), but it might be a huge security risk, as then you need to add the load balancer's IP as a trusted relay, and then any endpoint communicating via the load balancer is allowed to send email.

    You really want that IP address context so you can make decisions based on it.
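The relay risk described above can be checked from the defender's side with a monitor-style SMTP probe. The example below is added here and is not from the original thread or from NetScaler: given a socket already connected to the SMTP VIP it verifies the banner and EHLO (health) and then tests whether an unauthenticated RCPT to an outside domain is accepted, which is what happens when the load balancer's address has been added as a trusted relay. The host names, addresses and the scripted fake appliance (`fake_mta`) are constructed so the block runs offline over a socketpair.

```python
import socket
import threading

def _reply_code(f):
    """Consume one SMTP reply (multi-line replies use '250-'), return its code."""
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("peer closed the connection")
        if len(line) >= 4 and line[3] != "-":
            return int(line[:3])

def probe_smtp(sock, probe_rcpt="relaytest@example.invalid"):
    """Monitor-style probe over an already connected socket (e.g. to the SMTP VIP).
    Returns (healthy, relays): healthy if banner and EHLO succeed; relays if RCPT TO
    an outside domain is accepted unauthenticated, i.e. the probe's source address is
    being treated as a trusted relay. DATA is never sent, so no mail is queued."""
    f = sock.makefile("r")
    def cmd(line):
        sock.sendall((line + "\r\n").encode())
        return _reply_code(f)
    if _reply_code(f) != 220 or cmd("EHLO monitor.example.invalid") != 250:
        return False, False
    if cmd("MAIL FROM:<monitor@example.invalid>") != 250:
        cmd("QUIT")
        return True, False
    relays = cmd(f"RCPT TO:<{probe_rcpt}>") == 250
    cmd("RSET")
    cmd("QUIT")
    return True, relays

def fake_mta(sock, accept_relay):
    """Constructed stand-in for the email appliance, served in a thread on the peer socket."""
    def serve():
        f = sock.makefile("r")
        sock.sendall(b"220 sea.example.invalid ESMTP\r\n")
        for line in f:
            verb = line.strip().split(":", 1)[0].split(" ", 1)[0].upper()
            if verb == "RCPT":  # an open relay says 250 here; a locked-down one refuses
                sock.sendall(b"250 OK\r\n" if accept_relay
                             else b"554 5.7.1 Relay access denied\r\n")
            elif verb == "QUIT":
                sock.sendall(b"221 Bye\r\n")
                break
            else:
                sock.sendall(b"250 OK\r\n")
        sock.close()
    threading.Thread(target=serve, daemon=True).start()

def run_probe(accept_relay):
    """Wire the probe to the fake appliance over a socketpair (offline) and return its result."""
    client, server = socket.socketpair()
    fake_mta(server, accept_relay)
    with client:
        return probe_smtp(client)
```

Against a real VIP, replace the socketpair with `socket.create_connection((vip, 25))` and run the probe from a host that should not be allowed to relay; some MTAs only reject relaying at DATA rather than at RCPT, so a 250 here is a strong signal rather than proof.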

  • Thanks for the replies,

    We've ended up doing it the following way:

    A VIP in each site with a single SEA behind for now. (scalable)

    GSLB owns the DNS record for SMTP and resolves to the primary site VIP and to the secondary in the event of a failure. (resilient)

    GSLB uses a MEP to monitor the health of the SEA and failover automatically.

    So from an internal perspective, if a SEA fails, NetScaler resolves the DNS record for SMTP to the secondary site.

    Incoming mail will use the MX records to send to either SEA and the SEA will then route it to Exchange.


    This will allow internal applications that send email to external customers to have a resilient SMTP service in the event of a Site or SEA failure without human intervention.

    Hope this helps someone else in the same position.

  • Now I understand how to solve the problem, thanks.

    Gclub