Tutorial on how to configure Reverse Proxy for Exchange with KEMP
The following components are installed in this lab
- 1 x Exchange 2013 Server (10.10.8.201) in LAN
- 1 x KEMP Virtual (MGMT IP – 172.16.1.100/24 & Virtual IP = 172.16.1.201/24) in DMZ
- NAT is configured on the firewall to forward the public IP to the KEMP Virtual IP for HTTPS (port 443) & SMTP (port 25)
LoadMaster Templates
The templates apply the configuration KEMP recommends, so the Exchange services can be added and configured in the LoadMaster quickly and consistently
Download all the templates from Microsoft Exchange 2013 Templates (for LoadMaster 7.2.37.1 and later)
Go to Virtual Services – Manage Templates – Add New Template and upload all the downloaded templates
HTTPS Virtual Service for Exchange Server
Go to Virtual Services – Add New and enter the following information
- Virtual Address – 172.16.1.201
- Port – 443
- Template – Exchange 2013 HTTPS Reencrypted
With SSL Re-encryption, the SSL session is first terminated at the LoadMaster so that persistence and other Layer 7 functionality can be applied; the traffic is then re-encrypted in a new SSL session between the LoadMaster and the Real Server
Click Add this Virtual Service to continue
Modify the following settings in SSL Properties
- Select the imported Wildcard SSL Certificate and click Set Certificate
- Cipher Set – BestPractices
- Strict Transport Security Header – Add the Strict Transport Security Header – No Subdomains
Go to SubVSs to view the pre-defined SubVSs (one per Exchange virtual directory) and click Modify
Click Add New
Enter the Real Server Address (the IP of the Exchange 2013 Server, 10.10.8.201) with Add to all SubVSs checked. Click Add This Real Server to continue
Verify that the Real Server has been created in every SubVS. For now the following SubVSs show the Real Server in RED (health check failing):
- ActiveSync, AutoDiscover, EWS, MAPI, OAB and RPC
Change the health check HTTP Method from GET to HEAD for ActiveSync, AutoDiscover, EWS, MAPI, OAB and RPC
All the Real Servers now show GREEN
Configure the settings below in System Configuration – Miscellaneous Options – L7 Configuration
- Drop Connections on Real Server Failure – When this option is enabled, LoadMaster tracks all the incoming connections and which Real Servers they are connected to. When a Real Server fails, all connections to the Real Server are immediately dropped, forcing the connections to reconnect to a different Real Server.
- Drop at Drain Time End – When this option is enabled, LoadMaster severs all existing connections to a disabled server after the L7 Connection Drain Time is reached. Clients are then forced to re-establish a connection to one of the remaining Real Servers.
- 100-Continue Handling = RFC-7231 Compliant – avoids issues with Exchange Web Services, especially in a hybrid configuration
- Additional L7 Header – adjust this setting if the built-in Mail client on Mac experiences connectivity issues
Verify the Functionality of Reverse Proxy for Exchange with KEMP
Run the Microsoft Remote Connectivity Analyzer and confirm that NO ERROR is reported for the following tests
- Exchange ActiveSync
- Synchronization, Notification, Availability and Automatic Replies
- Service Account Access
- Outlook Connectivity
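The Remote Connectivity Analyzer exercises the Exchange protocols but does not show what the LoadMaster actually negotiated or sent. The following Python script is an added example, not part of the original post and not KEMP or Microsoft tooling. It connects to the Virtual IP as a TLS 1.2+ verifying client with SNI set to the public name, reports protocol, cipher and certificate names, then sends a HEAD request and grades the Strict-Transport-Security header against the No Subdomains policy chosen in SSL Properties. The hostname mail.aventislab.com, the autodiscover name, the /owa/ path, the 180-day max-age floor and all function names are assumptions made for illustration.

```python
"""Added example (not KEMP or Microsoft code): check the HTTPS Virtual Service from outside
with a TLS 1.2+ verifying client, then grade the Strict-Transport-Security header it sends."""
import socket
import ssl
import sys

# Assumption: 180 days (15552000 s) is taken here as the minimum max-age for an A+ grade.
HSTS_MIN_AGE = 15552000

def name_matches(pattern, hostname):
    """RFC 6125-style match: one '*' as the whole left-most label, never across a dot, so
    '*.example.com' covers mail.example.com but not example.com or a.b.example.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def cert_dns_names(cert):
    """DNS SANs from ssl.getpeercert(); the CN is used only when there are no SANs."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def parse_headers(raw):
    """HTTP/1.1 response head -> {lowercased name: value}; ':status' holds the status line."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {":status": head[0]}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None when the header is absent."""
    if value is None:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        key, val = key.strip().lower(), val.strip().strip('"')
        if key == "max-age" and val.isdigit():
            policy["max_age"] = int(val)
        elif key == "includesubdomains":
            policy["include_subdomains"] = True
        elif key == "preload":
            policy["preload"] = True
    return policy

def hsts_findings(value, expect_subdomains=False, min_age=HSTS_MIN_AGE):
    """Mismatches against the policy set in the LoadMaster (No Subdomains here); [] = matches."""
    policy = parse_hsts(value)
    if policy is None:
        return ["Strict-Transport-Security header missing"]
    findings = []
    if policy["max_age"] is None:
        findings.append("max-age missing or not a number")
    elif policy["max_age"] < min_age:
        findings.append(f"max-age {policy['max_age']} is below {min_age}")
    if policy["include_subdomains"] and not expect_subdomains:
        findings.append("includeSubDomains present but No Subdomains was chosen")
    elif expect_subdomains and not policy["include_subdomains"]:
        findings.append("includeSubDomains expected but absent")
    return findings

def probe_https(host, port=443, server_name=None, path="/owa/"):
    """Live check against the Virtual IP. SNI and Host carry the public name, as real clients
    send it; a certificate that fails verification or does not cover server_name raises."""
    sni = server_name or host
    with socket.create_connection((host, port), timeout=10) as raw:
        ctx = ssl.create_default_context()             # CA-verified, hostname checked
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # client side of the policy: TLS 1.2+
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            cert = tls.getpeercert()
            tls.sendall(f"HEAD {path} HTTP/1.1\r\nHost: {sni}\r\nConnection: close\r\n\r\n".encode())
            resp = b""
            while b"\r\n\r\n" not in resp:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                resp += chunk
            headers = parse_headers(resp.decode("iso-8859-1"))
            return {"protocol": tls.version(), "cipher": tls.cipher()[0],
                    "cert_names": cert_dns_names(cert), "status": headers[":status"],
                    "hsts": hsts_findings(headers.get("strict-transport-security"))}

if __name__ == "__main__":
    # usage: python check_https_vs.py 172.16.1.201 mail.aventislab.com
    result = probe_https(sys.argv[1], server_name=sys.argv[2])
    for key, value in result.items():
        print(f"{key:10} {value}")
    # Assumption: autodiscover.<domain> is the Autodiscover name; a wildcard never covers the apex.
    for extra in ("autodiscover.aventislab.com", "aventislab.com"):
        covered = any(name_matches(n, extra) for n in result["cert_names"])
        print(f"{extra:30} {'covered' if covered else 'NOT covered'} by the certificate")
```

A 401 from /owa/ is expected for an unauthenticated HEAD; what matters is the protocol, the certificate names and the header. The TLS 1.2 floor is on the client side only: whether the service still accepts TLS 1.0 or 1.1 from older clients is what the Qualys scan later in this post reports.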
SMTP Virtual Service for Exchange Server
Go to Virtual Services – Add New and enter the following information
- Virtual Address – 172.16.1.201
- Port – 25
- Template – Exchange 2013 SMTP with STARTTLS
SMTP with STARTTLS is required because hybrid coexistence is configured between Exchange 2013 & Office 365 in our lab
Click Add this Virtual Service to continue
Uncheck SSLv3 & TLS 1.0 in Supported Protocols and select BestPractices in Cipher Set
Add the IP Address of the Real Server (Exchange 2013 Server) under Real Servers
Exchange 2013 SMTP with STARTTLS is added successfully
Verify that mail flow between users on the Exchange 2013 Server & Office 365 is working
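Mail flow working end to end does not by itself prove that the SMTP service offers STARTTLS or that SSLv3 and TLS 1.0 are really off. The following Python script is an added example, not part of the original post and not KEMP or Microsoft tooling. It speaks ESMTP to the service on port 25 the way a sending MTA would, confirms STARTTLS is advertised, upgrades with a TLS 1.2+ verifying client and reports what was negotiated, then repeats the handshake offering only TLS 1.0, which a correctly hardened service must refuse. The EHLO reply embedded in the script is constructed for the offline parser check, not captured from the lab; mail.aventislab.com as the name on the certificate and all function names are assumptions.

```python
"""Added example (not KEMP or Microsoft code): exercise the SMTP with STARTTLS Virtual Service
as a sending MTA would, then confirm that a TLS 1.0-only client is refused."""
import re
import smtplib
import ssl
import sys

# Constructed EHLO reply (not a capture from the lab) used to exercise the parser offline.
SAMPLE_EHLO = """250-mail.aventislab.com Hello [203.0.113.10]
250-SIZE 37748736
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250 CHUNKING"""

def parse_ehlo(reply):
    """EHLO reply -> {KEYWORD: parameters}. Accepts raw '250-' lines as well as the
    code-stripped form smtplib returns; the first line is the greeting, not a feature."""
    features = {}
    for index, line in enumerate(reply.splitlines()):
        line = re.sub(r"^250[ -]", "", line.strip())
        if index == 0 or not line:
            continue
        keyword, _, params = line.partition(" ")
        features[keyword.upper()] = params.strip()
    return features

def ehlo_findings(features):
    """What the cleartext EHLO alone already tells you about the service."""
    findings = []
    if "STARTTLS" not in features:
        findings.append("STARTTLS not advertised (required for the hybrid mail flow)")
    if "AUTH" in features:
        findings.append(f"AUTH {features['AUTH']} offered before TLS: credentials could travel in the clear")
    return findings

def starttls_probe(host, port=25, min_version=ssl.TLSVersion.TLSv1_2,
                   max_version=ssl.TLSVersion.MAXIMUM_SUPPORTED):
    """Connect, EHLO, upgrade with STARTTLS within the given protocol bounds and report the
    result. `host` must be the name on the certificate (e.g. mail.aventislab.com) because
    smtplib verifies the certificate against it."""
    ctx = ssl.create_default_context()
    ctx.minimum_version, ctx.maximum_version = min_version, max_version
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        code, msg = smtp.ehlo()
        features = parse_ehlo(msg.decode("utf-8", "replace"))
        if code != 250 or "STARTTLS" not in features:
            return {"starttls_offered": False, "findings": ehlo_findings(features)}
        smtp.starttls(context=ctx)   # raises ssl.SSLError when the handshake is refused
        tls = smtp.sock
        return {"starttls_offered": True, "protocol": tls.version(), "cipher": tls.cipher()[0],
                "cert_subject": tls.getpeercert().get("subject"), "findings": ehlo_findings(features)}

def legacy_tls_result(host, port=25):
    """Offer only TLS 1.0. A hardened service fails the handshake; 'NO_PROTOCOLS_AVAILABLE'
    means the local OpenSSL itself refused to offer TLS 1.0, so the test was inconclusive."""
    try:
        result = starttls_probe(host, port, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1)
    except (ssl.SSLError, smtplib.SMTPException, ValueError) as exc:
        return "refused: " + str(getattr(exc, "reason", None) or exc)
    return f"ACCEPTED {result.get('protocol')} (TLS 1.0 is still enabled on the service)"

if __name__ == "__main__":
    # usage: python check_smtp_starttls.py mail.aventislab.com   (no argument: offline parser demo)
    if len(sys.argv) < 2:
        features = parse_ehlo(SAMPLE_EHLO)
        print(features, ehlo_findings(features))
    else:
        print("TLS 1.2+ client:", starttls_probe(sys.argv[1]))
        print("TLS 1.0 client :", legacy_tls_result(sys.argv[1]))
```

Run it against the public name, not the Virtual IP, or certificate verification will fail before the protocol test begins. The second line of output is the one that checks the Supported Protocols change: a refusal is the expected result, an ACCEPTED line means TLS 1.0 is still enabled.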
A+ Result with Qualys SSL Scanner
Perform an SSL scan of the public hostname using the Qualys SSL Labs scanner
Refer to Disable TLS 1.1 & Add HTTP Strict Transport Security (HSTS) if an A+ result is required
ESP Connection Logs
Enable the Connection Logs in Virtual Services – View / Modify Services for Exchange 2013 HTTPS Reencrypted & Exchange 2013 SMTP with STARTTLS
For the HTTPS Virtual Service, enable ESP and configure the following settings in ESP Options
- ESP Logging – Enable Connection
- Allowed Virtual Hosts – mail.aventislab.com
- Allowed Virtual Directories – /*
For the SMTP Virtual Service, enable ESP and configure the following settings in ESP Options
- ESP Logging – Enable Connection
- Permitted Domain – .
Click View in ESP Connection Logs in System Configuration – Extended Log Files
The connection logs are displayed in Google Chrome