Reverse Proxy for Exchange with KEMP

Tutorial on how to configure Reverse Proxy for Exchange with KEMP

The following components are installed in this lab

  • 1 x Exchange 2013 Server (10.10.8.201) in LAN
  • 1 x KEMP Virtual (MGMT IP – 172.16.1.100/24 & Virtual IP = 172.16.1.201/24) in DMZ
  • NAT is configured in Firewall to forward Public IP to KEMP Virtual IP for HTTPS (Port 443) & SMTP (Port 25)

LoadMaster Templates

The template sets the configuration as recommended by KEMP to quickly and easily add and configure services in the LoadMaster

Download all the templates from Microsoft Exchange 2013 Templates with LoadMaster 7.2.37.1 and later

Go to Virtual Services – Manage Templates – Add New Template and upload all the downloaded templates

HTTPS Virtual Service for Exchange Server

Go to Virtual Services – Add New and enter the following information

  • Virtual Address – 172.16.1.201
  • Port – 443
  • Template – Exchange 2013 HTTPS Reencrypted

With SSL Reencryption, the SSL session is first terminated at the LoadMaster. Persistence and other Layer 7 functionality can then be performed. After that, the traffic is re-encrypted in a new SSL session between the LoadMaster and the Real Server

Click Add this Virtual Service to continue

Modify the following settings in SSL Properties

  • Select the imported Wildcard SSL Certificate and click Set Certificate
  • Cipher Set – BestPractices
  • Strict Transport Security Header – Add the Strict Transport Security Header – No Subdomains

Go to SubVSs to view all the pre-defined Exchange Virtual Directory and click Modify

Click Add New

Enter the Real Server Address (the IP address of the Exchange 2013 Server) with Add to all SubVSs checked. Click Add This Real Server to continue

Verify that all the Real Servers are created. The following SubVSs are shown in RED for now

  • ActiveSync, AutoDiscover, EWS, MAPI, OAB and RPC

Change the HTTP Method from GET to HEAD for ActiveSync, AutoDiscover, EWS, MAPI, OAB and RPC

All the Real Servers are changed to GREEN Color now

Configure the settings below in System Configuration – Miscellaneous Options – L7 Configuration

  • Drop Connections on Real Server Failure – When this option is enabled, LoadMaster tracks all the incoming connections and which Real Servers they are connected to. When a Real Server fails, all connections to the Real Server are immediately dropped, forcing the connections to reconnect to a different Real Server.
  • Drop at Drain Time End – When this option is enabled, LoadMaster severs all existing connections to a disabled server after the L7 Connection Drain Time is reached. Clients are then forced to re-establish a connection to one of the remaining Real Servers.
  • 100-Continue handling = RFC-7231 Compliant – To avoid issues with Exchange Web Services, especially in a hybrid configuration
  • Additional L7 Header – Configure this option because the built-in Mail client on Mac may otherwise experience connectivity issues

Verify the Functionality of Reverse Proxy for Exchange with KEMP

Run Microsoft Remote Connectivity Analyzer to ensure that NO ERROR is found for the following

  • Exchange ActiveSync
  • Synchronization, Notification, Availability and Automatic Replies
  • Service Account Access
  • Outlook Connectivity

SMTP Virtual Service for Exchange Server

Go to Virtual Services – Add New and enter the following information

  • Virtual Address – 172.16.1.201
  • Port – 443
  • Template – Exchange 2013 SMTP with STARTTLS

SMTP with STARTTLS is required as Hybrid Co-Existence is configured between Exchange 2013 & Office 365 in our lab

Click Add this Virtual Service to continue

Uncheck SSLv3 & TLS 1.0 in Supported Protocols and select BestPractices as the Cipher Set

Add the IP Address of Real Servers (Exchange 2013 Server) in Real Server

Exchange 2013 SMTP with STARTTLS is added successfully

Verify that mail flow between users on the Exchange 2013 Server & Office 365 is working fine

A+ Result with Qualys SSL Scanner

Perform an SSL scan using Qualys SSL Scanner

Refer to Disable TLS 1.1 & Add HTTP Strict Transport Security (HSTS) if an A+ result is required
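As an added check for the settings configured above (not part of this tutorial or KEMP's own tooling): a Python script that fetches a response through the HTTPS Virtual Service and confirms the Strict Transport Security header is present without includeSubDomains, then attempts handshakes pinned to TLS 1.0 and TLS 1.1 to confirm they are refused. The host name mail.aventislab.com is taken from the page; the /owa/ path and a client that can reach the Virtual IP are assumptions.

```python
import http.client
import socket
import ssl

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: argument}."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') if arg else True
    return directives

def hsts_findings(value, expect_subdomains=False, min_age=31536000):
    """Problems with an HSTS header; [] means present, long max-age, subdomains as expected."""
    if value is None:
        return ["no Strict-Transport-Security header"]
    directives = parse_hsts(value)
    findings = []
    age = directives.get("max-age")
    if not isinstance(age, str) or not age.isdigit():
        findings.append("max-age missing or not numeric")
    elif int(age) < min_age:
        findings.append(f"max-age {age} is below {min_age}")
    has_sub = "includesubdomains" in directives
    if has_sub != expect_subdomains:
        findings.append("includeSubDomains " + ("present" if has_sub else "missing"))
    return findings

def tls_version_accepted(host, port, version):
    """True if a handshake completes pinned to exactly `version` (False may also mean the local OpenSSL will not offer it)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    try:
        ctx.minimum_version = ctx.maximum_version = version
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let OpenSSL 3 offer legacy versions
        with socket.create_connection((host, port), timeout=5) as raw, ctx.wrap_socket(raw, server_hostname=host):
            return True
    except (ssl.SSLError, OSError, ValueError):
        return False

if __name__ == "__main__":
    host = "mail.aventislab.com"  # the tutorial's virtual host; assumed reachable from this client
    conn = http.client.HTTPSConnection(host, 443, timeout=10)
    conn.request("HEAD", "/owa/")  # path is an assumption
    headers = {k.lower(): v for k, v in conn.getresponse().getheaders()}
    print("HSTS:", hsts_findings(headers.get("strict-transport-security")) or "ok")
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1):
        print(version.name, "accepted" if tls_version_accepted(host, 443, version) else "refused")
```

An empty HSTS finding list and "refused" for both legacy versions match the LoadMaster settings above; for the cipher-level detail the Qualys scan remains the reference.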

ESP Connection Logs

Enable the Connection Logs in Virtual Services – View / Modify Services for Exchange 2013 HTTPS Reencrypted & Exchange 2013 SMTP with STARTTLS

Enable ESP and configure the following settings in ESP Options – For HTTPS Virtual Service

  • ESP Logging – Enable Connection
  • Allowed Virtual Hosts – mail.aventislab.com
  • Allowed Virtual Directories – /*

Enable ESP and configure the following settings in ESP Options – For SMTP Virtual Service

  • ESP Logging – Enable Connection
  • Permitted Domain.

Click View in ESP Connection Logs in System Configuration – Extended Log Files

The Connection Logs are displayed in Google Chrome
