Office 365 Lab: Using a Single Public IP for both ADFS WAP and Exchange Server with KEMP

Adam Farage
Feb 9, 2022

Let’s say you want to set up an Office 365 lab so you can test hybrid functionality, learn ADFS or simply understand how the service works in a medium to enterprise setting. In theory, you would need a minimum of two public IP addresses:

  1. Public IP #1 would need a NAT over TCP 443 / 25 for Exchange 2016 Hybrid traffic
  2. Public IP #2 would need a NAT over TCP 443 / 49443 for ADFS STS and Enterprise Registration (if being used)

Unfortunately, most broadband providers hand out a single public IP, which would force us to sacrifice either Exchange hybrid (the non-minimal configuration) or ADFS…

… but there is a way around it.

Overview

Using the KEMP VLM-100 (which is free, found here) we can set up Content Rules (reference) and configure Content Switching (reference). Essentially, this lets the network load balancer read the HTTP/1.1 header information and, based on a Host header rule, reroute the request to the proper sub-Virtual Service.

This guide won’t cover the initial setup and configuration of the KEMP VLM-100, as that can be found anywhere on the internet. It will cover the configuration of the content rules, content switching and the virtual service (Virtual IP / NLB pool) itself for both Exchange and ADFS.

Setting up the Content Rules

Log on to your KEMP VLM-100 and navigate to Rules & Checking > Content Rules. Click “Create New…”.

Within the Create Rule screen, edit the following and keep the rest at default:

Rule Name: Enter something you can easily identify, in my case I used “Exchange” and “ADFS”

Header Field: host

Match String: this will be the FQDN of the service. For example, my ADFS farm name is “adfs.exchangelaboratory.com”, so my string will be “^adfs.exchangelaboratory.com*”.

When done, click Create Rule. Create a second rule for Exchange, and others as needed for any further services being load balanced over TCP 443. If doing just Exchange and ADFS like myself, it should look similar to the below.

Creating the Virtual Service and Sub-Virtual Services

Navigate to Virtual Services > Add New. Enter the virtual address (virtual IP) and port, and under Protocol select TCP. Afterwards click “Add this Virtual Service”.

Now edit the virtual service you created, and expand SSL Properties.

The first thing you need to do is enable SSL Acceleration along with SSL Bridging (re-encrypting the traffic after KEMP decrypts it). Do this by checking the Enabled and Reencrypt boxes under the SSL Acceleration section.

If you have your SSL public and private key imported (via a .PFX file), assign it to the virtual service. Click Set Certificates once completed; if you do not, KEMP will simply discard the change later on. If your certificate is not imported, do so now and then assign it to the virtual service.

Last but not least, set the Reencrypt SNI Hostname. This should be the FQDN of the ADFS farm, in my case adfs.exchangelaboratory.com. Failing to do this will break ADFS, while Exchange TCP 443 traffic will still work.

We also need to set the persistence settings, which are under Standard Options.

Change the Persistence Options to Super HTTP, then change the Scheduling Method from Round Robin to Least Connection.

Finally, we will create our two sub-Virtual Services within this parent. At the bottom of the virtual service configuration page, expand the section labeled Real Servers. Click the Add SubVS button twice to create two sub-Virtual Services. One will be for ADFS, and the other will be for Exchange 2016.

Configuring the ADFS sub-Virtual Service

Click on one of the new sub-Virtual Services you created within the parent above. Once there, expand Standard Options and match the persistence settings to the parent (screenshot below).

Expand Real Servers; here we need to configure both the Real Servers and the Healthcheck.

Real Server Check Method and Port: HTTPS Protocol, TCP 443 (click “Set Check Port” when completed)

URL: /adfs/ls/idpinitiatedsignon.htm (click “Set URL” when completed)

Use HTTP/1.1: Checked

HTTP/1.1 Host: FQDN of the ADFS Farm. In my lab, it is adfs.exchangelaboratory.com (click “Set Host” when completed)

HTTP Method: GET

Now click Add New… and add the two ADFS WAP servers, which sit in the 192.168.3.0/24 subnet.

Once the real servers are added to the ADFS sub-Virtual Service, enable Content Switching and then assign the Content Rules to each real server.

To enable Content Switching you must have at least one Real Server added. If you have been skipping around, stop. You are just going to make this harder for yourself.

Expand Advanced Properties, and then click the Enable button for Content Switching.

Once enabled, you will see two red boxes highlighted next to the real servers. Click each of them to associate the content rule for the ADFS Farm FQDN you created earlier.

When done, simply click the Back button until you are back at the parent Virtual Service.

Configuring the Exchange Sub-Virtual Service

Configuring the Exchange sub-Virtual Service is essentially the same as the ADFS sub-Virtual Service, with a few differences around the healthcheck and the content rule assigned to each real server.

Healthcheck Configuration:

Real Server Check Method and Port: HTTPS Protocol, TCP 443 (click “Set Check Port” when completed)

URL: /owa/healthcheck.htm (click “Set URL” when completed)

Use HTTP/1.1: Checked

HTTP/1.1 Host: FQDN for the Exchange Client Access services. In my lab, it is mail.exchangelaboratory.com (click “Set Host” when completed)

HTTP Method: GET

Content Rule Associated: the Exchange rule created earlier, assigned to each Exchange real server.

Once again, when completed click the Back button until you are at the parent Virtual Service.

Final Configuration for Parent Virtual Service

The only thing left is to enable Content Switching at the parent Virtual Service level and then associate the rules.

As with both sub-Virtual Services, expand Advanced Properties and click Enable for Content Switching. Two rule boxes should then appear under the SubVSs section, as shown below.

And, as we did earlier with both sub-Virtual Services, associate the appropriate Content Rule with each sub service. For example, the ADFS sub-Virtual Service gets the content rule that points to adfs.exchangelaboratory.com, and so on.

Below is an example of me adding the Content Rule for the ADFS sub-Virtual Service.

Once done, click Back until you are greeted with (hopefully) some beautiful green boxes showing your parent and sub-Virtual Services online.

Testing ADFS and Exchange 2016

Now that this is configured we finally test! For ADFS, I tested using and Exchange using https://mail.exchangelaboratory.com/owa/. Both worked without an issue.

To further test whether the content switching is working, try going to https://adfs.exchangelaboratory.com/owa/. This will return an HTTP 404, because the Content Switching rule on the Virtual IP / Virtual Service routes the /owa/ request (based on its Host header) to the real servers assigned to ADFS, and OWA doesn’t exist on ADFS.

That is all for this blog today. There will be additional posts in the future building off this one, including step-by-step guides for deploying Exchange, ADFS and Azure AD Connect in a home lab for integration into Office 365, so stay tuned.
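The Host-header rule matching from the Content Rules section and the /owa/-on-the-ADFS-hostname test just described, modelled in Python as an added example (not KEMP code and not the author’s). It assumes a case-insensitive regex match evaluated first-match-wins, an Exchange match string written by analogy with the ADFS one, and constructed backend URL prefixes; the strict_host_rule helper shows the anchored, escaped form of the pattern, since the unescaped dots and trailing * in the page’s match string also accept hosts such as adfs.exchangelaboratory.co.

```python
import re
from dataclasses import dataclass
# Constructed model of the Host-header content switching set up in this post; added illustration, not KEMP code.
@dataclass
class ContentRule:
    name: str
    pattern: str  # regex exactly as typed into the KEMP "Match String" field
    def matches(self, host: str) -> bool:
        # case-insensitive search (assumes the rule's ignore-case option is on)
        return re.search(self.pattern, host, re.IGNORECASE) is not None

@dataclass
class SubVS:
    name: str
    rule: ContentRule
    served_paths: tuple  # constructed: URL prefixes the backend really answers

# Rules as typed on the page (the Exchange pattern is assumed by analogy with the ADFS one)
ADFS_RULE = ContentRule("ADFS", r"^adfs.exchangelaboratory.com*")
EXCHANGE_RULE = ContentRule("Exchange", r"^mail.exchangelaboratory.com*")
SUBVSS = [
    SubVS("ADFS", ADFS_RULE, ("/adfs/",)),
    SubVS("Exchange", EXCHANGE_RULE, ("/owa/", "/ecp/", "/ews/", "/mapi/")),
]

def parse_request_head(raw: bytes):
    """Split an HTTP/1.1 request head into (method, path, lower-cased header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers

def route(raw: bytes):
    """Return (sub-VS name, status) the way the parent VS dispatches the request."""
    _, path, headers = parse_request_head(raw)
    host = headers.get("host", "").split(":")[0]  # drop any :port suffix
    for svs in SUBVSS:  # assumed: first matching rule wins
        if svs.rule.matches(host):
            served = any(path.lower().startswith(p) for p in svs.served_paths)
            return svs.name, (200 if served else 404)
    return None, None  # nothing matched; KEMP's no-match handling is not modelled

def strict_host_rule(name: str, fqdn: str) -> ContentRule:
    """Anchored, escaped pattern that matches exactly that FQDN and nothing else."""
    return ContentRule(name, "^" + re.escape(fqdn) + "$")
```

Routing /owa/ with the ADFS hostname lands on the ADFS sub-VS and yields the 404 described above, while the strict rule shows how to keep the Host match exact.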

- Adam F
