Load balancers have been around for quite some time, and over the years have had many enhancements and improvements done to them. There are many out there and some of the big names like F5 Networks and Kemp Technologies have some quality products. (I wrote an article on load balancers and the different options here at TechGenix.) Why am I mentioning a load balancer when you can NAT (network address translation) an Exchange Server to the Internet?
The answer is simple. A load balancer offers you protection because it is the frontline device exposed to the Internet, not the Exchange Servers. With all the attacks against Exchange Servers recently, you may want to consider putting a device in front of Exchange so you can protect your Exchange Servers. This does not mean the load balancer is foolproof, or that you no longer have to worry about the backend.
No matter what you do, patch your Exchange Servers
You still need to actively patch your Exchange Servers and operating systems when Microsoft releases patches on the first Tuesday of each month. Besides being an additional layer to protect your Exchange Servers, what else can a load balancer do for you? F5 and Kemp, for example, have health checks that can be configured to ensure that the protocols on Exchange are actually responding. This means you can have it log in to OWA, or check whether the different ports like 25, 110, 143, 993, 995 and 587 are responding, and if not, the load balancer can send traffic to another server where the service is working.
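As an added example (not code from the article, nor from F5 or Kemp), the following Python script performs the two kinds of check just described: a TCP check on each of the listed ports and an HTTPS request to /owa/, then reports per protocol which backends traffic may be steered to. The host names such as ex01 used in comments and tests are constructed placeholders.

```python
"""Per-protocol health probes for Exchange backends, mirroring the checks the article describes."""
import http.client
import socket
import ssl

# Protocol ports named in the article: SMTP, POP3, IMAP, IMAPS, POP3S, submission.
EXCHANGE_PORTS = (25, 110, 143, 993, 995, 587)

def tcp_probe(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def owa_probe(host, timeout=3.0, verify=True):
    """True if HTTPS GET /owa/ is answered; 401 counts as up (IIS and the OWA directory serve)."""
    ctx = ssl.create_default_context()
    if not verify:  # lab backends with self-signed certificates only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
        conn.request("GET", "/owa/")
        status = conn.getresponse().status
        conn.close()
        return status < 400 or status == 401
    except (OSError, http.client.HTTPException):
        return False

def check_backend(host, port_probe=tcp_probe, web_probe=owa_probe):
    """Probe one backend; returns {"owa": bool, 25: bool, ...}.
    Probes are injectable so the logic can be exercised without live Exchange servers."""
    results = {"owa": web_probe(host)}
    for port in EXCHANGE_PORTS:
        results[port] = port_probe(host, port)
    return results

def healthy_for(service, hosts, **probes):
    """Hosts passing the check for one service ("owa" or a port): the only ones a balancer
    should steer that protocol to. A backend (say, hypothetical ex02) failing SMTP stays
    in the pool for protocols that still work, which is the per-protocol failover described."""
    return [h for h in hosts if check_backend(h, **probes)[service]]

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:  # usage: python probe.py ex01.example.internal ex02.example.internal
        print(host, check_backend(host))
```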
SSL traffic is generally terminated on the load balancer (so it holds the certificate and can inspect the session at layer 7) and then re-encrypted from the load balancer to the Exchange Servers. Just as you would have multiple Exchange Servers in a DAG for redundancy, you need to apply the same logic to your load balancer and have an HA pair, so that if you have an issue with one, you do not take down Exchange and mail but keep it running on the second device. This raises the question of cost. It costs $$$ to license each device per year, and the devices are expensive to maintain. Yes, nothing is cheap, but consider that if you got hit with ransomware, you would most likely pay 3-4 times the license cost to get your data back.
And also patch your load balancers
The next thing to consider is patching your load balancers. Just as you patch your Exchange Servers and operating systems, you need to do the same with this hardware or virtual appliance. Just recently, F5 identified an issue in some of their devices (you can read about it here), and as you can see, attackers are looking for loopholes to exploit. Now you may be asking: why should I put these devices in if they can be exploited? Well, the same logic applies. Companies put devices in and never patch them, or don't change the default login credentials, which leads to disaster. But if you actively manage your devices and keep them updated, you are at lower risk than you would be with an unpatched device. This does not mean you can't be attacked or have the system exploited.
Each month, vendors release patches, and it is your duty to make sure you close these vulnerabilities. You need to patch any critical flaw or actively exploited zero-day that is identified to ensure that the business stays up and running. If Kemp, for example, issues a warning that they have identified an issue on a device, companies running the affected firmware version need to upgrade.
Coming back to load balancers, and to sum up: they work well in providing you with redundancy and fault tolerance and ensure that backend systems like Exchange and Active Directory are protected. No system is simply put into place and left alone. The principle of patching applies to hardware and software vendors alike. If you are running load balancers that are out of warranty and cannot be upgraded, it might be best to raise the security concerns with senior management so that you can get new updates and have vendor support when you need it.
If you do not have a load balancer in place, reach out to the vendors and ask them for a trial to demonstrate to the business what it can do and then decide whether to purchase them. Load balancers come in many different flavors, some having more bandwidth options than others. Kemp allows you to try it out before buying it.
Unsure about load balancers and Exchange? Ask your vendor
F5 also has a trial option on the cloud version and BIG-IP versions. Lastly, if you are unsure about putting this in your environment, reach out to the vendor or someone who knows and maybe ask them for a case study that will persuade your management to purchase it.
3 thoughts on “Using a load balancer vs. exposing Exchange Server to the Internet”
Excellent article. With 30+ years administering e-mail systems, having a load balancer in front of your e-mail system is the best way to go. Both F5 and Kemp Technologies offer devices (physical or virtual) with a set of features that provide good functionality. You can add additional features to your license to improve performance and expand what you can do overall with the device.
I’ve been in IT for more than 30 years and load balancers are the worst products I’ve ever seen, not special to a load balancer vendor. It is almost a fake product and besides being fake, they are one of the most expensive items in the shop too!
Instead, for Exchange servers and Web servers and any other servers around, you can easily use the DNS round-robin mechanism, which is one of the dullest mechanisms. It is dull but it is free, and simple to maintain.
Hi @Murat, it is not about simplicity, it is about protecting the backend. Layer 7 will provide more protection than DNS round-robin. Attacking an Exchange server vs attacking a load balancer are two different things.