I’ve been working on setting up HAProxy as a Layer 7 NLB for our Microsoft Exchange 2016 cluster to replace a DNS round-robin (for internal) + firewall random DNAT (external) configuration.
Using CentOS 7, I opted to install the latest available RPM version from the IUS yum repository, which turned out to be HAProxy version 2.07.
Relying on a number of different HOWTO and blog articles, I created a configuration which seemed to be well supported (though based on pre-2.0 versions of HAProxy), using http mode and frontend acls to route traffic to individual backends for each Exchange service with backend health checks for each.
Using local hosts file overrides, I was able to test some clients and determined that everything was working well (OWA, ECP, ActiveSync, etc.) with the exception of Outlook clients, which couldn’t seem to authenticate and kept prompting for credentials or claiming the server was unavailable.
I set up a Layer 4 tcp mode configuration as a test, and everything worked perfectly including Outlook, so I figured the issue was related to something I’d missed with the http configuration.
After perusing Discourse for a bit, I added:
option accept-invalid-http-request to the frontend configuration, and
no option http-use-htx to the default configuration.
That seemed to work; the test Outlook clients were now able to authenticate and no more errors or server disconnects were evident.
I updated the internal DNS to point to the HAPRoxy NLB rather than the Exchange servers directly, and at first everything seemed to be working perfectly.
However, after an hour or so as more and more clients switched over to the NLB (DNS propagation delays) all Outlook clients started receiving “diconnected from server” warnings. Restarting Outlook on any given workstation would result in a successfull connection and an immediate burst of receiving/sending queued mail to/from the server, after which the server would show as disconnected once again.
I was unable to see any error messages in the haproxy.log, but figured there might be issues with connection limits, so I bumped up maxconn quite a bit but it didn’t help.
I switched back to my tcp mode configuration, and despite much lower maxconn settings everything is working flawlessly with no client issues reported.
How can I diagnose my http mode configuration for 2.07? Any help would be appreciated.
I have not messed with my system ulimit, as haproxy -vv indicates epoll is supported. I’ve checked SELinux and it’s not currently running in enforcing mode. Firewall logging shows nothing unexpectedly blocked.
I’ve considered trying a 1.8.x install as a diagnostic step, but wanted to check in here first as I expect I’m still missing something.