Transparent HAProxy and Exchange not working


#1

Hello,

I am attempting to set up a pair of HAProxy servers running CentOS 7 to load balance 2 Exchange 2016 servers transparently. We have logging requirements, so the client IP address must be logged on the Exchange side. I have a non-transparent layer 7 setup functioning. I followed the instructions here: http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/ ; however, when I have ‘source 0.0.0.0 usesrc clientip’ defined in the backends, my pages do not load, and I also do not see any errors logged in /var/log/haproxy.log.

I have verified the tproxy module is loaded:
lsmod | grep -ie tproxy
xt_TPROXY 17327 0
nf_defrag_ipv6 35104 3 xt_socket,xt_TPROXY,nf_conntrack_ipv6
nf_defrag_ipv4 12729 3 xt_socket,xt_TPROXY,nf_conntrack_ipv4

I replaced firewalld with iptables to allow me to follow the documentation.

All servers are in the same subnet: 192.168.5.0/24
keepalived VIP 192.168.5.205
HAProxy-01: 192.168.5.206
HAProxy-02: 192.168.5.207
Ex2016-01: 192.168.5.181
Ex2016-02: 192.168.5.182

I am testing from a different subnet: 192.168.6.0/24

I feel like I am missing something but do not know what.

Here is my config:
global
# Run detached, chrooted and without startup messages.
daemon
quiet
chroot /var/lib/haproxy
# Syslog over UDP to the local syslog daemon, facility local0, level info.
# NOTE(review): if nothing reaches /var/log/haproxy.log, confirm the syslog daemon accepts
# UDP on 127.0.0.1:514 — with `daemon` and `quiet` there is no console output to fall back on.
log 127.0.0.1 local0 info
# NOTE(review): no `user`/`group` directive, so the process keeps root. The `usesrc clientip`
# lines in the backends need root or CAP_NET_ADMIN at connect time, so adding a privilege drop
# here would break transparent mode on this version — confirm before changing.
maxconn 10000
# 2048-bit ephemeral DH parameters for the TLS frontend.
tune.ssl.default-dh-param 2048

defaults
log global
# Every section below that does not override it is HTTP; the SMTP listener sets mode tcp itself.
mode http
option httplog
# Do not log connections that exchanged no data (e.g. TCP health probes from the peer).
option dontlognull
# Same values as before, expressed in seconds.
timeout connect 30s
timeout client 30s
timeout server 60s
# Time allowed for a health-check response once the check connection is established.
timeout check 60s

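listen stats
# Per-node stats page on this node's own address (not the keepalived VIP).
bind 192.168.5.206:8181
mode http
log global
maxconn 10
# clitimeout/srvtimeout/contimeout are deprecated aliases; use the same `timeout` keywords
# as the defaults section so the file stays consistent and warning-free.
timeout client 100s
timeout server 100s
timeout connect 100s
timeout queue 100s
stats enable
stats hide-version
stats refresh 30s
stats show-node
# NOTE(review): the password after the colon is empty. If that is not a redaction, anyone who can
# reach 192.168.5.206:8181 gets the stats page — set a real password. Basic auth on this plain-HTTP
# bind also crosses the LAN unencrypted; consider `ssl crt` on the bind or restricting the source address.
stats auth admin:
stats uri /haproxy?stats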

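frontend fe_ex2016
mode http
# Bound on the keepalived VIP. `transparent` lets the address be bound even when it is not
# configured locally, so the standby node can load the same file before it holds the VIP.
bind 192.168.5.205:80 transparent
bind 192.168.5.205:443 transparent ssl crt /etc/ssl/certs/ssl_cert.pem
# Plain HTTP only exists to push clients to HTTPS; no unencrypted request is forwarded.
redirect scheme https code 301 if !{ ssl_fc }
# Exchange virtual-directory paths are matched case-insensitively (-i). Clients send mixed case
# (/Autodiscover, /EWS, /Microsoft-Server-ActiveSync, /OAB); without -i those requests silently
# fall through to the default backend and lose the per-service health check.
acl autodiscover url_beg -i /Autodiscover
acl mapi url_beg -i /mapi
acl rpc url_beg -i /rpc
acl owa url_beg -i /owa
acl eas url_beg -i /microsoft-server-activesync
acl ecp url_beg -i /ecp
acl ews url_beg -i /ews
acl oab url_beg -i /oab
use_backend be_ex2016_autodiscover if autodiscover
use_backend be_ex2016_mapi if mapi
use_backend be_ex2016_rpc if rpc
use_backend be_ex2016_owa if owa
use_backend be_ex2016_eas if eas
use_backend be_ex2016_ecp if ecp
use_backend be_ex2016_ews if ews
use_backend be_ex2016_oab if oab
# Anything else (including /) goes to the catch-all backend.
default_backend be_ex2016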

backend be_ex2016_autodiscover
# Autodiscover traffic, re-encrypted to Exchange on 443.
mode http
balance roundrobin
# Connect from the client's own IP (TPROXY) so Exchange logs the real source address.
# This only works when the Exchange reply path comes back through this node (default gateway
# or policy route); otherwise the handshake never completes and nothing is logged here.
source 0.0.0.0 usesrc clientip
option log-health-checks
# The service-specific health page must answer 200 for a server to stay in rotation.
option httpchk GET /autodiscover/healthcheck.htm
http-check expect status 200
# verify required: the server certificate chain is checked against the CA bundle. No verifyhost/sni
# is set, so the certificate name is not checked — add `verifyhost <exchange-fqdn>` if name binding is wanted (confirm).
server vm-ex2016-01 192.168.5.181:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server vm-ex2016-02 192.168.5.182:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt

backend be_ex2016_mapi
# MAPI/HTTP traffic (/mapi), re-encrypted to Exchange on 443.
mode http
balance roundrobin
# Connect from the client's IP (TPROXY); reply traffic must route back through this node.
source 0.0.0.0 usesrc clientip
option log-health-checks
# Service-specific health page must answer 200 for a server to stay in rotation.
option httpchk GET /mapi/healthcheck.htm
http-check expect status 200
# verify required: chain checked against the CA bundle; without verifyhost/sni the certificate name is not checked — confirm.
server vm-ex2016-01 192.168.5.181:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server vm-ex2016-02 192.168.5.182:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt

backend be_ex2016_rpc
# Outlook Anywhere / RPC-over-HTTP traffic (/rpc), re-encrypted to Exchange on 443.
mode http
balance roundrobin
# Connect from the client's IP (TPROXY); reply traffic must route back through this node.
source 0.0.0.0 usesrc clientip
option log-health-checks
# Service-specific health page must answer 200 for a server to stay in rotation.
option httpchk GET /rpc/healthcheck.htm
http-check expect status 200
# verify required: chain checked against the CA bundle; without verifyhost/sni the certificate name is not checked — confirm.
server vm-ex2016-01 192.168.5.181:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server vm-ex2016-02 192.168.5.182:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt

backend be_ex2016_owa
# Outlook on the web (/owa), re-encrypted to Exchange on 443.
mode http
balance roundrobin
# Connect from the client's IP (TPROXY); reply traffic must route back through this node.
source 0.0.0.0 usesrc clientip
option log-health-checks
# Service-specific health page must answer 200 for a server to stay in rotation.
option httpchk GET /owa/healthcheck.htm
http-check expect status 200
# verify required: chain checked against the CA bundle; without verifyhost/sni the certificate name is not checked — confirm.
server vm-ex2016-01 192.168.5.181:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server vm-ex2016-02 192.168.5.182:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt

backend be_ex2016_eas
# ActiveSync traffic (/microsoft-server-activesync), re-encrypted to Exchange on 443.
mode http
balance roundrobin
# Connect from the client's IP (TPROXY); reply traffic must route back through this node.
source 0.0.0.0 usesrc clientip
option log-health-checks
# Service-specific health page must answer 200 for a server to stay in rotation.
option httpchk GET /microsoft-server-activesync/healthcheck.htm
http-check expect status 200
# verify required: chain checked against the CA bundle; without verifyhost/sni the certificate name is not checked — confirm.
server vm-ex2016-01 192.168.5.181:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server vm-ex2016-02 192.168.5.182:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt

backend be_ex2016_ecp
# Exchange admin center / ECP traffic (/ecp), re-encrypted to Exchange on 443.
mode http
balance roundrobin
# Connect from the client's IP (TPROXY); reply traffic must route back through this node.
source 0.0.0.0 usesrc clientip
option log-health-checks
# Service-specific health page must answer 200 for a server to stay in rotation.
option httpchk GET /ecp/healthcheck.htm
http-check expect status 200
# verify required: chain checked against the CA bundle; without verifyhost/sni the certificate name is not checked — confirm.
server vm-ex2016-01 192.168.5.181:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server vm-ex2016-02 192.168.5.182:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt

backend be_ex2016_ews
# Exchange Web Services traffic (/ews), re-encrypted to Exchange on 443.
mode http
balance roundrobin
# Connect from the client's IP (TPROXY); reply traffic must route back through this node.
source 0.0.0.0 usesrc clientip
option log-health-checks
# Service-specific health page must answer 200 for a server to stay in rotation.
option httpchk GET /ews/healthcheck.htm
http-check expect status 200
# verify required: chain checked against the CA bundle; without verifyhost/sni the certificate name is not checked — confirm.
server vm-ex2016-01 192.168.5.181:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server vm-ex2016-02 192.168.5.182:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt

backend be_ex2016_oab
# Offline address book downloads (/oab), re-encrypted to Exchange on 443.
mode http
balance roundrobin
# Connect from the client's IP (TPROXY); reply traffic must route back through this node.
source 0.0.0.0 usesrc clientip
option log-health-checks
# Service-specific health page must answer 200 for a server to stay in rotation.
option httpchk GET /oab/healthcheck.htm
http-check expect status 200
# verify required: chain checked against the CA bundle; without verifyhost/sni the certificate name is not checked — confirm.
server vm-ex2016-01 192.168.5.181:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server vm-ex2016-02 192.168.5.182:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt

backend be_ex2016
# Catch-all for paths that no frontend ACL matched (including /).
mode http
balance roundrobin
# Connect from the client's IP (TPROXY); reply traffic must route back through this node.
source 0.0.0.0 usesrc clientip
# NOTE(review): unlike the other backends there is no `option httpchk`, so `check` here is only a
# connection-level probe; a server whose web tier answers but is unhealthy stays in rotation for
# unmatched paths — confirm that is acceptable.
# verify required: chain checked against the CA bundle; without verifyhost/sni the certificate name is not checked — confirm.
server vm-ex2016-01 192.168.5.181:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server vm-ex2016-02 192.168.5.182:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt

listen smtp
# NOTE(review): bound on this node's own address rather than the keepalived VIP (192.168.5.205),
# so SMTP does not follow a failover — confirm this is intended.
bind 192.168.5.206:25 transparent
mode tcp
option tcplog
balance roundrobin
# Connect from the original client address (TPROXY); Exchange then sees the real sender IP, so any
# receive connector whose remote IP range was scoped to the proxy address needs revisiting — verify.
# As with the HTTP backends, reply traffic must route back through this node.
source 0.0.0.0 usesrc clientip
# Health check is a real SMTP EHLO rather than a bare connect.
option smtpchk EHLO mail.mydomain.net
server vm-ex2016-01 192.168.5.181:25 check
server vm-ex2016-02 192.168.5.182:25 check


#2

When using TPROXY you need all reply traffic to go back via HAProxy; this is most usually accomplished by setting the real servers to use the HAProxy host as their default gateway (in a keepalived pair, the VIP rather than a node address, so the return path survives a failover). Because of this it often also requires a two-arm (two-subnet) setup, unless all clients are on an external subnet, as yours are.