When using Citrix NetScalers to load balance Exchange services, a question I occasionally receive is: “With the NetScalers in place, my mail works, but my Unity voicemails are not delivered to the Inbox. Why is that?”
Within the Unity management interface, if you Test the connection between Unity and Exchange, you may see a “401: Incorrect service account name or password” error as shown below:
In my experience, customers will have this problem if they point Unity to the same NetScaler Virtual IP (VIP) Address that is load balancing the Exchange CAS servers, in this example 10.11.12.13.
If you read the Citrix NetScaler/Exchange 2013 Deployment Guide released by Citrix, you’ll see the recommended Method and Persistence settings for the OWA/SSL services on page 14 and shown below:
I believe the problem with Unity stems from COOKIEINSERT being set as the Persistence method for the OWA virtual server object. Certainly this configuration works great with Exchange-based SSL services, but it causes a disruption in the interaction with Unity.
To resolve the Unity validation 401 error and allow voicemails to be sent to an Inbox, you will need to create a new virtual server using the following values:
- Name: Unity_Connection_to_Exchange_2013_SSL (or whatever you prefer)
- Protocol: SSL
- Port: 443
- Services: Use the same services in use by the Exchange OWA virtual server (Exchange CAS SSL Services)
- Cert: Same certificate used by Exchange OWA virtual server
- Method: Least Connection
- Persistence: SOURCEIP
With the new virtual server created, return to the Unity configuration page and set the new VIP, in this case 10.11.12.14, and test the connection. You should be good to go at this point if you are load balancing Exchange 2013.
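The virtual server described above, expressed as NetScaler CLI commands (an added example, not from the original post). The service names and the certificate key name are placeholders, since the post does not give them; substitute the ones already bound to your Exchange OWA virtual server.

```netscaler
# Added example. Placeholders (not from the post): svc_exch_cas1_ssl,
# svc_exch_cas2_ssl, exchange_owa_certkey.

# New SSL virtual server on the second VIP: Least Connection + SOURCEIP persistence
add lb vserver Unity_Connection_to_Exchange_2013_SSL SSL 10.11.12.14 443 -lbMethod LEASTCONNECTION -persistenceType SOURCEIP

# Bind the same Exchange CAS SSL services the OWA virtual server uses
bind lb vserver Unity_Connection_to_Exchange_2013_SSL svc_exch_cas1_ssl
bind lb vserver Unity_Connection_to_Exchange_2013_SSL svc_exch_cas2_ssl

# Bind the same certificate the OWA virtual server presents
bind ssl vserver Unity_Connection_to_Exchange_2013_SSL -certkeyName exchange_owa_certkey

# Confirm method, persistence and bound services, then persist the config
show lb vserver Unity_Connection_to_Exchange_2013_SSL
save ns config
```

The existing OWA virtual server on 10.11.12.13 is left untouched, so browser clients keep COOKIEINSERT persistence while Unity uses the SOURCEIP virtual server.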
If you are load balancing Exchange 2010, you’ll still need an additional VIP, but the virtual server needs to be set up a little differently: I’ve had to set the Protocol to TCP and the Port to *.