Front-end Tier
All the nodes from the front-end tier must have one or more proxy/routing services enabled, with service authentication and connection/message routing set via the solution's LDAP service.
Axigen Installation
The Axigen package must be installed normally, according to the platform-specific instructions. When configuring it with the Axigen Configuration Wizard after the installation process finishes successfully, do not select the IMAP, POP3, and WebMail services for configuration, as they will be disabled in favor of their proxy counterparts, which will be enabled and configured from the WebAdmin interface. Thus, after the Axigen Configuration Wizard completes successfully, only the CLI, WebAdmin and SMTP protocol services will be enabled.
LDAP Mapping
Before configuring the proxy and routing services, an LDAP connector must first be set up. To do this, from the WebAdmin interface, add an LDAP connector by expanding the Clustering left menu and clicking on the Clustering setup option. In the LDAP Connectors tab, press the + Add connector button and fill in the fields as follows.
The LDAP Connector name field must contain the name of the clustered LDAP failover domain tag from the back-end tier, for example ldap or ldap1 if you are using multiple OpenLDAP instances.
The LDAP Server Parameters panel must also be configured with the OpenLDAP failover floating IP address or its corresponding DNS host name. The standard port for plain connections to the OpenLDAP server is 389 and the standard LDAP over SSL port is 636.
Select the Server type as OpenLDAP and check the Enable Clustered Operations option. The rest of the connectivity and synchronization parameters depend on your setup.
In the LDAP Search Parameters panel, select the Use Administrative DN option, and fill in the OpenLDAP server administrator DN, which will also be used for provisioning write operations. The Account Base DN parameter specifies the scope in which the searches are performed. Finally, the Hostname attribute must be set to axiHost, defined in the axigen custom schema file you have installed in OpenLDAP.
Depending on your setup, other parameters from the LDAP connector configuration may be set. Please tune this configuration according to your needs.
Press the Quick Add button to complete adding the LDAP connector and then define a user map which will point to this connector. Switch to the User Maps tab and press the + Add User Map button. Name it accordingly, select the LDAP Bind option from the User Map type drop-down list, and then select the LDAP connector you have defined earlier from the next drop-down list.
With an LDAP connector and a user map in place, you can now configure the user authentication from the Routing and Authentication tab, by selecting LDAP Bind and the corresponding user map from the Authentication Type (applies to all services) panel.
In the Routing panel, select the corresponding user map for the Route / redirect proxy request through User Map and Enable SMTP routing through User Map options.
At the end, save the configuration to finish the setup.
Here is an example of LDAP connector and its corresponding user map, according to specific data from the back-end setup:
- LDAP Connector
  - LDAP Connector name: ldap
  - LDAP Server Parameters
    - IP / Hostname: ldap.cl.axilab.local
    - Port: 389
  - Server type: OpenLDAP
  - Enable Clustered Operations: [x]
  - Synchronization direction: Axigen to LDAP
  - LDAP Search Parameters
    - Use Administrative DN: (*)
      - Admin DN: cn=admin,dc=domains
      - Admin DN Password: secret
    - Account base DN: ou=Users,o=%d,dc=domains
    - Enable Group Synchronization: [x]
      - Group base DN: ou=Groups,o=%d,dc=domains
  - LDAP Routing Configuration
    - Hostname attribute: axiHost
- User Map
  - User Map name: usermap-ldap
  - User Map type:
    - LDAP Bind
    - ldap
- Routing and Authentication
  - Authentication Type (applies to all services)
    - Perform LDAP Bind authentication using: usermap-ldap
  - Routing
    - Route / redirect proxy request through User Map: usermap-ldap
    - [x] Enable SMTP routing through User Map: usermap-ldap
Proxy Services
Each needed proxy service must have its listener configured with the front-end node's IP address (or 0.0.0.0 if you want Axigen to listen to all available interfaces) and with the standard port corresponding to each service:
- POP plain: 110
- POP over SSL: 995
- IMAP plain: 143
- IMAP over SSL: 993
- WebMail plain: 80 (standard HTTP port)
- WebMail over SSL: 443 (standard HTTPS port)
Other settings for each of the proxy services may also apply, according to your specific policies.
When you finish configuring the proxy services, you can enable them from the Services Management option found in the Services menu on the left side of the WebAdmin interface.
SMTP Routing
Because the SMTP routing has already been set previously, no special configuration must be applied to this service, except that the SMTP Receiving and SMTP Sending services must be enabled and configured according to your specific organization policies.
Load Balancer
Using a known configurable scheduling algorithm, the load balancer distributes the connections from the outside (corporate local network or Internet) to the front-end tier. For this reason, the load balancer must have at least one IP address accessible from the outside, and another IP address visible to the nodes in the front-end tier.
Configuring the load balancer will be performed according to product documentation and only generic configuration guidelines will be covered in this document.
In order to achieve high availability in this tier, a second load balancer must be installed in either an active/active or an active/passive setup, depending on the load balancer's capabilities. Please consult the load balancer configuration for configuring a highly available setup.
For each Axigen messaging service (IMAP, POP3, WebMail, SMTP), a load balanced counterpart must be configured to point to all Axigen proxy nodes from the front-end tier, using the scheduling algorithm suitable for your scenario. If required and supported by the load balancer, the SSL services may also be configured accordingly, similar to their plain counterparts.
If all the nodes in the front-end tier have identical hardware performance, the 'least-connection' scheduling algorithm will suffice. If, however, the hardware differs, a 'weighted least-connection' scheduling algorithm must be used to ensure a uniform load on the front-end nodes.
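The difference between the two scheduling algorithms can be seen in a small simulation, added here as an illustration; it is not Axigen or load balancer vendor code. The node names fe1 to fe3, their weights, and the rule that a weight of 0 drains a node are assumptions, and connection teardown is not modelled.

```python
from dataclasses import dataclass

@dataclass
class Node:
    name: str         # hypothetical front-end node name
    weight: int = 1   # relative capacity; 0 = drained (assumption)
    active: int = 0   # currently open connections

def least_conn(nodes):
    """Pick the node with the fewest open connections, ignoring capacity."""
    return min(nodes, key=lambda n: n.active)

def weighted_least_conn(nodes):
    """Pick the node with the lowest connections-per-weight ratio."""
    eligible = [n for n in nodes if n.weight > 0]
    if not eligible:
        raise RuntimeError("no front-end node accepts new connections")
    return min(eligible, key=lambda n: n.active / n.weight)

def simulate(nodes, picker, connections):
    """Open `connections` sessions one by one and return the final spread."""
    for n in nodes:
        n.active = 0
    for _ in range(connections):
        picker(nodes).active += 1
    return {n.name: n.active for n in nodes}

def relative_load(nodes):
    """Connections per unit of capacity; equal values mean uniform load."""
    return {n.name: n.active / n.weight for n in nodes if n.weight > 0}

def sample_tier():
    # Constructed sample: fe3 has twice the capacity of fe1 and fe2.
    return [Node("fe1", 1), Node("fe2", 1), Node("fe3", 2)]

if __name__ == "__main__":
    tier = sample_tier()
    for picker in (least_conn, weighted_least_conn):
        spread = simulate(tier, picker, 400)
        print(picker.__name__, spread, relative_load(tier))
```

With plain least-connection the larger node ends up with about the same number of sessions as the smaller ones, so the smaller nodes carry twice the relative load; the weighted variant evens out the load per unit of capacity.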