Ensuring your Proxy server can scale to handle Office 365 traffic

Proxy servers are often in place at customer sites, happily ticking away handling Internet traffic for years before Office 365 came along. Since Office 365 generally travels over port 443 (for Outlook and SharePoint at least), what is there to think about? Your proxy can handle this like any other SSL traffic, right?

Well, yes, technically speaking this is indeed the case, but one thing you need to consider is the way Office 365 connects: it uses multiple, long-lived connections. This is not the same as normal web browsing, where sessions tend to be multiple but not long-lived; they are generally torn down once the page is loaded or finished with. The Office 365 connections also aren't all going to the same remote IP address. So we have to take into account both that each user will be using more TCP sessions than previously and that some of those sessions will be kept open for an extended period of time (e.g. Outlook connections).

This article outlines the expected number of TCP connections for older versions of Outlook. You can see in the table below that in Cached mode 8 connections per client are possible. I've seen more than this when you add multiple mailboxes and calendars (think of your exec PAs). Generally the newer versions of Outlook use a lower number of connections as they are designed with the cloud in mind, but again, power users can push the number of connections above the norm.

 

Let's take an example: Contoso has a single proxy with a single IP, which has been working fine for years. They introduce Office 365 gradually for 6000 clients, including Outlook and SharePoint.

Whilst the proxy server is able to cope with the load at present, it is presenting itself to Office 365 via a single IP address.

Using the calculations outlined in this article, we believe an absolute maximum of 6000 clients can be supported by the current setup, although I would err on the side of caution and estimate this to be nearer 4000. The limit stems from the number of ephemeral ports available to connect to Office 365. Outlook can, and does, open many connections per user.

  • Maximum supported devices behind a single public IP address = (64,000 – restricted ports)/(Peak port consumption + peak factor)
  • For instance, if 4,000 ports were restricted for use by Windows and 6 ports were needed per device with a peak factor of 4:
  • Maximum supported devices behind a single public IP address = (64,000 – 4,000)/(6 + 4) = 6,000

So Contoso would find that with 6000 clients running Outlook 2007, not only would Office 365 connections start to fail at random as they approached the limit, but general Internet connections would also start to fail as there are no resources available, and the proxy would be under enormous load. This is because the normal Internet traffic is going through the proxy and we're using many thousands of long-lasting connections to Office 365, all from a single IP. Using a more modern Outlook client may give you some more leeway in this scenario, but you're still sailing close to the wind with the proxy's limitations when handling Outlook and SharePoint plus normal web traffic.
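The sizing formula above, generalised to a mixed client population (for example delegates at the 8 cached-mode connections mentioned earlier), together with a check of outbound sockets per egress IP against the same port budget. This is an added example, not code from the original article; the `ss -tan` style input, the proxy listener port 8080 and the 80% warning threshold are assumptions, and the sample lines are constructed.

```python
import math
from collections import Counter

TOTAL_PORTS = 64_000  # per-IP port figure used in the formula above

def max_devices_per_ip(restricted, peak_ports, peak_factor):
    """The article's formula for one public IP."""
    return (TOTAL_PORTS - restricted) // (peak_ports + peak_factor)

def egress_ips_needed(groups, restricted, peak_factor):
    """Generalisation: groups is [(device_count, peak_ports_per_device), ...]."""
    demand = sum(count * (ports + peak_factor) for count, ports in groups)
    return math.ceil(demand / (TOTAL_PORTS - restricted))

def ports_in_use(ss_lines, listener_ports=frozenset({"8080"})):
    """Count outbound sockets per local IP from `ss -tan` style lines.

    Sockets on the proxy's own listener port (assumed 8080 here) are
    client-facing and do not consume outbound source ports, so skip them.
    """
    used = Counter()
    for line in ss_lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] in ("State", "LISTEN"):
            continue
        local_ip, _, local_port = fields[3].rpartition(":")
        if local_port not in listener_ports:
            used[local_ip] += 1
    return used

def near_exhaustion(used, restricted, warn_pct=80):
    """Return {ip: percent of port budget used} for IPs at or above warn_pct."""
    budget = TOTAL_PORTS - restricted
    return {ip: n * 100 // budget for ip, n in used.items()
            if n * 100 >= budget * warn_pct}

# Constructed sample (documentation address ranges), not captured from a real proxy.
SAMPLE = """State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 10.0.0.5:8080 0.0.0.0:*
ESTAB 0 0 10.0.0.5:8080 10.0.1.23:51514
ESTAB 0 0 203.0.113.10:40112 198.51.100.7:443
ESTAB 0 0 203.0.113.10:40113 198.51.100.7:443
TIME-WAIT 0 0 203.0.113.10:40114 198.51.100.9:443""".splitlines()

if __name__ == "__main__":
    print(max_devices_per_ip(4000, 6, 4))
    print(egress_ips_needed([(5500, 6), (500, 8)], 4000, 4))
    print(dict(ports_in_use(SAMPLE)))
```

With the article's figures, moving just 500 of the 6000 clients to 8 connections each pushes the requirement from one egress IP to two.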

Although Microsoft recommends that a proxy is not used and that Office 365 traffic is sent direct, both because of this and because of performance concerns, we are aware this is not an easy solution for many customers who prefer to use a proxy.

The article below outlines a solution to this problem by segmenting the network to multiple proxies. Another option might be to load balance multiple proxies; however, the load balancer would have to ensure stickiness to the client, as every connection from Outlook to Office 365 needs to come from a single IP. Update: Stickiness is no longer required now we've removed HTTPS/RPC from use (unless you're on Outlook 2007, and then you've only got till October: https://support.microsoft.com/en-au/help/3201590/rpc-over-http-deprecated-in-office-365-on-october-31,-2017).

https://technet.microsoft.com/en-us/library/hh852542.aspx

So in summary, it's wise to check how many clients you've got connecting to Office 365 and ensure you have enough proxies, and enough IP addresses on those proxies, to scale to the number of ports required whilst still efficiently serving normal Internet traffic. Don't presume your faithful old proxy is going to be able to handle the load, and the new type of long-standing TCP connections that Office 365 uses, alongside its normal handling of other web traffic.

Comments

  • Anonymous
    January 01, 2003
    Hi Ryan, thanks for the feedback. I covered that at the start of the article where I talk about multiple connections caused by opening other calendars/mailboxes. This is the sort of thing I normally see with exec PAs.
  • Anonymous
    June 30, 2014
    Great article, thanks for putting this out. FYI, we have found in EXO 2013 that if users are opening other EXO MBXs, Calendars, etc that additional connections are seen. In infrastructures with a single Proxy and many people using Delegation, the Proxy could run out of the 65535 connections and either not allow the connection or wait until another connection opens up, making the Outlook operation very slow. Maybe you could put in a blurb around this, regarding opening OTHER EXO resources and the additional connections needed to make this work and make sure your Proxy can handle ALL the Outlook connections for ALL the EXO users. THANKS!
  • Anonymous
    October 26, 2015
    Actually there would only be about 64k of ports available and less than that depending on the firewall and its config if there was one in front of your proxy.
  • Anonymous
    February 05, 2016
    The new link for NAT support in Office 365: https://support.office.com/en-us/article/NAT-support-with-Office-365-170e96ea-d65d-4e51-acac-1de56abe39b9
    • Anonymous
      April 20, 2017
      Thanks for the updated link