Forum Discussion

Andyhud0_5004
Sep 05, 2011

2 Site Exchange 2010 CAS Array - Active/Active with GTM

Hi All

My first post so go easy on me.

I have a conundrum I can't get my head around and would appreciate any thoughts/advice.

Simply put, we have 2 BIG-IPs with GTM, 1 in each of our DataCentres in the US and Europe.

These DataCentres for Exchange 2010 are Active/Active. So we have users accessing their mailboxes in the US DataCentre, and users accessing their mailboxes in the Europe DataCentre.

Both DataCentres are Internet Facing.

So when a user browses to our Exchange 2010 OWA URL they get directed to either the US DataCentre or the Europe DataCentre based on where they are geographically located. Most of the time this is fine.

However, if they travel abroad (say a user goes from Europe to the USA) and then browses to the Exchange 2010 OWA site, they will get the OWA Forms Based page in the US, but their mailbox is homed in Europe.

Now, before you say it, this would be fine, because we can use CAS-CAS Proxying. HOWEVER, we need the Forms Based (fancy White/Yellow) logon page available wherever a user goes. If we switch it off to just Integrated Windows Auth, yes we can have CAS-CAS Proxying, but the user doesn't get the FBA logon page.

When they go back to Europe, and then logon to OWA, they will get the Europe OWA page and as their mailbox is homed in Europe they logon fine.

1. We don't have the WebAccelerator option on our BIG-IPs.

2. Yes, we are SSL offloading OWA/ECP etc.

3. Our GTM directs the user based on their geographic source IP.

4. We need the user to access their mailbox via the pretty FBA logon screen whether they hit the CAS servers in the US DataCentre, or the CAS servers in the Europe DataCentre, regardless of where their actual mailbox is.

I have enabled Integrated Windows Auth in IIS (instead of in the EMC), which leaves FBA enabled, but it didn't work (yes, I removed the External URL and set it to $null).

Any thoughts?

We must have both DataCentres Internet Facing for OWA. If we just have one, yes, problem solved as we can use CAS-CAS Proxy, but that isn't an option unfortunately.

Hope you can help

Thanks

Andy
  • Andy,

    I am assuming you have those two DCs in two different AD sites - that's why you can't use a CAS in the US to send traffic directly to a mailbox in Europe and vice versa.

    We do have a solution for you, but that involves using another module - APM - Access Policy Manager. You can read up on how to set up APM in front of Exchange 2010 in our latest Exchange deployment guide available on f5.com/microsoft. That would be our Exchange remote access proxy setup - pretty much equivalent to Microsoft's own ISA/TMG.

    The premise is that you will authenticate your users on the F5 device, validate them, make the access/load-balancing decision, and then SSO them to the CAS.

    So, the way it would work is that when the user hits either site - US or Europe - we will present them with your own FBA page (which you can customize to look a lot like OWA's own logon page), authenticate them, look up which site their mailbox lives in (via AD query), and then send them to the right CAS pool based upon where their mailbox lives - problem solved!

    This approach (user authentication, mailbox lookup, and then sending the user to the proper CAS array) also works great in the migration scenario, and we've had customers implement it when migrating between different versions of Exchange (2007->2010, 2003->2010, etc.) while preserving a single internet-facing namespace for access (e.g. https://mail.contoso.com).

    Let me know if you have any additional questions.

  • Michael, thanks for your reply.

    Ironically I was lying on the sofa last night thinking about it and I thought "What if I sit a TMG infrastructure in between the BIG-IPs and the CAS servers in each site?"

    That way ALL CAS servers in the org can be on Integrated Auth and not FBA, the FBA can be offloaded to the TMG boxes and I could still SSL offload on the BIG-IPs and re-encrypt back to the TMGs.

    Guess that's the same as your thinking... or APM?

    Thanks

    Andy

    p.s. Sorry Michael, yes, 2 diff AD sites, hence why I need the CAS-CAS Proxy.
  • It's very similar - but I am obviously advocating the APM approach. :)

    APM provides scalability (APM can process up to 600 logons/sec and up to 60,000 concurrent users depending on the platform), performance (you benefit from a single SSL offload and do not need to re-encrypt to TMG), a single point of management, and since APM is just a module, you can turn it on and not worry about provisioning and managing TMG instances to do this.
  • Michael, we are looking to use the single namespace - active/active data center, and APM to query AD and intelligently route users to the appropriate CAS pools. You had mentioned you had a solution for this. I would love to see what kind of APM/irules/etc used to make this work. Would you be able to share them with me or point me to the documentation used to create this design? Thanks in advance.
  • dgroscost,

    Check this video out. I think it uses a similar (if not the same) technique that uses APM to redirect users to the site that contains their mailbox: https://devcentral.f5.com/weblogs/gcoward/archive/2012/06/29/migrating-from-exchange-2007-to-2010-with-access-policy-manager.aspx

    Josh
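The routing decision Michael describes above (authenticate on the BIG-IP, look the user's mailbox up in AD, then send the session to the CAS pool of the site holding the mailbox), which is also the technique in the video Josh links, as an added Python simulation. This is not code from the thread, from F5's APM or from the deployment guide: the directory entries, database names, site names and pool names are constructed, and the AD query itself is replaced by a dictionary lookup. It parses the `homeMDB` DN the way an AD client would have to (honouring backslash-escaped commas), maps the database to a site, and falls back to the landing site's pool when the mailbox cannot be located, so the edge FBA page still works for a user with no mailbox or an unknown database.

```python
"""Constructed simulation of the APM-style routing decision from the thread:
authenticate at the edge, look the user's mailbox up in AD, then steer the
session to the CAS pool of the site that holds the mailbox. Example code only;
the directory entries, database names and pool names are all made up."""
from typing import Dict, List, Optional, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an LDAP DN into (attribute, value) pairs. Backslash-escaped
    characters (RFC 4514) are kept literally, so a comma inside a value
    does not start a new RDN."""
    rdns: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def mailbox_database(home_mdb: str) -> Optional[str]:
    """Return the mailbox database name (the leading CN of the homeMDB DN)."""
    pairs = parse_dn(home_mdb)
    if pairs and pairs[0][0] == "cn" and pairs[0][1]:
        return pairs[0][1]
    return None


def home_mdb_dn(database: str) -> str:
    """Build a homeMDB-style DN for a constructed database (sample data only)."""
    return ("CN=%s,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),"
            "CN=Administrative Groups,CN=Contoso,CN=Microsoft Exchange,"
            "CN=Services,CN=Configuration,DC=contoso,DC=com" % database)


# Constructed: the AD site each mailbox database lives in, and the (assumed)
# CAS pool name serving each site.
DATABASE_SITE = {"DB-US-01": "US", "DB-US-02": "US", "DB-EU-01": "Europe"}
SITE_POOL = {"US": "cas_pool_us", "Europe": "cas_pool_eu"}

# Constructed stand-in for the post-authentication AD query. In the real
# design the lookup is keyed on the identity the access policy has just
# authenticated, never on a name supplied by the client.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "alice": {"homeMDB": home_mdb_dn("DB-EU-01")},       # Europe-homed mailbox
    "bob": {"homeMDB": home_mdb_dn("DB-US-02")},         # US-homed mailbox
    "svc-backup": {},                                    # account with no mailbox
    "carol": {"homeMDB": home_mdb_dn("Legacy\\, DB")},   # escaped comma, unknown DB
}


def choose_cas_pool(user_attrs: Dict[str, str], landing_site: str) -> str:
    """Pick the CAS pool for an authenticated user.

    landing_site is where GTM sent the client (its geographic site). If the
    mailbox cannot be located (no homeMDB, or a database the table does not
    know) we fall back to the landing site's pool rather than failing the
    logon."""
    home_mdb = user_attrs.get("homeMDB")
    database = mailbox_database(home_mdb) if home_mdb else None
    site = DATABASE_SITE.get(database, landing_site) if database else landing_site
    return SITE_POOL[site]


def route_logon(username: str, landing_site: str) -> str:
    """Simulate one logon end to end: AD lookup, then pool choice."""
    attrs = DIRECTORY.get(username, {})
    return choose_cas_pool(attrs, landing_site)


if __name__ == "__main__":
    # The thread's traveller: a Europe-homed user who lands on the US site.
    print("alice landing in US ->", route_logon("alice", "US"))
    print("bob landing in Europe ->", route_logon("bob", "Europe"))
    print("svc-backup landing in Europe ->", route_logon("svc-backup", "Europe"))
```

The `DATABASE_SITE` table is the piece that has to be fed from the Exchange organisation (database to server to AD site) in a real deployment; the point of the simulation is the ordering: authentication first, then a lookup keyed on the authenticated identity, then the pool choice, with a safe fallback when the lookup returns nothing usable.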