Forum Discussion
APM EWS Remote Connectivity Analyser
Hello
Found a strange issue with APM protecting Exchange 2019.
Deployed the configuration using Appendix C: Manual configuration tables from https://www.f5.com/pdf/deployment-guides/microsoft-exchange-2016-dg.pdf
Everything is working fine (all required protocols). But Microsoft Remote Connectivity Analyser https://testconnectivity.microsoft.com/tests/EwsAccess/input shows that Autodiscovery and EWS cannot be reached (timeout error).
I took a decrypted tcpdump of the traffic from Remote Connectivity Analyser (RCA) and found that the front-end request (RCA-F5) contains a Basic Authorization header, but the back-end request (F5-Exchange) does not contain one.
Front-End request
POST /EWS/Exchange.asmx HTTP/1.1
Content-Type: text/xml; charset=utf-8
Accept: text/xml
User-Agent: ExchangeServicesClient/15.20.7828.000
Accept-Encoding: gzip,deflate
X-RCA-IgnoreCertificateTrust: true
X-ClientStatistics: MessageId=,ResponseTime=99882,SoapAction=GetFolder;
Authorization: Basic BASE64_STRING
Host: exchange.domain.tld
Content-Length: 764
Expect: 100-continue
X-Forwarded-For: 52.109.8.10
Back-End request
Header "Authorization: Basic BASE64_HIDDEN_STRING" is missing.
Header "APM_session: a63a0c88" is added by the standard iRule from the Exchange deployment guide.
POST /EWS/Exchange.asmx HTTP/1.1
Content-Type: text/xml; charset=utf-8
Accept: text/xml
User-Agent: ExchangeServicesClient/15.20.7828.000
X-RCA-IgnoreCertificateTrust: true
X-ClientStatistics: MessageId=,ResponseTime=99882,SoapAction=GetFolder;
Host: exchange.domain.tld
Content-Length: 764
Expect: 100-continue
X-Forwarded-For: 52.109.8.10
APM_session: a63a0c88
HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/10.0
request-id: b9c88db3-461b-427b-9be0-54915949a9e5
X-OWA-Version: 15.2.1544.11
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
X-FEServer: EXCHANGE_SERVER
Date: Fri, 09 Aug 2024 18:38:16 GMT
Content-Length: 0
Logs from APM:
Policy result is allow, so everything should be fine.
The VPE named "App EXCH" contains SSO credential mapping.
# grep a63a0c88 /var/log/apm
2024-08-09T21:33:43.488+03:00 bigip01 notice apmd[7113]: 01490115:5: /PARTITION/Exchange_access:PARTITION:a63a0c88: Following rule 'Client for MS Exchange' from item 'Client for MS Exchange' to terminalout 'Client'
2024-08-09T21:33:43.488+03:00 bigip01 notice apmd[7113]: 01490010:5: /PARTITION/Exchange_access:PARTITION:a63a0c88: Username 'domain\test_user'
2024-08-09T21:33:43.507+03:00 bigip01 notice apmd[7113]: 01490115:5: /PARTITION/Exchange_access:PARTITION:a63a0c88: Following rule 'Successful' from item 'AD Auth' to terminalout 'Success'
2024-08-09T21:33:43.516+03:00 bigip01 notice apmd[7113]: 01490115:5: /PARTITION/Exchange_access:PARTITION:a63a0c88: Following rule 'memberOf' from item 'AD Query' to terminalout 'Success'
2024-08-09T21:33:43.517+03:00 bigip01 notice apmd[7113]: 01490009:5: /PARTITION/Exchange_access:PARTITION:a63a0c88: ACL '/PARTITION/Exchange_acl' assigned
2024-08-09T21:33:43.517+03:00 bigip01 notice apmd[7113]: 01490115:5: /PARTITION/Exchange_access:PARTITION:a63a0c88: Following rule 'fallback' from item 'Advanced Resource Assign' to terminalout 'Out'
2024-08-09T21:33:43.517+03:00 bigip01 notice apmd[7113]: 01490005:5: /PARTITION/Exchange_access:PARTITION:a63a0c88: Following rule 'Out' from item 'App EXCH' to ending 'Allow'
2024-08-09T21:33:43.518+03:00 bigip01 notice apmd[7113]: 01490102:5: /PARTITION/Exchange_access:PARTITION:a63a0c88: Access policy result: LTM+APM_Mode
2024-08-09T21:33:43.519+03:00 bigip01 notice apmd[7113]: 01490248:5: /PARTITION/Exchange_access:PARTITION:a63a0c88: Received client info - Hostname: Type: unknown Version: 0 Platform: unknown CPU: unknown UI Mode: Full Javascript Support: 0 ActiveX Support: 0 Plugin Support: 0
APM config:
Exchange profile according to the latest docs. Front-end authorization is Basic and back-end is NTLM, as described on page 113 of the deployment guide.
apm profile access /PARTITION/Exchange_access {
exchange-profile /PARTITION/Exchange_exchange
}
apm profile exchange /PARTITION/Exchange_exchange {
app-service none
auto-discover-auth-type basic
auto-discover-sso-config /PARTITION/Exchange_ntlmv2
ntlm-auth-name none
offline-address-book-auth-type basic
offline-address-book-sso-config /PARTITION/Exchange_ntlmv2
rpc-over-http-auth-type basic
rpc-over-http-sso-config none
web-service-auth-type basic
web-service-sso-config /PARTITION/Exchange_ntlmv2
web-service-url /[ae][pw][is]/*
}
apm sso ntlmv2 /PARTITION/Exchange_ntlmv2 {
ntlm-domain corp.domain.tld
partition PARTITION
}
However, we do not have a BIG-IP NTLM account created in Active Directory. The deployment guide does not instruct us to do this.
I tried switching "auto-discover-sso-config", "offline-address-book-sso-config" and "web-service-sso-config" to "none" instead of the ntlmv2 object, but the issue is still there.
Has anybody had such issues with APM-protected Exchange? Could you please check and share your Exchange profile with me if your EWS test succeeds?
Thanks!
Depending on how the username is provided on the login page, the session.logon.last.domain variable might not be set.
session.logon.last.domain is used by default in the NTLM SSO config.
As you have AD Auth in the VPE, I would suggest changing the SSO configuration to use session.ad.last.actualdomain as the domain source and trying again.
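A small check that goes with the header comparison the original poster made and the domain-source point raised above, added here as an illustration and not code from the thread or from F5: it diffs the header sets of a front-end and a back-end request and classifies how the client supplied the username in Basic auth (domain\user, UPN or bare), since that determines whether an SSO config keyed on session.logon.last.domain has a domain to work with. The requests, credentials and session id are constructed; the real values were redacted in the post.

```python
import base64
import re

# Constructed sample requests modelled on the captures in the thread.
def make_front_end(user, password="Passw0rd"):
    """Build a front-end EWS request carrying Basic auth for the given username."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return (
        "POST /EWS/Exchange.asmx HTTP/1.1\n"
        "Content-Type: text/xml; charset=utf-8\n"
        "User-Agent: ExchangeServicesClient/15.20.7828.000\n"
        f"Authorization: Basic {token}\n"
        "Host: exchange.domain.tld\n"
        "Expect: 100-continue\n"
    )

BACK_END = (
    "POST /EWS/Exchange.asmx HTTP/1.1\n"
    "Content-Type: text/xml; charset=utf-8\n"
    "User-Agent: ExchangeServicesClient/15.20.7828.000\n"
    "Host: exchange.domain.tld\n"
    "Expect: 100-continue\n"
    "APM_session: a63a0c88\n"  # constructed session id, as in the thread
)

def parse_headers(raw):
    """Return {lower-cased name: value} for a raw HTTP request; request line skipped."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def diff_headers(front, back):
    """Headers dropped on the way to the back end, and headers the proxy added."""
    f, b = parse_headers(front), parse_headers(back)
    return {"dropped": sorted(set(f) - set(b)), "added": sorted(set(b) - set(f))}

def logon_form(front):
    """Classify the Basic-auth username: ('domain\\user', dom), ('upn', dom) or ('bare', None)."""
    m = re.match(r"Basic\s+(\S+)", parse_headers(front).get("authorization", ""), re.I)
    if not m:
        return None
    user = base64.b64decode(m.group(1)).decode("utf-8", "replace").split(":", 1)[0]
    if "\\" in user:
        return ("domain\\user", user.split("\\", 1)[0])
    if "@" in user:
        return ("upn", user.split("@", 1)[1])
    return ("bare", None)
```

Run logon_form on the decrypted front-end capture: a "bare" result means no domain reached APM from the client, which is the case the reply above addresses.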
Unfortunately that did not help me :(
I tried both options:
- Use the session variable "session.ad.last.actualdomain" for the NTLMv2 SSO object. That value exactly matches "ntlm-domain" under apm sso ntlmv2 /PARTITION/Exchange_ntlmv2
- Use session.logon.last.domain and set "ntlm-domain" to DOMAIN (NetBIOS domain name) under apm sso ntlmv2 /PARTITION/Exchange_ntlmv2
It seems that something else stops APM from attaching SSO to the back-end request.
Moreover, all my tests now show that APM does not send any request to /EWS/Exchange.asmx at all, even after I reverted all the changes. A BIG-IP reboot did not help :)
Are you using the same sso for the other services?
Does it work there?
Nope, Exchange is the only service for this SSO object.
If you have an APM policy for Exchange, may I ask you to check EWS health on Microsoft Remote Connectivity Analyser?
I mean other Exchange services other than EWS, like OWA for example.