Forum Discussion

Aug 11, 2024

APM EWS Remote Connectivity Analyser

Hello

 

Found a strange issue with APM protecting Exchange 2019

 

Deployed configuration using Appendix C: Manual configuration tables from https://www.f5.com/pdf/deployment-guides/microsoft-exchange-2016-dg.pdf

 

Everything is working fine (all required protocols), but the Microsoft Remote Connectivity Analyser https://testconnectivity.microsoft.com/tests/EwsAccess/input shows that Autodiscover and EWS cannot be reached (timeout error)

 

I took a decrypted tcpdump of the traffic from the Remote Connectivity Analyser (RCA) and found that the front-end request (RCA to F5) contains a Basic Authorization header, but the back-end request (F5 to Exchange) does not contain one

 

Front-End request

POST /EWS/Exchange.asmx HTTP/1.1
Content-Type: text/xml; charset=utf-8
Accept: text/xml
User-Agent: ExchangeServicesClient/15.20.7828.000
Accept-Encoding: gzip,deflate
X-RCA-IgnoreCertificateTrust: true
X-ClientStatistics: MessageId=,ResponseTime=99882,SoapAction=GetFolder;
Authorization: Basic BASE64_STRING
Host: exchange.domain.tld
Content-Length: 764
Expect: 100-continue
X-Forwarded-For: 52.109.8.10

 

Back-End request

Header "Authorization: Basic BASE64_HIDDEN_STRING" is missing

Header "APM_session: a63a0c88" is added by the standard iRule from the Exchange deployment guide

POST /EWS/Exchange.asmx HTTP/1.1
Content-Type: text/xml; charset=utf-8
Accept: text/xml
User-Agent: ExchangeServicesClient/15.20.7828.000
X-RCA-IgnoreCertificateTrust: true
X-ClientStatistics: MessageId=,ResponseTime=99882,SoapAction=GetFolder;
Host: exchange.domain.tld
Content-Length: 764
Expect: 100-continue
X-Forwarded-For: 52.109.8.10
APM_session: a63a0c88

HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/10.0
request-id: b9c88db3-461b-427b-9be0-54915949a9e5
X-OWA-Version: 15.2.1544.11
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
X-FEServer: EXCHANGE_SERVER
Date: Fri, 09 Aug 2024 18:38:16 GMT
Content-Length: 0

 

Logs from APM:

Policy result is Allow, so everything should be fine

The VPE item named "App EXCH" contains the SSO Credential Mapping

# grep a63a0c88 /var/log/apm
2024-08-09T21:33:43.488+03:00 bigip01 notice apmd[7113]: 01490115:5: /PARTITION/Exchange_access:PARTITION:a63a0c88: Following rule 'Client for MS Exchange' from item 'Client for MS Exchange' to terminalout 'Client'
2024-08-09T21:33:43.488+03:00 bigip01 notice apmd[7113]: 01490010:5: /PARTITION/Exchange_access:PARTITION:a63a0c88: Username 'domain\test_user'
2024-08-09T21:33:43.507+03:00 bigip01 notice apmd[7113]: 01490115:5: /PARTITION/Exchange_access:PARTITION:a63a0c88: Following rule 'Successful' from item 'AD Auth' to terminalout 'Success'
2024-08-09T21:33:43.516+03:00 bigip01 notice apmd[7113]: 01490115:5: /PARTITION/Exchange_access:PARTITION:a63a0c88: Following rule 'memberOf' from item 'AD Query' to terminalout 'Success'
2024-08-09T21:33:43.517+03:00 bigip01 notice apmd[7113]: 01490009:5: /PARTITION/Exchange_access:PARTITION:a63a0c88: ACL '/PARTITION/Exchange_acl' assigned
2024-08-09T21:33:43.517+03:00 bigip01 notice apmd[7113]: 01490115:5: /PARTITION/Exchange_access:PARTITION:a63a0c88: Following rule 'fallback' from item 'Advanced Resource Assign' to terminalout 'Out'
2024-08-09T21:33:43.517+03:00 bigip01 notice apmd[7113]: 01490005:5: /PARTITION/Exchange_access:PARTITION:a63a0c88: Following rule 'Out' from item 'App EXCH' to ending 'Allow'
2024-08-09T21:33:43.518+03:00 bigip01 notice apmd[7113]: 01490102:5: /PARTITION/Exchange_access:PARTITION:a63a0c88: Access policy result: LTM+APM_Mode
2024-08-09T21:33:43.519+03:00 bigip01 notice apmd[7113]: 01490248:5: /PARTITION/Exchange_access:PARTITION:a63a0c88: Received client info - Hostname:  Type: unknown Version: 0 Platform: unknown CPU: unknown UI Mode: Full Javascript Support: 0 ActiveX Support: 0 Plugin Support: 0

 

APM config:

Exchange profile according to the latest docs. Front-end authorization is Basic and back-end is NTLM, as described on page 113 of the deployment guide

apm profile access /PARTITION/Exchange_access {
    exchange-profile /PARTITION/Exchange_exchange
}
apm profile exchange /PARTITION/Exchange_exchange {
    app-service none
    auto-discover-auth-type basic
    auto-discover-sso-config /PARTITION/Exchange_ntlmv2
    ntlm-auth-name none
    offline-address-book-auth-type basic
    offline-address-book-sso-config /PARTITION/Exchange_ntlmv2
    rpc-over-http-auth-type basic
    rpc-over-http-sso-config none
    web-service-auth-type basic
    web-service-sso-config /PARTITION/Exchange_ntlmv2
    web-service-url /[ae][pw][is]/*
}
apm sso ntlmv2 /PARTITION/Exchange_ntlmv2 {
    ntlm-domain corp.domain.tld
    partition PARTITION
}

 

However, we do not have a BIG-IP NTLM account created in Active Directory. The deployment guide does not instruct us to do this

 

I tried to switch "auto-discover-sso-config", "offline-address-book-sso-config" and "web-service-sso-config" to "none" instead of the ntlmv2 object, but the issue is still there

 

Has anybody had such issues with APM-protected Exchange? Could you please check, and share your Exchange profile with me if your EWS test succeeds?

 

Thanks!
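To make the comparison described in this post repeatable (the same request as captured on the client side and on the server side of the BIG-IP, plus the 401 challenge the server returns), here is an added example in Python. It is not code from the post or from F5. The three captures are constructed to mirror the shape of the excerpts above, with a made-up credential and a documentation IP address, and the helper names (parse_http_message, header_diff, sso_findings and so on) are my own.

```python
import base64
from dataclasses import dataclass

# Constructed samples shaped like the tcpdump excerpts in the post.  The
# credential is a made-up test_user:Passw0rd pair and the client address is a
# documentation IP; nothing here comes from a real capture.
_CREDS = base64.b64encode(b"domain\\test_user:Passw0rd").decode()

FRONT_END_RAW = f"""POST /EWS/Exchange.asmx HTTP/1.1
Content-Type: text/xml; charset=utf-8
Accept: text/xml
User-Agent: ExchangeServicesClient/15.20.7828.000
Accept-Encoding: gzip,deflate
Authorization: Basic {_CREDS}
Host: exchange.domain.tld
Content-Length: 764
X-Forwarded-For: 203.0.113.10

<soap body omitted>"""

BACK_END_RAW = """POST /EWS/Exchange.asmx HTTP/1.1
Content-Type: text/xml; charset=utf-8
User-Agent: ExchangeServicesClient/15.20.7828.000
Host: exchange.domain.tld
Content-Length: 764
X-Forwarded-For: 203.0.113.10
APM_session: a63a0c88

<soap body omitted>"""

RESPONSE_RAW = """HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Content-Length: 0
"""


@dataclass
class HttpMessage:
    start_line: str
    headers: dict  # lowercased header name -> list of values, in wire order


def parse_http_message(raw: str) -> HttpMessage:
    """Parse the head (start line plus headers) of an HTTP/1.1 request or response."""
    lines = raw.strip("\r\n").splitlines()
    headers: dict = {}
    for line in lines[1:]:
        if not line.strip():
            break  # the blank line ends the header block; the body is ignored
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate capture noise that is not a header line
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return HttpMessage(lines[0].strip(), headers)


def header_diff(front: HttpMessage, back: HttpMessage) -> dict:
    """Headers the proxy dropped, added or rewrote between its two sides."""
    f, b = set(front.headers), set(back.headers)
    return {
        "dropped": sorted(f - b),
        "added": sorted(b - f),
        "changed": sorted(n for n in f & b if front.headers[n] != back.headers[n]),
    }


def auth_scheme(msg: HttpMessage):
    """Scheme token of the Authorization header ('Basic', 'NTLM', ...), or None."""
    values = msg.headers.get("authorization")
    return values[0].split(None, 1)[0] if values else None


def offered_schemes(resp: HttpMessage) -> list:
    """Schemes the server advertises in its WWW-Authenticate challenge(s)."""
    return [v.split(None, 1)[0] for v in resp.headers.get("www-authenticate", [])]


def status_code(resp: HttpMessage) -> int:
    return int(resp.start_line.split()[1])


def basic_username(msg: HttpMessage):
    """Username from a Basic credential; the password is deliberately not returned."""
    for value in msg.headers.get("authorization", []):
        scheme, _, token = value.partition(" ")
        if scheme.lower() == "basic":
            decoded = base64.b64decode(token).decode("utf-8", "replace")
            user, _, _password = decoded.partition(":")
            return user
    return None


def sso_findings(front: HttpMessage, back: HttpMessage, resp: HttpMessage) -> list:
    """Plain-language findings about whether the proxy carried authentication upstream."""
    findings = []
    client, upstream, offered = auth_scheme(front), auth_scheme(back), offered_schemes(resp)
    if client and not upstream:
        findings.append(f"client sent {client} credentials but the back-end request carries no Authorization header")
    elif upstream and upstream not in offered:
        findings.append(f"back-end request uses {upstream}, but the server only offers {offered}")
    if status_code(resp) == 401 and not upstream:
        findings.append(f"server replied 401 offering {offered}; the proxy must complete SSO in one of those schemes")
    return findings


def analyze(front_raw=FRONT_END_RAW, back_raw=BACK_END_RAW, resp_raw=RESPONSE_RAW) -> dict:
    front, back, resp = (parse_http_message(r) for r in (front_raw, back_raw, resp_raw))
    return {
        "diff": header_diff(front, back),
        "client_scheme": auth_scheme(front),
        "upstream_scheme": auth_scheme(back),
        "offered": offered_schemes(resp),
        "user": basic_username(front),
        "findings": sso_findings(front, back, resp),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

The diff also reports Accept and Accept-Encoding as dropped, which a proxy may do for its own reasons; the header that matters for this thread is Authorization, and the two findings say that the client's Basic credential did not reach the back end and that the server will only take Negotiate or NTLM, so the device in between has to complete the SSO itself. basic_username returns only the user part so a capture can be triaged without echoing the password anywhere.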

    • Vladimir_Akhmarov

      Nope, the only service is Exchange for this SSO object

       

      If you have an APM policy for Exchange, may I ask you to check EWS health on the Microsoft Remote Connectivity Analyser?

      • Injeyan_Kostas

        I mean other Exchange services except EWS, like OWA for example.

  • Depending on how the username is provided on the login page, the session.logon.last.domain variable might not be set.

    session.logon.last.domain is used by default in the NTLM SSO config.

    As you have AD Auth in the VPE, I would suggest changing the SSO configuration to use session.ad.last.actualdomain as the domain source and trying again.

     

    • Vladimir_Akhmarov

      Unfortunately that did not help me :(

       

      I tried both options:

      1. Use session variable "session.ad.last.actualdomain" for NTLMv2 SSO object. That value exactly matches "ntlm-domain" under apm sso ntlmv2 /PARTITION/Exchange_ntlmv2
      2. Use session.logon.last.domain and set "ntlm-domain" to DOMAIN (NetBIOS domain name) under apm sso ntlmv2 /PARTITION/Exchange_ntlmv2

       

      It seems that something else stops APM from attaching SSO to the back-end request

       

      Moreover, all my tests now show that APM does not send any request to /EWS/Exchange.asmx at all, even after I reverted all the changes. A BIG-IP reboot did not help :)