Forum Discussion
APM Policy Selection Based on URI
I'm working with Outlook Web Access and ActiveSync on 2010 SP3 Exchange servers via APM. I've got OWA working using one access policy and ActiveSync working using a different policy. The main difference being that the ActiveSync policy has no webtop or portal access (no resources) assigned. There is a pool that is specified on the APM VS. I thought the _sys_apm iRule would sort out the clientless_mode stuff and I could use the same policy that I use for OWA and ActiveSync but it doesn't work. Is there a way to choose a certain access policy via an iRule based on the URI? So if it sees /Microsoft-Server-ActiveSync it will use the ActiveSync policy? Thanks.
8 Replies
- Kevin_Stewart
Employee
First, did you create this configuration with the iApp? You may have missed some steps. The iRule should definitely support your use case.
In lieu of that, or if you're doing something different than the iApp-based deployment, you can technically switch between access policies, but you have to do so through a "layered" VIP architecture. Essentially, you have an LTM VIP in front of two internal APM VIPs that terminates the client side SSL and sports an iRule that switches between the internal APM VIPs using the virtual command.
Before taking that path though, please review your configuration and/or build a separate iApp-based config and compare the two.
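The layered-VIP switching described in the reply above, sketched as an added example that is not part of the original thread or F5's own code. The virtual server names `/Common/apm_activesync_vs` and `/Common/apm_owa_vs` are hypothetical; each is assumed to be an internal APM virtual server with its own access policy, and the iRule is assumed to sit on the front LTM virtual server that terminates client-side SSL.

```tcl
# Added example: attach to the front LTM virtual server
# (client SSL profile + HTTP profile, no access policy of its own).
when HTTP_REQUEST {
    # Match on the path only, lowercased, so case variations and
    # query strings do not change which policy is selected.
    switch -glob [string tolower [HTTP::path]] {
        "/microsoft-server-activesync*" {
            # Hypothetical internal APM VIP carrying the ActiveSync policy
            virtual /Common/apm_activesync_vs
        }
        default {
            # Hypothetical internal APM VIP carrying the OWA policy
            virtual /Common/apm_owa_vs
        }
    }
}
```

Keep the two internal virtual servers unreachable from client networks so the front iRule is the only path that selects a policy.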
- ipman_1988_5418
Nimbostratus
Well, reading through the deployment guide, it mentions that if you already have nodes defined with your CAS server IP addresses that you named, they will have to be deleted so the iApp can create them. Well, this is in production so I can't remove any of the existing CAS config on the LTM to try the iApp.
From the doc: "If you have existing, manually created Node objects on the BIG-IP system and given these nodes a name, you cannot use the IP addresses for those nodes when configuring the iApp. You must first manually delete those nodes and re-add them without a name, or delete the nodes and let the iApp automatically create them."
- Kevin_Stewart
Employee
When you created the pools and added the nodes, did you give them arbitrary names (other than their default IP:port)? If you didn't, then you shouldn't have a problem using the iApp.
Worst case, run the iApp and just make up some node IPs. The whole point is to compare the two configurations.
- ipman_1988_5418
Nimbostratus
I can give this a try. One question I had when trying this previously was, in the iApp it asks for the deployment scenario. I have APM/LTM on the same box so I choose the option that says "Big-IP APM will provide secure remote access to CAS".
Then further down in the template it asks "What is the virtual IP address on the remote BIG-IP system to which you will forward traffic?"
Now this field is apparently required so I need another virtual on this same LTM referencing my CAS pool?
- ipman_1988_5418
Nimbostratus
Or should I be using the deployment option "Big-IP LTM will receive HTTP-based CAS traffic forwarded by a Big-IP APM" ?
- ipman_1988_5418
Nimbostratus
This is the template I'm using and it only has three deployment scenarios. I don't see where any of these apply to using APM and LTM on the same appliance based on the questions that I'm being prompted with for each one.
f5.microsoft_exchange_2010_2013_cas.v1.3.0
  - Big-IP will load balance and optimize CAS traffic (doesn't ask about any APM parameters)
  - Big-IP LTM will receive HTTP-based CAS traffic forwarded by a Big-IP APM (doesn't ask about any APM parameters)
  - Big-IP APM will provide secure remote access to CAS (asks for all APM parameters for AAA servers, but then asks what the remote IP is of the LTM to forward traffic to as I mentioned above)
- ipman_1988_5418
Nimbostratus
I think I got this working without the iApp. I just needed to create a branch rule in my policy to determine if it's an ActiveSync client coming in and bypass the resource assign stuff. Seems to be working now for OWA and ActiveSync. I'll keep testing :)
- David_Glasgow_1
Nimbostratus
Hi, could you expand on the branch rule you used in your policy to determine if it's an ActiveSync client?
Thanks, David