APM VIP with exchange servers and NTLM authentication

Question

I used the exchange 2016 iApp ( latest version) to setup one VIP with all services behind it.

The problem is that /mapi* should be with NTLM authentication, but rest of it like /owa is using basic authentication.

Right now the policy is setup with logon page -> LDAP Authentication -> SSO credential mapping - Allow

Pretty standard. The question is, could I insert upfront logon page NTLM check based on URI ?

Something like this :

and iRule , if needed :

when HTTP_REQUEST {

if { [HTTP::uri] starts_with "/mapi" } {

ECA::enable

ECA::select select_ntlm:/Common/ntlm-auth-exchange-2016

} else {

ECA::disable

}

youssef1 · Answer

Hello Kaloyan,&nbsp;Did you use an Exchange profile?Because you can easly set frontend Authentification and SSO by URL/Service:&nbsp;&nbsp;&nbsp;Regards&nbsp;&nbsp;

kaloyan · Answer

Hi youssef,yes, I have exchange profile.Can I borrow one of the predefined Service Settings and add /mapi* instead of /ews* for example ? And probably will need to add SSO Configuration with Kerberos for NTLM ? Should I change the policy as well with some NTLM checks ?Do I need this ECA enabled on the VIP ? So many questions :)

Forum Discussion

APM VIP with exchange servers and NTLM authentication

2 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

VIP in https that redirect to another vip in https

VIP is not responding on SYN after enabling other modules like ASM, APM and AFM.

Unblock Request WAF

F5OS login with admin/root failed via console

TLS handshake failure from BIG-IP to backend – Fatal Alert: Decode Error (Server SSL)

Related Content

Kerberos Authentication Failing for Exchange 2016 Behind F5 Cloud WAF

RADIUS server authenticating user with Google Authenticator

Simple HTTP Authentication server

Microsoft Exchange Server

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS