
ckteur_147055
Jun 26, 2014

Connection problem Exchange CAS with iApp configuration

Hi,

I deployed the Exchange CAS 2013 configuration with the iApp 1.3.0; the configuration is optimized by default, but for example when I try to join my OWA VIP, the web browser tries to load the page (Website found, waiting for reply) but finally the connection fails. The server is OK because it is ready when I join it directly. Yet, with tcpdump, I see the flow from client to server behind the VIP and the server responds to the client.

Another thing: I have a second configuration (manual, no iApp) where I just configured an HTTPS VIP with a pool which contains the same server (but no SSL client profile, HTTP profile, iRule combined HTTPS, etc.) and it is also ready!

My iApp config: CAS2013 / Incoming client traffic: encrypted / Re-encrypt to CAS: No (SSL offload) / SSL profile with good certificate and key associated / LAN optimized client profile / Different subnet between VS & CAS / Use BIG-IP default GW / Single IP for all connections / Same set of CAS for services / One FQDN

So there are: HTTP profile, web acceleration caching profile, OneConnect profile, SSL client profile, iRule for combined pool

Any idea why it is not ready with the iApp configuration? I think SSL offload is not configured on the server, but when I deactivate all profiles it is also not ready .....

????

 

Thanks

 

4 Replies

  • Check that the FQDN setting in the iApp is set correctly as per the Exchange setup. Do a tcpdump and capture the traffic on both sides of the f5. Check what happens - see whether you get the response from the server and whether there are TCP Resets, redirects and 404s.
  • Thanks Peter, after a good night and reading your answer, I just thought I tried to join the VIP with the IP address (not FQDN) ... I think it is incorrect with the SSL profile.... I'll try it.
  • Ok .... The Exchange expert in my team finally tells me there is no need for SSL offload because it is the Exchange server which decrypts the client flow; the BIG-IP is just passthrough .....

    So, I don't need an SSL client profile, right?

    But my problem is to use one VS with several services (OWA, OA, ActiveSync etc.); in this case I use an iRule which redirects to the right pool after reading the HTTP header, so I'm obliged to use an HTTP profile with the iRule, and since my VIP is HTTPS, is it possible to use an HTTP profile with HTTPS without an SSL profile??

    Thanks.

  • Ok, finally it is the same issue with the FQDN. But I am stopping for the moment because, finally, the BIG-IP is not terminating the SSL session ... it is on the Exchange CAS server.