Forum Discussion

ca689_1627's avatar
Icon for Nimbostratus rankNimbostratus
Sep 23, 2011

Exchange 2010 and APM objects

Hello all.



We currently have a single set of LTM virtual server objects set up (created byt he Exchange 2010 template) to provide load balancing for our mutli-member CAS Array. This works great for internal and external users using Outlook Web App.



Now... we need to configure APM access policies to authenticate external users. My questions are as follows:



1. Do we apply the set of APM objects to the existing virtual server that is currently used for both internal and external access?


2. Do we leave the existing virtual server alone, use it for our internal users, and create a new virtual server for our external users and apply APM access policies to that?


3. If 2, would the pool member simply be a single object pointing to the existing virtual server?



Any other ideas or recommendations on what we're trying to accomplish? Any help would be much appreciated.

8 Replies

  • Best practice would be to enable APM functionality on a separate virtual server and use split DNS. That is, if currently your users go to, then you'd want to setup that name to resolve to your existing VIP internally and to your newly-created VIP externally. By deploying this you avoid any potential negative interactions with Autodiscover and Kerberos authentication issues internally, conserve APM resources to protect access only for untrusted(external) access, and completely separate internal and external configuration for ease of troubleshooting, change management, and administration.



    Regarding 3, I'd still recommend doing your own load-balancing for external users - remember that load-balancing happens on the pool level, not on the virtual server level - so if you point your newly-created virtual server to the same pool of CAS servers, the same load-balancing and metrics would be used - no need to point it to the virtual on the same LTM, it will only slow down the communication process - and you don't want to do that. :)



    Hope this works out for you, and please post your feedback on the solution and any further questions that you might have.



    We've configured the environment with spilt DNS. Things are somewhat working. here's what we are seeing:



    1. Internal OWA connections seem to be ok for users with mailboxes moved from EX2003 to EX2010.


    2. Internal OWA connections for users with mailboxes on EX2003 get two logons; one for the F5 and one for legacy OWA.


    3. There's this wierd F5 search box showing up at the top of all our windows after logging in through the F5


    4. External OWA connections are hitting the external VIP then authenticating through the APM then hitting the internal VIP; we could only get this to work if the pool member of the external VIP is a single object pointing to the internal VIP. Does this mean our external connections are NOT load balanced?



    Another question somewhat unrelated is the prospect of simply doing reverse proxy on the external connection as opposed to the APM method of authenticating users. Any insight would be much helpful.
  • I am a bit confused - you're saying internal OWA connections - did you mean external instead? Your internal users should not be going through APM - they should be going to the internal VIP that does not have APM applied to it. External users should be going to APM.



    Regarding Ex2003/2010 - if you use APM and configure SSO, it will send the credentials to 2010 CAS, which will then try to redirect you to Exchange 2003 server. I don't remember the exact details, but I did encounter that with one customer and there was a reason why that wasn't successfully SSOing user to Exchange 2003. My recommendation in this case is to use VPE's AD Query to determine where the mailbox of the user lives(2003 or 2010), and send them directly to the 2003 OWA interface, bypassing 2010 CAS altogether.



    Regarding 3 - are you using portal mode by any chance instead of LTM+APM mode? What guidance did you use to setup APM for Exchange?



    Regarding 4 - still fuzzy on what you mean here - you should be able to associate a pool of CAS servers with the external virtual just as you do with internal. If you point your external VIP to an internal VIP, you are still load-balanced, internal VIP is doing the load-balancing across that pool of CAS servers it has configured on it.



    Yes, I meant external connections.



    I'm not sure what you mean by portal mode. Can you explain?



    We mainly used this guide: - the last section "Deploying APM with Microsoft Active Directory for Exchange or SharePoint Access"



  • Ah, that explains it. You should be deploying according to this guide:





    If you set everything up according to this guide, you shouldn't have any issues.




    But no where in that guide does it talk about setting up "web app" objects in the Visual Policy Editor. Is that image in step 7 of the VPE objects all that I need?
  • Yes, that is correct. You do not want to create Web Applications for OWA. The guide I pointed you to allows you to setup APM to provide secure authentication and proxy of all HTTP-based Exchange services - OWA, ActiveSync, Autodiscover, EWS, and Outlook Anywhere.



    oh, i see. We did originally follow that guide you provided a link to but never got the connection to OWA. We were authenticating just fine but never got connected to OWA. The session log never showed any errors so that when we assumed we needed to define a Web Application with the VPE. I guess that was an incorrect assumption. So the simple Access Policy defined in that guide should do it for me?