Forum Discussion
brent112_11716
Nimbostratus
NimbostratusExchange 2010 and BigIP v11.1??
Does anyone have a successful setup with BigIP V11.1 and Exchange 2010 (with multiple front end CAS servers)? We have had alot of issues since setting it up. The main issue is authentication prompts that Outlook users get, and when a server is rebooted that a users Outlook is pointed to, instead of failing over to another server nicely they get a nice authentication prompt from within Outlook. I have had a ticket opened with F5 since Mid December and while they have worked hard to help figure this out, the issue is still occurring. There is also an issue of sometimes Outlook clients getting a "server not available" when loading Outlook. The only solution is to reboot the computer and then everything works fine. If a computer is manually pointed (via host file) to an Exchange server directly there are 0 issues, only when they go through the F5 do we get these problems.
I was wondering if someone had a similar setup that is working without issue so I could compare some settings and such to see if I can get this working.
Thank's
Brent
Creighton_14452I will be happy when they resolve this issue, since we have been making all types of changes internally trying to rule out F5 as the issue- Brent,
Did you configure the BIG-IP for Exchange using the built-in iApp template and the deployment guide? There are several post-config steps that need to be done, but I assume that F5 support walked you through those.
Are your users connecting via OutlookAnywhere, or MAPI?
thanks
Mike 
brent112_11716Posted By mikeshimkus on 03/22/2012 08:10 AM
Brent,
Did you configure the BIG-IP for Exchange using the built-in iApp template and the deployment guide? There are several post-config steps that need to be done, but I assume that F5 support walked you through those.
Are your users connecting via OutlookAnywhere, or MAPI?
thanks
Mike
Yes, we used the built in iApp template and the deployment guide. It is configured exactly like it should be according to it. F5 has spent alot of time troubleshooting the issue and have been helpful, i just thought it would be a good idea to throw the question out here as well with the large forum base to see if anyone else is having similar issues.The users all connect using MAPI. It is very intermittent, but it seems most users get the authentication popup a couple times a week, Outlook not being able to connect to the Exchange server is even more random but I have even had it happen to me a few times. Again, none of this happens when the users point directly to the server.
- brent112_11716Posted By Creighton on 03/22/2012 08:05 AM
I will be happy when they resolve this issue, since we have been making all types of changes internally trying to rule out F5 as the issue
So you have had issues as well? Care to elaborate? Any authentication prompts issues or Outlook not being able to communicate to your Exchange servers? I am just trying to see if they are similar to what I am experiencing.Brent
- Can you give me your F5 case number so I can have a look?
- brent112_11716C1014424
Josh_41258Our Exchange 2010 infrastructure is staying on v10 for the time being. It was difficult enough to get working properly there, so I can't imagine attempting to migrate to v11 yet.- My colleague and I are having a look at the case notes. About your OneConnect question-manually disabling OneConnect with an iRule was necessary at one point. However, I've been told that as long as you have a correctly configured NTLM profile attached to your combined https virtual server, you *should* not have to do this. I am testing with the same version you are running and this does seem to be true.
That being said, have you tried removing the OneConnect profile altogether from your virtual server, just to eliminate that as a possible cause here? - brent112_11716Yes, we have removed the oneconnect profiles, tcp profiles, http profiles, everything one by one trying to see what would fix it (nothing worked).
I am running a version of the Exchange 2010 iAPP that has not been released yet, and in the persist irule it contains the code to disable OneConnect, this code was not in previous versions.
when HTTP_RESPONSE {
if { [HTTP::header values WWW-Authenticate] contains "Negotiate" } {
ONECONNECT::detach disable
}
}
So should the above really not be there?
Everything is pretty much an out of the box setup as far as Exchange and the F5 VS goes, nothing fancy at all.
It should be said that we have other applications running on the F5 without issue, so whatever the problem is it definetley seems to be related to the Exchange iAPP.
- I did not realize you had a copy of the unreleased iApp template from February 7. We have a newer version but, we'd still like to do some testing with it before we distribute.
I just got more info about the NTLM profile. In fact, it only supports the NTLM auth method, not Negotiate, so you do need to keep that statement in your iRule.
I am going to try to reproduce your issue in our environment. I'll post here with any further questions or suggestions (might be tomorrow).