Forum Discussion

jhanington_1353
Mar 13, 2015

Exchange 2010 iRule problem. Help!

BigIP 1600 LTM 10.2.4

I created Exchange 2010 on the F5 using the template on the device. I configured it for OWA/OA/AD/AS/IMAP/POP3 on a single IP address. I followed the deployment guide here https://www.f5.com/pdf/deployment-guides/f5-exchange-2010-dg.pdf and page 24 told me that I needed to download this zip http://www.f5.com/solution-center/deployment-guides/files/exchange-persist.zip and make changes to the persistence iRule.

Now here is my issue: the iRule has this at the end...

when HTTP_RESPONSE {
    if { [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate"} {
        ONECONNECT::reuse disable
        ONECONNECT::detach disable
        # this command disables NTLM conn pool for connections where OneConnect has been disabled
        NTLM::disable
    }
    # this command rechunks encoded responses
    if {[HTTP::header exists "Transfer-Encoding"]} {
        HTTP::payload rechunk
    }
}

The above script kills Autodiscover completely (Test Email AutoConfiguration on the Outlook client fails, testconnectivity.microsoft.com does not work, and going to https://mail.domain.com/Autodiscover/Autodiscover.xml results in a "webpage is not available" error). Commenting out NTLM::disable results in Autodiscover working again. What gives? Is this an incorrect iRule? Do I have an issue with the F5, or is something wrong in Exchange?

1 Reply

  • he_qiang_137361
    Historic F5 Account

    The Autodiscover service works in the following way:

    1. Outlook sends a Lightweight Directory Access Protocol (LDAP) query to Active Directory looking for all available SCP objects.

    2. Outlook sorts and enumerates the returned results based on the client's site by using the keyword attribute of the SCP record. One of two lists is created, an in-site list or an out-of-site list. The in-site list provides the SCP records that have AutodiscoverSiteScope information. If there are no in-site records, an out-of-site SCP record list will be generated. The list is not sorted in any particular order. Therefore, the list is approximately in the order of oldest SCP records (based on creation date) first.

    3. Outlook first tries to connect to each Autodiscover URL that it previously generated from either an in-site list or an out-of-site list. If that doesn't work, Outlook will try to connect to the predefined URLs (for example, https://autodiscover.contoso.com/autodiscover/autodiscover.xml) by using DNS.

    4. If that fails also, Outlook will try the HTTP redirect method and, failing that, Outlook will try to use the SRV record lookup method. If all lookup methods fail, Outlook will be unable to obtain Outlook Anywhere configuration and URL settings.

    According to your description, it sounds like your Outlook client is using a predefined URL for the Autodiscover service. That means that when trying to access the URL, let's say https://autodiscover.contoso.com/autodiscover/autodiscover.xml, the client needs to perform authentication. If your back-end Exchange server is configured to use NTLM, then NTLM::disable will be triggered, disabling the NTLM processing; thus authentication would fail and, in turn, Autodiscover fails.
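
As an added example (not part of the thread and not F5's code), this Python sketch models the condition in the iRule's HTTP_RESPONSE block, so you can see which server challenges send a response down the NTLM::disable branch. The function names and sample responses are assumptions constructed for illustration, and the scheme parser assumes one challenge per header.

```python
# Added example: a model of the HTTP_RESPONSE condition in the iRule quoted above.
# Every response below is constructed sample data, not captured traffic.

def www_authenticate_values(headers):
    """All WWW-Authenticate values, like [HTTP::header values "WWW-Authenticate"]."""
    return [value for name, value in headers if name.lower() == "www-authenticate"]

def offered_schemes(headers):
    """Scheme name (first token) of each challenge header, lower-cased."""
    schemes = []
    for value in www_authenticate_values(headers):
        parts = value.split()
        if parts:
            schemes.append(parts[0].rstrip(",").lower())
    return schemes

def disable_branch_fires(headers):
    """True when the iRule would run ONECONNECT::reuse/detach disable and NTLM::disable.

    Mirrors: [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate"
    """
    return "negotiate" in " ".join(www_authenticate_values(headers)).lower()

# Constructed responses: (label, list of (header name, header value)).
SAMPLES = [
    ("Autodiscover 401, Negotiate and NTLM offered",
     [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM")]),
    ("401, NTLM only", [("WWW-Authenticate", "NTLM")]),
    ("401, Basic only", [("WWW-Authenticate", 'Basic realm="mail.domain.com"')]),
    ("Mixed-case header name and value", [("www-authenticate", "NEGOTIATE")]),
    ("200, no challenge", [("Content-Type", "text/xml")]),
]

def evaluate(samples):
    """Map each label to (schemes offered, whether the disable branch fires)."""
    return {label: (offered_schemes(h), disable_branch_fires(h)) for label, h in samples}

if __name__ == "__main__":
    for label, (schemes, fires) in evaluate(SAMPLES).items():
        print(f"{label}: schemes={schemes} NTLM::disable={'yes' if fires else 'no'}")
```

Comparing this output with the challenges your Exchange virtual directories actually return shows which responses reach the branch the question identifies.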