F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Vincent_Z_17509's avatar
Vincent_Z_17509
Icon for Nimbostratus rankNimbostratus
Oct 24, 2014
Solved

Exchange 2010, O365, APM and iRule

Hello,   I'm trying to deploy BIG IP with Exchange 2010 in hybrid mode. It involves that there is only authentication for OWA and ActiveSync and no authentication for the EWS and autodiscover. It ...
application delivery
BIG-IP Access Policy Manager (APM)
devops
iRules
microsoft
security
  • mikeshimkus_111's avatar
    mikeshimkus_111
    Oct 27, 2014

    For EWS and Autodiscover, you should be able to add an iRule (or disable strictness on the iApp deployment and edit the existing pool assignment iRule) to disable APM for that traffic. For example:

    when HTTP_REQUEST {
    switch -glob -- [string tolower [HTTP::path]] {
    "/ews*" {
        ACCESS::disable
    }
    "/autodiscover*" {
        ACCESS::disable
    }
}

    For OWA, you'll need to remove the logon page from the Access Policy and modify the sso_select iRule to choose the NTLM SSO instead of forms:

    when ACCESS_ACL_ALLOWED {
    set req_uri [string tolower [HTTP::uri]]
    if { $req_uri contains "/owa"  } {
        WEBSSO::select [set foo /Common/exchange_2010.app/exch_ntlm_sso]
    }
    unset req_uri
}
mikeshimkus_111's avatar
mikeshimkus_111
Historic F5 Account
Oct 24, 2014

Hi Vincent, which version of BIG-IP are you running? v11.4 and later have an APM Exchange profile that has superseded the APM iRules on the box. It allows you to configure authentication for each non-OWA service. Ideally, you'd use the iApp template and only select to deploy OWA and ActiveSync.