Forum Discussion
Exchange 2010, O365, APM and iRule
- Oct 27, 2014
For EWS and Autodiscover, you should be able to add an iRule (or disable strictness on the iApp deployment and edit the existing pool assignment iRule) to disable APM for that traffic. For example:
when HTTP_REQUEST {
    # Skip APM for EWS and Autodiscover requests
    switch -glob -- [string tolower [HTTP::path]] {
        "/ews*" {
            ACCESS::disable
        }
        "/autodiscover*" {
            ACCESS::disable
        }
    }
}
For OWA, you'll need to remove the logon page from the Access Policy and modify the sso_select iRule to choose the NTLM SSO instead of forms:
when ACCESS_ACL_ALLOWED {
    set req_uri [string tolower [HTTP::uri]]
    if { $req_uri contains "/owa" } {
        WEBSSO::select [set foo /Common/exchange_2010.app/exch_ntlm_sso]
    }
    unset req_uri
}
- AndreiPatergin_Jan 14, 2015
Nimbostratus
Hi, I'm trying to get the same results. I'm using version 11.6 with f5.microsoft_exchange_2010_2013_cas.v1.4.0. The goal is to modify an auto-created iRule via the iApp to have no authentication for EWS and autodiscover. (Lync 2013 does not support basic authentication when it tries to use EWS and autodiscover.) Do I simply remove the configs under the iRule for EWS and autodiscover and add "ACCESS disable"? Current configurations:
"/ews*" {
    # Exchange Web Services.
    if { [HTTP::header exists "APM_session"] } {
        persist uie [HTTP::header "APM_session"] 7200
    } else {
        persist source_addr
    }
    pool /Common/Exchange_2013.app/Exchange_2013_oa_pool7
    COMPRESS::disable
    CACHE::disable
    return
}
=====================================================
"/autodiscover*" {
    # Autodiscovery. No Persistence.
    pool /Common/Exchange_2013.app/Exchange_2013_ad_pool7
    persist none
    return
}
==============================================================
Please advise!
- mikeshimkus_111Jan 14, 2015
Historic F5 Account
If you want to disable APM for just these anonymous requests from Lync client, you can create this iRule and then use Advanced mode in the iApp to assign it to the Autodiscover and EWS virtual servers, or the combined virtual server. You shouldn't need to modify the iRule created by the iApp:
when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] contains "/autodiscover" || [string tolower [HTTP::uri]] contains "/ews" } {
        if { [string tolower [HTTP::header value "User-Agent"]] contains "microsoft lync" || [string tolower [HTTP::header value "User-Agent"]] contains "ms-webservices" } {
            ACCESS::disable
        }
    }
}
- AndreiPatergin_Jan 14, 2015
Nimbostratus
Hi Mike, thanks a lot for the quick reply. You gave me the best solution recommendation. I really appreciate it. I created an iRule with your coding, and now when I want to assign it to the combined VIP, do I just attach it with the rest of the iRules? Does the order matter?
- mikeshimkus_111Jan 15, 2015
Historic F5 Account
The order doesn't matter, but the priority does: https://clouddocs.f5.com/api/irules/priority.html
I've tested both of these rules together with the default priority, and it seems to work fine.
- AndreiPatergin_Jan 15, 2015
Nimbostratus
Hi Mike, I've attached the iRule that you have suggested to the combined VIP. Right now I have your iRule, then the OWA iRule and then the general iRule (ActiveSync, etc.). When I open up the Lync client and try to connect, it doesn't work. When I remove the F5 and connect directly to Exchange and open up the Lync client, it works. I was told that OWA and autodiscover have to go as "pass through" via F5. Do you think that I should use the original iRule that you have recommended to the original poster?
- mikeshimkus_111Jan 15, 2015
Historic F5 Account
The iRule should be as specific as possible so you're not poking a giant hole in your APM. You should go to System ›› Logs : Configuration : Options and set Access Policy logging to "Debug". You can ssh into the BIG-IP and run "tail -f /var/log/apm" to see which Lync requests are being denied by APM. The log should show you the user agent and URI for those requests. You should be able to modify the [HTTP::uri] and [HTTP::header] checks in the iRule to match those values.
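An added example, not part of the thread and not F5's or the iApp's own code: one way to keep the bypass narrow is to match the path prefix instead of a substring of the whole URI, and to log each request that skips APM. It assumes APM is provisioned with an access profile on the virtual server and that Exchange uses its standard /EWS/ and /Autodiscover/ virtual directories; the User-Agent strings are the ones from the reply above.

```tcl
# Added example (assumptions: APM provisioned, access profile attached,
# default Exchange virtual directory names).
when HTTP_REQUEST {
    # HTTP::path excludes the query string; HTTP::uri includes it, so a
    # "contains" test on the URI also matches "/ews" inside a query string.
    set path [string tolower [HTTP::path]]
    set ua   [string tolower [HTTP::header value "User-Agent"]]

    # Glob patterns are anchored at the start of the path.
    switch -glob -- $path {
        "/autodiscover/*" -
        "/ews/*" {
            # User-Agent is client-supplied: it scopes the bypass but is
            # not authentication. Exchange must still authenticate these
            # requests itself.
            if { ($ua contains "microsoft lync") || ($ua contains "ms-webservices") } {
                # Record every bypass so it can be audited later.
                log local0.info "APM bypass: client=[IP::client_addr] path=<$path> ua=<$ua>"
                ACCESS::disable
            }
        }
    }
    unset path ua
}
```

The log lines go to /var/log/ltm, which can be compared against the denied requests seen in /var/log/apm when adjusting the match values.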
- AndreiPatergin_Jan 15, 2015
Nimbostratus
Thanks Mike, I'm on it
- AndreiPatergin_Jan 15, 2015
Nimbostratus
Hey Mike, I don't have APM installed on the F5. I can provision it as Nominal Limited Users.
- mikeshimkus_111Jan 15, 2015
Historic F5 Account
If you don't have APM provisioned and deployed, the ACCESS::disable command won't work. You are having Lync auth problems even without APM deployed?
- AndreiPatergin_Jan 15, 2015
Nimbostratus
Yes sir, I was told that the authentication method for autodiscover and EWS needs to be set as pass through and not basic. The only way to do it is via an iRule. As a default in using the iApp, the iRule is set to Basic. Is there a way to create an iRule to get this resolved without the use of APM?