Forum Discussion

Altostratus

Oct 28, 2016

Exchange 2013 iApp Confguration for MobileIron

I've deployed the iApp for Exchange 2013 using the defaults except for using SSL Bridging instead of SSL Offloading. All internal and external mail flows just fine, but mobile devices configured wi...

RainHail_281362
Nov 03, 2016
We resolved this. We had the ActiveSync virtual directory in IIS locked down to the MobileIron servers, but needed to add the self-ip's of the F5 devices as well.

mikeshimkus_111

Historic F5 Account

Hi RainHail, You can't change the iApp virtual server type to Performance L4 because that VS type isn't supported for doing all the things that the iApp deployment needs to do.

I'm unfamiliar with how MobileIron works, so I'm just going to ask some general questions.

Is MobileIron sitting between mobile clients and your Exchange server? Was the previously configured Performance L4 virtual server the target for traffic sourced from MobileIron, and did it work until you switched it to point at the iApp-created virtual server?

Did you deploy APM or AFM with your Exchange iApp?

RainHail_281362

Altostratus

Oct 28, 2016

From MobileIron: "Standalone Sentry serves as an intelligent gatekeeper to the ActiveSync server. It uses the ActiveSync protocol to communicate with the ActiveSync server and with the ActiveSync devices."

Essentially, a MobileIron app sits on the mobile device and is pointed to the MobileIron Sentry device. This Sentry device is in the DMZ and passes the information to the Exchange iApp using ActiveSync over 443. This configuration works fine using the manually created virtual servers, but doesn't work with the iApp. On the external F5 appliance, there is a virtual server that answers all Exchange requests. It points those to an APM 'portal' where the user gets authenticated with username and password, then uses Symantec VIP for two-factor. Once authenticated, the traffic gets passed to the internal F5 device where the Exchange iApp is deployed (along with the old Exchange VS). The only thing that changes in this scenario is the internal VS that the traffic gets passed to.

Old way: Mobile Device -> Ext F5 -> APM for authentication -> Internal F5 w/created VS

New way: Mobile Device -> Ext F5 -> APM for authentication -> Internal Exchange F5 iApp

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

Exchange 2013 iApp Confguration for MobileIron

Recent Discussions

Problem with lets encrypt and redirect after update

Should config via cli rather than gui?

Is a Dedicated Interface, VLAN, and Self IP Required for a VIP in an F5 Configuration?

question about getting hsl data to be formatted properly in splunk

iRule for client certificate verification and inserting CN

Related Content

The Business Partner Exchange - An F5 Distributed Cloud Services Demonstration

MobileIron MDM APM Integration iApp Template

Rustls with NGINX, Password Based Key Exchange, & Llama Drama

Integrating APM with MobileIron MDM – Part 1

Exchange 2016

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS