Exchange 2016 iApp - APM Configuration

Exchange 2016 v1.0

Can you take a look at your Exchange virtual server and tell me if you have the /Common/_sys_APM_Exchange rule assigned to it? 11.4 and later should use the Exchange APM profile, and should not have the iRule directly assigned.

these irules are applied to the vs.

external.mail.company.com_owa_redirect_irule7

I found the machine account and name had hashs "-" so I removed them and recreated the iapp just in case but no luck.

tcpdump from the f5 show kerberos ports are opening for owa but we get no kerberos connections for autodiscover etc.... really odd

This issue is on our lab device. Wondering if this is the cause

481987-6 : Allow NTLM feature to be enabled with APM Limited license

Component: Access Policy Manager

Symptoms: When a BIG-IP system has an APM Limited license, NTLM is silently disabled and the connection goes through.

This breaks many (all) use-cases for Exchange + APM.

Conditions: APM and Exchange are deployed together with APM Limited / Lite license.

Impact: Exchange cannot be used with APM Limited license when NTLM frontend authentication is selected, which is used in essentially all APM + Exchange deployments.

Fix: The NTLM frontend authentication (ECA) feature can now be used with an APM Limited license. Typically, this is for Exchange deployments.

https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/relnote-supplement-hotfix-bigip-11-6-0.htmlA481987-6

Yes, that would do it. I disagree that it breaks all use cases with Exchange, however, since we support Basic and Forms client-side auth as well.

Unsure if I should laugh or cry... anyways will upgrade to 11.6 and see if it works with the same config.

Thanks