Forum Discussion
Misty_Spillers_
Nimbostratus
Feb 14, 2013
Exchange iapp for multiple Exchange servers (different customers)
I'm on version 11.2.1 and using f5.microsoft_exchange_2010_cas.2012_06_08.
I created an "APM will provided secure remote access" iapp for one of our customers and it worked for the most p...
- Jun 19, 2013
Misty,
This morning I successfully tested deploying two separate Exchange environments behind a single BIG-IP running APM. I can think of at least two features required by this solution that are only available in BIG-IP v11.3 and above, which are the AAA server pool and client-initiated forms SSO.
You will also want to use the latest version of the iApp, RC3, which we expect to release in the next day or so. Can you send me a private message on DevCentral with your email contact info? I can let you know as soon as that RC has been declared.
Mike
mikeshimkus_111
Jun 18, 2013
Historic F5 Account
I believe it should work with some post-configuration steps depending on what you are doing with APM, but it will take me a bit of time to investigate that.
One issue I know of off the top of my head is the DNS server settings in the System menu. You can put multiple DNS servers in the list, but APM will only check the first one and if no information is found at that server for the requested domain, it considers that a successful response and doesn't check any further down the list.
So, if your APM policies use objects that need to do DNS lookups and you have multiple policies doing lookups against multiple DNS servers that don't know about each other, you are going to have problems with the policy that uses the 2nd DNS server on the list. An example of this is the AAA server object in v11.2 and earlier, which allows you to configure just an FQDN for the AAA server, which of course means that BIG-IP has to go look that IP up using DNS. In 11.3, the AAA server pool requires that you put in both a domain controller FQDN and IP address, so it doesn't need to rely on DNS anymore. It's a similar story for the Kerberos SSO, which relies on reverse DNS lookups to build a Kerberos ticket request. This can also be worked around in BIG-IP.
I'll do a bit of work here and let you know how it goes. It may require an upgrade to v11.3; looks like you are on v11.2?
Mike
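The DNS behaviour described in the Jun 18 post, modeled as an added example (not part of the original thread and not F5 code): it compares "ask only the first server and treat no data as final" with "walk the whole list" to show which per-customer policies would lose their lookups. All server addresses, hostnames, policy names and the choice of which IP is reverse-resolved are constructed assumptions.

```python
# Constructed sample data: ordered DNS server list (as in the System menu),
# each mapped to the records that server knows. Names and IPs are made up.
DNS_SERVERS = [
    ("10.1.0.10", {"dc1.customer-a.example": "10.1.0.20",
                   "20.0.1.10.in-addr.arpa": "dc1.customer-a.example"}),
    ("10.2.0.10", {"dc1.customer-b.example": "10.2.0.20",
                   "20.0.2.10.in-addr.arpa": "dc1.customer-b.example"}),
]

def reverse_name(ip):
    """Build the in-addr.arpa name used for a reverse (PTR) lookup."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def resolve_first_only(name, servers):
    """Behaviour from the post: only the first server is asked, and
    'no information' counts as a final answer."""
    _, records = servers[0]
    return records.get(name)

def resolve_any(name, servers):
    """What an admin might expect: try servers in order until one answers."""
    for _, records in servers:
        if name in records:
            return records[name]
    return None

def audit(policies, servers):
    """Return {policy: [names]} for lookups that some listed server could
    answer but that fail when only the first server is consulted."""
    findings = {}
    for policy, names in policies.items():
        broken = [n for n in names
                  if resolve_first_only(n, servers) is None
                  and resolve_any(n, servers) is not None]
        if broken:
            findings[policy] = broken
    return findings

# Hypothetical policies: a forward lookup for an FQDN-only AAA server object
# and a reverse lookup of the kind Kerberos SSO depends on.
POLICIES = {
    "customer_a_exchange": ["dc1.customer-a.example", reverse_name("10.1.0.20")],
    "customer_b_exchange": ["dc1.customer-b.example", reverse_name("10.2.0.20")],
}

if __name__ == "__main__":
    for policy, names in audit(POLICIES, DNS_SERVERS).items():
        print(f"{policy}: unresolvable via first DNS server -> {names}")
```

Swapping the server order moves the failure to the other customer's policy, which is why reordering the list does not fix a multi-tenant setup.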
