Raman_75055
Nimbostratus
Sep 03, 2010
F5 with mixed Exchange 2007 and 2010 Client Access Servers
Hello,
We are new to F5 devices. My question is as follows:
Currently all our users are on Exchange 2007. We have Exchange 2010 servers as well in our environment. Exchange 2010 Client Access Servers (Outlook Web Access) cannot handle Exchange 2007 mailboxes, and the same applies to the Exchange 2007 Client Access Servers.
This is what we want to do:
We have a OWA URL as messages.company.com
If user mailbox is on Exchange 2007 servers F5 direct that connection to Exchange 2007 Client Access Servers.
If user mailbox is on Exchange 2010 servers F5 direct that connection to Exchange 2010 Client Access Servers.
I was wondering if there is a way that F5 could determine, using an LDAP query or some other method, by checking with our Active Directory whether that particular user's mailbox is on Exchange 2007 or Exchange 2010, and according to that redirect the connection to the respective Exchange 2007 or 2010 Client Access Servers. I would appreciate it if someone would advise.
Thanks, Raman Email: raman03@msn.com
11 Replies
- Helen_Johnson_1 (Historic F5 Account)
Hi Raman,
You might consider looking at the Advanced Client Authentication module, which runs on just about any LTM box. That would give you the ability to check your user against Active Directory. I would also suggest forming an iRule that keys off some specific attribute unique to either an Exchange 2007 or 2010 user, and then sends them to the appropriate Client Access Server for their Exchange version.
I'd have to think about what this would look like...stay tuned.
cheers,
Helen
- Raman_75055
Nimbostratus
Thanks Helen.
- Raman_75055
Nimbostratus
Hello Helen,
We have a GTM box but we do not have the Advanced Client Authentication module. Is there any other way that we can make it work?
Please advise.
Thanks,
Regards
Raman
- Helen_Johnson_1 (Historic F5 Account)
Hi Raman,
GTM is more appropriate for disaster recovery or geographical load balancing between different data centers, so just using GTM to remedy this situation wouldn't necessarily work.
Do you have LTM as well in your environment? If you do, I'd suggest looking at the combination of things I had stated previously.
Please let me know if you have further questions.
-Helen
- Wand_97484
Nimbostratus
Hi,
we had a similar issue with EXC2003 (de-centralized) mailboxes and EXC2007 (centralized) mailboxes.
Basically the CAS servers are running EXC2007 and have a default.asp which looks up the user via LDAP to determine the mailbox server version.
If it's an EXC2003 mailbox the user is redirected to /upn-suffix, while EXC2007 mailbox users are redirected to /owa.
Never tried to do the LDAP stuff at the BigIP, but since we are moving RSA Authentication for the external CAS to the APM module, maybe I will take a look into this.
I'll let you know if I find a solution at the BigIP, or if this needs to be done at the CAS servers.
BTW: you should be able to send EXC2007 users through an EXC2010 CAS, shouldn't you? The normal hotfix/upgrade procedure for EXC is: start at CAS, then MBX...
Cheers
jp
- Raman_75055
Nimbostratus
Hello Jp,
Thanks for your response.
I made the required changes on the Exchange side and now everything is working as expected. Exchange 2010 can proxy the connections to Exchange 2007 if the mailbox is located on Exchange 2007.
I opened up this thread when I was thinking that if we could do the redirection on the F5 side we might not need to make any changes on the Exchange side.
I appreciate your response.
Thanks once again.
Raman
- jlarosa_44289
Nimbostratus
My organization is about to migrate from Exchange 2007 to 2010 and has a very similar problem. We were advised by Microsoft Consulting Services that an F5 with the APM is what we need to achieve our rather unique requirements.
While I understand that relying on the 2010 CAS to proxy/redirect users to the 2007 CAS is the official method supported by Microsoft, that does not work for Mac Mail users. For some reason, the Mac Mail client will never proxy to a 2007 mailbox when connected to a 2010 CAS. Since we have a very large number of Mac Mail users, Microsoft recommended we go the F5 route and use its logic to redirect to 2 different pools.
I am very new to F5 and so far have had some success in using the 2010 iApp to load balance AS/OWA/OA/AD to either the 2010 or 2007 CAS Pools. I just don't know where to begin with creating redirection logic either with iRules or the APM.
Has anyone here actually done this before?
Thanks in advance...
- jlarosa,
Indeed we have quite a few customers where we helped them solve a problem like yours using the LTM+APM combination. The reason you need APM for this is that it is responsible not just for pre-authenticating the user, but also does a lookup on the user's attribute to see which version of Exchange the user is on, and then, in combination with a small iRule, directs traffic to the right pool - 2007 or 2010.
F5 Consulting Services has done quite a few of these implementations, and can help make it a smooth process for you. Also, APM-Lite is included in every version of LTM (up to 10 concurrent users), so you can just provision APM-Lite and try out APM in front of Exchange to see how it works (just follow the instructions in the guide for v10.2.x; the v11 guide has not been updated yet).
And please post here and let us know how things are going and if you need any additional help.
- jlarosa_44289
Nimbostratus
I originally tried following the APM implementation instructions using the f5-exchange-2010-dg.pdf file. Is that the one you were referring to?
If so, I have had zero success with it. While the logon page loads and I appear to successfully authenticate, SSO does not appear to work as I am subsequently greeted with the OWA Logon Form. Additionally, Outlook Anywhere immediately broke. Once I deselected the access policy from the Virtual Server and put back the original iRules, everything started working again. I have no idea where else to look to find what the issue was.
I am also curious about how Outlook Anywhere is supposed to work at all when "logon page" is the first node in the policy. With APM, are all OA users supposed to authenticate via web first?
Thanks,
Joe
- Joe,
Yes, that's the one I am referring to. SSO is fairly easy to troubleshoot - something probably got misconfigured in the profile - you can definitely open a case on it. Regarding Outlook Anywhere - what method do your Outlook Anywhere users use to authenticate? Are they using Basic Authentication? If so, the _sys iRule that handles all Exchange protocols grabs the OA credentials and runs them through the Access Policy - so you don't need to see a web logon page first - same thing for ActiveSync and Mac Mail.