Forum Discussion

tristan_46655
Oct 29, 2008

F5/ISA/Exchange

We have two F5 LTMs behind a firewall load balancing several Web servers/FTP/Citrix... We are deploying Exchange in our environment (we currently have GroupWise) and the consultant helping us prepare for the migration insists that we have to have ISA server behind the F5s because ISA can do pre-authentication and reverse proxying.

Do we really have to have ISA? Couldn't we just have the Client Access servers behind the F5s? Would that be a secure implementation?

Thanks in advance for any insights.
  • We are working on the same implementation. IMO you would have to put the CAS servers in the DMZ (unless you want to allow inbound INET access to your back-end network) and from our Windows guys, MS states that putting the CAS boxes in the DMZ will not work and is not advised. If you look at this PDF http://download.microsoft.com/download/b/2/0/b20ed7c4-4c29-4e8c-8bce-02f3a7bc0071/ExchangePoster.pdf you will see that the CAS servers have access from the INET and appear to be on the inside of the network. We are planning on using ISA, behind the LTM with SSL off-loading and load balancing (2 ISA servers) and then put 2 CAS servers behind another VIP for the ISA servers to talk to. At this time, we do not plan on using HTTPS between the ISA and CAS. I am still looking and researching for any and all available methods.

    -L
  • We have a firewall fronting the F5. When I go to the F5 web site they have a document on how to configure F5 for Exchange, but there is no mention of an ISA server. See http://www.f5.com/solutions/applications/microsoft/exchange-server/

    Thanks,

    Juan
  • I agree that there is no mention of an ISA server. I am in the same situation as you, in that we are going to have to "wing it" with ISA and see how it works. I will update this thread after we do the initial config, should be in the next 3 to 5 days.

    -L
  • We are testing ISA as well behind two LTMs. Here's what I sent to F5...

    "When using LTM to communicate with Microsoft ISA servers, do we need to override Auto Last Hop(?) with a static ARP entry? This is because the ISA servers also load balance between themselves and use a virtual MAC. Traffic originating from inside the ISA firewalls comes to the LTM with a local MAC address, but the ISAs expect the response to use the virtual MAC address. Our alternatives are to code one static entry for each ISA IP address, or turn off Auto Last Hop. We are not sure we want to turn Auto Last Hop off, due to possible SNAT problems(?)."

    Traffic that originates from the outside works fine because the BIG-IP uses the virtual MAC. Any comments?
  • Why don't you let the LTMs do the load balancing and disable the ISA server load balancing? Let all users go through the LTMs.
  • So on the Microsoft site that the F5 document linked to, it says that ActiveSync is not supported for SSL offloading, which is what the F5 doc says to set up for this. How have others gotten around this... or is this the problem people are having??? I'm just now researching putting our E2k7 CAS behind our LTM.
  • I am somewhat in the same boat. We were advised NOT to use ISA. We have two CSA/OWA/front-end servers on the inside LAN. We were just going to use a pair of LTMs to reverse proxy requests to them for OWA purposes. SSL would be offloaded to the LTMs, and the F5s would use HTTP to talk to the CSA servers on the inside. You guys are saying to use ISA behind the F5s as well? I'm not sure what benefit that would give us, other than the pre-authentication. Can anyone give some insight?
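A sketch of the LTM side of the two designs discussed in this thread, written as an added example for the thread (it is not configuration posted by any participant, nor F5's published Exchange guidance): SSL offloaded on an external virtual server with plain HTTP to the CAS pool, as in the last post, plus the two ways the ISA post names for handling the ISA/NLB virtual MAC return-path problem (a static ARP entry per ISA address, or Auto Last Hop turned off, here on one virtual server rather than globally). It uses current tmsh syntax; every address, MAC and object name is a constructed placeholder, and the cluster MAC must be whatever the ISA NLB cluster actually advertises.

```tmsh
# Added example, not from the thread or from F5. All names, IPs and MACs below are
# constructed placeholders.

# CAS pool on port 80: the LTM terminates SSL and speaks plain HTTP to the
# Client Access servers (the "SSL offload" design from the last post).
create ltm pool pool_cas_http members add { 10.10.20.11:80 10.10.20.12:80 } monitor http

# External OWA virtual server. "clientssl" is the built-in client SSL profile with a
# self-signed certificate; replace it with a profile that carries the real OWA cert.
# SNAT automap makes CAS replies return through the LTM rather than via the router.
create ltm virtual vs_owa_external destination 203.0.113.10:443 ip-protocol tcp profiles add { tcp http clientssl } pool pool_cas_http source-address-translation { type automap }

# Internal virtual server that the ISA servers talk to when ISA sits in front of CAS
# (the "another VIP for the ISA servers to talk to" design from the first reply).
create ltm virtual vs_cas_from_isa destination 10.10.20.10:80 ip-protocol tcp profiles add { tcp http } pool pool_cas_http source-address-translation { type automap }

# ISA/NLB return-path problem from the ISA post: requests from the ISA nodes arrive
# with a per-host MAC, but the NLB cluster only accepts replies sent to its virtual MAC.
# The post names two alternatives; configure one of them, not both.

# Alternative 1: one static ARP entry per ISA address, pointing at the NLB cluster MAC.
# 02:bf:0a:0a:1e:0b is a constructed sample value, not a real cluster MAC.
create net arp isa_node1 ip-address 10.10.30.11 mac-address 02:bf:0a:0a:1e:0b
create net arp isa_node2 ip-address 10.10.30.12 mac-address 02:bf:0a:0a:1e:0b

# Alternative 2: turn Auto Last Hop off, scoped to the virtual server the ISA nodes use,
# so replies follow the routing/ARP tables instead of the ingress MAC. The global
# switch would be "modify sys db connection.autolasthop value disable", but the
# per-virtual setting leaves every other virtual server on the default behaviour.
modify ltm virtual vs_cas_from_isa auto-lasthop disabled

save sys config
```

Two things this configuration does not provide, which is the crux of the original question: nothing here pre-authenticates a request before it reaches CAS, so with the LTM alone every unauthenticated client can reach the OWA login page and CAS itself does all authentication; and the ActiveSync-with-SSL-offload limitation cited from Microsoft's documentation in the post above is a client/server support statement, not something a virtual server setting changes, so ActiveSync would need its own virtual server decision (re-encrypt to CAS or pass SSL through) rather than the offloaded one shown here.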