Forum Discussion
Dayne_Miller_19
Feb 01, 2012
Historic F5 Account
Hello everyone-
I’m sorry that some of you are having trouble with OWA monitors on BIG-IP. We try to make our Deployment Guides as complete and correct as possible, and I believe that the Exchange 2010 guide is both. However, since there’s some confusion, we’ll revisit the narrative section of the guide to make sure it’s easy to follow from start to finish.
A future iApp will make this almost entirely automatic for BIG-IP 11.x systems.
In the meantime, I’ll provide some instructions here for setting up Exchange 2010 OWA monitors. Whether you’re on BIG-IP v10.x or 11.x, the instructions are the same. If you’re still on 9.x, let me know – the instructions will be a little different.
Setting up the monitors is easiest if you’re doing SSL Offloading; if so, you must have already configured your Client Access Servers appropriately. See http://social.technet.microsoft.com/wiki/contents/articles/1267.how-to-configure-ssl-offloading-in-exchange-2010.aspx for full instructions. If you are *not* doing SSL Offloading, you can still set up the monitors, but you have to choose “HTTPS” (rather than “HTTP”) as the parent monitor type. Troubleshooting will also be a little harder, since the traffic is encrypted.
For simplicity, I’ll refer to the v11 Deployment Guide, version 1.4, found at this link: http://www.f5.com/pdf/deployment-guides/microsoft-exchange2010-iapp-dg.pdf
The following is information that is based on the guidance starting on page 31 of the Deployment Guide mentioned above.

Procedure 1 (forms-based authentication)
Are you using OWA with the default Forms-Based Authentication? In other words, when you use a browser to go to OWA, do you get the regular HTML login page? If so, proceed with the steps below. Otherwise, use Procedure 2 later in this post.
The OWA forms-based monitor does *not* use an authenticated login; rather, it checks for the existence of the login page (which OWA will not provide if the service is down). The advantages of an unauthenticated health check are that you don’t need to store credentials on the BIG-IP and that you’re only monitoring one specific service, as opposed to a monitor that uses authentication and which therefore also is dependent on the status of the chosen account, the associated mailbox and mailbox server, and the like.
To create the monitor:
1. On the Main tab, expand Local Traffic, and then click Monitors.
2. Click the Create button.
3. In the Name box, give the monitor a unique name. For example: exchange-new-OWA-monitor.
4. From the Type list, select HTTP (or HTTPS if you are not doing SSL Offloading).
5. In the Interval box, type an interval. We recommend 30.
6. In the Timeout box, type a timeout. We recommend 91.
7. In the Send String box, enter the following as one continuous line, replacing ‘mail.example.com’ with the External FQDN of your OWA server pool (that you’ve already configured using the Exchange Management Console or Exchange Management Shell):
GET /owa/auth/logon.aspx?url=https://mail.example.com/owa/&reason=0 HTTP/1.1\r\nUser-Agent: Mozilla/4.0\r\nHost: mail.example.com\r\n\r\n
8. In the Receive String box, type: OutlookSession=
(We have more notes in the Deployment Guide, on page 32, about why this string was chosen. If you have deployed Exchange using a language other than English, you may have to experiment to find a suitable string.)
9. Do not enter anything in the User Name or Password fields.
10. Click Finished.
I end up with a monitor in bigip.conf that looks like this:
ltm monitor http /Common/exchange-new-OWA-monitor {
defaults-from /Common/http
destination *:*
interval 30
recv OutlookSession=
send "GET /owa/auth/logon.aspx\?url=https://mail.example.com/owa/&reason=0 HTTP/1.1\\r\\nUser-Agent: Mozilla/4.0\\r\\nHost: mail.example.com\\r\\n\\r\\n"
time-until-up 0
timeout 91
}
Now you just have to associate the monitor with your OWA pool. When I do that with the monitor created above, I get a green (“Up”) status.

Procedure 2 (Basic or Integrated Windows authentication)
If you have modified OWA to use Basic or Windows Integrated authentication, use this procedure. The normal user experience when an alternate login method is selected is that the user’s browser will provide pop-up authentication. Behind the scenes, this is in response to a 401 response when a resource in the /owa/ subdirectory of the server is selected. All access is authenticated, so you will have to provide user credentials for this method.
Prior to BIG-IP version 11.1, you must select Basic authentication as one method, though you may additionally select Integrated Windows authentication. Beginning with BIG-IP version 11.1, you do not have to select Basic and may select only Integrated Windows authentication if you want.
You must make the authentication change to both the OWA and ECP configuration in your Exchange Management Console or Shell.
If you are using authenticated health checks, please keep in mind that user account and mailbox management becomes an integral part of your health monitoring solution. If the user account you select is locked, the password expires, or the associated mailbox is deleted or otherwise rendered inaccessible, your monitor will mark the OWA service down. For that reason, we usually recommend using two monitors for each pool, each configured to use a separate account and mailbox, and set so that both would have to fail before the service is marked down.
For each monitor you create, do these steps:
1. On the Main tab, expand Local Traffic, and then click Monitors.
2. Click the Create button.
3. In the Name box, give the monitor a unique name. For example: exchange-new-OWA-monitor.
4. From the Type list, select HTTP (or HTTPS if you are not doing SSL Offloading).
5. In the Interval box, type an interval. We recommend 30.
6. In the Timeout box, type a timeout. We recommend 91.
7. In the Send String box, enter the following:
GET /owa/\r\n
Note the single set of \r\n in that string, as opposed to the \r\n\r\n in the Forms-based Authentication string. We do this because we still need to provide authentication; if we sent a \r\n\r\n at the initial request, the connection would get closed before credentials are presented.
8. In the Receive String box, type: OutlookSession=
9. In the User Name box, type the name of a user with a valid mailbox.
10. In the Password box, type the password associated with that user mailbox.
11. Click Finished.
Remember to associate your monitor with the pool.
In bigip.conf, my monitor now looks like this:
ltm monitor http /Common/exchange-new-OWA-monitor {
defaults-from /Common/http
destination *:*
interval 30
password Pass1word
recv OutlookSession=
send "GET /owa/\\r\\n"
time-until-up 0
timeout 91
username user01
}
After switching my CAS box over to Basic and Integrated Windows authentication and restarting IIS, I also get a green monitor status. If these steps don’t work for you, or anything is unclear, please follow up to this forum and we’ll see what we can do to provide additional guidance or troubleshooting steps.
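The two monitors above are simple enough to reproduce by hand, which is useful when the BIG-IP just reports a pool member as down and you want to see the raw reply. The script below is an added example, not code from the post or from F5: it sends the Procedure 1 send string verbatim and an equivalent of the Procedure 2 request (a full HTTP/1.1 GET with Basic credentials attached, which is an assumption about how the credentials end up on the wire), then looks for the receive string in whatever comes back. The FakeCAS class is a constructed stand-in for a Client Access Server so the script runs offline; it also models the caveat the post raises about authenticated checks, since a wrong or locked account makes a healthy server answer 401 and the monitor goes red. mail.example.com, user01 and Pass1word are the post's own placeholders.

```python
"""Hand-run the OWA health checks a BIG-IP HTTP monitor performs.

Added example, not code from the original post or from F5. The fake CAS at
the bottom is constructed so the script runs offline.
"""
import base64
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

RECV_STRING = b"OutlookSession="   # the post's receive string


def forms_send_string(fqdn):
    """Procedure 1: unauthenticated GET of the logon page, exactly as the post
    gives it, with the \\r\\n escapes turned into real CRLFs."""
    return (
        f"GET /owa/auth/logon.aspx?url=https://{fqdn}/owa/&reason=0 HTTP/1.1\r\n"
        f"User-Agent: Mozilla/4.0\r\nHost: {fqdn}\r\n\r\n"
    ).encode()


def basic_send_string(fqdn, username, password):
    """Procedure 2 equivalent. Assumption: the post only says BIG-IP supplies
    the credentials after 'GET /owa/\\r\\n'; here the complete request with a
    Basic Authorization header is spelled out so the check is reproducible."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return (
        f"GET /owa/ HTTP/1.1\r\nHost: {fqdn}\r\n"
        f"Authorization: Basic {token}\r\n\r\n"
    ).encode()


def probe(host, port, send, recv=RECV_STRING, use_tls=False, timeout=5.0):
    """Send one request, read the reply, return (up, raw_reply).

    use_tls mirrors picking the HTTPS parent monitor when not offloading.
    Verification is disabled only because this is a lab tool pointed at a
    CAS with a private-CA certificate (assumption); keep it on elsewhere."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    reply = b""
    try:
        sock.sendall(send)
        while True:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break          # keep-alive server: judge what we have
            if not chunk:
                break          # server closed the connection
            reply += chunk
    finally:
        sock.close()
    return recv in reply, reply


class FakeCAS(BaseHTTPRequestHandler):
    """Constructed stand-in for a Client Access Server (not real OWA).

    mode='forms' serves the logon page to anyone; mode='basic' answers 401
    unless the expected Basic credentials arrive, which is how a locked or
    expired monitor account makes a healthy service look down."""
    mode = "forms"
    healthy = True
    creds = ("user01", "Pass1word")

    def do_GET(self):
        if not self.healthy:
            self.send_error(503, "Service Unavailable")
            return
        if self.mode == "basic":
            expected = "Basic " + base64.b64encode(
                ":".join(self.creds).encode()).decode()
            if self.headers.get("Authorization") != expected:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="owa"')
                self.send_header("Content-Length", "0")
                self.end_headers()
                return
        body = b"<html><body>OWA logon form</body></html>"
        self.send_response(200)
        self.send_header("Set-Cookie", "OutlookSession=abc123; path=/; secure; HttpOnly")
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the console quiet
        pass


def start_fake_cas(mode="forms", healthy=True, creds=("user01", "Pass1word")):
    """Start a FakeCAS on 127.0.0.1 with an ephemeral port; returns (server, port)."""
    handler = type("CAS", (FakeCAS,), {"mode": mode, "healthy": healthy, "creds": creds})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    srv, port = start_fake_cas()
    up, raw = probe("127.0.0.1", port, forms_send_string("mail.example.com"))
    print("forms-based monitor:", "UP" if up else "DOWN")
    print(raw.decode(errors="replace"))
    srv.shutdown()
```

Against a real CAS, swap 127.0.0.1 and the port for a pool member's address and port 80 (or 443 with use_tls=True when you are not offloading); printing the raw reply shows whether the logon page, a redirect, or a 401 came back, which is the first thing to know when the BIG-IP monitor is red.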