Forum Discussion
Techgeeeg_28888
Nimbostratus
Jan 14, 2012
Health Monitor (Synthetic transaction) for Exchange 2010
Hi ,
I have deployed MS Exchange 2010 and I am using BIG-IP LTM for load balancing the Exchange servers. I want to have a synthetic health monitor which has a valid user ID and password for an Exchange account; it should log in to the server to declare that the server is up or down. Has anyone deployed this type of health monitor for their Exchange environment?
I will be really thankful for some support in this regard.
13 Replies
- hoolio
Cirrostratus
Hi Techgeeeg,
What authentication method are you using on the Exchange servers? And which protocol(s) are you trying to monitor?
Another option would be to use wmic to monitor the Windows services:
http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1086419/Monitoring-Windows-Terminal-Services-from-BIG-IP.aspx
Aaron
- Techgeeeg
Nimbostratus
Hi Aaron,
You must have seen the template for Citrix on LTM, which at one stage accepts the user ID and password of a valid Citrix user and logs all the way into the server to declare whether the server is up or not. I need a similar sort of monitor to be available for the MS Exchange 2010 environment that I have. If there is any other workaround, can you let me know?
Regards,
- hoolio
Cirrostratus
I assume you want to monitor the client access servers which use HTTP(S). That's possible with LTM for Exchange as well. But I'm not sure what authentication method you are using on the Exchange servers? It could be NTLM, basic or digest auth:
http://technet.microsoft.com/en-us/library/bb125207.aspx
In Exchange 2010, Client Access servers support Integrated Windows authentication and HTTP 1.1 Digest authentication for Exchange 2010 virtual directories. Exchange 2010 virtual directories on a server that's running only the Client Access server role support only Basic and forms-based authentication.
Standard authentication methods include Basic authentication, Digest authentication, and Integrated Windows authentication.
For basic or digest auth, you should be able to specify the user:pass in a custom inbuilt HTTP monitor. For NTLM, I think you'd need to use an external monitor which references curl:
http://devcentral.f5.com/wiki/default.aspx/AdvDesignConfig/TemplateForExternalLtmMonitors.html
http://www.the-little-things.net/blog/2011/01/21/big-ip-sharepoint-2010-monitor/
Aaron
- Did you read the deployment guide for Exchange 2010 published on f5.com?
http://www.f5.com/pdf/deployment-guides/microsoft-exchange2010-iapp-dg.pdf
I believe what you're looking for is covered on page 30 of the guide.... If not, please let us know. Thanks!
- Techgeeeg
Nimbostratus
Well, I am using Firefox 9.0.1 to import the files and am receiving similar issues. I have not tried using other browsers; I will try with IE and Chrome. For now, if I have to do it through the command line, can you refer me to any document which I may follow to do the same?
Regards,
- Techgeeeg
Nimbostratus
Hi Everyone,
I am back again.... Michael, I went through the deployment guide for Exchange 2010 and configured everything. The document says to configure the monitors for Outlook Web by manually creating them. In my case I created the monitor and assigned it to the pool and it is not working. It makes the pool down, so there is some problem with this monitor. Moreover, the iApp uses the Exchange template to create everything, and under the POP3 and IMAP section it asks for the user name and password to create the monitors itself. The monitors created by the iApp are not working; once the same monitors were created manually they are working. But for me the most important thing is to configure the synthetic transaction for the HTTP-based Exchange service, which the document explains how to configure, but none of them is working.... Can anyone help me out in this matter?
Regards,
- Brian_Mayer_841
Nimbostratus
Just something I'm observing more and more as a trend here in this forum. Literally about every one of the OWA/Exchange monitor login issue threads on this site inevitably ends with no resolution.. it simply seems that no one really understands exactly how to set up the LTMs to properly monitor OWA services using F5 monitoring capabilities. It seems that we should be able to use built-in HTTPS monitors and use the user/pass combo to accomplish the required Basic Authentication to allow the monitors to work. However, this doesn't really seem to be happening.
Anyone have this working?
Thanks!
B
- Dayne_Miller_19
Historic F5 Account
Hello everyone-
I’m sorry that some of you are having trouble with OWA monitors on BIG-IP. We try to make our Deployment Guides as complete and correct as possible, and I believe that the Exchange 2010 guide is both. However, since there’s some confusion, we’ll revisit the narrative section of the guide to make sure it’s easy to follow from start to finish.
A future iApp will make this almost entirely automatic for BIG-IP 11.x systems.
In the meantime, I’ll provide some instructions here for setting up Exchange 2010 OWA monitors. Whether you’re on BIG-IP v10.x or 11.x, the instructions are the same. If you’re still on 9.x, let me know – the instructions will be a little different.
Setting up the monitors is easiest if you’re doing SSL Offloading; if so, you must have already configured your Client Access Servers appropriately. See http://social.technet.microsoft.com/wiki/contents/articles/1267.how-to-configure-ssl-offloading-in-exchange-2010.aspx for full instructions. If you are *not* doing SSL Offloading, you can still set up the monitors, but you have to choose “HTTPS” (rather than “HTTP”) as the parent monitor type. Troubleshooting will also be a little harder, since the traffic is encrypted.
For simplicity, I’ll refer to the v11 Deployment Guide, version 1.4, found at this link: http://www.f5.com/pdf/deployment-guides/microsoft-exchange2010-iapp-dg.pdf The following is information that is based on the guidance starting on page 31 of the Deployment Guide mentioned above.
Procedure 1 (forms-based authentication)
Are you using OWA with the default Forms-Based Authentication? In other words, when you use a browser to go to OWA, do you get the regular HTML login page? If so, proceed with the steps below. Otherwise, use Procedure 2 later in this post.
The OWA forms-based monitor does *not* use an authenticated login; rather, it checks for the existence of the login page (which OWA will not provide if the service is down). The advantages of an unauthenticated health check are that you don’t need to store credentials on the BIG-IP and that you’re only monitoring one specific service, as opposed to a monitor that uses authentication and which therefore also is dependent on the status of the chosen account, the associated mailbox and mailbox server, and the like.
To create the monitor:
1. On the Main tab, expand Local Traffic, and then click Monitors.
2. Click the Create button.
3. In the Name box, give the monitor a unique name. For example: exchange-new-OWA-monitor.
4. From the Type list, select HTTP (or HTTPS if you are not doing SSL Offloading).
5. In the Interval box, type an interval. We recommend 30.
6. In the Timeout box, type a timeout. We recommend 91.
7. In the Send String box, enter the following as one continuous line, replacing ‘mail.example.com’ with the External FQDN of your OWA server pool (that you’ve already configured using the Exchange Management Console or Exchange Management Shell):
GET /owa/auth/logon.aspx?url=https://mail.example.com/owa/&reason=0 HTTP/1.1\r\nUser-Agent: Mozilla/4.0\r\nHost: mail.example.com\r\n\r\n
8. In the Receive String box, type: OutlookSession=
(We have more notes in the Deployment Guide, on page 32, about why this string was chosen. If you have deployed Exchange using a language other than English, you may have to experiment to find a suitable string.)
9. Do not enter anything in the User Name or Password fields.
10. Click Finished.
I end up with a monitor in bigip.conf that looks like this:
ltm monitor http /Common/exchange-new-OWA-monitor {
    defaults-from /Common/http
    destination *:*
    interval 30
    recv OutlookSession=
    send "GET /owa/auth/logon.aspx\?url=https://mail.example.com/owa/&reason=0 HTTP/1.1\\r\\nUser-Agent: Mozilla/4.0\\r\\nHost: mail.example.com\\r\\n\\r\\n"
    time-until-up 0
    timeout 91
}
Now you just have to associate the monitor with your OWA pool. When I do that with the monitor created above, I get a green (“Up”) status.
Procedure 2 (Basic or Integrated Windows authentication)
If you have modified OWA to use Basic or Windows Integrated authentication, use this procedure. The normal user experience when an alternate login method is selected is that the user’s browser will provide pop-up authentication. Behind the scenes, this is in response to a 401 response when a resource in the /owa/ subdirectory of the server is selected. All access is authenticated, so you will have to provide user credentials for this method.
Prior to BIG-IP version 11.1, you must select Basic authentication as one method, though you may additionally select Integrated Windows authentication. Beginning with BIG-IP version 11.1, you do not have to select Basic and may select only Integrated Windows authentication if you want.
You must make the authentication change to both the OWA and ECP configuration in your Exchange Management Console or Shell.
If you are using authenticated health checks, please keep in mind that user account and mailbox management becomes an integral part of your health monitoring solution. If the user account you select is locked, the password expires, or the associated mailbox is deleted or otherwise rendered inaccessible, your monitor will mark the OWA service down. For that reason, we usually recommend using two monitors for each pool, each configured to use a separate account and mailbox, and set so that both would have to fail before the service is marked down.
For each monitor you create, do these steps:
1. On the Main tab, expand Local Traffic, and then click Monitors.
2. Click the Create button.
3. In the Name box, give the monitor a unique name. For example: exchange-new-OWA-monitor.
4. From the Type list, select HTTP (or HTTPS if you are not doing SSL Offloading).
5. In the Interval box, type an interval. We recommend 30.
6. In the Timeout box, type a timeout. We recommend 91.
7. In the Send String box, enter the following:
GET /owa/\r\n
Note the single set of \r\n in that string, as opposed to the \r\n\r\n in the Forms-based Authentication string. We do this because we still need to provide authentication; if we sent a \r\n\r\n at the initial request, the connection would get closed before credentials are presented.
8. In the Receive String box, type: OutlookSession=
9. In the User Name box, type the name of a user with a valid mailbox.
10. In the Password box, type the password associated with that user mailbox.
11. Click Finished.
Remember to associate your monitor with the pool.
In bigip.conf, my monitor now looks like this:
ltm monitor http /Common/exchange-new-OWA-monitor {
    defaults-from /Common/http
    destination *:*
    interval 30
    password Pass1word
    recv OutlookSession=
    send "GET /owa/\\r\\n"
    time-until-up 0
    timeout 91
    username user01
}
After switching my CAS box over to Basic and Integrated Windows authentication and restarting IIS, I also get a green monitor status.
If these steps don’t work for you, or anything is unclear, please follow up to this forum and we’ll see what we can do to provide additional guidance or troubleshooting steps.
- hoolio
Cirrostratus
Thanks for spelling that out Dayne. It's great info.
Aaron
- Ryardis_80379
Nimbostratus
One question I have is about the FQDN in the send string (mail.example.com in the example above). That should be the DNS name that points to the virtual IP of the F5, correct? So if I have CAS servers of server1.co.com, server2.co.com and server3.co.com that I want to be front-ended by the FQDN of web.co.com, the monitor should use web.co.com. Correct?
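Added example, not part of any post in this thread and not F5's own code: a small Python audit over monitor stanzas in the bigip.conf form Dayne_Miller posted above. It flags monitors that store credentials, send them through a plain `http` parent, or end an authenticated send string with `\r\n\r\n`. The stanza names, the third stanza, and the rule that timeout equals 3 × interval + 1 (which the recommended 30/91 pair fits) are assumptions made for the example.

```python
import shlex

# Constructed sample in bigip.conf syntax: the two stanzas from the post (renamed
# so both can coexist) plus a hypothetical HTTPS monitor with a shorter timeout.
SAMPLE_CONF = r'''
ltm monitor http /Common/owa-forms { defaults-from /Common/http destination *:* interval 30 recv OutlookSession= send "GET /owa/auth/logon.aspx\?url=https://mail.example.com/owa/&reason=0 HTTP/1.1\\r\\nUser-Agent: Mozilla/4.0\\r\\nHost: mail.example.com\\r\\n\\r\\n" time-until-up 0 timeout 91 }
ltm monitor http /Common/owa-basic { defaults-from /Common/http destination *:* interval 30 password Pass1word recv OutlookSession= send "GET /owa/\\r\\n" time-until-up 0 timeout 91 username user01 }
ltm monitor https /Common/owa-basic-tls { defaults-from /Common/https interval 30 password Example2 recv OutlookSession= send "GET /owa/\\r\\n" timeout 60 username user02 }
'''


def parse_monitors(conf):
    """Return {name: attrs} for flat 'ltm monitor <type> <name> { k v ... }' stanzas."""
    tokens, monitors, i = shlex.split(conf), {}, 0
    while i + 4 < len(tokens):
        if tokens[i:i + 2] == ["ltm", "monitor"] and tokens[i + 4] == "{":
            attrs, j = {"type": tokens[i + 2]}, i + 5
            while j + 1 < len(tokens) and tokens[j] != "}":
                attrs[tokens[j]] = tokens[j + 1]   # each key takes one value here
                j += 2
            monitors[tokens[i + 3]] = attrs
            i = j
        i += 1
    return monitors


def audit(conf):
    """Map each monitor name to a list of finding codes."""
    report = {}
    for name, m in parse_monitors(conf).items():
        findings = []
        if "username" in m or "password" in m:
            # Account lockout or password expiry now marks the service down too.
            findings.append("stored-credential")
            if m["type"] == "http":
                # Basic auth is only base64-encoded; plain HTTP exposes it on the wire.
                findings.append("credential-over-plain-http")
            if m.get("send", "").endswith("\\r\\n\\r\\n"):
                # Per the post: the blank line ends the request before credentials.
                findings.append("send-terminated-before-auth")
        if "interval" in m and "timeout" in m:
            if int(m["timeout"]) != 3 * int(m["interval"]) + 1:  # assumed rule
                findings.append("timeout-not-3x-interval-plus-1")
        report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONF).items():
        print(name, findings or "ok")
```

The parser only handles single-value keys as they appear in the stanzas quoted in this thread; nested blocks in a full bigip.conf would need a real tokenizer.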
