Forum Discussion

jkrumenacher_13's avatar
jkrumenacher_13
Icon for Nimbostratus rankNimbostratus
Apr 01, 2014

iAPP Exchange 2010 deployment

I am trying to deploy 2010 in the following design. DMZ -> BIG-IP APM will provide secure remote access to CAS

 

What IP address do you want to use for the BIG-IP APM virtual server? 50.50.50.1

 

SSL Bridging

 

sslclient_X

 

sslServer_x

 

What is the virtual IP address on the remote BIG-IP system to which you will forward traffic? 10.10.10.1

 

Outlook Anywhere not used or clients use basic auth

 

This work fine.

 

What is not working is I want to setup the same scenario from our internal network and forward traffic to 10.10.10.1

 

So I ran the iApp and setup Internal -> BIG-IP APM will provide secure remote access to CAS

 

What IP address do you want to use for the BIG-IP APM virtual server? 10.10.10.20

 

SSL Bridging

 

sslclient_X

 

sslServer_x

 

What is the virtual IP address on the remote BIG-IP system to which you will forward traffic? 10.10.10.1

 

Outlook Anywhere not used or clients use basic auth

 

I get the Secure Logon for F5 Networks, enter my credentials (as before) and it times out "IE cannot display the webpage" The stats on the pool (vs 10.10.10.1) are not changing. I don't see traffic from 10.10.10.20 to 10.10.10.1 (tcpdump). If I put in the wrong credentials I get an error stating username or password is not correct so I know I get to AD auth.

 

Any help is greatly appreciated.

 

jkrum

 

  • The IP address of the CAS should be the actual Client Access servers, not the IP address of the other internal virtual server.

     

7 Replies

  • mikeshimkus_111's avatar
    mikeshimkus_111
    Historic F5 Account

    Hi jkrum,

     

    How did you answer the question, Where will your BIG-IP virtual servers be in relation to your Client Access Servers?" in the internal iApp?

     

    Mike

     

  • That question is not asked under the deployment scenario "BIG-IP APM will provide secure remote access to CAS"

     

    That is asked under BIG-IP LTM will receive HTTP-based CAS traffic forwarded by a BIG-IP APM.

     

    I might not have been clear enough with what I am trying to do. Today I have run the iApp in our DMZ F5 - using the deployment scenario "BIG-IP APM will provide secure remote access to CAS" (notes in initial question)

     

    Forwarding traffic to the internal F5 where the deployment scenario is BIG-IP LTM will load balance and optimize CAS traffic. (Here I state they will be on different subnets)

     

    This works.

     

    What I want to do is create another instance of the iApp, just like the DMZ deployment, to hit first and just forward traffic to the internal F5 iApp VS.

     

    We have a custom login form used externally, I am looking to have the displayed when accessing Exchange internally as well.

     

    Does that help clear it up a bit?

     

    Thanks, jkrum

     

  • mikeshimkus_111's avatar
    mikeshimkus_111
    Historic F5 Account

    Just asked around a bit, and it seems that you need an iRule to perform the VIP-targeting-VIP scenario (where a virtual server forwards traffic to another virtual server on the same BIG-IP): https://devcentral.f5.com/articles/20-lines-or-less-64-vip-to-vip-redirection-url-separation-and-redirect-rewriting.Uzszxfld_0Q

     

    The Exchange iApp doesn't support this. So in your situation, instead of running the "BIG-IP APM will provide secure remote access to CAS" scenario on the internal BIG-IP, you should run "BIG-IP LTM will load balance and optimize CAS traffic" again, but configure the iApp for LTM+APM mode using 10.10.10.20 as the VIP address.

     

  • I created another iApp instance as stated above. With the same results.

     

    ( At first I read the reply stating "What IP address do you want to use for your virtual servers?" to equal 10.10.10.20 but that errors that "there is a VS already created ...." from the iApp for the internal F5)

     

    BIG-IP LTM will load balance and optimize CAS traffic

     

    Provide secure authentication to CAS HTTP-based services with BIG-IP Access Policy Manager - Yes, provide secure authentication using BIG-IP APM

     

    SSL Bridging

     

    sslclient_X

     

    sslServer_x

     

    Different subnet for BIG-IP VS and CAS

     

    Servers do NOT use BIG-IP as D.G.

     

    Fewer than 6000

     

    use single IP for all connections

     

    All services will be handled by the same set of CAS

     

    use settings recommended by F5

     

    address for your VS = 10.10.10.20 . . . IP address of the CAS 10.10.10.1

     

    jkrum

     

  • mikeshimkus_111's avatar
    mikeshimkus_111
    Historic F5 Account

    The IP address of the CAS should be the actual Client Access servers, not the IP address of the other internal virtual server.

     

  • O.K. I think I was focused on my logic of

     

    DMZ APM --> Internal 2010 iApp --> CAS

     

    internal users --> Internal APM --> Internal 2010 iApp --> CAS

     

    Where as all 2010 logic as with Internal 2010 iApp

     

    Really I should deploy

     

    DMZ APM --> Internal 2010 iApp --> CAS

     

    internal users --> Internal 2010 iApp2 --> CAS

     

    Where as iApp2 has Yes, provide secure authentication using BIG-IP APM

     

    Let me give that a try.

     

    Thanks again,

     

    jkrum

     

  • Thanks mikeshimkus, I do have 2010 functioning with what is required.

     

    Thanks for your feed back.

     

    jkrum