Forum Discussion

jkrumenacher_13
Apr 01, 2014

iAPP Exchange 2010 deployment

I am trying to deploy 2010 in the following design. DMZ -> BIG-IP APM will provide secure remote access to CAS

 

What IP address do you want to use for the BIG-IP APM virtual server? 50.50.50.1

 

SSL Bridging

 

sslclient_X

 

sslServer_x

 

What is the virtual IP address on the remote BIG-IP system to which you will forward traffic? 10.10.10.1

 

Outlook Anywhere not used or clients use basic auth

 

This works fine.

 

What is not working is I want to set up the same scenario from our internal network and forward traffic to 10.10.10.1

 

So I ran the iApp and set up Internal -> BIG-IP APM will provide secure remote access to CAS

 

What IP address do you want to use for the BIG-IP APM virtual server? 10.10.10.20

 

SSL Bridging

 

sslclient_X

 

sslServer_x

 

What is the virtual IP address on the remote BIG-IP system to which you will forward traffic? 10.10.10.1

 

Outlook Anywhere not used or clients use basic auth

 

I get the Secure Logon for F5 Networks, enter my credentials (as before) and it times out: "IE cannot display the webpage". The stats on the pool (vs 10.10.10.1) are not changing. I don't see traffic from 10.10.10.20 to 10.10.10.1 (tcpdump). If I put in the wrong credentials I get an error stating username or password is not correct, so I know I get to AD auth.

 

Any help is greatly appreciated.

 

jkrum

 


  • mikeshimkus_111
    Historic F5 Account

    Hi jkrum,

     

    How did you answer the question, "Where will your BIG-IP virtual servers be in relation to your Client Access Servers?" in the internal iApp?

     

    Mike

     

  • That question is not asked under the deployment scenario "BIG-IP APM will provide secure remote access to CAS"

     

    That is asked under BIG-IP LTM will receive HTTP-based CAS traffic forwarded by a BIG-IP APM.

     

    I might not have been clear enough with what I am trying to do. Today I have run the iApp in our DMZ F5 - using the deployment scenario "BIG-IP APM will provide secure remote access to CAS" (notes in initial question)

     

    Forwarding traffic to the internal F5 where the deployment scenario is BIG-IP LTM will load balance and optimize CAS traffic. (Here I state they will be on different subnets)

     

    This works.

     

    What I want to do is create another instance of the iApp, just like the DMZ deployment, to hit first and just forward traffic to the internal F5 iApp VS.

     

    We have a custom login form used externally, I am looking to have that displayed when accessing Exchange internally as well.

     

    Does that help clear it up a bit?

     

    Thanks, jkrum

     

  • mikeshimkus_111
    Historic F5 Account

    Just asked around a bit, and it seems that you need an iRule to perform the VIP-targeting-VIP scenario (where a virtual server forwards traffic to another virtual server on the same BIG-IP): https://devcentral.f5.com/articles/20-lines-or-less-64-vip-to-vip-redirection-url-separation-and-redirect-rewriting.Uzszxfld_0Q

     

    The Exchange iApp doesn't support this. So in your situation, instead of running the "BIG-IP APM will provide secure remote access to CAS" scenario on the internal BIG-IP, you should run "BIG-IP LTM will load balance and optimize CAS traffic" again, but configure the iApp for LTM+APM mode using 10.10.10.20 as the VIP address.

     

  • I created another iApp instance as stated above. With the same results.

     

    (At first I read the reply stating "What IP address do you want to use for your virtual servers?" to equal 10.10.10.20 but that errors that "there is a VS already created ...." from the iApp for the internal F5)

     

    BIG-IP LTM will load balance and optimize CAS traffic

     

    Provide secure authentication to CAS HTTP-based services with BIG-IP Access Policy Manager - Yes, provide secure authentication using BIG-IP APM

     

    SSL Bridging

     

    sslclient_X

     

    sslServer_x

     

    Different subnet for BIG-IP VS and CAS

     

    Servers do NOT use BIG-IP as D.G.

     

    Fewer than 6000

     

    use single IP for all connections

     

    All services will be handled by the same set of CAS

     

    use settings recommended by F5

     

    address for your VS = 10.10.10.20 . . . IP address of the CAS 10.10.10.1

     

    jkrum

     

  • mikeshimkus_111
    Historic F5 Account

    The IP address of the CAS should be the actual Client Access servers, not the IP address of the other internal virtual server.

     

  • O.K. I think I was focused on my logic of

     

    DMZ APM --> Internal 2010 iApp --> CAS

     

    internal users --> Internal APM --> Internal 2010 iApp --> CAS

     

    Where as all 2010 logic as with Internal 2010 iApp

     

    Really I should deploy

     

    DMZ APM --> Internal 2010 iApp --> CAS

     

    internal users --> Internal 2010 iApp2 --> CAS

     

    Where as iApp2 has Yes, provide secure authentication using BIG-IP APM

     

    Let me give that a try.

     

    Thanks again,

     

    jkrum

     

  • Thanks mikeshimkus, I do have 2010 functioning with what is required.

     

    Thanks for your feedback.

     

    jkrum