Forum Discussion
iAPP f5.microsoft_exchange_2010_2013_cas.v1.3.0 and /powershell issues
We are trying to implement exch13 using the iApp f5.microsoft_exchange_2010_2013_cas.v1.3.0, but whenever our MDM (AirWatch) makes /powershell commands we have issues. It seems to us that persistence and communication between CAS and F5 needs to be over 443 and not 80 to have this work, yet the iApp doesn't allow this. Trying to modify the combined iRule exch-2013-iapps_combined_pool_irule3 to allow this, but not so much luck and not sure of the details of what else can be done.
Has anyone else had issues with /powershell, or is it likely our implementation of MDM and /powershell?
7 Replies
- mikeshimkus_111
Historic F5 Account
Hi mikeshift4, you are saying that AirWatch needs an encrypted connection to CAS, and also needs to persist to the same CAS for the duration of the session, correct?
You can choose SSL bridging in the iApp to accomplish 1, although that means you're not getting the benefits of SSL offload for the other services. It's possible to do just SSL bridging for one service by setting the iApp up for that, then making modifications after the fact.
For 2, the iApp doesn't apply any persistence for 2013. However, using the iApp, you should be able to append an iRule that does that for just the /powershell requests.
Mike
- dk_01
Nimbostratus
I am trying to implement the same thing with AirWatch and Exchange 2010. Did you ever figure this out? I have been trying to modify the iRule for PowerShell, but no luck....
- mikeshimkus_111
Historic F5 Account
Hi dk 01, if you deployed the iApp for Exchange 2010, there should be a default case in the persistence iRule that forwards traffic to the OWA pool and uses source IP persistence. That case should catch the PowerShell requests and forward them to the CAS. What is it you are trying to do with the iRule? Thanks
- dk_01
Nimbostratus
Hi mikeshimkus, I am trying to get the https://exchangevip.com/powershell to connect through F5 VIP created with iApp, however I get page can't be displayed. When I create a new VIP for https, it works fine. I'd like to keep all the Exchange traffic on the same VIP, but it's not working. We are bridging SSL through F5, and I thought default would catch it, but it's not...
- mikeshimkus_111
Historic F5 Account
You can create an iRule like this and add it to the deployment using the iApp (it'll need to be in advanced mode). The pool member command can be used to send the request directly to a specific CAS, since you may only want to have one server with PowerShell remoting enabled:

    when HTTP_REQUEST {
        switch -glob -- [string tolower [HTTP::uri]] {
            "/powershell*" {
                # Send PowerShell requests directly to one specific CAS
                pool powershell_pool member 1.2.3.4 443
                return
            }
        }
    }
- mikeshift4_6102
Nimbostratus
We ended up turning on persistence on the VS itself, then in the iRule turning off persistence for all the entities like /owa/, /rpc, etc., and then created a

    "/powershell*" {
        # MDM Service.
        pool exch_443_pool
        SSL::enable serverside
        return
    }

in that same iRule from the iApp, and a new https pool with persistence. This worked perfectly for us. Of course we had to modify the iApp itself, so now it is customized, so with any changes we have to be aware since we added changes.
- mikeshimkus_111
Historic F5 Account
You shouldn't have to modify the iApp. Based on what you posted, you should be able to do this in a separate iRule that you select with the iRule picker in the iApp:

    when HTTP_REQUEST {
        switch -glob -- [string tolower [HTTP::uri]] {
            "/powershell*" {
                # Re-encrypt to the CAS and persist on the client source address
                pool exch_443_pool
                SSL::enable serverside
                persist source_addr
                return
            }
        }
    }