Martin_Kaiser_1
May 25, 2011

iRule error in F5's MS Exchange 2010 deployment guide V2.1?

Hi guys,

I'm struggling with MS Exchange 2010 load balancing, especially with authentication issues. The F5-provided deployment guide (which is currently being updated every few days) isn't quite helpful at all, especially since they decided to include only instructions on how to use those pesky wizards in the LTM web GUI...

http://www.f5.com/pdf/deployment-guides/f5-exchange-2010-dg.pdf

However, the newest version includes an iRule for turning off oneconnect transformations during autodiscovery. The instructions concerning that iRule read as follows:

Single virtual server

If you chose a single virtual server, you must add a small iRule to the secure Autodiscover virtual server created by the template that removes the OneConnect profile only from relevant service. You must first create the iRule and then associate it with the Autodiscover virtual server. To create the iRule

1. On the Main tab, expand Local Traffic and then click iRules.
2. Click the Create button.
3. In the Name box, type a name. In our example, we type autodiscover-irule.
4. In the Definition section, copy the following iRule

when HTTP_RESPONSE {
    if { [HTTP::header values WWW-Authenticate] contains "Negotiate" } { ONECONNECT::detach disable }
}

Now, as I understand ONECONNECT::detach, in order to achieve the de-activation of oneconnect, that line should read ONECONNECT::detach ENable instead of DISable. Do you agree?

Regards
Martin

3 Replies

  • Hi Martin,

    I think the idea is that you prevent OneConnect from detaching the serverside connection for this client and allowing it to be reused for other client connections by calling 'ONECONNECT::detach disable'.

    Michael Koyfman suggested this fix in a recent thread. As he's tested this quite extensively, I think 'ONECONNECT::detach disable' is correct.

    http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/aff/25/afv/topic/aft/1177067/afc/1249651/Default.aspx

    Aaron
  • Hi Aaron.

    Understood.

    IMHO, the trouble with that deployment guide is, it does not even try to explain the settings, it just tells you where to enter which information (why vs. how it is done). When you are experiencing trouble afterwards (and aren't really deep into that Exchange/Microsoft stuff), you don't know where to start troubleshooting or how it's even supposed to work.

    However... many thanks for pointing that out again!

    Martin

  • Yeah, I think all of the manuals could use a lot more explanatory text which covers the whys, not just the buttons to click. You could try opening a case with F5 Support to provide this kind of feedback. Concrete examples definitely help.

    Aaron
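
The behaviour described in the first reply, as an added example that is not part of the original thread and not F5 code: a simplified Python model of server-side connection reuse in which the back end binds the authenticated user to the connection, as connection-oriented authentication does. The `ServerConn` and `Proxy` classes, the `pin_on_negotiate` flag (standing in for the iRule's `ONECONNECT::detach disable`) and the alice/bob traffic are all hypothetical, and the multi-step handshake is collapsed into one request.

```python
# Simplified model constructed for illustration; it is not BIG-IP code.

class ServerConn:
    """Back-end connection; the server binds the authenticated user to it."""
    def __init__(self, cid):
        self.cid, self.user = cid, None

    def handle(self, creds):
        if self.user is None and creds is None:   # anonymous request: challenge
            return 401, {"WWW-Authenticate": "Negotiate"}, None
        if self.user is None:
            self.user = creds                     # handshake done: connection is authenticated
        return 200, {}, self.user                 # served under the connection's identity


class Proxy:
    """Hypothetical pooling proxy; pin_on_negotiate models 'ONECONNECT::detach disable'."""
    def __init__(self, pin_on_negotiate):
        self.pin_on_negotiate = pin_on_negotiate
        self.idle, self.pinned, self.opened = [], {}, 0

    def request(self, client, creds=None):
        conn = self.pinned.get(client)
        if conn is None:
            if self.idle:
                conn = self.idle.pop()            # reuse any idle server-side connection
            else:
                self.opened += 1
                conn = ServerConn(self.opened)
        status, headers, served_as = conn.handle(creds)
        if self.pin_on_negotiate and "Negotiate" in headers.get("WWW-Authenticate", ""):
            self.pinned[client] = conn            # keep this connection attached to this client
        if client not in self.pinned:
            self.idle.append(conn)                # default: detach after the response
        return status, served_as, conn.cid


def scenario(pin_on_negotiate):
    """alice authenticates, then bob sends an anonymous request (constructed traffic)."""
    proxy = Proxy(pin_on_negotiate)
    return [
        proxy.request("alice"),
        proxy.request("alice", creds="alice"),
        proxy.request("bob"),
    ]


if __name__ == "__main__":
    for pin in (False, True):
        print("detach disabled on Negotiate:", pin, scenario(pin))
```

Each tuple is (status, identity the back end served the request as, server-side connection id). Without pinning, bob's anonymous request lands on alice's authenticated connection; with pinning, bob gets his own connection and his own challenge.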