Issue regarding Outlook for android/ios (Oauth) to on-prem exchange behind BIG-IP LTM

Question

Are there any caveats with Outlook for android and IOS when hybrid modern authentication is enabled and only using the LTM module?

The outlook app is unable to add the mailaccount which is on-premise exchange 2016.

About:

iApp is based on template f5.microsoft_exchange_2016.v1.0.2
BIG-IP ver 12+ using LTM only
SSL bridging is utilized
Authentication method = ADFS
Outlook app config+architecture : https://docs.microsoft.com/en-us/exchange/clients/outlook-for-ios-and-android/use-hybrid-modern-auth?view=exchserver-2016

It works just fine when Azure's autodetect service communicates directly with an exchange server (no load balancer in front)

It also worked with basic authentication with the load balancer in front.

The only debug hints i got, is from the Test-HMAEAS.ps1 script (https://gallery.technet.microsoft.com/office/Validating-Hybrid-Modern-ad4c2b16)

Output from that script looks like this on the picture (the part with black strikethrough is what i'm missing)

Anyone who can point me in the right direction?

yoann_le_corvi1 · Answer

Hi&nbsp;I personnally have not yet implemented this architecture, but saw something in the DG (p. 7) that could be applicable to you...&nbsp;Extract -----In a hybrid scenario, the BIG-IP is located between the Exchange Web Services and the Office 365 infrastructure, and F5 provides seamless access to the on-premise Exchange components in a secure fashion without causing failures for the hybrid-related traffic. The iApp template (v1.0.2 and later) now includes the question Would you like to bypass APM for hybrid services? on page 18. Select Yes for hybrid deployments. This will prevent failures in federated requests for Autodiscover and free/busy information, as well as remote moves and migrations between your Exchange organization and Exchange Online.&nbsp;Yoann

badministrator · Answer

Hi&nbsp;I noticed that part in the DG aswell, however there is no option similar to "Would you like to bypass APM for hybrid services?" anywhere. So I just figured it was because the APM isn't fully licensed or disabled.&nbsp;

badministrator · Answer

any other sugestions?

yoann_le_corvi1 · Answer

Hi&nbsp;One thought. Have you checked that the certificate you have on LTM is valid publicly ? Issued by a trusted CA, and so on... ?&nbsp;Yoann

Forum Discussion

Issue regarding Outlook for android/ios (Oauth) to on-prem exchange behind BIG-IP LTM

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

The Business Partner Exchange - An F5 Distributed Cloud Services Demonstration

Query Regarding extramb

Question & Answer: Regarding CVE-2020-5902

Rustls with NGINX, Password Based Key Exchange, & Llama Drama

Exchange 2016

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS