F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Aaron_Warner_11's avatar
Aaron_Warner_11
Icon for Nimbostratus rankNimbostratus
Apr 30, 2013

Issue with Exchange 2010+ federation on BIGIP VE LTM+APM

Environment   Exchange 2010 Org   Published Via TMG 2010     Exchange 2013 Org   Published via BIGIP VE LTM+APM     Outlook anywhere is configured for basic authentication on...
microsoft
partner
matt_64003's avatar
matt_64003
Icon for Cirrus rankCirrus
Mar 10, 2016

I was running into the same issue. Here is what I did to fix it:

First, I copied the iRule from OP (above) and called it Exchange2013_Federation:

when HTTP_REQUEST {
   Check the requested HTTP path 
   switch -glob [string tolower [HTTP::path]] {
      "/ews/mrsproxy.svc" -
      "/ews/exchange.asmx/wssecurity" -
      "/autodiscover/autodiscover.svc/wssecurity" -
      "/autodiscover/autodiscover.svc" {
      Disable APM for these paths
      pool Exchange2013_oa_pool7
      ACCESS::disable
      log local0. "Disabled APM enforcement for HTTP path: [HTTP::path]"
      }
   }
}

My iApp-generated configuration was using the Exchange profile in APM. My understanding is that the Exchange profile is just an easier-to-configure replacement for the _sys_APM_ExchangeSupport_OA_* iRules. I didn't know how to modify the Exchange profile so I replaced it with a modified iRule. I copied the _sys_APM_ExchangeSupport_OA_BasicAuth iRule and modified the copy to include these lines before the pre-existing "/ews/*" match:

     "/ews/mrsproxy.svc" {
         log local0. "OA_BasicAuth trigger for [IP::client_addr]:[TCP::client_port] -> [HTTP::path]"
         return
     } 
     "/ews/exchange.asmx/wssecurity" {
         log local0. "OA_BasicAuth trigger for [IP::client_addr]:[TCP::client_port] -> [HTTP::path]
         return
     } 
     "/ews/*/exchange.asmx/wssecurity" {
         log local0. "OA_BasicAuth trigger for [IP::client_addr]:[TCP::client_port] -> [HTTP::path]"
         return
     } 
     "/ews/*" {     pre-existing

I then added this new iRule to my VS and removed the Exchange profile in the access policy.

iRules attached to VS:

Exchange2013_AppCache  recommended by iApp
Exchange2013_OWA_redirect
Exchange2013_Federation  new from OP
mod_APM_ExchangeSupport_OA_BasicAuth  modified sys rule
Exchange2013_session_timeout  recommended bu iApp
Exchange2013_APM_combined  iApp original
Exchange2013_select_SSO  iApp originial
Exchange2013_MAPI  recommended by iApp