Issues with Exchange 2013 iApp on 11.4.1

Hi Alex-

Thanks for providing so much information.

Please open a case with F5 Support and send me a private message with the case ID so I can take a closer look at your configuration (or the engineer you talk to may very well be able to help directly, of course).

In the meantime, how did you discover that "No TLSv1.2" is the option that makes your connections work? I'm not aware of a specific IIS or Exchange configuration that would require that; is there a MSFT TechNet, F5 Support, or related article that you referenced to find that? If so can you provide that to us?

What happens if you let the iApp build its own new server SSL profile, rather than selecting one you've customized?

I have a few theories on the monitor situation, though nothing definitive without more information. The fact that your advanced monitors succeed shows that your auth credentials are fine (which is good). The fact that the advanced [EAV, i.e. external] monitors (which use curl) work and the built-in BIG-IP monitors don't, AND you have a seemingly-unusual SSL/TLS config on the server side, makes me think that BIG-IP's internal HTTPS monitor (which does not use curl) is somehow receiving a certificate error or having the connection reset. However, we really don't know at this point.

When you talk to Support, they'll probably ask that you grab a server-side tcpdump capture and decrypt it with your private key so we can see what's going on with the monitor traffic. If the problem is during SSL negotiation, the decryption may not be necessary (or possible); if it's right after negotiation and something that's occurring at the HTTP level, we'll need to see what Exchange/IIS is doing.