Hey, I am deploying a whole new Exchange 2013 Server on our BIGIP (11.4.1). I have used the iApp and have run across several issues. In the server ssl profile I had to enable the option "no tlsv1.2". Otherwise nothing would become available. Is this kind of normal? The deployment guide does not mention this issue. Some Services work, others don't: Outlook Web App (including the advanced monitor) works ActiveSync works (advanced monitor does not work) Autodiscover does not work, not even the advanced monitors. What is the problem, when some monitors configured by the iApp work while others not? Thanks for help! Alex

Hi Alex- Just to make sure--are you running the 1.3.0 version of the iApp? For your SSL question: What do you mean by "nothing would become available"? Do you mean that there weren't any serverssl profiles to select from the drop-down (meaning that you're not choosing the option to "Create a new Server SSL profile), or that you can't pass traffic when you select a profile that doesn't have the 'No TLSv1.2' option enabled? Or something else? If you provide some more details, we should be able to help. Based on the fact that your OWA monitor works and your other two don't, I believe you have incorrect authentication credentials. The OWA monitor, even in Advanced mode, doesn't perform an authenticated connection when OWA is configured with Forms-Based Authentication. Instead, it just checks for the availability of the login form. The other two services use authenticated monitors; since they're failing, I suspect the format of the credentials you entered might not be quite right. The 4 credential questions, and required format, are: What email address do you want to use for the advanced monitors? This is required to format a valid XML POST for Autodiscover. It should be in normal user@mycompany.com format. Which mailbox account should be used for monitors? This is the Windows username. Mine, for instance, might be dmiller (exact format will be specific to your domain, of course). This has to be the username associated with the mailbox email address entered in the previous field. What is the password for that mailbox account? Self-explanatory ;) I believe we accept all extended characters that are valid for Windows passwords; the only exception is that a password can not start with one or more leading blank spaces. What is the domain name of the user account for the monitors? This is the question most often answered incorrectly. The domain is the short (NetBIOS) version of the Windows domain (example: MYDOMAIN) or the FQDN (example: mydomain.com). In neither case should you have a trailing backslash or any other character. Please try adjusting the credentials; make sure you're using an account that hasn't been locked!

Hey Dayne, iApp Version is f5.microsoft_exchange_2010_2013_cas.v1.3.0 The SSL Problem: When I remove the "No TLSv1.2" no services will be available, not even owa. The BIGIP Logon Form will be displayed but after logging on the connection will be reset. After activitating the option and reloading the page owa will work as expected. The ActiveSync and Autodiscover monitor problem: I have verified that email address, user account name, password and fqdn of cas server are correct. (see picture). Is there a way to verify the monitors manually (e.g. by curl), so I can obtain an error message? Kind regards, Alexander

When I execute the following curl command I receive the below answer. To me the answer looks good as it contains a "200 OK" as expected by the monitor (see picture below). Why does the monitor not become green? [admjk@F5BIGIP03:Active:Standalone] tmp curl -k https://172.17.27.192 -d "/Microsoft-Server-Activesync/healthcheck.htm HTTP/1.1\r\nHost: exchange.domain.de\r\nConnection: Close\r\n\r\n" -verbose * About to connect() to 172.17.27.192 port 443 (0) * Trying 172.17.27.192... connected * Connected to 172.17.27.192 (172.17.27.192) port 443 (0) * successfully set certificate verify locations: * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * SSLv3, TLS handshake, Client hello (1): * SSLv3, TLS handshake, Server hello (2): * SSLv3, TLS handshake, CERT (11): * SSLv3, TLS handshake, Server finished (14): * SSLv3, TLS handshake, Client key exchange (16): * SSLv3, TLS change cipher, Client hello (1): * SSLv3, TLS handshake, Finished (20): * SSLv3, TLS change cipher, Client hello (1): * SSLv3, TLS handshake, Finished (20): * SSL connection using AES256-SHA * Server certificate: * subject: C=DE; CN=exchange.domain.de * start date: 2014-05-09 12:43:00 GMT * expire date: 2016-05-08 12:43:00 GMT * common name: exchange.domain.de (does not match '172.17.27.192') * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway. > POST / HTTP/1.1 > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8y zlib/1.2.3 libidn/0.6.5 > Host: 172.17.27.192 > Accept: */* > Referer: rbose > Content-Length: 107 > Content-Type: application/x-www-form-urlencoded > < HTTP/1.1 200 OK < Content-Type: text/html; charset=utf-8 < Server: Microsoft-IIS/8.5 < X-Powered-By: ASP.NET < Date: Fri, 23 May 2014 14:16:14 GMT < Content-Length: 150 < * Connection 0 to host 172.17.27.192 left intact * Closing connection 0 * SSLv3, TLS alert, Client hello (1):

Surprisingly, the advanced monitor wears a fasionable green: Configuration generated by iApp: Why does this one succeed when the other fails?

Oh, similar picture for the advanced owa monitors: ?????

Forum Discussion

Alexander_01_13

Nimbostratus

May 22, 2014

Issues with Exchange 2013 iApp on 11.4.1

Hey,

I am deploying a whole new Exchange 2013 Server on our BIGIP (11.4.1).

I have used the iApp and have run across several issues.

In the server ssl profile I had to enable the option "no tlsv1.2". Otherwise nothing would become available. Is this kind of normal? The deployment guide does not mention this issue.

Some Services work, others don't:

Outlook Web App (including the advanced monitor) works
ActiveSync works (advanced monitor does not work)
Autodiscover does not work, not even the advanced monitors.

What is the problem, when some monitors configured by the iApp work while others not?

Thanks for help! Alex

application delivery

BIG-IP Access Policy Manager (APM)

22 Replies

aschaef_137607
Nimbostratus
Jun 04, 2014
Mike,

I can confirm that this occurred in our environment while running Windows Server 2012 on our CAS servers. I ran multiple tests to confirm that TLS 1.2 was enabled by default and functioning properly when connecting to the CAS servers with TLS 1.2 only.

Andrew
- mikeshimkus_111
  Historic F5 Account
  Jun 04, 2014
  Strange, I'm having no issues with 11.4.1 and Windows 2012. What is your support case ?
- aschaef_137607
  Nimbostratus
  Jun 04, 2014
  Just sent you a PM. Did you configure your Exchange 2013 setup with an iApp or manually? I used both the v1.2.0 and v1.3.0 iApp while testing.
Alexander_01_13
Nimbostratus
Jun 04, 2014
What I have changed on the iis was the order of cipher suites as described in in this post.

The registry keys already existed, so I followed only steps 2.1 to 2.6

Nonetheless this didn't help either.

Next, we will go for 11.5.1 and hopefully solve the problem. Thanks for all the hints!

Regards, Alex
John_Ogle_45372
Nimbostratus
Jul 20, 2014
Alex,

Did you ever get this resolved? If so, what was the fix?

Thank you,
aschaef_137607
Nimbostratus
Jul 22, 2014
John, we were able to resolve this issue by upgrading to 11.5.1.
Alexander_01_13
Nimbostratus
Jul 22, 2014
Sounds good! Now that the recent Hotfix is available, we are going to update soon.
Stephen_Price_1
Nimbostratus
Jan 05, 2016
Just experienced the same issue (11.4.1 HF8) with Exchange 2013, only after updating the certificate on the Exchange server to a SHA-2 keyed cert. F5 support had me disable TLS 1.2 in the SSL profile. Switch the cert back to the previous certificate everything worked. The Exchange server is running server 2012 and TLS 1.2 shows enabled.

Any answers as to option when upgrading to 11.5.x is not an option?
- mikeshimkus_111
  Historic F5 Account
  Jan 05, 2016
  AFAIK, the workaround that support provided is your only option at the moment. I'll try to determine if any upcoming hotfix will include this change.
- Stephen_Price_1
  Nimbostratus
  Jan 05, 2016
  What about KB2992611 (failed cipher order)? Would that help?