Forum Discussion
Issues with Exchange 2013 OWA
In our Exchange 2010 environment we use a SAN certificate for client side SSL and per-CAS-server self-signed certificates for server SSL. This works fine thanks to LTM persistence. Connections end up on one and the same server.
The SAN certificate for client SSL contains something like this:
- DNS Name=webmail.xyz.nl
- DNS Name=autodiscover.xyz.nl
- DNS Name=imap.xyz.nl
- DNS Name=pop.xyz.nl
The self-signed certificate for server SSL contains only the name of the CAS server:
- DNS Name=CAS-server0944
- DNS Name=CAS-server0944.xyz.nl
In Exchange 2013, without LTM persistence, using the same certificate structure would not work. Connections tend to end up on different CAS servers. Using per-CAS-server self-signed certificates will screw up encryption consistency, resulting in rebuilding connections between LTM and CAS, and thus producing re-appearing logon screens.
Using one and the same SAN certificate on LTM for client SSL, and on all CAS servers solves this. In our situation, the SAN contains the following names:
- DNS Name=webmail.xyz.nl
- DNS Name=autodiscover.xyz.nl
- DNS Name=imap.xyz.nl
- DNS Name=pop.xyz.nl
- DNS Name=CAS-server1.xyz.nl
- DNS Name=CAS-server2.xyz.nl
- DNS Name=CAS-server3.xyz.nl
- DNS Name=CAS-server4.xyz.nl
- DNS Name=CAS-server5.xyz.nl
- DNS Name=CAS-server6.xyz.nl
- DNS Name=CAS-server7.xyz.nl
- DNS Name=CAS-server8.xyz.nl
- DNS Name=CAS-server9.xyz.nl
Note that the server SSL profile on the LTM does not (in our case) contain the SAN certificate. Somehow LTM and CAS servers agree on using the SAN certificate for server-side encryption.
Filed an F5 SR on this on 29th Oct, but no answer yet.
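The setup described in the post boils down to two checks an administrator can script before going live: every CAS server behind the LTM presents one and the same certificate, and that certificate's SAN lists the client-facing names plus every CAS FQDN. The following is an added example, not code from the post or from F5; the inventory, fingerprints and SAN text in it are constructed sample data (in practice you would read them off each CAS server's TLS certificate), and `cas-server3` is deliberately left on its old self-signed certificate to show what the audit reports.

```python
# Added example, not from the post: audit that every CAS server behind the LTM presents
# the same certificate and that its SAN covers the client names plus every CAS FQDN.
# Inventory, fingerprints and SAN text below are constructed sample data.
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

# Client-facing names the shared SAN certificate must cover (from the post).
CLIENT_NAMES = ["webmail.xyz.nl", "autodiscover.xyz.nl", "imap.xyz.nl", "pop.xyz.nl"]
# Constructed inventory: CAS FQDN -> (certificate fingerprint, SAN text as a
# certificate viewer shows it). cas-server3 still presents its old self-signed cert.
SHARED_FP = "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99"  # placeholder value
SHARED_SAN = ("DNS Name=webmail.xyz.nl, DNS Name=autodiscover.xyz.nl, "
              "DNS Name=imap.xyz.nl, DNS Name=pop.xyz.nl, "
              "DNS Name=CAS-server1.xyz.nl, DNS Name=CAS-server2.xyz.nl, "
              "DNS Name=CAS-server3.xyz.nl")
INVENTORY: Dict[str, Tuple[str, str]] = {
    "cas-server1.xyz.nl": (SHARED_FP, SHARED_SAN),
    "cas-server2.xyz.nl": (SHARED_FP, SHARED_SAN),
    "cas-server3.xyz.nl": ("01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10",
                           "DNS Name=CAS-server3, DNS Name=CAS-server3.xyz.nl"),
}

def parse_san(text: str) -> Set[str]:
    """Extract the DNS entries from 'DNS Name=...' text, lower-cased."""
    return {m.lower() for m in re.findall(r"DNS Name=([^,\s]+)", text)}

def san_matches(name: str, san: Set[str]) -> bool:
    """Exact match, or a single-label wildcard (e.g. *.xyz.nl) covering the host."""
    name = name.lower()
    if name in san:
        return True
    labels = name.split(".")
    return len(labels) > 2 and "*." + ".".join(labels[1:]) in san

def audit(inventory: Dict[str, Tuple[str, str]], client_names: List[str]) -> Dict[str, List[str]]:
    """Return the problems found per CAS server (an empty list means OK)."""
    common_fp = Counter(fp for fp, _ in inventory.values()).most_common(1)[0][0]
    findings: Dict[str, List[str]] = {}
    for host, (fp, san_text) in inventory.items():
        san, problems = parse_san(san_text), []
        # One certificate for the whole pool: landing on a CAS with a different cert
        # means a rebuilt TLS session and, for OWA users, a re-appearing logon screen.
        if fp != common_fp:
            problems.append("certificate differs from the rest of the pool")
        # The SAN must cover the client names and every CAS FQDN, not only this host's.
        for required in client_names + list(inventory):
            if not san_matches(required, san):
                problems.append(f"SAN missing {required}")
        findings[host] = problems
    return findings
```

Calling `audit(INVENTORY, CLIENT_NAMES)` reports nothing for `cas-server1` and `cas-server2` and, for `cas-server3`, the differing certificate plus the six names its self-signed SAN lacks.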