Forum Discussion

jlarosa_44289's avatar
jlarosa_44289
Icon for Nimbostratus rankNimbostratus
Sep 24, 2012

Issues with /owa redirect on Exchange 2010

First off, I apologize ahead of time as this is very difficult issue to document in writing...

 

We are using LTM 11.2 with the newest iApp to handle Exchange 2010 LB and SSL Offload. Everything is working great, except for the usage case where end users do not treat OWA properly.

 

If you normally enter http://email.domain.com/, our port 80 VS answers and the https redirect iRule kicks in and issues a 302 redirect to https://email.domain.com/. The owa_append iRule then properly appends /owa so the end user gets the OWA logon screen.

 

This is the issue we are trying to avoid:

 

User logs on to OWA. They then change the URL of the same tab to another site, say www.google.com. After a few minutes, they decide to enter 'email.domain.com', again in the same tab. The port 80 VS answers and redirects to the port 443 VS. The browser then craps out and only displays weird hyperlinks and red X's. The issue is that the browser is NOT going to /owa.

 

Using HTTPwatch, I can see that tons of 403's are being thrown, as the root of Default Web Sites is configured to require SSL (the default). While tracing the path of our interesting use case, I see that upon re-entering email.umd.edu, while a 302 to https://email.umd.edu is issues, the remaining status codes show the browsing is using local cache. I think the owa append iRule never has chance to fire.

 

Does any of this make sense? Can anyone else reproduce this? Is there anything else we can do short of re-educating our 15k+ users?

 

Thanks!

 

  • mikeshimkus_111's avatar
    mikeshimkus_111
    Historic F5 Account
    Hi jlarosa, I have reproduced this in the lab and I'll post back here when we have a fix.

     

    thanks

     

    Mike
  • mikeshimkus_111's avatar
    mikeshimkus_111
    Historic F5 Account
    Can you try modifying the HTTP::uri command from the iRule (iapp_name)_owa_append_iRule from:

     

     

    HTTP::uri /owa/

     

     

    to

     

     

    HTTP::uri /owa

     

     

    Let me know if that helps.
  • Actually, my iRule already was just /owa.

     

    I tried to change it to /owa/ and get the same behavior.

     

  • mikeshimkus_111's avatar
    mikeshimkus_111
    Historic F5 Account
    When I changed the URI command in the rule, it fixed the issue for me. I changed the the rule back, and added a log statement to fire whenever "/owa" was appended, and the BIG-IP did report that it was appending the URI. However, the traffic sent to the back end server did not get sent to the /owa/ subdirectory.

     

     

    I recommend that you open a case with F5 support so we can track this issue.
  • I guess I should have a paid attention a little closer. On my DEV unti, I actually had 2 OWA Append iRules and looked at the wrong one. That one wasn't added to my 443 VS. Once I found the proper iRule and changed the URI to /owa (from /owa/), things work as expected!!!

     

    Yet again, DevCentral Rocks!!!

     

  • mikeshimkus_111's avatar
    mikeshimkus_111
    Historic F5 Account
    Good to know that it's working for you now. We'll update the deployment guidance.
  • Just wanted to submit a quick note, I was also experiencing this issue using Big-IP 11.2.1 HF6 plus the Exchange iApp version - microsoft_exchange_2010_cas.2012_06_08

     

    Changing the append iRule as described above by mikeshimkus fixes the issue. Thanks Mike!

     

    HTTP::uri /owa/

     

    to

     

    HTTP::uri /owa