Forum Discussion
NimbostratusLync MAPI Connectivity Into Exchange (UcMAPI.exe)
Good afternoon!
I am in the process of integrating Lync clients into our environment. For Exchange integration, I have followed the steps as detailed in the latest iApp Deployment Guide. With that said, we have implemented the iRule included in the Deployment Guide that disables APM Policy Evalulation for Lync client connections to /EWS and /autodiscover.
Since Lync is such a robust client, I have discovered that one of its components [UcMapi.exe] likes to communicate directly to the Outlook Anywhere service over the Landing URI
/rpc/rpcproxy.dll?%SERVER_FQDN_REDACTED%:6001MSRPCOct 6 16:40:23 %DEVICE_REDACTED% err apd[6689]: 01490000:3: HTTPParser.cpp func: "parseHttpRequestHeader()" line: 174 Msg: Unknown HTTP method: RPC_OUT_DATA
Oct 6 16:40:23 %DEVICE_REDACTED% err apd[6689]: 01490093:3: 00000000: Request header parsing failed while processing request from remote client
Oct 6 16:40:23 %DEVICE_REDACTED% err apd[6689]: 01490000:3: AccessPolicyD.cpp func: "process_request()" line: 748 Msg: EXCEPTION AccessPolicyD.cpp line:664 function: process_request - error 7 reading/parsing response from socket
At the end of the day, a valid APM session is opened and communciation continues. HOWEVER, it would be awesome to see if there is a way to eliminate the above messages before I add my 100K+ Lync clients to this service. My initial guess is that the onboard iRule that facilitates Outlook Anywhere connectivity would have to be modified in order to handle this traffic without the errors. However, since this client is impersonating an Outlook client, I can see where that could be a challenge.
Another thought would be to write an iRule that disables the HTTP method RPC_OUT_DATA for the MSRPC User-Agent. However, this would eliminate APM Policy Evaluation all together and I'm sure my security team would frown on that.
Here's an interesting article that explains WHAT the client is actually doing in this case: http://www.proexchange.be/blogs/lync2010/archive/2012/02/10/microsoft-lync-2010-mapi-com-server-authentication-prompt-explained.aspx
Any ideas?
Thanks!! -Cory
4 Replies
Hi Cory, that's unusual. APM can absolutely handle the RPC-over-HTTP traffic, since that's also what Outlook Anywhere uses.
You are saying that you see this error, but the MSRPC traffic from Lync does in fact authenticate successfully through APM?
- Cory_O
Cirrus
It does. Authentication initiated through both the Outlook client and Lync's UcMAPI.exe process both seem to throw the errors into the APM log as they are both initiating connectivity to APM with a HTTP method of RPC_OUT_DATA. However, the session successfully passes Policy Evaluation and holds consistently throughout the entire usage of either client. All in all, this appears to be more of a cosmetic concern than anything functional.
On another note, we JUST upgraded to 11.5.3 HF2, so I'm wondering if we may be seeing some fallout from a recent bug fix. Perhaps this may not be related to the Exchange Profile/iApp and it could be a new finding.
I will continue to poke around today and see if I can find anything else.
-Cory
- Cory_O
This appears to be a net new issue for some reason.
In our case, we are using the APM iRule to add persistence, and I have buried this iRule within a Universal Persistence Profile so we can enable persistence mirroring across our HA Pairs.
Now when we fire up a new client, an ADDITIONAL persistence record is created to Pool Member 127.20.2.254:10001 which I can only guess is some kind of internal proprietary system IP. After this, that particular record immediately goes idle and expires at our pre-determined interval.
Here's our persistence iRule (modified from the Deployment Guide since we use multiple Virtual Servers):
when ACCESS_ACL_ALLOWED { set sessionid [ACCESS::session data get "session.user.sessionid"] switch -glob -- [string tolower [HTTP::path]] { "/microsoft-server-activesync*" - "/owa*" - "/ews*" - "/ecp*" - "/oab*" - "/rpc/rpcproxy.dll*" { persist uie $sessionid 1800 return } "/autodiscover*" { persist none return } } } when HTTP_RESPONSE { if { [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate"} { ONECONNECT::reuse disable ONECONNECT::detach disable NTLM::disable } if {[HTTP::header exists "Transfer-Encoding"]} { HTTP::payload rechunk } }Any ideas?
-Cory
- Cory_O
Well, this is a good one! Apparently, the pool statements in this Persistence iRule are meant to cover more than just circumstances where a single Virtual Server is used.
After changing to the shortened iRule above, we get the aforementioned errors in the APM log along with a single persistence record created WITHOUT A Pool to member IP 127.20.2.254:10001. This record goes idle immediately and expires at the inactivity timeout count.
When I restored the Persistence iRule back to the following (inclusive of pool statements), we no longer saw this issue:
when ACCESS_ACL_ALLOWED { set sessionid [ACCESS::session data get "session.user.sessionid"] switch -glob -- [string tolower [HTTP::path]] { "/microsoft-server-activesync*" { pool APM_EXCHANGE2010_as_pool2 persist uie $sessionid 1800 return } "/owa*" { pool APM_EXCHANGE2010_owa_pool2 persist uie $sessionid 1800 return } "/ews*" { pool APM_EXCHANGE2010_oa_pool2 persist uie $sessionid 1800 return } "/ecp*" { pool APM_EXCHANGE2010_owa_pool2 persist uie $sessionid 1800 return } "/oab*" { pool APM_EXCHANGE2010_oa_pool2 persist uie $sessionid 1800 return } "/rpc/rpcproxy.dll*" { pool APM_EXCHANGE2010_oa_pool2 persist uie $sessionid 1800 return } "/autodiscover*" { pool APM_EXCHANGE2010_ad_pool2 persist none return } default { This final section takes all traffic that has not otherwise been accounted for and sends it to the pool for Outlook Web App pool APM_EXCHANGE2010_owa_pool2 persist uie $sessionid 1800 } } } when HTTP_RESPONSE { if { [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate"} { ONECONNECT::reuse disable ONECONNECT::detach disable NTLM::disable } if {[HTTP::header exists "Transfer-Encoding"]} { HTTP::payload rechunk } } definition-checksum f41bb1953d96f40c57b91ae927bcaa4fDoes anyone know what would be happening with this strange IP? I'm just curious at this point as I seem to have corrected my own foul-up. 🙂
-Cory
