Microsoft Exchange 2013 iApp - Can't login to OWA or ECP if more than one server is active in pool

Easily done...with my local host file. I can route to CAS directly.

I just tried that...and it worked...so you are on to something. Are you an engineer?! You are helping out a lot!

I didn't think you could do DNS round robin with a hosts file, are you sure you're connecting to both servers? It should just use the first IP in the list IIRC.

maybe...I can't change the production DNS record until I confirm this is working though.

but luckily I have the outlookwebdr SAN name I can use for this test. So I set up a DNS round robin for it

Still works...so something with traffic between F5 and Exchange CAS?

The proxy back to the production 2010 servers even works.

Hope I get a new engineer that can start at this spot we are on, you have been most helpful.

To know that you're truly bypassing BIG-IP you'll need to confirm that you are hitting more than one server. I'm guessing you'd need to disable DNS caching on your client as well to allow this: http://support.microsoft.com/kb/245437/EN-US

You can look at the response in HTTPWatch or Fiddler. There should be a header named "X-FEServer" that should change part of the way through your session. This indicates which CAS you are connecting to.

If it is really working, I suggest reconfiguring the iApp for SSL bridging mode. When you connect directly to the server you are encrypted all the way through; by turning on SSL bridging you'll also be encrypted from the client to BIG-IP to CAS. You shouldn't need to change anything on the CAS since encrypted connections are expected by default.

I am out of time for the day, and a holiday weekend now. But I really want to get this working cause we have a consultant onsite and we need to get back this part. I just now tried flipping the config to SSL bridging just to see what the results would be. Same thing as before though.

I am also almost done, but one more thing you could try is to set up a "pass through" performance L4 virtual server on port 443 at a different IP address, with a default pool containing your CAS servers, and SNAT Automap enabled, with no other profiles added to the VIP. The pool can be set for round robin load balancing. Point your clients at that VIP using the host file and see if it works; it'll still load balance between servers but none of our other optimizations will be used.

Tried that last one, but get page cannot be displayed when trying to access it via the VIP

If you see this...how can I get this escalated more quickly? I asked my engineer to escalate, and he said ok and I never heard back the rest of the day. I know tomorrow is a holiday, but I have permission for a short period early Saturday morning to make changes in production to test if needed. I put this info in my ticket via the web site, and still nothing.

I don't have enough insight into the process to be able to tell you if it will get escalated by then. The engineer who gets the case will need time to review it, as well.

Also, I'd open a case with Microsoft on this, since it's very possible that something is going on with the CAS that's causing this.

You can work around the problem and still get the EAC restriction by adding the command "persist cookie insert 0" to the "/owa*" case in the pool assignment iRule that was created by the iApp. You'll need to go into the properties of the iApp and disable strictness first.