Brian_Mayer_841
May 15, 2013

MS Exchange ActiveSync iRule with HOST header routing not working

Hi all,

Glad to be back on the F5 forums. Hope you're all doing well today! I have been working to implement Exchange behind our v9.4.8 LTMs (our 11.3 appliances are built and almost ready for migration) in the Test environment.

Anyway, I've moved our ActiveSync traffic to another virtual server, and left our other Exchange web services on a separate shared VIP. That said, our Mobile Iron Sentry appliances point to the ActiveSync VS. I should also note that we have two separate ActiveSync traffic flows coming in - one for Exchange 2007 and one for Exchange 2010.

So I need the LTMs to do a few things, which I've attempted to implement in this iRule:

Current "non-working" iRule:

================================================================

when HTTP_REQUEST {
    # Offline Address Book and Autodiscover do not require persistence.
    switch -glob -- [string tolower [HTTP::path]] {
        "/microsoft-server-activesync" {
            # ActiveSync.
            if { [HTTP::header exists "APM_session"] } {
                persist uie [HTTP::header "APM_session"] 7200
            } elseif { [HTTP::host] contains "*deveas07.lifetech.com" } {
                # Note: "contains" is a literal substring test, so the leading "*"
                # is matched as a literal character, not as a wildcard.
                if { [HTTP::header exists "Authorization"] } {
                    persist uie [HTTP::header "Authorization"] 7200
                } else {
                    persist source_addr
                }
                pool dev.mail.lifetech.com_eas
            } elseif { [HTTP::header exists "Authorization"] } {
                persist uie [HTTP::header "Authorization"] 7200
            } else {
                persist source_addr
            }
            pool devmail10.lifetech.com_eas
            COMPRESS::disable
            # If you selected LAN when asked from where clients are primarily
            # connecting, you MUST remove or comment out the CACHE::disable line
            CACHE::disable
        }
    }
}

when HTTP_RESPONSE {
    if { [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate" } {
        ONECONNECT::reuse disable
        ONECONNECT::detach disable
        # this command disables NTLM conn pool for connections where OneConnect has been disabled
        NTLM::disable
    }
    # this command rechunks encoded responses
    if { [HTTP::header exists "Transfer-Encoding"] } {
        HTTP::payload rechunk
    }
}

================================================================

As you can see, I'm trying to do the following:

1. Look for HTTP requests that have Microsoft-Server-ActiveSync in the path, then continue processing.

2a) Look at the HTTP host field value and if it matches "deveas07", execute the If-Else conditional loop to set the appropriate persistence record and forward the request to the Exchange 2007 pool.

2b) If the HTTP host field value does not match "deveas07", execute the If-Else conditional loop to set the appropriate persistence record and forward the request to the Exchange 2010 pool.

3) Look for the Transfer-Encoding header in the server response traffic and implement payload rechunk where appropriate.

I am not able to get the iRule above working, as my mobile device cannot connect to send/receive email with that iRule in place.

I should also note that I was able to get a stripped-down version of this rule working with only one pool (no host header match), meaning the EAS traffic through the LTM was being load-balanced to the Exchange 2007 servers and mail could be sent/received from my mobile device.

Working "simplified" iRule:

================================================================

when HTTP_REQUEST {
    # Offline Address Book and Autodiscover do not require persistence.
    switch -glob -- [string tolower [HTTP::path]] {
        "/microsoft-server-activesync" {
            # ActiveSync.
            if { [HTTP::header exists "APM_session"] } {
                persist uie [HTTP::header "APM_session"] 7200
            } elseif { [HTTP::header exists "Authorization"] } {
                persist uie [HTTP::header "Authorization"] 7200
            } else {
                persist source_addr
            }
            pool dev.mail.lifetech.com_eas
            COMPRESS::disable
            # If you selected LAN when asked from where clients are primarily
            # connecting, you MUST remove or comment out the CACHE::disable line
            CACHE::disable
        }
    }
}

when HTTP_RESPONSE {
    if { [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate" } {
        ONECONNECT::reuse disable
        ONECONNECT::detach disable
        # this command disables NTLM conn pool for connections where OneConnect has been disabled
        NTLM::disable
    }
    # this command rechunks encoded responses
    if { [HTTP::header exists "Transfer-Encoding"] } {
        HTTP::payload rechunk
    }
}

================================================================

Any help or suggestions you guys may have are much appreciated!

Thanks,

B
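
An added example (not the original poster's rule, not a reply's rule, and not F5's iApp template) that carries the three steps above into one rule: persistence first, then host-based pool selection, then response re-chunking, with a log line per branch so /var/log/ltm shows which pool was chosen. Pool and host names are taken from the thread and are assumed placeholders; CACHE::disable is left out because the LTM log quoted later in the thread shows it failing with "Operation not supported" on this 9.4.8 virtual server.

```tcl
when HTTP_REQUEST {
    # Step 1: handle ActiveSync requests only; anything else returns here and
    # is served by the virtual server's default pool untouched.
    if { !([string tolower [HTTP::path]] starts_with "/microsoft-server-activesync") } {
        return
    }

    # Persistence: APM session if present, else the Authorization header,
    # else the client source address (same order as the iApp-style rule above).
    if { [HTTP::header exists "APM_session"] } {
        persist uie [HTTP::header "APM_session"] 7200
    } elseif { [HTTP::header exists "Authorization"] } {
        persist uie [HTTP::header "Authorization"] 7200
    } else {
        persist source_addr
    }

    # Steps 2a/2b: pool selection by Host header. "contains" is a literal
    # substring test, so no wildcard characters belong in the pattern, and
    # each branch issues exactly one pool command (the last one executed wins).
    # Pool and host names are assumed placeholders taken from the thread.
    set host [string tolower [HTTP::host]]
    if { $host contains "deveas07.lifetech.com" } {
        pool dev.mail.lifetech.com_eas
        log local0. "EAS request for $host -> Exchange 2007 pool"
    } else {
        pool devmail10.lifetech.com_eas
        log local0. "EAS request for $host -> Exchange 2010 pool"
    }
    # Only the host is logged; the Authorization header carries credentials
    # and must never be written to the LTM log.

    COMPRESS::disable
}

when HTTP_RESPONSE {
    # Step 3: re-chunk chunked responses before they go back to the client.
    if { [HTTP::header exists "Transfer-Encoding"] } {
        HTTP::payload rechunk
    }
}
```
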

 

7 Replies

  • mikeshimkus_111
    Historic F5 Account
    Hi Brian,

    You could get by with this iRule, if you assign devmail10.lifetech.com_eas as the default pool on the separate ActiveSync virtual server:

    when HTTP_REQUEST {
        if { [HTTP::header exists "Authorization"] } {
            persist uie [HTTP::header "Authorization"] 7200
        } else {
            persist source_addr
        }
        if { [HTTP::host] contains "deveas07.lifetech.com" } {
            pool dev.mail.lifetech.com_eas
        }
    }

    If there are any syntax errors in your iRule, you will usually see them in the /var/log/ltm log. You can add logging statements anywhere in your iRule to confirm that it's meeting your conditions, for example:

    when HTTP_REQUEST {
        if { [HTTP::header exists "Authorization"] } {
            persist uie [HTTP::header "Authorization"] 7200
        } else {
            persist source_addr
        }
        if { [HTTP::host] contains "deveas07.lifetech.com" } {
            pool dev.mail.lifetech.com_eas
            log local0. "Forwarded to 2007 pool"
        }
    }

    Also, are you planning on manually configuring your v11 boxes, or using the iApp template? We recommend using the iApp and disabling strictness if you need to do any special post-configuration.

    thanks

    Mike
  • Thanks Mike. And yes, I will definitely be using the iApp template in a few weeks when those LTMs are online. :) I may need to tweak things such as this ActiveSync service but I'd like to keep it as vanilla as possible. I'll give your iRule a go.

    A quick question on the logging statements, is it as simple as this?

    1. I put a [log local0. "Log Details"] statement immediately after any command or operator, and if that entry hits the LTM log, then the iRule successfully reached that particular statement for processing?

    Thanks,

    B
  • mikeshimkus_111
    Historic F5 Account
    That's correct. It doesn't necessarily mean that the command itself didn't result in an error, but the log should indicate that regardless.
  • Hi Mike,

    So I implemented your second recommendation above - with the logging statement - (I've put it further below for clarity) and it seems that the LTM is still processing the old iRule. Both the CACHE::DISABLE and APM_Session components referenced in the error are not in the current iRule. Here's the error. Any idea why this could be happening?

    Error in LTM log:

    May 16 11:27:39 tmm tmm[2089]: 01220001:3: TCL error: dev.mail.lifetech.com-pools - Operation not supported (line 2) invoked from within "CACHE::disable" ("/microsoft-server-activesync" arm line 14) invoked from within "switch -glob -- [string tolower [HTTP::path]] { "/microsoft-server-activesync" { ActiveSync. if { [HTTP::header exists "APM_session"] } { ..."

    CURRENT iRule on the VS:

    when HTTP_REQUEST {
        if { [HTTP::header exists "Authorization"] } {
            persist uie [HTTP::header "Authorization"] 7200
        } else {
            persist source_addr
        }
        if { [HTTP::host] contains "deveas07.lifetech.com" } {
            pool dev.mail.lifetech.com_eas
            log local0. "Forwarded to 2007 pool"
        }
    }
  • mikeshimkus_111
    Historic F5 Account
    I assume you've removed the previous iRule from the virtual server config, and DNS is pointing to the correct VIP address. I would try deleting any current open connections on the LTM, and try it again, just in case you're reusing a connection that the previous rule was applied to.
  • Forget it... I see the Mobile Iron Sentry is still sending traffic to the old VS. Our MI Admin is having trouble getting it to forward to the correct VS. Stay tuned and thanks again for the help.
  • All is well in my world now. Looks like my original iRule was actually working... after the Mobile Iron Admin pointed the MI Sentry to the correct VS, both EAS 2007 and 2010 traffic streams are working perfectly through the 9.4.8 LTMs! Thanks again for the prompt advice.

    -B