azinser_7642
Mar 10, 2011 (Nimbostratus)
NTLM/ Outlook Anywhere/ Big-IP APM
We're using NTLM for Outlook internally. We wanted to use the APM to force clients to manually authenticate externally. NTLM worked internally, but when we took the Outlook client external we would get a login box popping up over and over again, with this error on the F5 APM:
Feb 2 13:30:03 local/tmm3 debug tmm3[13431]: 01490000:3: Not basic authentication. Ignore received auth header
If we manually changed the Outlook client to Basic Auth it would work external through the APM (though it wouldn't work internal with the NTLM CAS). If we made a local hosts file entry for Outlook Autodiscover externally, then every fourth or so time the login box popped up it would be from Autodiscover and the client would reconfigure itself as Basic Auth. Then when we took the client internal it would have to be opened and closed a couple of times to get back to NTLM. Not desirable issues for users.
Here's what we got from F5 support:
"The BigIP-APM only supports Basic Authentication from the Outlook Client. That's why it keeps on prompting for Basic Auth, whenever the client sends NTLM. Although the frontend is Basic, the Authentication on the backend (bigip -> exchange) is done on NTLM."
-----------------
My question:
Has anyone had a smoother ride with this sort of set up? Any advice?
- Is configuring internal users to go through an internal APM-enabled VIP an option? Also, is there a reason you have clients internally that are not using direct MAPI RPC and are using OutlookAnywhere both internally and externally? Please post more details, and we'll definitely help you find the right solution to this deployment snag.
- azinser_7642 (Nimbostratus): To give you a bit more architecture overview: Internally our servers are being load balanced by a Cisco ACE module in a Cat6509 chassis. We're using the F5s with APM/ASM to load balance into the DMZ. In the case of the CAS servers, internal users go straight to the ACE vIP and get load-balanced to the servers. External users hit the F5, which has a vIP for "loadbalancing" (reverse proxying in this case really) that points over to the single ACE vIP and then to the CAS servers.
- brad_11480 (Nimbostratus): I'm sure there must have been a solution for this. I had the same question today: could we have a CAS farm where users would enter either NTLM or Basic depending on various conditions: what subnet (external or internal), perhaps what hostname, etc. Thanks all.
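
When troubleshooting the repeated prompts described in this thread, it helps to see which scheme the client's `Authorization` header actually carries. The following is an added example, not code from the posters or from F5: it classifies a captured header value as Basic or NTLM and, for NTLM, reads the message type from the NTLMSSP blob. The function names and sample headers are constructed for illustration; the NTLMSSP layout (8-byte signature, then a little-endian 32-bit message type) is the standard NTLM message format.

```python
import base64
import binascii
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# Constructed sample header values (not taken from the thread).
SAMPLES = {
    "basic": "Basic " + base64.b64encode(b"alice:not-a-real-password").decode(),
    "ntlm_type1": "NTLM "
    + base64.b64encode(NTLMSSP_SIG + struct.pack("<II", 1, 0)).decode(),
}


def classify_authorization(value):
    """Return (scheme, detail) for one HTTP Authorization header value."""
    scheme, _, token = value.strip().partition(" ")
    scheme, token = scheme.lower(), token.strip()
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return scheme, "token is not valid base64"
    if scheme == "basic":
        user, sep, _ = raw.partition(b":")
        if not sep:
            return "basic", "malformed (no user:password separator)"
        # Report the user name only; the password is never returned.
        return "basic", "user=" + user.decode("utf-8", "replace")
    if scheme in ("ntlm", "negotiate"):
        if raw.startswith(NTLMSSP_SIG) and len(raw) >= 12:
            (msg_type,) = struct.unpack_from("<I", raw, 8)
            name = NTLM_TYPES.get(msg_type, "type %d" % msg_type)
            return scheme, "NTLMSSP " + name
        return scheme, "not a raw NTLMSSP message (e.g. SPNEGO/Kerberos)"
    return scheme, "unrecognised scheme"


def is_non_basic(value):
    """True for headers a Basic-only front end would not accept (assumption:
    mirrors the 'Not basic authentication' log message quoted above)."""
    return classify_authorization(value)[0] != "basic"


if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(label, classify_authorization(header), is_non_basic(header))
```
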