NTLM/ Outlook Anywhere/ Big-IP APM

To give you a bit more architecture overview: Internally our servers are being load balanced by a Cisco ACE module in a Cat6509 chassis. We're using the the F5s with APM/ASM to load balance into the DMZ. In the case of the CAS servers, internal users go straight to the ACE vIP and get load-balanced to the servers. External users hit the F5 which has a vIP for "loadbalancing" (reverse proxying in this case really) that points over to the single ACE vIP and then to the CAS servers.

 

 

This is a centralized solution and we're using OA as access over the WAN.

 

 

NTLM is being used internally so that users don't have to sign in to computer and then also e-mail. This was a selling point of Exchange2010 over our current Notes environment.

 

 

It was designed that internet users would still have to log in manually through the APM as security prior to them ever touching an actual server. This login does get relayed to the internet user.

 

It was designed that the F5 would exchange NTLM with the CAS farm. This proves to work as the CAS farm won't accept anything less and internet users configured for Basic -can- get connected.

 

It was designed that users wouldn't have to manually switch their devices between NTLM when internal and Basic when external... this did not work so well. If the client is configured as NTLM the F5 logs the error in my previous posts and just repeatedly prompts the user for name/password. Apparently the APM doesn't speak NTLM on client side, only server side? This makes no sense either because our deployment isn't the standard anticipated deployment and we have something bass ackwards... or because the F5 APM is not intended for this service. As it stands, if we were to change the CAS to Basic, there'd be no value in having the F5 able to use NTLM on the backend / with the CAS as NTLM there's no value in having the F5 able to use NTLM on the backend and -not- able to recieve it on the front end.