cd_312641
Feb 13, 2019

Outlook Anywhere 2016 - APM/RPC issues

Hello,

We have been trying to deploy an all-in-one VS for Exchange 2016 (OWA, ActiveSync, Autodiscover, Outlook Anywhere) using the latest iApp template provided by F5. ActiveSync, Autodiscover and OWA work like a charm.

But we are having issues with Outlook Anywhere... Basically, here is what we have in /var/log/apm while a user tries to set up his account through the Outlook client from home:

Feb 12 16:11:31 F5-TEST notice tmm[22913]: 01490506:5: /Common/exchange2016:Common:8014e002: Received User-Agent header: Microsoft%20Office%2f16.0%20(Windows%20NT%2010.0%3b%20Microsoft%20Outlook%2016.0.4266%3b%20Pro).

Feb 12 16:11:31 F5-TEST notice tmm[22913]: 01490500:5: /Common/exchange2016:Common:8014e002: New session from client IP x.x.x.x (ST=Ile-de-France/CC=FR/C=EU) at VIP x.x.x.x Listener /Common/VS-EX2016-IQR_https (Reputation=Unknown)

Feb 12 16:11:31 F5-TEST notice apmd[15789]: 01490010:5: /Common/exchange2016:Common:8014e002: Username 'foodomain\foo'

Feb 12 16:11:33 F5-TEST notice apmd[15789]: 01490005:5: /Common/exchange2016:Common:8014e002: Following rule 'fallback' from item 'SSO Credential Mapping' to ending 'Allow'

Feb 12 16:11:33 F5-TEST notice apmd[15789]: 01490102:5: /Common/exchange2016:Common:8014e002: Access policy result: LTM+APM_Mode

Feb 12 16:11:33 F5-TEST notice apmd[15789]: 01490248:5: /Common/exchange2016:Common:8014e002: Received client info - Hostname: Type: unknown Version: 0 Platform: unknown CPU: unknown UI Mode: Full Javascript Support: 0 ActiveX Support: 0 Plugin Support: 0

Feb 12 16:11:33 F5-TEST debug websso.3[24262]: 014d0044:7: /Common/exchange2016:Common:8014e002: metadata len 333

Feb 12 16:11:33 F5-TEST info websso.3[24262]: 014d0014:6: /Common/exchange2016:Common:8014e002: Found HTTP 401 response for SSO configuration '/Common/ex2016_ntlm_sso' type:'ntlmv1'

Feb 12 16:11:33 F5-TEST info websso.3[24262]: 014d0010:6: /Common/exchange2016:Common:8014e002: Websso NTLM authentication for user 'foo' using config '/Common/ex2016_ntlm_sso'

Feb 12 16:11:36 F5-TEST notice tmm2[22913]: 01490506:5: /Common/exchange2016:Common:36e6238b: Received User-Agent header: MSRPC.

Feb 12 16:11:36 F5-TEST notice tmm2[22913]: 01490500:5: /Common/exchange2016:Common:36e6238b: New session from client IP x.x.x.x (ST=Ile-de-France/CC=FR/C=EU) at VIP x.x.x.x Listener /Common/VS-EX2016-IQR_https (Reputation=Unknown)

We did a tcpdump of the traffic. Here is what we see:

The first attempt to set up the Outlook account fails because the client tries to authenticate with the email address as the login name (that's Outlook client behavior, and our AD does not support email login): the F5 response is an HTTP/1.1 401 Unauthorized.

On the client side, because the first attempt fails, a login/password prompt appears in Outlook. So we are able to modify the login to the actual foodomain\foousername. This second attempt is successful and the F5 response is an HTTP/1.1 200 OK.

From this point, the client sends RPC_OUT_DATA and RPC_IN_DATA (/rpc/rpcproxy.dll) with the Authorization field set to NTLM, and that's where the F5 responds (without even contacting the server side) with HTTP/1.0 302 Found, Location set to /my.policy.

So it seems the F5 does not link the RPC requests with the already allowed previous session (no MRH session cookie). Is this normal behavior? How am I to make it work? We see the authentication of the RPC request as NTLM, but it should be Basic, right? So is this a server configuration problem?
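A way to check the "requests are not linked to the earlier session" observation directly from /var/log/apm, as an added example that is not part of the original post: it groups the posted log lines by the 8-hex value before each message and reports which groups never reach an "Access policy result". Reading that value as the APM session identifier, and the names `summarize` and `unfinished`, are assumptions of this example.

```python
import re
from collections import OrderedDict
from urllib.parse import unquote

# Subset of the log lines quoted in the post above, copied as posted.
SAMPLE = r"""
Feb 12 16:11:31 F5-TEST notice tmm[22913]: 01490506:5: /Common/exchange2016:Common:8014e002: Received User-Agent header: Microsoft%20Office%2f16.0%20(Windows%20NT%2010.0%3b%20Microsoft%20Outlook%2016.0.4266%3b%20Pro).
Feb 12 16:11:31 F5-TEST notice apmd[15789]: 01490010:5: /Common/exchange2016:Common:8014e002: Username 'foodomain\foo'
Feb 12 16:11:33 F5-TEST notice apmd[15789]: 01490102:5: /Common/exchange2016:Common:8014e002: Access policy result: LTM+APM_Mode
Feb 12 16:11:36 F5-TEST notice tmm2[22913]: 01490506:5: /Common/exchange2016:Common:36e6238b: Received User-Agent header: MSRPC.
Feb 12 16:11:36 F5-TEST notice tmm2[22913]: 01490500:5: /Common/exchange2016:Common:36e6238b: New session from client IP x.x.x.x (ST=Ile-de-France/CC=FR/C=EU) at VIP x.x.x.x Listener /Common/VS-EX2016-IQR_https (Reputation=Unknown)
"""

# <message id>:<level>: <access profile>:<partition>:<8-hex id>: <message>
# (layout inferred from the posted lines; the 8-hex id is assumed to be the session)
LINE = re.compile(
    r"(?P<msgid>[0-9a-f]{8}):\d: (?P<profile>\S+?):(?P<part>\w+):"
    r"(?P<sid>[0-9a-f]{8}): (?P<msg>.*)"
)

def summarize(text):
    """Group APM log lines by session id, keeping first-seen order."""
    sessions = OrderedDict()
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not an APM session line
        s = sessions.setdefault(
            m["sid"], {"user_agent": None, "username": None, "policy_result": None}
        )
        msg = m["msg"]
        if msg.startswith("Received User-Agent header: "):
            # APM logs the header URL-encoded with a trailing period
            s["user_agent"] = unquote(msg.split(": ", 1)[1].rstrip("."))
        elif msg.startswith("Username "):
            s["username"] = msg.split("'")[1]
        elif msg.startswith("Access policy result: "):
            s["policy_result"] = msg.split(": ", 1)[1]
    return sessions

def unfinished(sessions):
    """Session ids that were opened but show no access policy result."""
    return [sid for sid, s in sessions.items() if s["policy_result"] is None]

if __name__ == "__main__":
    for sid, s in summarize(SAMPLE).items():
        print(sid, s)
```

On the posted excerpt this separates the Outlook session (8014e002, policy result LTM+APM_Mode) from the MSRPC session (36e6238b), which has a "New session" entry but no policy result.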

 
