Forum Discussion
OWA link doesn't work
I have followed everything that's given in the "f5-exchange-2010-dg.pdf" document; most of the Exchange services are running fine except for the OWA service on the internal network. The best part is it works in off hours, but it starts having issues during the daytime. In our company setup, we have an external F5 and an internal F5. Both use the same FQDN, but the DNS servers (internal/external) take care of sending requests to the proper VIPs. The CAS servers are on the internal network; the external F5 is behind a firewall which load balances to the internal CAS servers, and the internal F5 goes to the same CAS servers.
Externally and internally, the following pools/VIPs are created. I am using a single VIP; hence most of the FQDNs are pointed to a single VIP IP (of course, as said above, int/ext DNS takes care of resolving the proper VIP IP).
Pools = AD, AS, OA, OWA
VIPs = HTTPS, HTTP (HTTP is forwarding everything to HTTPS); the HTTPS VIP has the SNAT Pool iRule, Append iRule, Persist iRule and Persist Profile
These are my FQDNs = "webmail.xyz.com", "autodiscover.xyz.com"
I am using client & server side SSL certs
I am following exactly what's given in the F5 document; because I used the F5 template, I also followed what's given on page 22, which asks to make various changes.
What I am observing is that "Keep Accept Encoding" is required to be kept enabled, whereas the document says it should be disabled. I asked my Exchange guys; their servers are doing compression. Hence, as per the F5 document, I disabled "Keep Accept Encoding", but that breaks everything (OWA/EWS/OAB etc.), but if I enable this feature everything works. Then the confusion starts; all but OWA service doesn't work during the daytime. It doesn't matter which browser users are using, IE/Firefox, it's the same; in the evening or late evening everything works, but during the daytime users experience problems.
http://webmail.xyz.com doesn't show anything; the browser's circle just keeps moving. I do see on users' desktops that they are establishing connections to HTTP and HTTPS (HTTPS after redirection), but nothing comes up in the browser.
At night all works.
This only happens on the internal F5!
The external F5 has no issues!
PLEASE HELP!
5 Replies
- mikeshimkus_111
Historic F5 Account
Hi jachalke, it is odd that the problem only seems to happen in the daytime. This makes me suspect that it could be related to something in the BIG-IP HTTP profile in combination with IIS automatically switching from dynamic to static compression when the server is under load during the day.
Which version of BIG-IP are you running? I assume it's v10.x, since that's the deployment guide you are using. In v10, caching and compression are features of the HTTP profile, which means that you must modify the combined persistence iRule in order to troubleshoot them. You can go to the "/owa*" section in the iRule attached to the internal VIP and add the following commands to disable caching, compression, or both:
```
"/owa*" {
    # Outlook Web Access
    if { [HTTP::header exists "APM_session"] } {
        persist uie [HTTP::header "APM_session"] 7200
    } else {
        persist cookie insert
    }
    pool owa_pool_name
    # Disable caching and compression for OWA while troubleshooting
    CACHE::disable
    COMPRESS::disable
    return
}
```
You could also compare the HTTP profile settings between the internal and external VIPs for clues as to why one is working and the other is not. If you want, you can post them here and we'll have a look. The tmsh command to show the profile configuration is "list ltm profile http".
thanks
Mike
- jachalke_39650
Nimbostratus
Thanks Mike,
I did look closely at the Int/Ext iRules; they are exactly the same. I will go ahead and try disabling cache and COMPRESS for /owa*.
What's another odd part we observed is that if I only keep one server in the OWA pool it works fine. It's most likely possible due to non-persistence, as it's only going to one server. Here is my iRule on the Int/Ext F5s.
Bold italic will be changed as you mentioned before to trial. The other option which the F5 tech said to do is: disable compression completely and comment out all the COMPRESS & cache in the following iRule; also change the OneConnect profile from 255.255.255.255 to 0.0.0.0
```
# iRule to select pool and persistence method when all Exchange Client
# Access HTTP-based services are accessed through the same BIG-IP virtual
# server. This iRule will use an HTTP header inserted by a BIG-IP Edge
# Gateway for persistence (if that header is present); otherwise it will
# set persistence according to traditional methods.
# CHANGE ALL POOL NAMES TO MATCH THOSE IN YOUR ENVIRONMENT.
when HTTP_REQUEST {
    # Offline Address Book and Autodiscover do not require persistence.
    switch -glob -- [string tolower [HTTP::path]] {
        "/microsoft-server-activesync" {
            # ActiveSync.
            if { [HTTP::header exists "APM_session"] } {
                persist uie [HTTP::header "APM_session"] 7200
            } elseif { [HTTP::header exists "Authorization"] } {
                persist uie [HTTP::header "Authorization"] 7200
            } else {
                persist source_addr
            }
            pool XYZ_2010__single_as_pool
            COMPRESS::disable
            # If you selected LAN when asked from where clients are primarily
            # connecting, you MUST remove or comment out the CACHE::disable line
            CACHE::disable
            return
        }
        "/owa*" {
            # Outlook Web Access
            if { [HTTP::header exists "APM_session"] } {
                persist uie [HTTP::header "APM_session"] 7200
            } else {
                persist cookie insert
            }
            pool XYZ_2010__single_owa_pool
            return
        }
        "/ecp*" {
            # Exchange Control Panel.
            if { [HTTP::header exists "APM_session"] } {
                persist uie [HTTP::header "APM_session"] 7200
            } else {
                persist cookie insert
            }
            pool XYZ_2010__single_owa_pool
            return
        }
        "/ews*" {
            # Exchange Web Services.
            if { [HTTP::header exists "APM_session"] } {
                persist uie [HTTP::header "APM_session"] 7200
            } else {
                persist source_addr
            }
            pool XYZ_2010__single_oa_pool
            COMPRESS::disable
            # If you selected LAN when asked from where clients are primarily
            # connecting, you MUST remove or comment out the CACHE::disable line
            CACHE::disable
            return
        }
        "/oab*" {
            # Offline Address Book.
            pool XYZ_2010__single_oa_pool
            return
        }
        "/rpc/rpcproxy.dll" {
            # Outlook Anywhere.
            if { [HTTP::header exists "APM_session"] } {
                persist uie [HTTP::header "APM_session"] 7200
            } elseif { [string tolower [HTTP::header "Authorization"]] starts_with "basic" } {
                persist uie [HTTP::header "Authorization"] 7200
            } else {
                persist source_addr
            }
            pool XYZ_2010__single_oa_pool
            COMPRESS::disable
            # If you selected LAN when asked from where clients are primarily
            # connecting, you MUST remove or comment out the CACHE::disable line
            CACHE::disable
            return
        }
        "/autodiscover*" {
            # Autodiscover.
            pool XYZ_2010__single_ad_pool
            return
        }
        default {
            # This final section takes all traffic that has not otherwise
            # been accounted for and sends it to the pool for Outlook Web App
            if { [HTTP::header exists "APM_session"] } {
                persist uie [HTTP::header "APM_session"] 7200
            } else {
                persist source_addr
            }
            pool XYZ_2010__single_owa_pool
        }
    }
}
when HTTP_RESPONSE {
    if { [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate" } {
        ONECONNECT::reuse disable
        ONECONNECT::detach disable
        # this command disables NTLM conn pool for connections where OneConnect has been disabled
        NTLM::disable
    }
    # this command rechunks encoded responses
    if { [HTTP::header exists "Transfer-Encoding"] } {
        HTTP::payload rechunk
    }
}
```
- mikeshimkus_111
Historic F5 Account
Can you send me your F5 case number?
thanks
- jachalke_39650
Nimbostratus
1-168334238.. It's an active case
- mikeshimkus_111
Historic F5 Account
I looked over the case notes and your configuration. It makes sense to comment out the CACHE::disable and COMPRESS::disable commands, since F5 support has recommended that you remove caching and compression from the HTTP profile. I was unable to access the HTTPwatch capture of the problem, unfortunately. Do you recall which file the page gets stuck on loading?
I will monitor this case for updates. F5 support can escalate this case internally if necessary, and we can take it from there.
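The HTTP profile comparison suggested in the first reply, as an added example (not part of the thread and not F5 code): a small Python script that parses saved `list ltm profile http` output from the internal and external units and reports only the settings that differ. The profile name, setting names and values in the two samples are constructed assumptions, not this poster's configuration.

```python
# Added example: diff saved `list ltm profile http` output from two BIG-IPs.
# Sample text below is constructed; profile and setting names are assumptions.
INTERNAL = """\
ltm profile http xyz_owa_http {
    defaults-from http
    compress enabled
    compress-keep-accept-encoding enabled
    ramcache enabled
}
"""
EXTERNAL = """\
ltm profile http xyz_owa_http {
    defaults-from http
    compress disabled
    compress-keep-accept-encoding enabled
    ramcache disabled
}
"""

def parse_profiles(text):
    """Return {profile_name: {setting: value}} from brace-delimited tmsh output."""
    profiles, nested, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            words = line[:-1].split()
            if current is None:            # "ltm profile http <name> {"
                current = profiles.setdefault(words[-1], {})
            else:                          # nested block: prefix its settings
                nested.append(" ".join(words))
        elif line == "}":
            if nested:
                nested.pop()
            else:
                current = None
        elif current is not None:
            key, _, value = line.partition(" ")
            current[".".join(nested + [key])] = value.strip()
    return profiles

def diff_profile(internal_text, external_text, name):
    """Return {setting: (internal, external)} for settings that do not match."""
    a = parse_profiles(internal_text).get(name, {})
    b = parse_profiles(external_text).get(name, {})
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

if __name__ == "__main__":
    for setting, (i, e) in diff_profile(INTERNAL, EXTERNAL, "xyz_owa_http").items():
        print(f"{setting}: internal={i} external={e}")
```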