For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

jkrumenacher_13's avatar
jkrumenacher_13
Icon for Nimbostratus rankNimbostratus
Apr 04, 2014

random active sync password requests

I have used iApp f5.microsoft_exchange_2010_2013_cas.v1.2.0 to deploy Exchange 2010.

 

In the DMZ I deployed BIG-IP APM will provide secure remote access to CAS

 

Then I forward that traffic to a VS on the internal network setup with the iApp as well. Exchange is working with this deployment.

 

My problem is that randomly users will need to enter their passwords again. I have opened a case with F5, C1550198, and have attached log file examples (debuggin on) I just haven't had any response back from support. If there are any ideas or if I can post some of the log files please let me know.

 

jkrum

 

BIG-IP Access Policy Manager (APM)
deployment
devops
iApps
security

8 Replies

  • jkrumenacher_13's avatar
    jkrumenacher_13
    Icon for Nimbostratus rankNimbostratus
    Apr 06, 2014
    *** Additional information *** Partial log at failure (middle of the night and phone syncs up 20 min. later) This wouldn't be a big issue if it didn't happen on the stock exchange floor. Apr 4 00:03:39 slot1/MIL-ADCDMZDV-01 debug tmm1[22279]: 01490000:7: Trying 1 for POST /Microsoft-Server-ActiveSync?Cmd=Sync&User=us%5Cdmyhre&DeviceId=SEC105B502C85881&DeviceType=SAMSUNGSCHI545 58 Apr 4 00:03:39 slot1/MIL-ADCDMZDV-01 debug tmm1[22279]: 01490000:7: Reading us\dmyhre.2626b2321575508bfee6c5d9a3d00ee9 from table _access_userkey Apr 4 00:03:39 slot1/MIL-ADCDMZDV-01 debug tmm1[22279]: 01490000:7: Setting us\dmyhre.2626b2321575508bfee6c5d9a3d00ee9=policy_inprogress 300 300 Apr 4 00:03:39 slot1/MIL-ADCDMZDV-01 debug tmm1[22279]: 01490000:7: Releasing request POST /Microsoft-Server-ActiveSync?Cmd=Sync&User=us%5Cdmyhre&DeviceId=SEC105B502C85881&DeviceType=SAMSUNGSCHI545 Apr 4 00:03:39 slot1/MIL-ADCDMZDV-01 notice apd[20679]: 01490010:5: d429ba59: Username 'us\dmyhre' Apr 4 00:03:39 slot1/MIL-ADCDMZDV-01 debug tmm1[22279]: 01490000:7: HTTP uri: /Microsoft-Server-ActiveSync?Cmd=Sync&User=us%5Cdmyhre&DeviceId=SEC105B502C85881&DeviceType=SAMSUNGSCHI545 Apr 4 00:03:39 slot1/MIL-ADCDMZDV-01 debug tmm1[22279]: 01490000:7: apm_username: us\dmyhre Apr 4 00:03:39 slot1/MIL-ADCDMZDV-01 debug tmm1[22279]: 01490000:7: user_key = us\dmyhre.2626b2321575508bfee6c5d9a3d00ee9 Apr 4 00:03:39 slot1/MIL-ADCDMZDV-01 debug tmm1[22279]: 01490000:7: Trying 1 for POST /Microsoft-Server-ActiveSync?Cmd=Sync&User=us%5Cdmyhre&DeviceId=SEC105B502C85881&DeviceType=SAMSUNGSCHI545 39 Apr 4 00:03:39 slot1/MIL-ADCDMZDV-01 debug tmm1[22279]: 01490000:7: Reading us\dmyhre.2626b2321575508bfee6c5d9a3d00ee9 from table _access_userkey Apr 4 00:03:39 slot1/MIL-ADCDMZDV-01 debug tmm1[22279]: 01490000:7: Setting us\dmyhre.2626b2321575508bfee6c5d9a3d00ee9=policy_inprogress 300 300 Apr 4 00:03:39 slot1/MIL-ADCDMZDV-01 debug tmm1[22279]: 01490000:7: Releasing request POST /Microsoft-Server-ActiveSync?Cmd=Sync&User=us%5Cdmyhre&DeviceId=SEC105B502C85881&DeviceType=SAMSUNGSCHI54 5 Apr 4 00:03:39 slot1/MIL-ADCDMZDV-01 debug apd[20679]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 74 Msg: Header received: POST / HTTP/1.1 Authorization: Basic dXNcZG15aHJlOiRoYXJlUDBpbnQr MS-ASProtocolVersion: 14.1 Connection: keep-alive User-Agent: SAMSUNG-SCH-I545/101.403 X-MS-PolicyKey: 2916148434 Content-Type: application/vnd.ms-sync.wbxml Content-Length: 0 Host: pocbwm.rwbaird.com X-Forwarded-For: 72.131.77.14 clientless-mode: 1 username: us\dmyhre password: %%%$$$ client-session-id: 4ea762677544f416a8bf65fc1b7c0b8a session-key: 524157ea32c175bce37ed96f1b7c0b8a profile-id: /server_team/DMZDV_BWM_iAPP.app/exchange_access session-id: 1b7c0b8a snapshot-id: cmp-pu: 1 Apr 4 00:03:39 slot1/MIL-ADCDMZDV-01 notice apd[20679]: 01490010:5: 1b7c0b8a: Username 'us\dmyhre' Apr 4 00:03:53 slot1/MIL-ADCDMZDV-01 info apd[20679]: 01490017:6: 1beb9880: AD agent: Auth (logon attempt:0): authenticate with 'dmyhre' failed Apr 4 00:03:53 slot1/MIL-ADCDMZDV-01 info apd[20679]: 01490007:6: 1beb9880: Session variable 'session.logon./server_team/DMZDV_BWM_iAPP.app/exchange_logon.logonname' set to 'us\dmyhre'
  • Mark_van_D's avatar
    Mark_van_D
    Icon for Cirrostratus rankCirrostratus
    Apr 07, 2014

    Try adding an * after /microsoft-server-activesync in the combined_vs_persist_iRule 

    switch -glob -- [string tolower [HTTP::path]] {
    "/microsoft-server-activesync*" {
         pool exchange_vs_as_pool
        persist uie $sessionid 7200
  • jkrumenacher_13's avatar
    jkrumenacher_13
    Icon for Nimbostratus rankNimbostratus
    Apr 07, 2014

    Mark, I am wondering if there was something in the log that see prompting the suggestion to add the *? Or what the logic is in adding the *, with this issue being random etc.

     

    Thanks,

     

    jkrum

     

  • jkrumenacher_13's avatar
    jkrumenacher_13
    Icon for Nimbostratus rankNimbostratus
    Apr 07, 2014

    Mark, I realize that I don't have that combined_VS_Persist irule. I ran the iApp to deploy 2010 in the following design. DMZ -> BIG-IP APM will provide secure remote access to CAS.

     

    Then on the Internal -> BIG-IP APM will provide secure remote access to CAS.

     

    All the log info happens in the DMZ with active sync. The only iRule I see "/microsoft-server-activesync" {

     

    is _sys_APM_Exchange_Support_OA_Basic_Auth

     

    I don't have the combined iRule in the DMZ,but I do see it on the Internal VS. I am not sure with all the loging taking place in the DMZ for active sync, does the combined iRule come into play here?

     

    Thanks again,

     

    jkrum

     

    • Mark_22062's avatar
      Mark_22062
      Icon for Nimbostratus rankNimbostratus
      Apr 08, 2014
      Reason I had for checking the * is that we had weird random issues as well and by adding that it resolved the issue. I had a look through the 1.2.0 template and it appears to have been fixed in that, so probably a red herring. Does you APM forward the request to a different LTM or are they both on the same device?
  • jkrumenacher_13's avatar
    jkrumenacher_13
    Icon for Nimbostratus rankNimbostratus
    Apr 08, 2014

    They are both guests on the same viprion. But logically they would be different devices. I did add the * in _sys_APM_Exchange_Support_OA_Basic_Auth (DMZ APM)

     

    "/microsoft-server-activesync*" { Supports for ActiveSync set f_activesync 1

     

    and combined_persist_irule on the Internal LTM

     

    when HTTP_REQUEST { switch -glob -- [string tolower [HTTP::path]] { "/microsoft-server-activesync*" { Direct all ActiveSync clients to a common pool; use Auth header value if it exists (Basic auth only, which is the default); otherwise we fall back to client IP if { [HTTP::header exists "APM_session"] } { persist uie [HTTP::header "APM_session"] 7200 } elseif { [HTTP::header exists "Authorization"] } { persist uie [HTTP::header "Authorization"] 7200 } else { persist source_addr } pool RWB_as_pool7 COMPRESS::disable CACHE::disable return }

     

    I did this about 14 hours ago so I will see if it had any impact.

     

    Also I did search through the f5.microsoft_exchange_2010_2013_cas.v1.2.0 template and did not see any reference to activesync*

     

    Thanks and I will keep you posted.

     

    jkrum

     

    • mikeshimkus_111's avatar
      mikeshimkus_111
      Historic F5 Account
      Apr 08, 2014
      FYI, the iRule was updated in the soon-to-be-released v1.3.0 Exchange iApp. Page 56 of this guide also includes that change: https://www.f5.com/pdf/deployment-guides/microsoft-exchange-2010-2013-iapp-dg.pdf Mike