Setup for UAG proxying Activesync traffic

Hey Bill, I'm unlikely to be able to help here but I'm sure it'll save a bit of time for others if you could let us know what version of TMOS you are running and provide the Virtual Server, Pool, Persistence and any other applied profile configurations, ideally in tmsh format;

 

 

-[tmsh] list ltm virtual 'name'

 

-[tmsh] list ltm pool 'name'

 

-[tmsh] list ltm persistence ...

 

-[tmsh] list ltm profile http ...

Hi Steve,

 

Here is the config and version listed below.

 

 

BIG-IP 10.2.2 Build 852.0 Hotfix HF1

 

 

ltm virtual aaa.bbb.com-uag-https-vs {

 

destination 1.1.1.1:https

 

ip-protocol tcp

 

mask 255.255.255.255

 

persist {

 

source_addr {

 

default yes

 

}

 

}

 

pool uag01-uag02-aaa.bbb.com-https

 

profiles {

 

bbb.com {

 

context clientside

 

}

 

http { }

 

serverssl {

 

context serverside

 

}

 

tcp { }

 

}

 

snat automap

 

vlans {

 

prod-vip-amber

 

}

 

vlans-enabled

 

}

 

 

ltm pool uag01-uag02-aaa.bbb.com-https {

 

load-balancing-mode least-connections-member

 

members {

 

2.2.2.2:https {

 

session monitor-enabled

 

}

 

2.2.2.3:https {

 

session monitor-enabled

 

}

 

}

 

monitor uag-https-healthcheck

 

}

 

 

ltm persistence global-settings { }

 

 

ltm profile http http {

 

adaptive-parsing enabled

 

basic-auth-realm none

 

compress disabled

 

compress-allow-http-10 disabled

 

compress-browser-workarounds disabled

 

compress-buffer-size 4096

 

compress-content-type-exclude none

 

compress-content-type-include { text/ "application/(xml|x-javascript)" }

 

compress-cpu-saver enabled

 

compress-gzip-level 1

 

compress-gzip-memory-level 8k

 

compress-gzip-window-size 16k

 

compress-keep-accept-encoding disabled

 

compress-method-prefer gzip

 

compress-min-size 1024

 

compress-uri-exclude none

 

compress-uri-include none

 

compress-vary-header enabled

 

lws-width 80

 

max-header-size 32768

 

oneconnect-transformations enabled

 

pipelining enabled

 

ramcache disabled

 

ramcache-aging-rate 9

 

ramcache-cache-control-mode all

 

ramcache-insert-age-header enabled

 

ramcache-max-age 3600

 

ramcache-max-entries 10000

 

ramcache-object-max-size 50000

 

ramcache-object-min-size 500

 

ramcache-size 100

 

ramcache-uri-exclude none

 

ramcache-uri-include none

 

ramcache-uri-pinned none

 

response-chunking selective

 

}

OK, thank you. I'd say in general it mostly looks OK. However, assuming NTLM authentication is being used then I don't think you should be using OneConnect as the two are not compatible prior to v11.

 

 

Also, nothing to do with your issue but you don't seem to be doing compression. Are you doing it on the internal F5's?

 

Steve,

 

 

I'll have to verify the authentication we are using with activesync. If we are using NTLM, should I disable the OneConnect?

 

 

I don't think we are using compression on the internal F5s. As best practice should we do compression?

 

 

Thanks,

 

 

Bill

Yes, if using NTLM authentication, don't use OneConnect as well. Note this applies where a single layer of F5s are used. In your case things may be a bit more 'nuanced' but I'd certainly disable it all round and see if this solves the first issue. If not, put it back.

 

 

Compression is definitely a good idea for any HTTP traffic and will reduce bandwidth usage and improve apparent client performance significantly. I'd recommend it, but implement it only on one set of F5's. I'd say the external ones to prevent any possible issues with the proxies not understanding the compressed content. I typically configure deflate (rather than gzip) and a level of 8.