For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

andrews_128547's avatar
andrews_128547
Icon for Nimbostratus rankNimbostratus
Feb 15, 2013

Which method for sso and basic auth

Hi

 

New to F5, currently evaluating APM/LTM on virtual BIG IP

 

currently reading the implementation guide for exchange

 

our environment - single cas, owa,ews,ecp, activesync, autodiscover

 

plan, to deploy bip ip to provide proxy access to this server, for both single sign on from various applications for various exchnage services (Lync, outlook anywhere) and also support basic auth for the same services

 

what is the best implementation plan to follow in the exchange guide for a combined LTM/APM

 

currently i was thinking of going with option 1, LTM will load balance and optimize CAS traffic, however on exploring this further it seems I will be limited to forms based authentication, which is fine if it is restricted to the /owa iis folder.

 

is scenario 1 my best option given my LPM/ATM combination or would scenario 3 be better 3. BIG-IP Edge Gateway or APM will provide secure remote access to CAS, even though they are on the same box ?

 

just discussing at this stage and looking for input, whilst I kick the tyres.

 

Thanks

 

Andrew

 

 

 

microsoft
partner

5 Replies

  • mikeshimkus_111's avatar
    mikeshimkus_111
    Historic F5 Account
    Feb 15, 2013
    Hi Andrew, if you have a BIG-IP with both LTM and APM licensed, deploying scenario 1 with the APM option selected is probably your best bet. That would allow you to add more CAS in the future, whereas with scenario 3 you are limited to forwarding that traffic to one CAS (or another BIG-IP).

     

    The authentication options should be the same for both scenarios.

     

    thanks

     

    Mike
  • andrews_128547's avatar
    andrews_128547
    Icon for Nimbostratus rankNimbostratus
    Feb 16, 2013
    thanks for the reply Mike, I am in the office today and will give it wizz and see how it progresses and post back here with the outcome.
  • andrews_128547's avatar
    andrews_128547
    Icon for Nimbostratus rankNimbostratus
    Feb 16, 2013
    Ok, so good news all seems to work,

     

    One thing i have spotted is the following in the exchange event log - i will research further but it might be an easy answer on here

     

     

    Exchange ActiveSync device requests for your users are being blocked. This problem frequently occurs when the HTTP OPTIONS method request isn't allowed by the firewall. Please check the firewall that filters requests in front of your Client Access server and the Microsoft-Server-ActiveSync virtual directory.

     

     

    any thoughts on that one ?

     

     

    thanks in advance,

     

    I am now going to do the following with a bit of luck

     

    configure a web portal

     

    configure radius authentication

     

    configure a revserse proxy to replace TMG role for Lync

     

     

    will post back here with updates
    • Stig_88256's avatar
      Stig_88256
      Icon for Nimbostratus rankNimbostratus
      May 23, 2016
      Did you resolve this HTTP OPTIONS-"blocking"? We are observing the same behaviour now on 12.0HF2 using Exchange 2010/2013 iApp (v1.5.1) and Exchange 2013.
  • mgmontgomery_60's avatar
    mgmontgomery_60
    Icon for Nimbostratus rankNimbostratus
    May 08, 2013
    We are seeing the exact same error as andrews. "Exchange ActiveSync device requests for your users are being blocked. This problem frequently occurs when the HTTP OPTIONS method request isn't allowed by the firewall. Please check the firewall that filters requests in front of your Client Access server and the Microsoft-Server-ActiveSync virtual directory."

     

     

    Does anyone know the resolution for this error?

     

     

    Thank you.