EV Integration with Exchange 2013

Question

Hello Experts,&nbsp;we are having one issue with the EV integration, we have already deployed the LTM_APM for our exchange server Kerberos authentication, everything is working fine with the Exchange and Kerberos with the APM.&nbsp;we are also having enterprise vault which published with a separate URL like ev.example.com, in all other deployments we have seen that all the users are using the same VIP for OWA and EV, in our case we have two VIP one for EV and one for OWA, we would like to know how do we achieve sso for the EV as well. EV will be opened from the OWA page.&nbsp;could someone help with the configuration how do I achieve the above requirement?&nbsp;Thank youBasavaraj&nbsp;

sanjayp · Answer

I believe, OWA and EV would be under same domain e.g. https://owa.example.com and EV on https://ev.example.com? You can use, single domain cookie SSO feature to have single sign on login to EV from OWA page.

https://clouddocs.f5.com/training/community/iam/html/archived/class7/module1/lab7.html

basavaraj · Answer

Dear Sanjay,&nbsp;yes, your right, both EV and OWA under the same domain. OWA we have deployed using iapp template with NTLM authentication on the client-side and Kerberos on the server-side, OWA is working fine as I said earlier. now I have also configured the EV VIP only mapped with client ssl profile and default server ssl profile along with EV POOL. EV is not working at the moment, it's asking for the credentials, already tried mapping the access profile to EV VIP still not working.&nbsp;I would like to know that are you suggesting me to configure one more access profile for the EV VIP and map it to the EV VIP, what are the options i have to configure under the VPE?&nbsp;ThanksBasavaraj

sanjayp · Answer

What is the backend server auth for EV? What's the expectation of standalone EV VIP, if accessed directly?

Depending on auth need of EV VIP, you can configure new Access policy for it. (e.g. Kerberos SSO on clienside and Kerberos SSO on serverside.)

Then, for SSO between OWA and EV you can use single domain cookie (example.com) on both access policies. SSO should work if user access EV link from OWA session.

please go through the link provided.

https://clouddocs.f5.com/training/community/iam/html/archived/class7/module1/lab7.html

basavaraj · Answer

Dear Sanjay,&nbsp;The backend server for the EV VIP is the actual EV server ( Enterprise vault Server ), for the OWA we have configured Kerberos authentication, EV will be working as a plugin within the owa page, when the user wants to open any archived email he will click on the enterprise vault plugin from owa it will open a connection to EV server  IE ev.example.com, this session should work without asking for any credentials and should use previously authenticated owa session, actually this is what my goal is&nbsp;ThanksBasavaraj

sanjayp · Answer

I understand, what I meant was whatever EV server is using for authentication either windows integrated or forms based, you can bring it behind F5 APM (new access policy) and use single domain SSO cookie (example.com) on both policies (OWA and EV) and it should work.

Now, this is the one way I know to have SSO working between F5 APM sessions for 2 applications. If someone else has any other thoughts we will wait for their feedback.

Forum Discussion

EV Integration with Exchange 2013

5 Replies

Recent Discussions

F5 VE in Azure - troubles with Sentinel integration

Need help on i-rule to specific uri path

Stable Firmware for F5

BigIP Next - Health Monitors / Template

LDAPS and renegotiation

Related Content

Making Mobile SDK Integration Ridiculously Easy with F5 XC Mobile SDK Integrator

Integrating SSL Orchestrator with McAfee Web Gateway-Transparent Proxy

Integrating SSL Orchestrator with CheckPoint Firewall VM-Explicit Proxy

Ensuring Security in Continuous Integration and Continuous Deployment (CI/CD) Pipelines

Integrating with your IPv6 Kubernetes Cluster