Exchange 2016 iApp - APM Configuration

Question

Hi There, &nbsp;
I have been having issues with our external APM config for our new Exchange 2016 solution via the Iapp. We are running TMOS version 11.4 (Already resolved the "No tls 1.2" issue)&nbsp;
Owa and ECP is working but autodiscover, ews, oab, and outlook anywhere is failing with ERR_CONNECTION_RESET.  
&nbsp;
enabled debugging logging for websso and apm services confirmed port 88 is open and authenticating via adtest confirmed the forward and reverse dns is working correctly connection stats show connections are made to the virtual server but not to pools for each service
I assume that we have a problem in our kerberos SSO iapp config. I'm not seeing any websso logging which is odd. Any thoughts would be helpful.&nbsp;
/var/log/apm&nbsp;
Oct  4 16:43:20 bigip1 debug tmm1[10674]: 01490000:7: Matches Autodiscover&nbsp;
Oct  4 16:43:20 bigip1 debug tmm1[10674]: 01490000:7: method:      GET&nbsp;
Oct  4 16:43:20 bigip1 debug tmm1[10674]: 01490000:7: Src IP:      10.230.1.44&nbsp;
Oct  4 16:43:20 bigip1 debug tmm1[10674]: 01490000:7: User-Agent:  Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 S&nbsp;
Oct  4 16:43:20 bigip1 debug tmm1[10674]: 01490000:7: HTTP uri:    /autodiscover/autodiscover.xml&nbsp;
Oct  4 16:43:20 bigip1 debug tmm1[10674]: 01490000:7: HTTP len:&nbsp;
Oct  4 16:43:20 bigip1 debug tmm1[10674]: 01490000:7: Request Authorization: NTLM + Basic&nbsp;
Oct  4 16:43:20 bigip1 debug tmm[10674]: 01490000:7: Matches Autodiscover&nbsp;
Oct  4 16:43:20 bigip1 debug tmm[10674]: 01490000:7: method:      GET &nbsp;
Oct  4 16:43:20 bigip1 debug tmm[10674]: 01490000:7: Src IP:      10.230.1.44&nbsp;
Oct  4 16:43:20 bigip1 debug tmm[10674]: 01490000:7: User-Agent:  Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Sa&nbsp;
Oct  4 16:43:20 bigip1 debug tmm[10674]: 01490000:7: HTTP uri:    /autodiscover/autodiscover.xml&nbsp;
Oct  4 16:43:20 bigip1 debug tmm[10674]: 01490000:7: HTTP len:&nbsp;
Oct  4 16:43:20 bigip1 debug tmm[10674]: 01490000:7: Recv'd HTTP NTLM Authentication&nbsp;
Oct  4 16:43:20 bigip1 debug tmm[10674]: 01490000:7: Enable ECA: 
select_ntlm:/Common/external.webmail.company.com.app/exch_ntlm_combined_https&nbsp;
Oct  4 16:43:20 bigip1 notice tmm[10674]: 01490506:5: de8aa909: Received User-Agent header: Mozilla%2f5.0%20(Windows%20NT%206.1)%20AppleWebKit%2f537.36%20(KH2f53.0.2785.116%20Safari%2f537.36.&nbsp;
Oct  4 16:43:20 bigip1 notice tmm[10674]: 01490544:5: de8aa909: Received client info - Type: Mozilla Version: 5 Platform: Win7 CPU: unknown UI Mode: Full Javrt: 0 Plugin Support: 1&nbsp;
Oct  4 16:43:20 bigip1 notice tmm[10674]: 01490500:5: de8aa909: New session from client IP 10.230.1.44 (ST=/CC=/C=) at VIP 10.228.1.119 Listener /Common/exte.au.app/external.webmail.company.com_combined_https (Reputation=Unknown)&nbsp;
/var/log/ltm&nbsp;
TCL error: /Common/_sys_APM_Exchange  - can't read "user_key": no such variable while executing "ACCESS::session data set "$static::__APM_ACCESS_SESS_USER_UUID"         $user_key"&nbsp;

mikeshimkus_111 · Answer

Hi Joshua, which version of the iApp are you running?&nbsp;

joshua_bines_12 · Answer

Exchange 2016 v1.0&nbsp;

mikeshimkus_111 · Answer

Can you take a look at your Exchange virtual server and tell me if you have the /Common/_sys_APM_Exchange rule assigned to it? 11.4 and later should use the Exchange APM profile, and should not have the iRule directly assigned.

joshua_bines_12 · Answer

these irules are applied to the vs. &nbsp;
external.mail.company.com_owa_redirect_irule7&nbsp;
external.mail.company.com_login_timeout&nbsp;
external.mail.company.com_select_sso_irule7&nbsp;
external.mail.company.com_apm_combined_pool_irule7  
&nbsp;
I found the machine account and name had hashs "-" so I removed them and recreated the iapp just in case but no luck. &nbsp;
tcpdump from the f5 show kerberos ports are opening for owa but we get no kerberos connections for autodiscover etc.... really odd  
&nbsp;

joshua_bines_12 · Answer

This issue is on our lab device. Wondering if this is the cause&nbsp;
481987-6 : Allow NTLM feature to be enabled with APM Limited license&nbsp;
Component: Access Policy Manager&nbsp;
Symptoms:
 When a BIG-IP system has an APM Limited license, NTLM is silently disabled and the connection goes through.&nbsp;
This breaks many (all) use-cases for Exchange + APM.&nbsp;
Conditions:
 APM and Exchange are deployed together with APM Limited / Lite license.&nbsp;
Impact:
 Exchange cannot be used with APM Limited license when NTLM frontend authentication is selected, which is used in essentially all APM + Exchange deployments.&nbsp;
Fix:
 The NTLM frontend authentication (ECA) feature can now be used with an APM Limited license. Typically, this is for Exchange deployments.&nbsp;
https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/relnote-supplement-hotfix-bigip-11-6-0.htmlA481987-6 &nbsp;

F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Exchange 2016 iApp - APM Configuration

7 Replies

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Service discovery is not happening in AS3

Load balanced RDP VIP use in APM

Deleting an AS3 Tenant

Request for Bug Tracker/Known Issues – BIG-IP Version 17.5.1.2

AST Configuration Assistance

Related Content

Exchange 2016

Kerberos Authentication Failing for Exchange 2016 Behind F5 Cloud WAF

Anonymous DDOS Tools 2016

Equinix and F5 Distributed Cloud Services: Business Partner Application Exchanges

wccp configuration for SSL Orchestrator

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS