Forum Discussion

wng_98840
Jan 22, 2013

Setup for UAG proxying ActiveSync traffic

Hi all,

I was wondering if anyone has set up an F5 VIP going to a UAG which proxies the traffic to Exchange. Below is a crude diagram of the setup.

Internet--->External F5--->UAG Array (UAG1 and UAG2)--->Internal F5--->Exchange

The external F5 load balancer VIPs between the 2 servers in the UAG array. The internal F5 VIP appears to be running correctly. I see the following errors 24 and 47 on the UAGs with this setup.

Error 24

The request from user xxxx at source IP address 1.1.1.1 to trunk 2010gaowa; Secure=1 failed because the request was unable to reply to an HTTP 401 request from application Exhcange 2010 EAS and OA of type ExchangePub2010. The session ID is C6B5DA33-51FE-4A7F-8D08-EA0B26850781.

Error 47

A request for application Internal Site of type InternalSite on trunk 2010gaowa; Secure=1 failed because a POST action without a content-type header is not allowed. The URL is /InternalSite/InitParams.aspx?referrer=/InternalSite/InternalError.asp&site%5Fname=2010gaowa&secure=1&error%5Fcode=17&policy%5Fid=&ErrorType=HTTPErrorCode. The source IP address is 1.1.1.1. The user is xxxx.

I want to know if someone has some suggestions or documentation on how to properly set up the external F5 to load balance the UAGs correctly. I've reviewed the F5 TMG guide and F5 UAG DA guide. Those documents don't seem to reference the setup I have.

Thanks in advance.

Bill

6 Replies

  • Hey Bill, I'm unlikely to be able to help here but I'm sure it'll save a bit of time for others if you could let us know what version of TMOS you are running and provide the Virtual Server, Pool, Persistence and any other applied profile configurations, ideally in tmsh format:

    -[tmsh] list ltm virtual 'name'
    -[tmsh] list ltm pool 'name'
    -[tmsh] list ltm persistence ...
    -[tmsh] list ltm profile http ...
  • Hi Steve,

    Here is the config and version listed below.

    BIG-IP 10.2.2 Build 852.0 Hotfix HF1

    ltm virtual aaa.bbb.com-uag-https-vs {
        destination 1.1.1.1:https
        ip-protocol tcp
        mask 255.255.255.255
        persist {
            source_addr {
                default yes
            }
        }
        pool uag01-uag02-aaa.bbb.com-https
        profiles {
            bbb.com {
                context clientside
            }
            http { }
            serverssl {
                context serverside
            }
            tcp { }
        }
        snat automap
        vlans {
            prod-vip-amber
        }
        vlans-enabled
    }

    ltm pool uag01-uag02-aaa.bbb.com-https {
        load-balancing-mode least-connections-member
        members {
            2.2.2.2:https {
                session monitor-enabled
            }
            2.2.2.3:https {
                session monitor-enabled
            }
        }
        monitor uag-https-healthcheck
    }

    ltm persistence global-settings { }

    ltm profile http http {
        adaptive-parsing enabled
        basic-auth-realm none
        compress disabled
        compress-allow-http-10 disabled
        compress-browser-workarounds disabled
        compress-buffer-size 4096
        compress-content-type-exclude none
        compress-content-type-include { text/ "application/(xml|x-javascript)" }
        compress-cpu-saver enabled
        compress-gzip-level 1
        compress-gzip-memory-level 8k
        compress-gzip-window-size 16k
        compress-keep-accept-encoding disabled
        compress-method-prefer gzip
        compress-min-size 1024
        compress-uri-exclude none
        compress-uri-include none
        compress-vary-header enabled
        lws-width 80
        max-header-size 32768
        oneconnect-transformations enabled
        pipelining enabled
        ramcache disabled
        ramcache-aging-rate 9
        ramcache-cache-control-mode all
        ramcache-insert-age-header enabled
        ramcache-max-age 3600
        ramcache-max-entries 10000
        ramcache-object-max-size 50000
        ramcache-object-min-size 500
        ramcache-size 100
        ramcache-uri-exclude none
        ramcache-uri-include none
        ramcache-uri-pinned none
        response-chunking selective
    }
  • OK, thank you. I'd say in general it mostly looks OK. However, assuming NTLM authentication is being used, then I don't think you should be using OneConnect as the two are not compatible prior to v11.

    Also, nothing to do with your issue but you don't seem to be doing compression. Are you doing it on the internal F5s?
  • Steve,

    I'll have to verify the authentication we are using with ActiveSync. If we are using NTLM, should I disable OneConnect?

    I don't think we are using compression on the internal F5s. As best practice, should we do compression?

    Thanks,

    Bill
  • Yes, if using NTLM authentication, don't use OneConnect as well. Note this applies where a single layer of F5s is used. In your case things may be a bit more 'nuanced' but I'd certainly disable it all round and see if this solves the first issue. If not, put it back.

    Compression is definitely a good idea for any HTTP traffic and will reduce bandwidth usage and improve apparent client performance significantly. I'd recommend it, but implement it only on one set of F5s. I'd say the external ones to prevent any possible issues with the proxies not understanding the compressed content. I typically configure deflate (rather than gzip) and a level of 8.
  • A bit too late, but I had the same error coming from a UAG array and it was solved by setting up a cookie persistence profile. The problem here, I think, is that packets are lost between the VIP and the UAG array's servers...
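
As an added example (not part of the thread and not F5 tooling), this Python script parses a listing in the brace format posted above and flags the two settings the replies point at: OneConnect transformations on the HTTP profile and source-address persistence on the virtual server. The sample input is a constructed, trimmed copy of the posted config, and `parse_tmsh` and `review` are hypothetical names.

```python
# Constructed sample: a trimmed copy of the listing posted in this thread.
SAMPLE = """
ltm virtual aaa.bbb.com-uag-https-vs {
    persist {
        source_addr {
            default yes
        }
    }
}
ltm persistence global-settings { }
ltm profile http http {
    compress disabled
    compress-content-type-include { text/ "application/(xml|x-javascript)" }
    oneconnect-transformations enabled
}
"""

def parse_tmsh(text):
    """Parse brace-delimited 'tmsh list' output into nested dicts."""
    stack = [{}]
    for line in filter(None, map(str.strip, text.splitlines())):
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced closing brace")
            stack.pop()
        elif line.endswith("{"):                      # block opener
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif "{" in line and line.endswith("}"):      # inline list, kept as text
            name, _, body = line.partition("{")
            stack[-1][name.strip()] = body[:-1].strip()
        else:                                         # "key value" or bare flag
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip()
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return stack[0]

def review(cfg):
    """Flag only the settings the replies in this thread call out."""
    notes = []
    for name, body in cfg.items():
        if not isinstance(body, dict):
            continue                                  # empty inline block
        if name.startswith("ltm profile http "):
            if body.get("oneconnect-transformations") == "enabled":
                notes.append((name, "oneconnect with NTLM (pre-v11)"))
        elif name.startswith("ltm virtual ") and "source_addr" in body.get("persist", {}):
            notes.append((name, "source_addr persistence, cookie suggested"))
    return notes
```

Running `review(parse_tmsh(SAMPLE))` returns one note for the virtual server and one for the HTTP profile; whether either matters still depends on confirming that NTLM is in use, as the replies say.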