Forum Discussion

raZorTT
Sep 22, 2017

Trying to secure exchange with F5 in D365 hybrid cloud configuration

Hi

Apologies in advance for the long post!

I'm looking at connecting on-prem Exchange (via Exchange Web Services) to Microsoft D365 in the cloud.

Microsoft's MSDN article states that for a hybrid setup, Exchange MUST have basic authentication enabled. Our Exchange and security team are not keen on enabling that and potentially exposing it to the internet.

I am looking to put the F5 in between to authenticate incoming requests and reverse proxy to Exchange. I would like to use APM to provide the basic auth that D365 requires, then use an NTLM SSO configuration to do NTLM authentication to Exchange.

The access profile has a simple 401 response, with an AD auth on the basic branch.

If I attempt to connect to the VIP using a browser, I get a dialog box requesting username and password. Once I submit that I am successfully authenticated and the response from Exchange is returned as expected.

Trying to configure an "Email Server Profile" in D365 is causing me some problems.

After filling in the server location and credentials, there is a "Test connection" button. This fires off requests to check the connectivity. This is the report I get.

  1. Checking HTTPS connection - success
  2. Connecting to Exchange with EWS - failure
  3. Connecting to mailbox - failure

If I disable APM, the 3 checks are successful.

I did some packet captures on the F5 to try and work out what is going on in the two scenarios.

With APM

  1. When APM sends the initial 302 to redirect to my.policy, the next TCP connection comes from a different source IP address.
  2. The MRHSession cookie that the F5 returned in connection 1's response isn't part of the next request, so the F5 denies access.

Without APM

  1. The requests and responses occur in a single TCP connection (the initial request has Connection: keep-alive).

It appears that D365 expects the authentication to occur in a single connection. And it appears it doesn't return/support cookies, at least as part of this process.

Is it possible to have the F5 do authentication in a single TCP connection?

Has anyone had any experiences with a hybrid D365 configuration?


Cheers, Simon
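The failure Simon describes comes down to two different login shapes: a redirect to a login endpoint that hands out a session cookie (which only works if the client sends that cookie back on its next connection), versus a 401 Basic challenge that the client answers on the retry without any state surviving between connections. The Python simulation below is added here to illustrate that difference; it is not part of the original thread and not F5, APM or Microsoft code. The two server classes are deliberately simplified models, not APM's real logic. The cookie name MRHSession and the /my.policy path are taken from the post; the /EWS/Exchange.asmx path, the account name and the password are constructed for the example.

```python
"""Constructed simulation of a redirect-plus-session-cookie login flow versus
an inline 401 Basic challenge, driven by a client that either keeps a cookie
jar or opens a fresh connection per request and carries nothing over.
Added example; simplified models, not F5/APM or Microsoft code."""
import base64
import hmac
import secrets

# Constructed credentials standing in for the account D365 would present.
VALID_USERS = {"svc-d365": "correct-horse-battery"}


def user_from_basic(auth_header):
    """Return the user name if the Authorization header carries a valid Basic credential."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(auth_header[len("Basic "):], validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, _, password = raw.partition(":")
    stored = VALID_USERS.get(user)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    return user


def cookie_value(cookie_header, name):
    # Pull one cookie out of a "k=v; k2=v2" Cookie request header.
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


class SessionCookieServer:
    """Models the redirect-to-/my.policy flow seen in the captures: the session
    cookie handed out on the first connection must come back on the next one."""
    COOKIE = "MRHSession"

    def __init__(self):
        self.sessions = {}  # cookie value -> authenticated user, or None while pending

    def handle(self, path, headers):
        sid = cookie_value(headers.get("Cookie", ""), self.COOKIE)
        if sid is None or sid not in self.sessions:
            sid = secrets.token_hex(8)  # unknown client: new session, send to login
            self.sessions[sid] = None
            return 302, {"Location": "/my.policy", "Set-Cookie": f"{self.COOKIE}={sid}"}, ""
        if self.sessions[sid] is None:
            user = user_from_basic(headers.get("Authorization"))
            if user is None:
                return 401, {"WWW-Authenticate": 'Basic realm="ews"'}, ""
            self.sessions[sid] = user  # session is now authenticated
            return 302, {"Location": "/EWS/Exchange.asmx"}, ""
        return 200, {}, f"EWS response for {self.sessions[sid]}"


class InlineChallengeServer:
    """Stateless flow: challenge with 401 and accept the Basic credential on the
    retry, so nothing has to survive between connections."""

    def handle(self, path, headers):
        user = user_from_basic(headers.get("Authorization"))
        if user is None:
            return 401, {"WWW-Authenticate": 'Basic realm="ews"'}, ""
        return 200, {}, f"EWS response for {user}"


def run_client(server, username, password, keep_cookies, max_hops=6):
    """Drive a server until it answers 200 or the hop budget runs out.
    keep_cookies=False models the observed D365 behaviour: every hop is a new
    connection and no cookie from an earlier response is sent back."""
    creds = "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()
    jar, headers, path = {}, {}, "/EWS/Exchange.asmx"
    status, body = None, ""
    for _ in range(max_hops):
        if keep_cookies and jar:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in jar.items())
        status, resp_headers, body = server.handle(path, headers)
        if keep_cookies and "Set-Cookie" in resp_headers:
            key, _, value = resp_headers["Set-Cookie"].partition("=")
            jar[key] = value
        if status == 200:
            return status, body
        if status == 401:
            headers["Authorization"] = creds  # answer the challenge on the retry
        elif status == 302:
            path = resp_headers["Location"]
        else:
            break
    return status, body


if __name__ == "__main__":
    print(run_client(SessionCookieServer(), "svc-d365", "correct-horse-battery", keep_cookies=False))
    print(run_client(SessionCookieServer(), "svc-d365", "correct-horse-battery", keep_cookies=True))
    print(run_client(InlineChallengeServer(), "svc-d365", "correct-horse-battery", keep_cookies=False))
```

Run stand-alone, the first line shows the stateless client looping on 302 redirects and never reaching the EWS response, because each hop arrives without the MRHSession cookie and is treated as a brand-new session; the second shows a cookie-aware client completing the same flow; the third shows the stateless client succeeding against the inline challenge in two requests. Whatever the proxy in front of Exchange is, the property a cookie-less client needs is the third shape: the credential check has to complete on the request that carries the Authorization header, with no dependency on state issued in a previous response.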

 

1 Reply

FYI

I ended up contacting F5 support, and with their help migrated my solution to the Exchange/CAS iApp. With that in place we were able to get D365 to successfully authenticate using basic auth, with the F5 then authenticating with Exchange using NTLM.

Cheers, Simon