Provision IOS profile for Exchange ActiveSync with client certificate authentication
Problem this snippet solves:

If you need to use client certificate authentication for ActiveSync services on iOS, you need to deploy custom profiles through a Mobile Device Management (MDM) system. MDM is maybe a little bit too much to achieve only this feature. The iRule below provides the necessary material to provision a certificate and an Exchange profile on iOS. Tested successfully on iOS 9. We use the SCEP protocol for certificate enrollment.

How to use this snippet:

You need to define a Virtual Server and an access profile to publish ActiveSync. Then, you need to assign the iRule to the Virtual Server. The certificate is retrieved using the SCEP protocol from a Microsoft ADCS 2012 R2. The SCEP URL should be changed in the Exchange payload. We configured APM to protect the access to this service and retrieve attributes from Active Directory, but you can change the iRule code to retrieve information and protect the service in a different manner. When a user reaches the /enroll URI with the Safari browser, the provisioning process starts.

/!\ I provide an iOS payload as an example, but you need to modify it to fit your environment and save it as an iFile.

Settings that need to be changed in the XML payload:

<string>HOST.DOMAIN.COM</string> : ActiveSync FQDN
<string>DOMAIN-Issuer-CA</string> : Issuing CA name (if it exists; otherwise the related code should be removed)
<data>CERTIFICATE</data> : X.509 certificate in Base64 for the Issuing CA
<string>DOMAIN-Root-CA</string> : Root CA name
<data>CERTIFICATE</data> : X.509 certificate in Base64 for the Root CA
<string>DOMAIN</string> : Organization name to be present in the user certificate
<string>http://scep.domain.com/scep</string> : SCEP URL

External links
Github : github.com/e-XpertSolutions/f5

Code : 68654

Tested this on version: 11.5

Exchange 2010 ActiveSync Problem
Hello, we're running Exchange 2010 in a 3-node DAG (all-in-one mailbox servers), and have noticed some problems, specifically sporadic delays, up to 20-30 minutes, with ActiveSync, only on iOS devices (Android/TouchDown is fine). I've been working with engineers at Microsoft, and they believe our mail system is OK, and are questioning our persistence settings on the F5, running v10.2.3. They have seen connections from the iOS devices bouncing between the CAS servers when they should be sticking to a single server. When I take a look at the F5 statistics, I'm not seeing any hits at all, ever, on our ActiveSync pool, which makes me think the AS connections are likely hitting a different pool and possibly being impacted by its persistence settings. All other pools have statistics to support usage. When we first configured the default iRule, we had some trouble getting ActiveSync to work, and ended up adding a "/" after microsoft-server-activesync, and that seemed to resolve the issue. Of course now I'm questioning whether that was the right thing to do. I've pasted the persistence, followed by the append iRules below. Any thoughts at all would be appreciated.

Persistence:

    when HTTP_REQUEST {
        # Offline Address Book and Autodiscover do not require persistence.
        switch -glob -- [string tolower [HTTP::path]] {
            "/microsoft-server-activesync/" {
                # ActiveSync.
                if { [HTTP::header exists "APM_session"] } {
                    persist uie [HTTP::header "APM_session"] 7200
                } elseif { [HTTP::header exists "Authorization"] } {
                    persist uie [HTTP::header "Authorization"] 7200
                } else {
                    persist source_addr
                }
                pool Exchange__single_as_pool
                COMPRESS::disable
                return
            }
            "/owa*" {
                # Outlook Web Access
                if { [HTTP::header exists "APM_session"] } {
                    persist uie [HTTP::header "APM_session"] 7200
                } else {
                    persist cookie insert
                }
                pool Exchange__single_owa_pool
                return
            }
            "/ecp*" {
                # Exchange Control Panel.
                if { [HTTP::header exists "APM_session"] } {
                    persist uie [HTTP::header "APM_session"] 7200
                } else {
                    persist cookie insert
                }
                pool Exchange__single_owa_pool
                return
            }
            "/autodiscover*" {
                # Autodiscover.
                pool Exchange__single_ad_pool
                return
            }
            default {
                # This final section takes all traffic that has not otherwise been
                # accounted for and sends it to the pool for Outlook Web App
                if { [HTTP::header exists "APM_session"] } {
                    persist uie [HTTP::header "APM_session"] 7200
                } else {
                    persist source_addr
                }
                pool Exchange__single_owa_pool
            }
        }
    }

    when HTTP_RESPONSE {
        if { [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate" } {
            ONECONNECT::reuse disable
            ONECONNECT::detach disable
            # this command disables NTLM conn pool for connections where OneConnect has been disabled
            NTLM::disable
        }
        # this command rechunks encoded responses
        if { [HTTP::header exists "Transfer-Encoding"] } {
            HTTP::payload rechunk
        }
    }

Append:

    when HTTP_REQUEST {
        if { ([HTTP::uri] == "/") } {
            HTTP::uri /owa
        }
    }

Exchange 2013 iApp - Block Activesync except from one IP
Have only used the iApp templates with their defaults in the past, but now I'm needing to allow only one IP to ActiveSync to it. We are using MobileIron for mobile devices and I want to only allow MobileIron to talk to the F5 for ActiveSync traffic. I believe they will be pointing their MobileIron server to the F5 VIP. Any easy way to do this? I've seen one post with code for an iRule to 'block' all ActiveSync traffic but not to allow only one IP. This is what I was referring to:

    when HTTP_REQUEST {
        switch -glob -- [string tolower [HTTP::path]] {
            "/microsoft-server-activesync*" {
                drop
            }
        }
    }

replace domain user for exchange active sync
Hi, we are required to change the user connecting to the domain for our Exchange ActiveSync iApp. We are using SLADP to connect; can I use a regular domain user? We won't be making any password changes, but we will need it for ActiveSync. Thanks

OWA Exchange 2016 - Problems with Autodiscover from external access
Hey F5 Community! At the customer's Exchange server, the login syntax from Outlook Autodiscover, as it is usually pre-configured by Microsoft, does not work. The customers have an outlook.customer.com OWA access and also an autodiscover.customer.com URL. They log in with "domain\SamAccountName" or "UserPrincipalName". The login possibilities at the F5 should have the same login syntax as OWA for Autodiscover. On the testconnectivity.microsoft.com site, the internal domain also belongs to the SamAccountName and should not be missing, because without it, it will not work. At the moment Autodiscover works only with the SamAccountName, without entering the local "domain\" in front of the username. This leads to conflicts with other internal structures in Outlook Autodiscover. I work in public services; this is the case: there are problems with Outlook Autodiscover for the "Public Utility", but with the "Townhall" it works fine. Independent of the Windows domain, the Exchange server has to find the internal domain, or? The Exchange server is placed in the Townhall. The Public Utility used the old OWA 2013 via TMG from the Townhall. Now Autodiscover does not work for the Public Utility but works fine in the Townhall. The Access Policy is pretty basic: Logon Page -> AD Query (with Cross Domain enabled) -> AD Auth (with Cross Domain enabled) -> SSO Credential Mapping (with custom mcget {session.logon.last.logonname}); nothing else changed. Published on F5 BIG-IP v13.1.1 with the Exchange 2016 template.

CONFIGURING HEARTBEAT VALUE FOR ACTIVESYNC
How does one configure heartbeat values for ActiveSync on F5? I have been mandated to configure the following on the load balancer:

MinHeartbeatInterval value
MaxHeartbeatInterval value
HeartbeatSampleSize value
HeartbeatAlertThreshold value

Sizing BIG-IP LTM with APM module
Hi, we have the below expectations on user load. How do we get our sizing discussions initiated? Is there any sizing calculator?

~31,000 devices with ~81,000 connections

That apart, what are the other considerations and parameters we should ask about for sizing? We want to use F5 mainly for reverse proxy and ActiveSync SSL authentication + forms-based authentication. Any insight much appreciated.

deviceid for exchange activesync
We have APM set up for Exchange ActiveSync; we are also using the deviceid parameter as an added security measure. This is giving me a lot of grief, as this ID is relevant to the email client being used by the device and not to the device itself. With most phones the built-in client identifier can be located when you set up the server details, but it's not so with the LG3 built-in client. I need to check the logs for a blocked user in order to locate this ID, and it is proving impossible with the LG3 (using other non-built-in clients is possible, but the users are not happy with their experience). I am wondering if, instead of the email client ID, I could use the actual device ID of the phone (IMEI or UUID). If so, how can this be done? Thanks, Vered

Config Sync Between Active-Offline Nodes
Hello All, I have two BIG-IP devices working in a cluster environment. The Standby node is currently set to Offline. My question is, when I apply a change on the Active node and then perform a config sync, will the config be updated on the Standby node as well? Or shall I sync after getting the node Online?

AD group control on Activesync and outlook anywhere access
Saw this: https://devcentral.f5.com/questions/checking-group-when-doing-apm-for-activesync

And also checked out the latest iApp, but it only applies AD group control to ECP, which is a bit different as it works as a website. I need this only for ActiveSync and Outlook Anywhere, which obviously don't use a form to auth; they should use basic auth, then check the user's group and deny if not in a certain group. Can anyone help?