Exchange 2010 ActiveSync Problem
Hello, we're running Exchange 2010 in a 3-node DAG (all-in-one mailbox servers), and have noticed some problems - specifically sporadic delays, up to 20-30 minutes, with ActiveSync, only on iOS devices (Android/TouchDown is fine). I've been working with engineers at Microsoft, and they believe our mail system is OK, and are questioning our persistence settings on the F5 - running v10.2.3. They have seen connections from the iOS devices bouncing between the CAS servers when they should be sticking to a single server. When I take a look at the F5 statistics, I'm not seeing any hits at all - ever - on our ActiveSync pool, which makes me think the AS connections are likely hitting a different pool and possibly being impacted by its persistence settings. All other pools have statistics to support usage. When we first configured the default iRule, we had some trouble getting ActiveSync to work, and ended up adding a "/" after microsoft-server-activesync, and that seemed to resolve the issue. Of course now I'm questioning whether that was the right thing to do. I've pasted the persistence, followed by the append iRules below. Any thoughts at all would be appreciated. Persistence: when HTTP_REQUEST { Offline Address Book and Autodiscover do not require persistence. switch -glob -- [string tolower [HTTP::path]] { "/microsoft-server-activesync/" { ActiveSync. if { [HTTP::header exists "APM_session"] } { persist uie [HTTP::header "APM_session"] 7200 } elseif { [HTTP::header exists "Authorization"] } { persist uie [HTTP::header "Authorization"] 7200 } else { persist source_addr } pool Exchange__single_as_pool COMPRESS::disable return } "/owa*" { Outlook Web Access if { [HTTP::header exists "APM_session"] } { persist uie [HTTP::header "APM_session"] 7200 } else { persist cookie insert } pool Exchange__single_owa_pool return } "/ecp*" { Exchange Control Panel. if { [HTTP::header exists "APM_session"] } { persist uie [HTTP::header "APM_session"] 7200 } else { persist cookie insert } pool Exchange__single_owa_pool return } "/autodiscover*" { Autodiscover. pool Exchange__single_ad_pool return } default { This final section takes all traffic that has not otherwise been accounted for and sends it to the pool for Outlook Web App if { [HTTP::header exists "APM_session"] } { persist uie [HTTP::header "APM_session"] 7200 } else { persist source_addr } pool Exchange__single_owa_pool } } } when HTTP_RESPONSE { if { [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate"} { ONECONNECT::reuse disable ONECONNECT::detach disable this command disables NTLM conn pool for connections where OneConnect has been disabled NTLM::disable } this command rechunks encoded responses if {[HTTP::header exists "Transfer-Encoding"]} { HTTP::payload rechunk } } Append: when HTTP_REQUEST { if {([HTTP::uri] == "/") } { HTTP::uri /owa } }
OWA Exchange 2016 - Problems with Autodiscover from external access
Hey F5 Community! At the Exchange-Server of the customers, the Login-Syntax from the Outlook-Autodiscovery, like its usually pre-configured from Microsoft, does not work. The customers have an outlook.customer.com OWA Access, and also an autodiscover.customer.com URL. They login with "domain\SamAccountName" or "UserPrincipalName". The Login possibilities at the F5 should have the same Login-Syntax like OWA for AutoDiscover. On the testconnectivity.microsoft.com site belongs to the SamAccountName also the intern domain, which should not be missing. Because without it will not work. At the moment the the Autodiscovery works only with the SamAccountName, without entering the local "domain\" infront of the username. This leads to conflicts with other internal structures at the Outlook-Autodiscovery. I work in public services, this is the case: There are problems with Outlook-Autodiscovery for the "public utility" but with the "townhall" it works fine. Independent from the Windowsdomain, the Exchange-Server have to find the intern domain or? Exchange Server is placed in the Townhall. Public Utility used the old OWA 2013 via TMG from the Townhall. Now Autodiscover does not work for Public Utility but works fine in the Townhall. The Access Policy is pretty basic: Logon Page -> AD Query (with Cross Domain enabled) -> AD Auth (with Cross Domain enabled) -> SSOCredentialMapping (with custom mcget {session.logon.last.logonname}) -nothing else changed Published on F5 BigIP v13.1.1 with Exchange 2016 template.
deviceid for exchange activesync
We have APM set up for exchange activesync - we are also using the deviceid parameter as an added security measure. This is giving me a lot of grief, as this ID is relevant to the email client being used by the device and not to the device itself. With most phones the built in client identifier can be located when you set up the server details, but it's not so with the LG3 built-in client. I need to check the logs for a blocked user in order to locate this ID and it is proving impossible with the LG3. (using other non-built-in clients is possible but the users are not happy with their experience). I am wondering if instead of the email client ID, I could use the actual device ID of the phone (IMEI or UUID). If so, how can this be done? Thanks, VeredConfig Sync Between Active-Offline Nodes
Hello All, I have two Big IP Devices working in cluster environment. The Standby Node is currently set to Offline. My question is, when I apply a change on the Active Node and then perform a config sync, will the config be updated on the Standby Node as well? Or shall I Sync after getting the node Online?
AD group control on Activesync and outlook anywhere access
Saw this: https://devcentral.f5.com/questions/checking-group-when-doing-apm-for-activesync And also checked out the latest iapp but it only applies AD group control to ECP which is a bit different as it works as a website. I need this only for activesync and outlook anywhere which obviously dont use a form to auth, they should use basic auth then check the users group and deny if not in certain group. Can anyone help?
Office365 AUTH requests for ActiveSync Clients
trying to deploy APM SSO for Office365 and ran into a few issues, mostly on our side though. The latest issue is that it seems like Office365 removes the user's domain from the authorization request for ActiveSync clients, so when I look in the APM logs, I see failed attempts for "firstname.lastname" from Office365 instead of "firstname.lastname@mydomain.com." this wouldn't be an issue if our UPNs and email addresseses matched and we didn't have multiple email domains in our company. but in this case, our UPN and email address don't match and we have multiple domains that are being migrated to Office365. I have been able to get around this by adding a variable that adds "@mycompany" to the username, but that will not work once we start migrating other domains. so my question is, has anybody else noticed that Office365 removes the user's domain from the request? or is there some misconfiguration on my side that is removing the user's domain?
