Hybrid Exchange traffic and Starttls
We need to forward traffic from Exchange Online to the Exchange on-premise server. A direct connection through the firewall is working. We wanted to use the F5 to load-balance the traffic on the 2 on-premise Exchange servers. It seems there is something special about STARTTLS SMTP traffic to handle on TCP port 25 😃. Thanks for your help, Daniel

Provision IOS profile for Exchange ActiveSync with client certificate authentication
Problem this snippet solves: If you need to use client certificate authentication for ActiveSync services on iOS, you need to deploy custom profiles through a Mobile Device Management (MDM) system. MDM is maybe a little bit too much to achieve only this feature. The iRule below provides the necessary materials to provision a certificate and an Exchange profile on iOS. Tested successfully on iOS 9. We use the SCEP protocol for certificate enrollment.

How to use this snippet: You need to define a Virtual Server and an access profile to publish ActiveSync. Then, you need to assign the iRule on the Virtual Server. The certificate is retrieved using the SCEP protocol on a Microsoft ADCS 2012 R2. The SCEP URL should be changed in the Exchange payload. We configured APM to protect access to this service and retrieve attributes from Active Directory, but you can change the iRule code to retrieve information and protect the service in a different manner. When a user reaches the /enroll URI with the Safari browser, the provisioning process starts.

/!\ I provide an iOS payload as an example, but you need to modify it to fit your environment and save it as an iFile. Settings that need to be changed in the XML payload:

    <string>HOST.DOMAIN.COM</string> : ActiveSync FQDN
    <string>DOMAIN-Issuer-CA</string> : Issuing CA name (if it exists; otherwise the related code should be removed)
    <data>CERTIFICATE</data> : X.509 certificate in Base64 for the Issuing CA
    <string>DOMAIN-Root-CA</string> : Root CA name
    <data>CERTIFICATE</data> : X.509 certificate in Base64 for the Root CA
    <string>DOMAIN</string> : Organization name to be present in the user certificate
    <string>http://scep.domain.com/scep</string> : SCEP URL

External links: GitHub: github.com/e-XpertSolutions/f5
Code: 68654
Tested this on version: 11.5

iRule to Redirect autodiscover traffic
Dear all, the SSL certificate in my current virtual server points to autodiscover.abc.com and not autodiscover.abccommodities.com. I would like F5 to redirect from autodiscover.abccommodities.com to autodiscover.abc.com in the hope of eliminating the SSL security warning popup from Outlook clients as seen below. Is that possible? I tried this iRule but it wasn't working; it still prompts the warning. I believe the Outlook client is using HTTPS traffic to contact the mail server?

    when HTTP_REQUEST {
        if { [string tolower [HTTP::host]] ends_with ".abccommodities.com" } {
            HTTP::redirect "https://autodiscover.abc.com"
        }
    }

F5 webmail exchange 2016 - "Access policy evaluation is already in progress for your current session."
We recently moved over to Outlook 2016. Users that are on 2010 connect fine and never have an issue. The new users that have moved over to 2016 mailboxes get the error message above in the title. When they connect, they get the following add-ons to their URL:

    ?bO=1
    sessiondata.ashxappcacheclient=1&acver=15.1.1591.8&crr=1

I have tried iRules from the following DevCentral questions and answers with no success:

    Access policy evaluation is already in progress for your current session
    How to avoid "Access policy evaluation is already in progress" - (iRules from matt, Misty Spillers & Stanislan Piron tested and didn't help)

If I have users open a browser in "InPrivate Browsing" or "Incognito" mode, they don't get the error. I have also tried the windows_10_anniversary_fix as well as all the iRules on page 76 of the iApp deployment guide for Exchange 2016. Deployment guide stuff I tested that doesn't work:

    when HTTP_REQUEST {
        if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } {
            HTTP::cookie "IsClientAppCacheEnabled" False
        }
    }

and tried this:

    when HTTP_REQUEST {
        if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } {
            HTTP::cookie remove "IsClientAppCacheEnabled"
            HTTP::cookie insert name "IsClientAppCacheEnabled" value False
        }
    }

I have a ticket open with F5 but they are saying "oh, just check the guide". Not helpful. Hoping someone from the community can help me. Thanks in advance!

Exchange iApp and app service name with dots
Hi! I deployed Exchange iApp v1.5.1 and used our FQDN as the App service name, and ran into an issue with the generated snatpool iRule. When connecting to the VIP this error message is logged:

    TCL error: /Exchange/mail.domain.com_Internal.app/mail.domain.com_Internal_snatpool_irule3 - can't read "static::snat_ips_domain": no such variable while executing "snat $static::snat_ips_mail.domain.com_Internal([expr {[crc32 [IP::client_addr]] % [array size static::snat_ips_mail.domain.com_Internal]}])"

The generated iRule looks like this:

    when RULE_INIT {
        # Use a local array to configure SNAT addresses.
        # These addresses do not need to be defined in a SNAT pool or elsewhere.
        set static::snat_ips_mail.domain.com_Internal(0) 10.10.1.151
        set static::snat_ips_mail.domain.com_Internal(1) 10.10.1.152
        set static::snat_ips_mail.domain.com_Internal(2) 10.10.1.153
    }
    when CLIENT_ACCEPTED {
        # Calculate the crc32 checksum of the client IP
        # Use the modulo of the checksum and number of SNAT IPs to pick a SNAT IP
        snat $static::snat_ips_mail.domain.com_Internal([expr {[crc32 [IP::client_addr]] % [array size static::snat_ips_mail.domain.com_Internal]}])
    }

Just from reading the error it looks like the reference to $static::snat_ips_mail.domain.com_Internal "breaks" after the first dot. I've tried enclosing the array name in curly braces in different ways but that only produces various syntax errors. Tcl and arrays are not quite what I do every day 🙂 Is there any way to modify the snat statement so that it can reference static::snat_ips_mail.domain.com_Internal? Thanks /Andreas
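An added example, not code from the thread or from the iApp, showing the same SNAT selection written so that a dotted array name resolves. Tcl's `$name(...)` substitution stops at the first character that is not a letter, digit, underscore or `::`, so the dots terminate the variable name; a one-argument `[set name(...)]` takes the whole name as a literal string instead. The addresses and the array name are copied from the generated iRule above.

```tcl
when RULE_INIT {
    # Same dotted array name and SNAT addresses as the generated iRule.
    # Writing the elements already works: [set] receives the name as a literal word.
    set static::snat_ips_mail.domain.com_Internal(0) 10.10.1.151
    set static::snat_ips_mail.domain.com_Internal(1) 10.10.1.152
    set static::snat_ips_mail.domain.com_Internal(2) 10.10.1.153
}
when CLIENT_ACCEPTED {
    # [array size] also takes the name as a literal argument, so the dots are harmless here.
    set count [array size static::snat_ips_mail.domain.com_Internal]
    # Same crc32-modulo selection as the generated rule.
    set idx [expr {[crc32 [IP::client_addr]] % $count}]
    # $static::snat_ips_mail.domain.com_Internal($idx) is parsed as the variable
    # $static::snat_ips_mail followed by literal text, hence "no such variable".
    # A one-argument [set] returns the element's value and accepts the full dotted
    # name; $idx inside the word is still substituted before [set] runs.
    snat [set static::snat_ips_mail.domain.com_Internal($idx)]
}
```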
Exchange 2010 iRule problem. Help!
BigIP 1600 LTM 10.2.4. I created Exchange 2010 on the F5 using the template on the device. I configured it for OWA/OA/AD/AS/IMAP/POP3 on a single IP address. I followed the deployment guide here https://www.f5.com/pdf/deployment-guides/f5-exchange-2010-dg.pdf and page 24 told me that I needed to download this zip http://www.f5.com/solution-center/deployment-guides/files/exchange-persist.zip and make changes to the persistence iRule. Now here is my issue: the iRule has this at the end...

    when HTTP_RESPONSE {
        if { [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate"} {
            ONECONNECT::reuse disable
            ONECONNECT::detach disable
            # this command disables NTLM conn pool for connections where OneConnect has been disabled
            NTLM::disable
        }
        # this command rechunks encoded responses
        if {[HTTP::header exists "Transfer-Encoding"]} {
            HTTP::payload rechunk
        }
    }

The above script kills Autodiscover completely (Test Email AutoConfiguration on the Outlook client fails, testconnectivity.microsoft.com does not work, and going to https://mail.domain.com/Autodiscover/Autodiscover.xml results in a "webpage is not available" error). Commenting out NTLM::disable results in Autodiscover working again. What gives? Is this an incorrect iRule? Do I have an issue with the F5 or is something wrong in Exchange?

iRule in Exchange VS throwing error
Hi, I am receiving an error every second for the same iRule over the last few days, and understand where it is being triggered, but am not seeing a solution. I would appreciate any type of direction or ideas to help stop this error. Thanks in advance..... Ray

Error:

    TCL error: /Common/Exchange_CAS.app/Exchange_CAS_apm_combined_pool_irule7 - attempt to use empty persistence key (line 2) invoked from within "persist uie $sessionid 7200" ("/owa" arm line 4) invoked from within "switch -glob -- [string tolower [HTTP::path]] { "/microsoft-server-activesync" { pool Exchange_CAS_as_pool7 persist u..."

iRule:

    when ACCESS_ACL_ALLOWED {
        set sessionid [ACCESS::session data get "session.user.sessionid"]
        switch -glob -- [string tolower [HTTP::path]] {
            "/microsoft-server-activesync" {
                pool Exchange_CAS_as_pool7
                persist uie $sessionid 7200
                COMPRESS::disable
                CACHE::disable
                return
            }
            "/owa" {
                pool Exchange_CAS_owa_pool7
                persist uie $sessionid 7200
                return
            }
            "/ews*" {
                pool Exchange_CAS_oa_pool7
                persist uie $sessionid 7200
                COMPRESS::disable
                CACHE::disable
                return
            }
            "/ecp*" {
                pool Exchange_CAS_owa_pool7
                persist uie $sessionid 7200
                return
            }
            "/oab*" {
                pool Exchange_CAS_oa_pool7
                persist none
                return
            }
            "/rpc/rpcproxy.dll*" {
                pool Exchange_CAS_oa_pool7
                COMPRESS::disable
                CACHE::disable
                persist uie $sessionid 7200
                return
            }
            "/autodiscover*" {
                pool Exchange_CAS_ad_pool7
                persist none
                return
            }
            default {
                # This final section takes all traffic that has not otherwise been accounted for
                # and sends it to the pool for Outlook Web App
                pool Exchange_CAS_owa_pool7
                persist uie $sessionid 7200
            }
        }
    }
    when HTTP_RESPONSE {
        if { [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate"} {
            ONECONNECT::reuse disable
            ONECONNECT::detach disable
            NTLM::disable
        }
        if {[HTTP::header exists "Transfer-Encoding"]} {
            HTTP::payload rechunk
        }
    }

Forward Compatibility with Irule BIG-IP APM with OWA 2016 and IE10 or Google Chrome
Morning All, Re: Which iRule should be used to resolve the error "Access policy evaluation is already in progress". We are currently on BIG-IP 11.6.0 Build 6.0.442 Hotfix HF6 but I cannot guarantee that the device will not be patched to v11.6.1 HF1. Should we deploy the normal iRule, and will this be an issue if the device is upgraded to v11.6.1 HF1? Are there any issues deploying the iRule for v11.6.1 HF1 instead?

    when HTTP_REQUEST {
        if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } {
            HTTP::cookie "IsClientAppCacheEnabled" False
        }
    }

or

    when HTTP_REQUEST {
        if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } {
            HTTP::cookie remove "IsClientAppCacheEnabled"
            HTTP::cookie insert name "IsClientAppCacheEnabled" value False
        }
    }

APM Activesync iRule and PROFILE_RESTRICT_SINGLE_IP variable
Hi, when configuring APM to authenticate ActiveSync connections, there are 2 solutions:

    enable the iRule _sys_APM_ExchangeSupport_main or _sys_APM_ExchangeSupport_main
    configure an Exchange profile, which enables one of these iRules (or another one...)

In these iRules, there is the following code:

    if { ! [ info exists PROFILE_POLICY_TIMEOUT ] } {
        set PROFILE_POLICY_TIMEOUT [PROFILE::access access_policy_timeout]
    }
    if { ! [ info exists PROFILE_MAX_SESS_TIMEOUT ] } {
        set PROFILE_MAX_SESS_TIMEOUT [PROFILE::access max_session_timeout]
    }
    if { ! [ info exists PROFILE_RESTRICT_SINGLE_IP ] } {
        set PROFILE_RESTRICT_SINGLE_IP 1
    }

Why doesn't the iRule retrieve PROFILE_RESTRICT_SINGLE_IP from [PROFILE::access restrict_to_single_client_ip] instead of setting it to 1, which creates lots of ActiveSync sessions from several different IPs? To set the variable beforehand, I created the following iRule:

    when HTTP_REQUEST priority 1 {
        if { ! [ info exists PROFILE_RESTRICT_SINGLE_IP ] } {
            set PROFILE_RESTRICT_SINGLE_IP [PROFILE::access restrict_to_single_client_ip]
        }
    }

Is there a better solution?

Exchange 2013 iApp - Block Activesync except from one IP
Have only used the iApp templates with their defaults in the past, but now I'm needing to allow only one IP to ActiveSync to it. We are using MobileIron for mobile devices and I want to only allow MobileIron to talk to the F5 for ActiveSync traffic. I believe they will be pointing their MobileIron server to the F5 VIP. Any easy way to do this? I've seen one post with code for an iRule to 'block' all ActiveSync traffic but not to allow only one IP. This is what I was referring to:

    when HTTP_REQUEST {
        switch -glob -- [string tolower [HTTP::path]] {
            "/microsoft-server-activesync*" {
                drop
            }
        }
    }
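One way to turn the block-all rule above into an allow-list for the ActiveSync path, as an added example rather than code from the thread or the iApp. It assumes a hypothetical address-type data group named activesync_allowed_ips that holds the MobileIron server address; the iApp's own pool selection is left untouched because the rule only intervenes when the source is not on the list.

```tcl
when HTTP_REQUEST {
    # Lowercase once and reuse the same value for matching and logging.
    set path [string tolower [HTTP::path]]
    switch -glob -- $path {
        "/microsoft-server-activesync*" {
            # Hypothetical data group (type "address"): activesync_allowed_ips.
            # Add the MobileIron server address to it; entries can be hosts or subnets.
            if { [class match [IP::client_addr] equals activesync_allowed_ips] } {
                # Listed source: do nothing so the iApp's pool/persistence logic still runs.
                return
            }
            # Any other source on the ActiveSync path: log the source address, then
            # drop the request as the original rule does (reject would send a TCP reset instead).
            log local0. "ActiveSync denied: src=[IP::client_addr] path=$path"
            drop
        }
    }
}
```

Other paths (OWA, EWS, Autodiscover) never enter the switch arm, so only ActiveSync is restricted.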