exchange 2010
18 Topics

LDAP vs Active Directory Authentication performance. [Solved]

We are in the process of configuring Exchange Hybrid with Office 365, which requires some modifications to our F5 iApp. A concern that has arisen is a requirement for users to log in with different credentials than they are used to. Another post on DevCentral suggested changing the default authentication from AD to LDAP authentication and a search filter such as the following:

    (|(sAMAccountName=%{session.logon.last.logonname})(mail=%{session.logon.last.logonname})(userPrincipalName=%{session.logon.last.logonname}))

This will allow the user to log in with sAMAccountName, email address or userPrincipalName, as all of these values are different in our environment. An LDAP query is used to retrieve userPrincipalName, which is then presented to backend servers in SSO. I have tested, and it works for ActiveSync, OWA and Autodiscover. My question is, due to the fact that I have changed from Kerberos to LDAP authentication, and this will be for all connection types for all users, should I worry about any negative performance impact from these changes?

Exchange 2010 iRule problem. Help!

BigIP 1600 LTM 10.2.4. I created Exchange 2010 on the F5 using the template on the device. I configured it for OWA/OA/AD/AS/IMAP/POP3 on a single IP address. I followed the deployment guide here https://www.f5.com/pdf/deployment-guides/f5-exchange-2010-dg.pdf and page 24 told me that I needed to download this zip http://www.f5.com/solution-center/deployment-guides/files/exchange-persist.zip and make changes to the persistence iRule. Now here is my issue: the iRule has this at the end...

    when HTTP_RESPONSE {
        if { [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate" } {
            ONECONNECT::reuse disable
            ONECONNECT::detach disable
            # this command disables the NTLM connection pool for connections where OneConnect has been disabled
            NTLM::disable
        }
        # this command rechunks encoded responses
        if { [HTTP::header exists "Transfer-Encoding"] } {
            HTTP::payload rechunk
        }
    }

The above script kills Autodiscover completely (Test Email AutoConfiguration on the Outlook client fails, testconnectivity.microsoft.com does not work and going to https://mail.domain.com/Autodiscover/Autodiscover.xml results in a "webpage is not available" error). Commenting out NTLM::disable results in Autodiscover working again. What gives? Is this an incorrect iRule? Do I have an issue with the F5 or is something wrong in Exchange?

Exchange 2010 and Commvault Simpana V10 issues

Hi all, I've got a bit of an issue since we upgraded our Commvault Simpana from v9 to v10 with recalling archived emails from stubs. What we have is: Client -> F5 (SSL Offload) -> CAS Servers, Commvault Web server. CAS servers are configured. Client is targeting "casarray.example.com", which points to a VS on F5 (config done through iApps) with SSL offload, and it works fine. Commvault has a VS on a different IP pointing to a single Commvault Web Server (IP_address_of_Commvault_VS). With Simpana v9, recall of messages went from CAS server to Simpana proxy and the message was delivered to the client through the CAS server. In v10, the client gets a 302 response from the CAS server pointing it to "http://simpanawebserver.example.com/webconsole/RestServlet/Recall?dynamicmessagestring". I've tried an HTTP profile that has Rewrite_redirect set to all with no success, so I've put in an iRule:

    when HTTP_RESPONSE {
        if { ([HTTP::is_redirect]) and ([HTTP::header "Location"] starts_with "http://simpanawebserver.example.com/") } {
            HTTP::header replace "Location" [string map {simpanawebserver.example.com IP_address_of_Commvault_VS} [HTTP::header "Location"]]
            # log inside the matching branch so the message is only written when the Location header was actually rewritten
            log local0. "Rewriting to http://IP_address_of_Commvault_VS/"
        }
    }

I get plenty of hits in the log saying the rewrite has happened but don't see the client then hitting the rewritten URL, as if nothing happens. What am I missing?

SSL bridging and Exchange 2010 hybrid

Hello, we are attempting to use the Exchange hybrid wizard to configure our Exchange 2010 environment for O365 migration. The wizard runs fine, but we are not able to get the MRS proxy working due to our SSL offloading configuration at the F5. We would like to configure the Exchange VIP using SSL bridging. Is it as simple as adding a server SSL profile? The CAS servers are listening on 443 and have a valid cert installed. I created a server SSL profile using the same cert as the client SSL profile, and my Outlook client was unable to connect. Is there something I am missing?

How do I pass IMAP(s) to APM for NTLM/AD Group Membership authentication?

My internal MS Exchange 2010 CAS and MB platforms are set up to enable IMAP globally to all domain users, and my v11.6 LTM is properly handling all the iApp features to support OWA, ECP, IMAP, ActiveSync, etc. internally as well. Externally, we have an additional iApp that serves public-facing ActiveSync, as well as utilizes the APM functionality to limit OWA and Outlook Web access to specific Active Directory users. We now have a need to extend that 'limited' external use to IMAP as well, but have not been able to figure out how to configure an iRule that will pass SSL (tcp/993) NTLM-based IMAP user credentials into APM for pre-authentication, prior to allowing connectivity. I have found many examples that use "ACCESS::policy" and "ECA::enable" that I think are just what I need, but everything I have tried requires that I associate an Access Policy directly to the Virtual Server, which then requires I associate an HTTP profile, breaking IMAP communications completely.

Blocking Exchange 2010 ECP while allowing OWA

Using BIG-IP 12.1.1, I have OWA + ActiveSync enabled through the Exchange iApp and I'd like to block /ECP. Currently when I log in to OWA I can simply type "/ecp" instead of /owa in the URL and it comes up, but I'd like to block that. I tried creating an ACL but am not sure how to tie it in so that it works. Also tried removing the resource item "https://hostname:443/*" (the other sub-resources with /owa/ are already listed) in Portal Access Links. Anything else I can try on the F5? Perhaps an iRule?

ASM Policy Template for OWA Exchange with ActiveSync 2010

Hi, we face a lot of false positive attacks in the email body, attachments, ... I'm at version 11.5.4 and using the OWA Exchange 2010 template. So the question is, is there any template for both OWA and ActiveSync? And if not, how can we avoid these false positive blocks, especially as they vary?

F5 LTM Exchange 2010 issue

Hello folks, I am having an issue with Exchange 2010 load balancing. Whenever one server fails in the pool, the Outlook client shows an error message on the user's PC and requires the Outlook client to be closed and opened again, although the LTM detects the failure in the pool member. I have tried the "reselect pool member when service went down" option, but it didn't help much. The current LTM version is 11.6.1 and I am using the latest iApp template as well. The services I am using in the NLB are MAPI, address book and POP3. Any help appreciated.

Exchange 2010 monitors

I'm configuring my LTM for Exchange 2010. I'm not using the iApp to do it. Yes, I know, it would be easier/better/faster, but I'm not. Going through the manual configuration pages, for the monitors it says to use the healthcheck.htm page. But according to my Exchange administrator, that page doesn't exist for 2010, only for 2013. And based on my searching the Internet, I'm inclined to agree with her. Everywhere I see that mentioned, I see 2013 referenced. Does anyone know what the guide suggested to use for a monitor string prior to Exchange 2013?

Need some expert advice F5 - 401 access denied - Exchange 2010

I need some help and am hoping someone can give me some direction. We have an application running on a Windows server (Server A) that needs to sync information to an end user's calendar in Exchange 2010 via Autodiscover and EWS. The Exchange, F5, and "Server A" are all on the same subnet. We use an Active Directory account with elevated permissions on "Server A" with the impersonation role in Exchange to sync data to the end user mailboxes. We can get this to work to two other Exchange sites but not to our main Exchange site. The difference with the site that is not working is that it (2 mailbox servers / 2 CAS servers in a DAG) sits behind an F5 HLB. The F5 is running 11.4.1 hotfix 5 and we have a single VIP with source-IP persistence that all Exchange traffic is being passed through. No SSL offloading is being done on the HLB. Outlook clients work fine (no issues there) but I cannot sync any calendar information from the application on Server A to the end user mailboxes if I am passing through the F5 HLB. I see a 401 access denied error in the logs. I know the AD account being used is correct and that the password is correct because I can get the application to sync to mailboxes on other Exchange sites (single servers with all Exchange roles installed, no F5). The only way I have been able to get the application to sync is having our Exchange admin change the internal URL (for the Autodiscover and EWS virtual directories) on the Exchange CAS server from the VIP URL to the FQDN of the CAS server. Obviously this is not what we want to do because it defeats the purpose of having load balancing and failover capability.