exchange 2010
18 Topics

ASM Policy Template for OWA Exchange with Active Sync 2010
Hi, we face a lot of false positive attacks in the email body, attachments, ... I'm at version 11.5.4 and using the OWA Exchange 2010 template. So the question: is there any template for both OWA and ActiveSync? And if not, how can we avoid these false positive blocks, especially as they vary?
793 Views, 0 likes, 7 Comments

LDAP vs Active Directory Authentication performance.
We are in the process of configuring Exchange Hybrid with Office 365, which requires some modifications to our F5 iApp. A concern that has arisen is a requirement for users to log in with different credentials than they are used to. Another post on DevCentral suggested changing the default authentication from AD to LDAP authentication and a search filter such as the following:

(|(sAMAccountName=%{session.logon.last.logonname})(mail=%{session.logon.last.logonname})(userPrincipalName=%{session.logon.last.logonname}))

This will allow the user to log in with sAMAccountName, email address or userPrincipalName, as all of these values are different in our environment. An LDAP query is used to retrieve userPrincipalName, which is then presented to backend servers in SSO. I have tested, and it works for ActiveSync, OWA and Autodiscover. My question is, due to the fact that I have changed from Kerberos to LDAP authentication, and this will be for all connection types for all users, should I worry about any negative performance impact from these changes?
Solved, 711 Views, 0 likes, 1 Comment

ActiveSync and Multi Domain SSO issue
Hello all, I'm currently implementing an SSO at a customer using APM and we are using Multiple Domain SSO to accomplish that. As Outlook 2010 is part of the SSO I'm having some problems with ActiveSync. Webmail is working great but the redirection between "outlook.example.com" and "authentication.example.com" breaks ActiveSync. So when I try to access outlook_VS I get an HTTP 302 to authentication_VS, I authenticate the user and then get another HTTP 302 back to outlook_VS and it works great. So what I'm trying to accomplish is really to block this redirection and authenticate ActiveSync at the outlook_VS. Has anyone else experienced this problem? I was told that inserting an HTTP::header "clientless-mode" could help disabling the redirection, but I still have to figure out a way to send the user/password to be able to authenticate at AD servers. Basically that's my config:
VS 1: authentication_VS
VS 2: outlook_VS
AAA: AD authentication
SSO for outlook_VS: Basic Authentication
Thanks in advance
Pedro
532 Views, 0 likes, 6 Comments

Discrepancy: Current Virtual Server Connections
I've noticed a discrepancy between the way the F5 cluster and Exchange measure CAS connections. When checking the number of current connections in the F5 virtual server stats for Exchange OWA (HTTP/HTTPS), I was very surprised to see that the number of connections was far higher (as much as 5 times higher!) than the number being reported by Exchange. I was wondering if this is due to a difference in how "connections" are counted. If so, how are connections counted by the F5 virtual server stats?
517 Views, 0 likes, 11 Comments

Blocking Exchange 2010 ECP while allowing OWA
Using Big IP 12.1.1, I have OWA+ActiveSync enabled through the Exchange iApp and I'd like to block /ECP. Currently when I log in to OWA I can simply type "/ecp" instead of /owa in the URL and it comes up, but I'd like to block that. I tried creating an ACL but I'm not sure how to tie it in so that it works. Also tried removing the resource item "https://hostname:443/*" (the other sub resources with /owa/ are already listed) in Portal Access Links. Anything else I can try on the F5? Perhaps an iRule?
499 Views, 0 likes, 1 Comment

Microsoft Exchange 2010 - Autodiscover not working through F5 but works when going to real server's IP
I am trying to get Autodiscover up and running on our 2010 boxes but I cannot get it to work over the F5 VIP. I have two BIG-IP 1600 LTMs (BIG-IP 10.2.4 Build 591.0 Hotfix HF2) in an active/standby config. https:///Autodiscover/Autodiscover.xml prompts me for a username and password (domain.local\username:password) and I get a 600 error code with invalid request (that looks bad but a 600 error means everything is working properly and that I gave a valid username). https:///Autodiscover/Autodiscover.xml prompts me for a username and password (domain.local\username:password) but it prompts me again for a username and password instead of bringing me to the page with the 600 error. I set up everything using the Exchange 2010 template on the LTM. Here is everything it created... and here is the https virtual server config. Any ideas? I can provide more information if requested.
400 Views, 0 likes, 2 Comments

Need some expert advice F5 - 401 access denied - Exchange 2010
I need some help and am hoping someone can give me some direction. We have an application running on a Windows server (Server A) that needs to sync information to an end user's calendar in Exchange 2010 via Autodiscover and EWS. The Exchange, F5, and "Server A" are all on the same subnet. We use an Active Directory account with elevated permissions on "Server A" with the impersonation role in Exchange to sync data to the end user mailboxes. We can get this to work to two other Exchange sites but not to our main Exchange site. The difference with the site that is not working is that it (2 mailbox servers/2 CAS servers in a DAG) sits behind an F5 HLB. The F5 is running 11.4.1 hotfix 5 and we have a single VIP with source-ip persistence that all Exchange traffic is being passed through. No SSL offloading is being done on the HLB. Outlook clients work fine (no issues there) but I cannot sync any calendar information from the application on Server A to the end user mailboxes if I am passing through the F5 HLB. I see a 401 access denied error in the logs. I know the AD account being used is correct and that the password is correct because I can get the application to sync to mailboxes on other Exchange sites (single servers with all Exchange roles installed - no F5). The only way I have been able to get the application to sync is having our Exchange admin change the internal URL (for Autodiscover and EWS virtual directories) on the Exchange CAS server from the VIP URL to the FQDN of the CAS server. Obviously this is not what we want to do because it defeats the purpose of having load balancing and failover capability.
399 Views, 0 likes, 1 Comment

How do I pass IMAP(s) to APM for NTLM/AD Group Membership authentication?
My internal MS Exchange 2010 CAS and MB platforms are set up to enable IMAP globally to all domain users, and my v11.6 LTM is properly handling all the iApp features to support OWA, ECP, IMAP, ActiveSync, etc. internally as well. Externally, we have an additional iApp that serves public-facing ActiveSync, as well as utilizes the APM functionality to limit OWA and Outlook Web access to specific Active Directory users. We now have a need to extend that 'limited' external use to IMAP as well, but have not been able to figure out how to configure an iRule that will pass SSL (tcp/993) NTLM-based IMAP user credentials into APM for pre-authentication, prior to allowing connectivity. I have found many examples that use "ACCESS::policy" and "ECA::enable" that I think are just what I need, but everything I have tried requires that I associate an Access Policy directly to the Virtual Server, which then requires I associate an HTTP profile, breaking IMAP communications completely.
306 Views, 0 likes, 1 Comment

Exchange 2010 iRule problem. Help!
BigIP 1600 LTM 10.2.4. I created Exchange 2010 on the F5 using the template on the device. I configured it for OWA/OA/AD/AS/IMAP/POP3 on a single IP address. I followed the deployment guide here https://www.f5.com/pdf/deployment-guides/f5-exchange-2010-dg.pdf and page 24 told me that I needed to download this zip http://www.f5.com/solution-center/deployment-guides/files/exchange-persist.zip and make changes to the persistence iRule. Now here is my issue: the iRule has this at the end...

    when HTTP_RESPONSE {
        if { [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate"} {
            ONECONNECT::reuse disable
            ONECONNECT::detach disable
            # this command disables NTLM conn pool for connections where OneConnect has been disabled
            NTLM::disable
        }
        # this command rechunks encoded responses
        if {[HTTP::header exists "Transfer-Encoding"]} {
            HTTP::payload rechunk
        }
    }

The above script kills Autodiscover completely (Test Email AutoConfiguration on the Outlook client fails, testconnectivity.microsoft.com does not work and going to https://mail.domain.com/Autodiscover/Autodiscover.xml results in a "webpage is not available" error). Commenting out NTLM::disable results in Autodiscover working again. What gives? Is this an incorrect iRule? Do I have an issue with the F5 or is something wrong in Exchange?
276 Views, 0 likes, 1 Comment

SSL bridging and Exchange 2010 hybrid
Hello, we are attempting to use the Exchange hybrid wizard to configure our Exchange 2010 environment for O365 migration. The wizard runs fine, but we are not able to get the MRS proxy working due to our SSL offloading configuration at the F5. We would like to configure the Exchange VIP using SSL bridging - is it as simple as adding a server SSL profile? The CAS servers are listening on 443, and have a valid cert installed. I created a server SSL profile using the same cert as the client SSL profile, and my Outlook client was unable to connect. Is there something I am missing?
274 Views, 0 likes, 1 Comment