Kerberos Delegation and NTLM auth Exchange 2013
This is related to a previous post about the Exchange iApp. Everything is working for both internal and external connections except from Outlook Anywhere clients attempting to connect to the external VS and auth via RPC over HTTP. I enabled all debug logs for APM and ECA since that seemed to be where the failure was occurring. I noticed the following and cannot make much sense of it. Any help would be appreciated. Below is the log file comparison between a successful auth through the internal iApp vs the failed auth through the external iApp. This is just a snippet of the full log. Everything before these lines in the log is the same for both internal and external connections. It seems to fail when the BigIP tries to make a call to itself to process the logon request; has anyone ever seen this before?

Internal success:

Aug 12 13:22:12 JHHCF5 debug eca[7237]: 0162000c:7: [Common] 10.1.12.9:46380 (0x09a8b9c8) Server challenge: 24296533D8C59FB4
Aug 12 13:22:12 JHHCF5 debug nlad[8603]: 01620000:7: <0x559058f0> clntsvc: processing 'logon' request on connection[18] from 127.0.0.1:43935
Aug 12 13:22:12 JHHCF5 debug nlad[8603]: 01620000:7: <0x559058f0> client[5]: is ready
Aug 12 13:22:12 JHHCF5 debug nlad[8603]: 01620000:7: <0x5624cb90> NLAD_TRACE: nlclnt[53403010a / 01] sending logon = 0xC00000E5
Aug 12 13:22:12 JHHCF5 debug nlad[8603]: 01620000:7: <0x5624cb90> nlclnt[53403010a] logon: entering user GRicketts domain JHHC wksta JHHC04619LT

Failed auth:

Aug 12 12:51:10 JHHCF5 debug nlad[8603]: 01620000:7: <0x559058f0> clntsvc: processing 'logon' request on connection[38] from 127.0.0.1:44495
Aug 12 12:51:10 JHHCF5 warning nlad[8603]: 01620000:4: <0x559058f0> clntsvc: no client for id 6 to service request from connection[38] from 127.0.0.1:44495
Aug 12 12:51:10 JHHCF5 debug nlad[8603]: 01620000:7: <0x559058f0> nla_rq: response with status [0xc00000ab,NT_STATUS_INSTANCE_NOT_AVAILABLE] for type 'logon' client 6 context 0x5ab82b90 24 bytes to connection[38] from 127.0.0.1:44495: took 0 milli-seconds
Aug 12 12:51:10 JHHCF5 debug eca[7237]: 0162000c:7: [Common] 12.181.141.210:45214 (0x5bf14c28) nla_agent::logon, rc = STATUS_NO_LOGON_SERVERS (3221225566)

Exchange 2013 load balancing per preferred architecture
I'm new-ish to Exchange and to the F5 LTM platform, and I'm trying to get a handle on the best way to implement a load balancing configuration that aligns with Microsoft's Exchange Preferred Architecture and their recommendations regarding load balancing. If I understand correctly, the preference is for layer 7, no session affinity, and per-protocol availability. They want the availability of services on the load balancer to match closely the availability of services on the Exchange server itself, as the Exchange Managed Availability service monitors and responds to service issues. The F5 Exchange 2013 Deployment Guide appears to use a dedicated user account to perform actual connections to OWA in order to check availability, rather than leveraging the /healthcheck.htm URL as recommended by Microsoft. My questions:

Has anyone in the community here configured their LTM to monitor Exchange service availability using the healthcheck.htm URL?
Do you encounter any problems with Kerberos when using SSL Offloading?
Do you use Layer 4 instead?
How do you do nPath routing with two sites and separate VLANs for each? (My two data centers are a few miles apart, with a 20 Gb connection between them, so I'm planning to have both sites active.)

My team and I aren't particularly enthusiastic about iApp and templates (and $$$) for a config that doesn't align with Microsoft's recommendations. Any suggestions and pointers to docs and sample configs would be most appreciated.

Exchange 2013 - looking for guidance with OWA issues
Hello, I need some assistance/guidance with deploying Exchange 2013. I have lots of experience deploying 2010 but not 2013. We have two configs in place right now and they require persistence to work (?). The MS documentation and the F5 Deployment Guide state that persistence is not needed due to the change in functionality with the CAS servers. We have a FastL4 config with source_addr persistence and SNAT. It is working fine as long as persistence is enabled. We have another config created with the iApp. We chose SSL Bridging (no APM), using a SNAT pool and answered "Yes" to all the services. This configuration does not work. I do not see any persistence applied anywhere, which is expected. We just used the self-signed cert for a quick test. Once we say continue past the certificate warning, the browser fails to load the page. Using a quick tcpdump, I do see the initial requests make it to the pool member but then it breaks immediately. Before I add persistence to the iApp-created configuration, I wanted to get a sanity check and education on this topic.

1) Are there any situations using SSL Bridging that would need persistence? Is anyone else using persistence?
2) Please educate me as needed on my potential misunderstanding of persistence with Exchange 2013 as well as any ideas that would assist me with resolving this issue. I need to understand what is going on.

Thank you,

F5 Load Balancing Exchange 2013
We are load balancing our Exchange 2013 behind F5 LTM. We have Exchange 2013 set up in a DAG (Database Availability Group) with 5 servers. When we place a server in maintenance mode it moves all active mailbox databases on that server to any of the other 4 servers. When this happens Outlook remains connected to the mailbox database fine. However, when we shut down the server that was placed in maintenance mode, Outlook disconnects from the mailbox database and is unable to connect back to it until "the client" closes Outlook and relaunches it. According to Microsoft documentation, when the mailbox database fails over to a new server the connection should be proxied over to the new server and be fine, and Outlook should never lose connection except for a brief second. This does not seem to be happening, and it seems as if Outlook's connection is being maintained to the server in maintenance mode; when it goes offline "the client" does not attempt to connect to any of the other servers and continues to attempt to connect to the offline server. Wondering what I can look at on my LTM VIP or other F5 profiles that could be causing this? We do not have any persistence services or profiles created for this VIP.

Issues with Exchange 2013 load balancing through LTM (v11.6)
I have a support case open for this as well, but since no one has truly engaged in spite of a Sev1 classification, I'm hoping someone in the community can help. Thank you ahead of time. We have an Exchange 2013 (latest CU) cluster with two CAS servers and two DAG servers. We've been load-balanced through Kemp VLMs for a couple of years without issues, though only with transparent SSL pass-through. Sunday night we migrated to BIG-IP LTM VE running 11.6 HF4 using the latest Exchange iApp. All services are co-located on the same CAS servers and we are using SSL bridging. The Exchange servers are on the internal VLAN by themselves and use the LTM internal self IP as their default gateway. Routing outside of that VLAN is configured to use the LTM external self IP as the route into the internal/Exchange VLAN. After changing routes, DNS, gateways, etc. from Kemp to F5, most things worked, but clients on the "external" VLAN have difficulty connecting to Exchange. It is intermittent (about 50/50) and appears to be a mix of routing and autodiscover issues, as it is slow to create new profiles and to reconnect using Outlook's "Connection Status" tool. After 30-45 seconds typically, it would connect and pass mail fine, but it won't fail over if the CAS servers flip (i.e. reboots), and reconnecting or a fresh opening lags. We can reproduce it readily. Additionally, we show errors with our Lync servers on that same "external" VLAN updating presence/contact subscriptions from Exchange. Of additional note, I have a forwarding virtual server set up to pass all traffic for all VLANs/IPs so that Exchange can be managed, contacted, etc. for services other than those in the iApp (the LTM VE is fully inside, so no interfaces on the internet). That seems to work fine. The challenges have been:

1. The Exchange iApp doesn't cover SMTP, so we had to pull the community RC for that.
2. The Exchange iApp and deployment guide don't speak to routing/forwarding, so we had to reference an F5 KB on the IP forwarding virtual server.

Main item to troubleshoot: hosts/servers on the "external" VLAN have major connectivity issues to Exchange through the iApp (SSL/443). Lync, in particular, is having presence and contact update issues with Exchange. Thanks again for any help.

Exchange 2013 iApp Configuration for MobileIron
I've deployed the iApp for Exchange 2013 using the defaults except for using SSL Bridging instead of SSL Offloading. All internal and external mail flows just fine, but mobile devices configured with MobileIron get an error stating 'Cannot connect to server'. Are there specific settings that are required for MobileIron to work with this iApp? The MobileIron Sentry is a stand-alone VM in the DMZ and not load balanced by F5. A manually created F5 virtual server that was deployed prior to the iApp being utilized is configured for 'Performance (Layer 4)' for the Type, but the iApp-created virtual server for combined_https is using 'Standard' for the type. If I change this to 'Performance (Layer 4)' to match the old virtual server, I get an error stating: "01070394.3: TCP::idletime in rule (/Common/Exchange-2013.app/Exchange-2013_combined_pool_irule7) requires an associated TCP profile on the virtual server (/Common/Exchange-2013.app/Exchange-2013_combined_https)."

Enabling APM on Exchange iApp causes Outlook clients to not authenticate
We are utilizing iApps to configure Exchange 2013. The scenario we are using is "BIG-IP LTM will load balance and optimize Client Access Server traffic", which works great. We wanted to lock down our OWA, so we reconfigured the iApp for "Provide secure authentication to CAS HTTP-based services with BIG-IP Access Policy Manager?" to use APM. The SSO mappings work great for OWA and the access policy we put in place. But then we noticed regular Outlook clients could not authenticate. We utilize NTLM for this. People were continually being prompted. Even entering your password for some people did not resolve the issue. Appears to be similar to this thread: https://devcentral.f5.com/questions/microsoft-excange-2013-with-ltm-apm-outlook-client-not-able-to-connect However, I could not find my resolution.

Restrict Outlook Anywhere
Hi Everyone,

Does anyone know how you can use the F5 to provide external access to Outlook Anywhere to a specific group of people based on an AD security group? I have been asked to allow external access to our Exchange 2013 servers, which involves publishing Outlook Anywhere (RPC over HTTP) to the internet. I cannot see any way to restrict this in Exchange, so it is an all-or-nothing setup which I am not comfortable with, and I would prefer it if I could restrict access to a select few. I tried a basic Access Policy with iRules (this worked for OWA) but the rule never gets triggered. From what I can tell, although it is HTTP, it does not have the same headers, so the AP/iRules do not work. Would really appreciate your help.

Regards
David

Forward Compatibility with iRule BIG-IP APM with OWA 2016 and IE10 or Google Chrome
Morning All,

Re: Which iRule should be used to resolve the error "Access policy evaluation is already in progress"

We are currently on BIG-IP 11.6.0 Build 6.0.442 Hotfix HF6 but I cannot guarantee that the device will not be patched to v11.6.1 HF1. Should we deploy the normal iRule, and will this be an issue if the device is upgraded to v11.6.1 HF1? Are there any issues deploying the iRule for v11.6.1 HF1 instead?

    when HTTP_REQUEST {
        if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } {
            HTTP::cookie "IsClientAppCacheEnabled" False
        }
    }

or

    when HTTP_REQUEST {
        if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } {
            HTTP::cookie remove "IsClientAppCacheEnabled"
            HTTP::cookie insert name "IsClientAppCacheEnabled" value False
        }
    }

ACCESS_Policy_Agent_Event Remove Session
We have our Exchange 2013 environment proxied behind APM via iApp configs. For browser authentication (through OWA and ECP) we have them both going to the same SAML IdP for authentication. However, within the SAML IdP, we have separate security levels. So we have regular /owa access be just username and password. ECP access, however, must go through our multifactor mechanisms. If going to /owa or /ecp from a fresh browser, this works beautifully. However, if a user first authenticates to /owa and then goes to /ecp, APM just automatically logs them in without redirecting the user back to the SAML provider to apply the more secure authentication policy. I'm trying to figure out a way to insert an iRule event so that when /ecp is accessed (via Landing URI check), the iRule event removes any existing access sessions so that APM redirects the user back to SAML to authenticate. I've tried a bunch of different combinations with if/when logic for when the HTTP path contains /ecp. But no matter what I try, F5 rejects the iRule because "ACCESS:session remove" is not permitted under the ACCESS_Policy_Agent_EVENT. At a basic level, this is essentially what I need:

1)

    when ACCESS_POLICY_AGENT_EVENT {
        ACCESS::session remove
    }

or

2)

    when ACCESS_POLICY_AGENT_EVENT {
        when HTTP_REQUEST {
            if { [HTTP::path] contains "/ecp/" } {
                ACCESS::session remove
            }
        }
    }

Has anyone tried something like this before?