Exchange 2016 iApp RC2 issue
We have implemented our 2 node exchange 2016 environment with the RC2 iApp template. The cluster uses certificates to secure/encrypt traffic, and all appears to be working except EWS related functions with advanced monitors, if we step down to simple monitors everything works. We would like to have the additional application layer validation if possible. Our issue is the EWS advanced health monitor is failing. How can we troubleshoot this pre-scripted monitor? Below is the script the health monitor runs using credentials we provided. The credentials authenticate and are also used for OWA, POP3, IMAP and these health monitors are working/succeeding. It is only EWS that fails. !/bin/sh These arguments supplied automatically for all external monitors: $1 = IP (nnn.nnn.nnn.nnn notation) $2 = port (decimal, host byte order) This script expects the following Name/Value pairs: USER = the username associated with a mailbox PASSWORD = the password for the user account DOMAIN = the Windows domain in which the account lives EMAIL = the email address associated with the user mailbox Remove IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format) NODE=`echo ${1} | sed 's/::ffff://'` if [[ $NODE =~ ^[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$ ]]; then node is v4 NODE=${NODE} else node is v6 NODE=[${NODE}] fi PORT=${2} PIDFILE="/var/run/`basename ${0}`.my_new_iapp_test_2010_${USER}_${NODE}_ews.pid" DIR="http://schemas.microsoft.com/exchange/services/2006" XML1=$( cat<IdOnly EOF ) XML2=$( cat< EOF ) XMLFULL=${XML1}${EMAIL}${XML2} EWSURI='/EWS/Exchange.asmx' RECV='' kill of the last instance of this monitor if hung and log current pid if [ -f $PIDFILE ] then echo "EAV exceeded runtime needed to kill ${NODE}:${PORT}" | logger -p local0.error kill -9 `cat $PIDFILE` > /dev/null 2>&1 fi echo "$$" > $PIDFILE curl-apd -g -s --ntlm -k -X POST -H 'Content-Type: text/xml; charset=utf-8' -d "${XMLFULL}" -u ${DOMAIN}\\${USER}:${PASSWORD} https://${NODE}${EWSURI} | grep -i "${RECV}" > /dev/null 2>&1 STATUS=$? rm -f $PIDFILE if [ $STATUS -eq 0 ] then echo "UP" fi exit
How to bypass APM profile if uri is "/rpc/rpcproxy.dll" ?
I was trying to bypass APM part for Outlook Anywhere by adding an iRule. But "ACCESS::disable" is not helping. my intention is to disable APM authentication part and do only Loadbalancing or just forward the traffic to Pool if the uri is /rpc/rpcproxy.dll. I have used iAPP for exchange 2016 configuration. when HTTP_REQUEST { if { ([HTTP::path] eq "/rpc/rpcproxy.dll") and \ (([HTTP::method] equals "RPC_IN_DATA") or ([HTTP::method] equals "RPC_OUT_DATA"))}{ ACCESS::disable pool OA_pool log local0. "APM disabled." } else { ACCESS::enable log local0. "APM enabled." } }AutoDiscover Issue with Exchange 2016 iApp
Hello together, got one big problem: I have deployed successfully the iApp template of Exchange 2016 and the customer wants to use OWA and AutoDiscover Service. The AutoDiscover Service is not working as expected.. so the user cannot authenticate with e-mail or domain\username. My Access Policy: Logon Page (Split Domain from full Username YES) -> AD Query (Cross Domain Support DISABLED) -> AD Auth (Cross Domain Support ENABLED) -> SSO Credential Mapping (default). I used the right Domains and Access Profiles. OWA is a logon possible with E-Mail, User and domain\User. But AutoDiscover is just User and domain\User. E-Mail is NOT working. Does anyone know, how the users could finally authenticate via E-Mail? They're claiming that they're not able to use AutoDiscover Thanks in Advance! Hank
Forward Compatibility with Irule BIG-IP APM with OWA 2016 and IE10 or Google Chrome
Morning All, Re: Which irule should be used to resolve the error "Access policy evaluation is already in progress" We are currently on BIG-IP 11.6.0 Build 6.0.442 Hotfix HF6 but I cannot guarantee that the device will not be patched to v11.6.1 HF1. Should we deploy the normal irule and will this be a issue in the device is upgraded to v11.6.1 HF1? Is there any issues deploying the irule for v11.6.1 HF1 instead? when HTTP_REQUEST { if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } { HTTP::cookie "IsClientAppCacheEnabled" False } } or Code when HTTP_REQUEST { if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } { HTTP::cookie remove "IsClientAppCacheEnabled" HTTP::cookie insert name "IsClientAppCacheEnabled" value False } }
Exchange 2016 does not work through F5, manually configured.
Hello Guys, I am searching since last 5 days a way to implement Exchange 2016 through F5 without iApp. I strictly followed deployment guide but I have 50% success. OWA is working for Exchange 2016 users but Outlook still stays disconnected. I am not using ASM or APM. Even MAPI health check monitor stays down. Syntax of monitor is absolutely the same as OWA, Autodiscovery, Activesync, Outlook Anywhere, EWS but still same result - not working for Outlook 2016. Interesting is that without going through F5 it works perfect.
Exchange 2016 iApp LTM on newer versions (v14.1 and above)
Hi all, I recently upgraded a existing F5 LTM cluster running 12.1.5.x towards version 15.1.x On the cluster there where several Exchange 2016 iApps (f5.microsoft_exchange_2016.v1.0.2) with all pool monitoring features enabled (IMAPS inbox check). After the upgrade the IMAPS inbox health check with the external monitor "imap_adv_eav" failed. There were several logs regarding authentication errors. After investigation we saw a different behaviour of cURL which is executed withn the external monitor script. This is due to a new version of cURL (7.47.1 instead of 7.25 on 12.1.5). This newer version is in place in all images from 14.1.x till 16.0.x (this is what i tested). SOLUTION: If you want the external monitor to work again, you need to skip the newly added GSSAPI (Kerberos v5) which is build into the newer cURL version. This can be archived by adding the parameter --login-options "AUTH=NTLM" to the curl command in the external script. This will force the system to use NTLM auth like in previous versions and therefor will work as expected again. Greets Markus
Upgrade Exchange 2010 to 2016 iApp
I know an iApp can be upgraded to another version of the same iApp. But can I upgrade the Exchange 2010_2013 iApp to the Exchange 2016 iApp. Note: the customer says they are going to use the same features in 2016 that they did in 2010. The current OS is Exchange 2010 and they are migrating to 2016.
Recommended Exchange 2016 ciphers settings?
After setting up our Exchange 2016 environment behind the F5 using the iApp, the SSL scan through Qualys SSL Labs gave us a big red F. Started a case with F5, to get the recommended cipher settings for Exchange 2016, but Support is telling me they don't know, and can only recommend different general settings to try to get rid of insecure ciphers. So first thing I'm recommended to try is: DEFAULT:!RSA I'm really surprised over this poor support, and hoping someone else out there has an Exchange 2016 server tightened down, without tighten it too much, to still be able to use Outlook Anywhere/OWA/ActiveSync etc. If you would be willing to share your ciphers settings, it would be much appreciated!FROM: TMG Exchange 2010 -> TO: F5 Exch 2010+2016 Coexistence - Poor Performance
Hey DevCentral, we just made the change from Exchange 2010 which was running on old Microsoft Forefront TMG to F5 iApp Exchange 2010 + 2016 with Load Balancing and Access Policy and everything else. It is still kind of "default" configured. I just have extended the Access Policy to make sure all customers from different WAN Locations and different domains can access to OWA etc. Internal everything does work really fine. But external sources (like a Kindergarten want to Access OWA via the Town Hall infrastructure) are running reaaally slow. How can that be? I tried to research the problems. We have: AP OWA: Deployed Exchange 2016 iApp AP Server 1: 2010 LB with 2 Nodes, 2016 LB with 2 Nodes AP Server 2: Virtual Server "Exchange redirect" with SNAT Auto Map (Is necessary for reaching the right network) What I tried: TCP Profile: Disable Nagle Algorithm, Disabled "Delayed Acks", Disabled "Slow Start" SSO: Method is configured as HTTP basic on both side (Exchange + F5). Double checked if domains/ip's are configured correctly (should be 100% fine, because it is running, but slow from external) Would be thankful for any idea! (Screenshots below: TCP Profile AP OWA, LB Virtual Servers AP Server 1)OWA Exchange 2016 - Problems with Autodiscover from external access
Hey F5 Community! At the Exchange-Server of the customers, the Login-Syntax from the Outlook-Autodiscovery, like its usually pre-configured from Microsoft, does not work. The customers have an outlook.customer.com OWA Access, and also an autodiscover.customer.com URL. They login with "domain\SamAccountName" or "UserPrincipalName". The Login possibilities at the F5 should have the same Login-Syntax like OWA for AutoDiscover. On the testconnectivity.microsoft.com site belongs to the SamAccountName also the intern domain, which should not be missing. Because without it will not work. At the moment the the Autodiscovery works only with the SamAccountName, without entering the local "domain\" infront of the username. This leads to conflicts with other internal structures at the Outlook-Autodiscovery. I work in public services, this is the case: There are problems with Outlook-Autodiscovery for the "public utility" but with the "townhall" it works fine. Independent from the Windowsdomain, the Exchange-Server have to find the intern domain or? Exchange Server is placed in the Townhall. Public Utility used the old OWA 2013 via TMG from the Townhall. Now Autodiscover does not work for Public Utility but works fine in the Townhall. The Access Policy is pretty basic: Logon Page -> AD Query (with Cross Domain enabled) -> AD Auth (with Cross Domain enabled) -> SSOCredentialMapping (with custom mcget {session.logon.last.logonname}) -nothing else changed Published on F5 BigIP v13.1.1 with Exchange 2016 template.
