Setting up ASM policy to protect Outlook Web Access (OWA)
I have used the iApp to create a the setup for some Exchange 2016 backend servers. Users from outside are supposed to use Outlook Web App (OWA), and I thought it should be possible to protect the virtual server using ASM and only allowing access to specific URLs. However, if I want to create a new policy in Security -> Application Security -> Security Policies -> Create... I am not able to select the virtual server. The information text next to the input field states: "Select an Existing Virtual Server if you already configured one (An existing Virtual Server is displayed only if it has an HTTP Profile assigned to it and it is not using any Local Traffic Policy controlling ASM)..." The iApp created a virtual server and assigned an HTTP profile to it. I verified that the parent profile is "http". So which important bit might I be missing? I have seen there is a specific template for just OWA and ASM (https://devcentral.f5.com/articles/new-asm-outlook-web-access-owa-2016-template-for-bigip-v13-29413), but is it possible to combine the two somehow?
Recommended Exchange 2016 ciphers settings?
After setting up our Exchange 2016 environment behind the F5 using the iApp, the SSL scan through Qualys SSL Labs gave us a big red F. Started a case with F5, to get the recommended cipher settings for Exchange 2016, but Support is telling me they don't know, and can only recommend different general settings to try to get rid of insecure ciphers. So first thing I'm recommended to try is: DEFAULT:!RSA I'm really surprised over this poor support, and hoping someone else out there has an Exchange 2016 server tightened down, without tighten it too much, to still be able to use Outlook Anywhere/OWA/ActiveSync etc. If you would be willing to share your ciphers settings, it would be much appreciated!
Exchange 2016 does not work through F5, manually configured.
Hello Guys, I am searching since last 5 days a way to implement Exchange 2016 through F5 without iApp. I strictly followed deployment guide but I have 50% success. OWA is working for Exchange 2016 users but Outlook still stays disconnected. I am not using ASM or APM. Even MAPI health check monitor stays down. Syntax of monitor is absolutely the same as OWA, Autodiscovery, Activesync, Outlook Anywhere, EWS but still same result - not working for Outlook 2016. Interesting is that without going through F5 it works perfect.
OWA Exchange 2016 - Problems with Autodiscover from external access
Hey F5 Community! At the Exchange-Server of the customers, the Login-Syntax from the Outlook-Autodiscovery, like its usually pre-configured from Microsoft, does not work. The customers have an outlook.customer.com OWA Access, and also an autodiscover.customer.com URL. They login with "domain\SamAccountName" or "UserPrincipalName". The Login possibilities at the F5 should have the same Login-Syntax like OWA for AutoDiscover. On the testconnectivity.microsoft.com site belongs to the SamAccountName also the intern domain, which should not be missing. Because without it will not work. At the moment the the Autodiscovery works only with the SamAccountName, without entering the local "domain\" infront of the username. This leads to conflicts with other internal structures at the Outlook-Autodiscovery. I work in public services, this is the case: There are problems with Outlook-Autodiscovery for the "public utility" but with the "townhall" it works fine. Independent from the Windowsdomain, the Exchange-Server have to find the intern domain or? Exchange Server is placed in the Townhall. Public Utility used the old OWA 2013 via TMG from the Townhall. Now Autodiscover does not work for Public Utility but works fine in the Townhall. The Access Policy is pretty basic: Logon Page -> AD Query (with Cross Domain enabled) -> AD Auth (with Cross Domain enabled) -> SSOCredentialMapping (with custom mcget {session.logon.last.logonname}) -nothing else changed Published on F5 BigIP v13.1.1 with Exchange 2016 template.How to bypass APM profile if uri is "/rpc/rpcproxy.dll" ?
I was trying to bypass APM part for Outlook Anywhere by adding an iRule. But "ACCESS::disable" is not helping. my intention is to disable APM authentication part and do only Loadbalancing or just forward the traffic to Pool if the uri is /rpc/rpcproxy.dll. I have used iAPP for exchange 2016 configuration. when HTTP_REQUEST { if { ([HTTP::path] eq "/rpc/rpcproxy.dll") and \ (([HTTP::method] equals "RPC_IN_DATA") or ([HTTP::method] equals "RPC_OUT_DATA"))}{ ACCESS::disable pool OA_pool log local0. "APM disabled." } else { ACCESS::enable log local0. "APM enabled." } }
Office Online Server 2016 iapp via Office Web Apps
Hi Guys, We are deploying our new Exchange 2016 farm with an Office Online Server Farm. I have noted that the Office Web Apps iapp supports 2013 without any mention of the 2016 Office Online Server. Is there any issue using the Office Web Apps iApp for the 2016 Office Online Servers? From what I can see the load balancing requirements office online server and the Office Web Apps are the same.Forward Compatibility with Irule BIG-IP APM with OWA 2016 and IE10 or Google Chrome
Morning All, Re: Which irule should be used to resolve the error "Access policy evaluation is already in progress" We are currently on BIG-IP 11.6.0 Build 6.0.442 Hotfix HF6 but I cannot guarantee that the device will not be patched to v11.6.1 HF1. Should we deploy the normal irule and will this be a issue in the device is upgraded to v11.6.1 HF1? Is there any issues deploying the irule for v11.6.1 HF1 instead? when HTTP_REQUEST { if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } { HTTP::cookie "IsClientAppCacheEnabled" False } } or Code when HTTP_REQUEST { if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } { HTTP::cookie remove "IsClientAppCacheEnabled" HTTP::cookie insert name "IsClientAppCacheEnabled" value False } }FROM: TMG Exchange 2010 -> TO: F5 Exch 2010+2016 Coexistence - Poor Performance
Hey DevCentral, we just made the change from Exchange 2010 which was running on old Microsoft Forefront TMG to F5 iApp Exchange 2010 + 2016 with Load Balancing and Access Policy and everything else. It is still kind of "default" configured. I just have extended the Access Policy to make sure all customers from different WAN Locations and different domains can access to OWA etc. Internal everything does work really fine. But external sources (like a Kindergarten want to Access OWA via the Town Hall infrastructure) are running reaaally slow. How can that be? I tried to research the problems. We have: AP OWA: Deployed Exchange 2016 iApp AP Server 1: 2010 LB with 2 Nodes, 2016 LB with 2 Nodes AP Server 2: Virtual Server "Exchange redirect" with SNAT Auto Map (Is necessary for reaching the right network) What I tried: TCP Profile: Disable Nagle Algorithm, Disabled "Delayed Acks", Disabled "Slow Start" SSO: Method is configured as HTTP basic on both side (Exchange + F5). Double checked if domains/ip's are configured correctly (should be 100% fine, because it is running, but slow from external) Would be thankful for any idea! (Screenshots below: TCP Profile AP OWA, LB Virtual Servers AP Server 1)
Upgrade Exchange 2010 to 2016 iApp
I know an iApp can be upgraded to another version of the same iApp. But can I upgrade the Exchange 2010_2013 iApp to the Exchange 2016 iApp. Note: the customer says they are going to use the same features in 2016 that they did in 2010. The current OS is Exchange 2010 and they are migrating to 2016.Exchange 2016 iApp Template v1.0.2 and the current RC
I'm trying to use the Exchange 2016 iApp when I try to create the Application Service it throws the following error: Error parsing template:can't eval proc: "script::run" script does not exist while executing "tmsh::run_proc avr" (procedure "script::run" line 1) invoked from within "script::run" line:1 ! I'm a newb with BIG-IP, but all the other templates in the iapps 1.0.0.492.0 download work fine.
