Exchange Hybrid SMTP Through F5 (using TLS)
Troubleshooting an Exchange Hybrid mail flow issue where inbound mail is failing to route through the F5 appliance. The overall network setup is Exchange Online <-> Palo Alto NGFW <-> F5 LTM <-> Exchange Pool. By default, Exchange Online will attempt to secure the connection over TCP 25 using TLS 1.2, and it seems this is where the issue is taking place. The F5 virtual server configuration is very straightforward, and I'm attempting to configure it to support SSL Passthrough (not Bridging or Offload). The VS is listening on TCP 25 and is performing a single forward to a backend pool, which I've limited to a known good working Exchange Server. No Client/Server SSL profiles have been configured (i.e., Passthrough) on the virtual server. A traffic capture on the virtual server does not show any STARTTLS negotiation taking place, which supports the TLS error we're receiving on the Exchange Online side. As a test, I've moved the flow of traffic around the F5 to allow direct communication between Exchange Online <-> Palo Alto NGFW <-> Exchange Server, and this is operational, and I can see the TLS negotiation taking place. I've referenced the SMTP deployment guide particularly for the Passthrough configuration option, and everything (other than the port 587 not 25) is correct. Both Exchange Online and the Exchange Server will require TLS, but configuring the F5 in bridging mode will not work as we do not have the private key of Exchange Online. https://www.f5.com/pdf/deployment-guides/f5-smtp-dg.pdf Has anyone run into a similar issue where it appears the TLS negotiation is not taking place? BIG-IP Version: 14.1.2.6 BIG-IP Platform: i7800 Exchange Version: 2016 CU16
iRule to Redirect autodiscover traffic
Dear all, the SSL certificate in my current virtual server points to autodiscover.abc.com and not autodiscover.abccommodities.com I would like F5 to redirect from autodiscover.abccommodities.com to autodiscover.abc.com in hopes to eliminating the SSL security warning popup from Outlook clients as seen below. Is that possible? I tried this iRule but it wasn't working, still prompts warning. I believe Outlook client is using HTTPS traffic to contact the mail server? when HTTP_REQUEST { if { [string tolower [HTTP::host]] ends_with ".abccommodities.com" } { HTTP::redirect "https://autodiscover.abc.com" } }
deviceid for exchange activesync
We have APM set up for exchange activesync - we are also using the deviceid parameter as an added security measure. This is giving me a lot of grief, as this ID is relevant to the email client being used by the device and not to the device itself. With most phones the built in client identifier can be located when you set up the server details, but it's not so with the LG3 built-in client. I need to check the logs for a blocked user in order to locate this ID and it is proving impossible with the LG3. (using other non-built-in clients is possible but the users are not happy with their experience). I am wondering if instead of the email client ID, I could use the actual device ID of the phone (IMEI or UUID). If so, how can this be done? Thanks, Vered
F5 webmail exchange 2016 - "Access policy evaluation is already in progress for your current session."
We recently moved over to outlook 2016. Users that are on 2010 connect fine and never have an issue. the new users that have moved over to 2016 mailboxes get the error message above in the title. When they connect, they get the following addons to their URL: ?bO=1 sessiondata.ashxappcacheclient=1&acver=15.1.1591.8&crr=1 I have tried irules from the following devcentral questions and answers with no success: Access policy evaluation is already in progress for your current session How to avoid "Access policy evaluation is already in progress" - (irules from matt, Misty Spillers & Stanislan Piron tested and didn't help) If i have users open a browser in "InPrivate Browsing" or "Incognito" mode, they don't get the error. I have also tried the windows_10_anniversary_fix as well as all the irules on page 76 of the iapp deployment guide for exchange 2016. Deployment guide stuff i tested and doesn't work: when HTTP_REQUEST { if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } { HTTP::cookie "IsClientAppCacheEnabled" False } } and tried this: when HTTP_REQUEST { if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } { HTTP::cookie remove "IsClientAppCacheEnabled" HTTP::cookie insert name "IsClientAppCacheEnabled" value False } } I have a ticket open with F5 but they are saying oh just check the guide. not helpful. Hoping someone from the community can help me. thanks in advance!
Access Policy Already Being Evaluated - Exchange OWA Service
Hi, We recently setup APM for our OWA service to the internet. Pretty simple, checks AD group, and SSO to exchange. Works flawlessly except we are seeing abnormal behavior regarding time out and keeping sessions active. Many times due to inactive browsing, closing the tab, ect users will navigate to the main page again. They receive a "access policy already being evaluated message." Even closing the web browser at time doesn't seem to resolve the issue. What we found does resolve it: Desktops, launch private browsing windows iPhones, delete background processes or private windows. Neither of these solutions are ideal. How do I force these "limbo" sessions to expire and allow users to re-authenticate properly.Open port range on Exchange Cas array object to enable Outlook Anywhere
Hi Using Exchange 2010 SP3 and LTM 11.6.0 Outlook Anywhere is currently not working externally. The reason is it tries to proxy connections to the Excahnge CAS array object on port 6001-6004. The cas array is load balanced virtual server, part of an application service on LTM, and these ports are never configured and will be rejected. Changed some Exchange configuration, the EXPR Outlook provider, to use a internal server and it now works internally only. I wonder if something is configured wrong since i cant find many with the same issue. Found some but they never figured out what caused the issue and the solution was to not use HLB for RPC/MAPI. So, I want to: 1. either open the port range. 2. somehow make Outlook anywhere connections proxy directly to CAS servers Explanation; make this: mail.hostname.com/rpc/rpcproxy.dll?CASARRAY:6002 Into something like this: mail.hostname.com/rpc/rpcproxy.dll?Exchangesrv:6002 3. help with finding my miss-configuration :) Used fiddler to verify this is the issue.
Forward Compatibility with Irule BIG-IP APM with OWA 2016 and IE10 or Google Chrome
Morning All, Re: Which irule should be used to resolve the error "Access policy evaluation is already in progress" We are currently on BIG-IP 11.6.0 Build 6.0.442 Hotfix HF6 but I cannot guarantee that the device will not be patched to v11.6.1 HF1. Should we deploy the normal irule and will this be a issue in the device is upgraded to v11.6.1 HF1? Is there any issues deploying the irule for v11.6.1 HF1 instead? when HTTP_REQUEST { if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } { HTTP::cookie "IsClientAppCacheEnabled" False } } or Code when HTTP_REQUEST { if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } { HTTP::cookie remove "IsClientAppCacheEnabled" HTTP::cookie insert name "IsClientAppCacheEnabled" value False } }
F5 APM AD Query is failing for users having long username
Hi I have a running setup of LTM+APM+ASM in order load balance and secure the various application including Microsoft Exchange 2013. I have configured Two factor authentication for all the application access with Active Directory followed by OTP (SMS Gateway is using to deliver OTP) Now I found a strange issue on F5 that users having a long username (let say more than 20 Character) failing to do AD Query. in APM Logs it shows AD Auth is successful where as AD Query is failing as shown in below. Feb 2 18:19:47 bigip notice apd[6329]: 01490010:5: 6f817c66: Username 'abc12345678901234567890' Feb 2 18:19:47 bigip info apd[6329]: 01490004:6: 6f817c66: Executed agent '/Common/AMM_AD_1_act_logon_page_ag', return value 0 Feb 2 18:19:47 bigip info apd[6329]: 01490006:6: 6f817c66: Following rule 'fallback' from item 'Logon Page' to item 'AD Auth' Feb 2 18:19:47 bigip info apd[6329]: 01490017:6: 6f817c66: AD agent: Auth (logon attempt:0): authenticate with 'abc12345678901234567890' successful Feb 2 18:19:47 bigip info apd[6329]: 01490004:6: 6f817c66: Executed agent '/Common/AMM_AD_1_act_active_directory_auth_ag', return value 0 Feb 2 18:19:47 bigip info apd[6329]: 01490006:6: 6f817c66: Following rule 'Successful' from item 'AD Auth' to item 'AD Query' Feb 2 18:19:48 bigip err apd[6329]: 01490107:3: 6f817c66: AD module: query with 'sAMAccountName=abc12345678901234567890' failed: no matching user found with filter sAMAccountName=abc12345678901234567890 (-1) Feb 2 18:19:48 bigip info apd[6329]: 01490019:6: 6f817c66: AD agent: Query: query with 'sAMAccountName=abc12345678901234567890' failed Feb 2 18:19:48 bigip info apd[6329]: 01490004:6: 6f817c66: Executed agent '/Common/AMM_AD_1_act_active_directory_query_ag', return value 0 Feb 2 18:19:48 bigip notice apd[6329]: 01490005:5: 6f817c66: Following rule 'fallback' from item 'AD Query' to ending 'Deny' What I noticed that Users having a username with with up-to 20 charterer is able to login and access the application without any problem and if the username is more than 20 Character its failing. We have a multiple users having a long username, if any one can help to resolve/Advice on this that would be highly appreciated.
