iRule to Redirect autodiscover traffic
Dear all, the SSL certificate in my current virtual server points to autodiscover.abc.com and not autodiscover.abccommodities.com I would like F5 to redirect from autodiscover.abccommodities.com to autodiscover.abc.com in hopes to eliminating the SSL security warning popup from Outlook clients as seen below. Is that possible? I tried this iRule but it wasn't working, still prompts warning. I believe Outlook client is using HTTPS traffic to contact the mail server? when HTTP_REQUEST { if { [string tolower [HTTP::host]] ends_with ".abccommodities.com" } { HTTP::redirect "https://autodiscover.abc.com" } }
F5 webmail exchange 2016 - "Access policy evaluation is already in progress for your current session."
We recently moved over to outlook 2016. Users that are on 2010 connect fine and never have an issue. the new users that have moved over to 2016 mailboxes get the error message above in the title. When they connect, they get the following addons to their URL: ?bO=1 sessiondata.ashxappcacheclient=1&acver=15.1.1591.8&crr=1 I have tried irules from the following devcentral questions and answers with no success: Access policy evaluation is already in progress for your current session How to avoid "Access policy evaluation is already in progress" - (irules from matt, Misty Spillers & Stanislan Piron tested and didn't help) If i have users open a browser in "InPrivate Browsing" or "Incognito" mode, they don't get the error. I have also tried the windows_10_anniversary_fix as well as all the irules on page 76 of the iapp deployment guide for exchange 2016. Deployment guide stuff i tested and doesn't work: when HTTP_REQUEST { if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } { HTTP::cookie "IsClientAppCacheEnabled" False } } and tried this: when HTTP_REQUEST { if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } { HTTP::cookie remove "IsClientAppCacheEnabled" HTTP::cookie insert name "IsClientAppCacheEnabled" value False } } I have a ticket open with F5 but they are saying oh just check the guide. not helpful. Hoping someone from the community can help me. thanks in advance!
Exchange 2010 iRule problem. Help!
BigIP 1600 LTM 10.2.4 I created Exchange 2010 on the F5 using the template on the device. I configured it for OWA/OA/AD/AS/IMAP/POP3 on a single IP address. I followed the deployment guide here https://www.f5.com/pdf/deployment-guides/f5-exchange-2010-dg.pdf and page 24 told me that I needed to download this zip http://www.f5.com/solution-center/deployment-guides/files/exchange-persist.zip and make changes to the persistence iRule. Now here is my issue: the iRule has this at the end... when HTTP_RESPONSE { if { [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate"} { ONECONNECT::reuse disable ONECONNECT::detach disable this command disables NTLM conn pool for connections where OneConnect has been disabled NTLM::disable } this command rechunks encoded responses if {[HTTP::header exists "Transfer-Encoding"]} { HTTP::payload rechunk } } The above script kills Autodiscover completely (Test Email AutoConfiguration on the Outlook client fails, testconnectivity.microsoft.com does not work and going to https://mail.domain.com/Autodiscover/Autodiscover.xml results in a "webpage is not available" error) Commenting out NTLM::disable results with Autodiscover working again. What gives? Is this an incorrect iRule? Do I have an issue with the F5 or is something wrong in Exchange?
iRule in Exchange VS throwing error
Hi, I asm receiving an error every second for the same iRule over the last few days, and understand where it is being triggered, but not seeing a solution. I would appreciate any type of direction or ideas to help stop this error. Thanks in advance.....Ray Error: TCL error: /Common/Exchange_CAS.app/Exchange_CAS_apm_combined_pool_irule7 - attempt to use empty persistence key (line 2) invoked from within "persist uie $sessionid 7200" ("/owa" arm line 4) invoked from within "switch -glob -- [string tolower [HTTP::path]] { "/microsoft-server-activesync" { pool Exchange_CAS_as_pool7 persist u..." iRule: when ACCESS_ACL_ALLOWED { set sessionid [ACCESS::session data get "session.user.sessionid"] switch -glob -- [string tolower [HTTP::path]] { "/microsoft-server-activesync" { pool Exchange_CAS_as_pool7 persist uie $sessionid 7200 COMPRESS::disable CACHE::disable return } "/owa" { pool Exchange_CAS_owa_pool7 persist uie $sessionid 7200 return } "/ews*" { pool Exchange_CAS_oa_pool7 persist uie $sessionid 7200 COMPRESS::disable CACHE::disable return } "/ecp*" { pool Exchange_CAS_owa_pool7 persist uie $sessionid 7200 return } "/oab*" { pool Exchange_CAS_oa_pool7 persist none return } "/rpc/rpcproxy.dll*" { pool Exchange_CAS_oa_pool7 COMPRESS::disable CACHE::disable persist uie $sessionid 7200 return } "/autodiscover*" { pool Exchange_CAS_ad_pool7 persist none return } default { This final section takes all traffic that has not otherwise been accounted for and sends it to the pool for Outlook Web App pool Exchange_CAS_owa_pool7 persist uie $sessionid 7200 } } } when HTTP_RESPONSE { if { [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate"} { ONECONNECT::reuse disable ONECONNECT::detach disable NTLM::disable } if {[HTTP::header exists "Transfer-Encoding"]} { HTTP::payload rechunk } }
Forward Compatibility with Irule BIG-IP APM with OWA 2016 and IE10 or Google Chrome
Morning All, Re: Which irule should be used to resolve the error "Access policy evaluation is already in progress" We are currently on BIG-IP 11.6.0 Build 6.0.442 Hotfix HF6 but I cannot guarantee that the device will not be patched to v11.6.1 HF1. Should we deploy the normal irule and will this be a issue in the device is upgraded to v11.6.1 HF1? Is there any issues deploying the irule for v11.6.1 HF1 instead? when HTTP_REQUEST { if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } { HTTP::cookie "IsClientAppCacheEnabled" False } } or Code when HTTP_REQUEST { if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } { HTTP::cookie remove "IsClientAppCacheEnabled" HTTP::cookie insert name "IsClientAppCacheEnabled" value False } }APM Activesync iRule and PROFILE_RESTRICT_SINGLE_IP variable
Hi, When configuring APM to authenticate Activesync connections, there are 2 solutions: enable irule _sys_APM_ExchangeSupport_main or _sys_APM_ExchangeSupport_main configure exchange profile which enable one of these irule (or another one...) In these irule, there is the following code: if { ! [ info exists PROFILE_POLICY_TIMEOUT ] } { set PROFILE_POLICY_TIMEOUT [PROFILE::access access_policy_timeout] } if { ! [ info exists PROFILE_MAX_SESS_TIMEOUT ] } { set PROFILE_MAX_SESS_TIMEOUT [PROFILE::access max_session_timeout] } if { ! [ info exists PROFILE_RESTRICT_SINGLE_IP ] } { set PROFILE_RESTRICT_SINGLE_IP 1 } Why the irule does not retrieve PROFILE_RESTRICT_SINGLE_IP from [PROFILE::access restrict_to_single_client_ip] instead of setting it to 1 which create lots of active sync sessions from several different IPs? to set the variable before , I created the following irule: when HTTP_REQUEST priority 1 { if { ! [ info exists PROFILE_RESTRICT_SINGLE_IP ] } { set PROFILE_RESTRICT_SINGLE_IP [PROFILE::access restrict_to_single_client_ip] } } Is there best solution?
Exchange Hybrid SMTP Through F5 (using TLS)
Troubleshooting an Exchange Hybrid mail flow issue where inbound mail is failing to route through the F5 appliance. The overall network setup is Exchange Online <-> Palo Alto NGFW <-> F5 LTM <-> Exchange Pool. By default, Exchange Online will attempt to secure the connection over TCP 25 using TLS 1.2, and it seems this is where the issue is taking place. The F5 virtual server configuration is very straightforward, and I'm attempting to configure it to support SSL Passthrough (not Bridging or Offload). The VS is listening on TCP 25 and is performing a single forward to a backend pool, which I've limited to a known good working Exchange Server. No Client/Server SSL profiles have been configured (i.e., Passthrough) on the virtual server. A traffic capture on the virtual server does not show any STARTTLS negotiation taking place, which supports the TLS error we're receiving on the Exchange Online side. As a test, I've moved the flow of traffic around the F5 to allow direct communication between Exchange Online <-> Palo Alto NGFW <-> Exchange Server, and this is operational, and I can see the TLS negotiation taking place. I've referenced the SMTP deployment guide particularly for the Passthrough configuration option, and everything (other than the port 587 not 25) is correct. Both Exchange Online and the Exchange Server will require TLS, but configuring the F5 in bridging mode will not work as we do not have the private key of Exchange Online. https://www.f5.com/pdf/deployment-guides/f5-smtp-dg.pdf Has anyone run into a similar issue where it appears the TLS negotiation is not taking place? BIG-IP Version: 14.1.2.6 BIG-IP Platform: i7800 Exchange Version: 2016 CU16
Kerberos client auth and Exchange profile
I'd like to do Kerberos auth of clients (where possible) and SSO to Exchange CAS servers. Today it's set up using Basic+NTLM auth. It works, but I would like to swap NTLM for Kerberos while we're setting up new CAS servers. I don't fully understand the purpose of the Exchange profile, what it exactly does and when. Looking though its settings, there is only Basic and NTLM to choose from for various URIs. For OWA as an example, I'd like to do client kerberos auth by creating an AP with a 401 basic+negotiate agent and following negotiate a Kerberos Auth agent. Would I set the owa options in the Exchange profile to "basic" and then the magic of the exchange profile kicks in when APM does a 401 Basic auth with the client, which hopefully never happens? SSO is Kerberos and already set up and works.
