Exchange Hybrid SMTP Through F5 (using TLS)
Troubleshooting an Exchange Hybrid mail flow issue where inbound mail is failing to route through the F5 appliance. The overall network setup is Exchange Online <-> Palo Alto NGFW <-> F5 LTM <-> Exchange Pool. By default, Exchange Online will attempt to secure the connection over TCP 25 using TLS 1.2, and it seems this is where the issue is taking place. The F5 virtual server configuration is very straightforward, and I'm attempting to configure it to support SSL Passthrough (not Bridging or Offload). The VS is listening on TCP 25 and is performing a single forward to a backend pool, which I've limited to a known good working Exchange Server. No Client/Server SSL profiles have been configured (i.e., Passthrough) on the virtual server. A traffic capture on the virtual server does not show any STARTTLS negotiation taking place, which supports the TLS error we're receiving on the Exchange Online side. As a test, I've moved the flow of traffic around the F5 to allow direct communication between Exchange Online <-> Palo Alto NGFW <-> Exchange Server, and this is operational, and I can see the TLS negotiation taking place. I've referenced the SMTP deployment guide, particularly for the Passthrough configuration option, and everything (other than the port being 587, not 25) is correct. Both Exchange Online and the Exchange Server will require TLS, but configuring the F5 in bridging mode will not work as we do not have the private key of Exchange Online. https://www.f5.com/pdf/deployment-guides/f5-smtp-dg.pdf Has anyone run into a similar issue where it appears the TLS negotiation is not taking place?

BIG-IP Version: 14.1.2.6
BIG-IP Platform: i7800
Exchange Version: 2016 CU16

iRule to Redirect autodiscover traffic
Dear all, the SSL certificate in my current virtual server points to autodiscover.abc.com and not autodiscover.abccommodities.com. I would like F5 to redirect from autodiscover.abccommodities.com to autodiscover.abc.com in hopes of eliminating the SSL security warning popup from Outlook clients as seen below. Is that possible? I tried this iRule but it wasn't working; it still prompts the warning. I believe the Outlook client is using HTTPS traffic to contact the mail server?

    when HTTP_REQUEST {
        if { [string tolower [HTTP::host]] ends_with ".abccommodities.com" } {
            HTTP::redirect "https://autodiscover.abc.com"
        }
    }

deviceid for exchange activesync
We have APM set up for Exchange ActiveSync - we are also using the deviceid parameter as an added security measure. This is giving me a lot of grief, as this ID is relevant to the email client being used by the device and not to the device itself. With most phones the built-in client identifier can be located when you set up the server details, but it's not so with the LG3 built-in client. I need to check the logs for a blocked user in order to locate this ID, and it is proving impossible with the LG3 (using other non-built-in clients is possible, but the users are not happy with their experience). I am wondering if, instead of the email client ID, I could use the actual device ID of the phone (IMEI or UUID). If so, how can this be done?

Thanks,
Vered

F5 webmail exchange 2016 - "Access policy evaluation is already in progress for your current session."
We recently moved over to Outlook 2016. Users that are on 2010 connect fine and never have an issue. The new users that have moved over to 2016 mailboxes get the error message above in the title. When they connect, they get the following addons to their URL:

    ?bO=1 sessiondata.ashxappcacheclient=1&acver=15.1.1591.8&crr=1

I have tried iRules from the following DevCentral questions and answers with no success:

- Access policy evaluation is already in progress for your current session
- How to avoid "Access policy evaluation is already in progress" - (iRules from matt, Misty Spillers & Stanislas Piron tested and didn't help)

If I have users open a browser in "InPrivate Browsing" or "Incognito" mode, they don't get the error. I have also tried the windows_10_anniversary_fix as well as all the iRules on page 76 of the iApp deployment guide for Exchange 2016. Deployment guide stuff I tested that doesn't work:

    when HTTP_REQUEST {
        if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } {
            HTTP::cookie "IsClientAppCacheEnabled" False
        }
    }

and tried this:

    when HTTP_REQUEST {
        if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } {
            HTTP::cookie remove "IsClientAppCacheEnabled"
            HTTP::cookie insert name "IsClientAppCacheEnabled" value False
        }
    }

I have a ticket open with F5, but they are saying oh, just check the guide. Not helpful. Hoping someone from the community can help me. Thanks in advance!

Exchange 2013 iApp - Block Activesync except from one IP
Have only used the iApp templates with their defaults in the past, but now I'm needing to allow only one IP to ActiveSync to it. We are using MobileIron for mobile devices, and I want to only allow MobileIron to talk to the F5 for ActiveSync traffic. I believe they will be pointing their MobileIron server to the F5 VIP. Any easy way to do this? I've seen one post with code for an iRule to 'block' all ActiveSync traffic, but not to allow only one IP. This is what I was referring to:

    when HTTP_REQUEST {
        switch -glob -- [string tolower [HTTP::path]] {
            "/microsoft-server-activesync*" {
                drop
            }
        }
    }

Access Policy Already Being Evaluated - Exchange OWA Service
Hi, We recently set up APM for our OWA service to the internet. Pretty simple: checks AD group, and SSO to Exchange. Works flawlessly, except we are seeing abnormal behavior regarding time out and keeping sessions active. Many times, due to inactive browsing, closing the tab, etc., users will navigate to the main page again. They receive an "access policy already being evaluated" message. Even closing the web browser at times doesn't seem to resolve the issue. What we found does resolve it: Desktops, launch private browsing windows; iPhones, delete background processes or private windows. Neither of these solutions is ideal. How do I force these "limbo" sessions to expire and allow users to re-authenticate properly?

Open port range on Exchange Cas array object to enable Outlook Anywhere
Hi, Using Exchange 2010 SP3 and LTM 11.6.0. Outlook Anywhere is currently not working externally. The reason is it tries to proxy connections to the Exchange CAS array object on ports 6001-6004. The CAS array is a load balanced virtual server, part of an application service on LTM, and these ports are never configured and will be rejected. Changed some Exchange configuration, the EXPR Outlook provider, to use an internal server, and it now works internally only. I wonder if something is configured wrong since I can't find many with the same issue. Found some, but they never figured out what caused the issue, and the solution was to not use HLB for RPC/MAPI. So, I want to:

1. either open the port range.
2. somehow make Outlook Anywhere connections proxy directly to CAS servers. Explanation; make this:

    mail.hostname.com/rpc/rpcproxy.dll?CASARRAY:6002

   Into something like this:

    mail.hostname.com/rpc/rpcproxy.dll?Exchangesrv:6002

3. help with finding my misconfiguration :)

Used Fiddler to verify this is the issue.

F5 11.6.1/Exchange iApp 1.5.2rc2 and ActiveSync
I was having problems after upgrading our F5 and iApp to the latest code. Everything was working fine except ActiveSync kept showing down. I noticed in the manual that it said if we were on v12.0 or later and iApp 1.5.1 or earlier we may have issues with the advanced health monitors. We don't meet those criteria, but the solution does seem to fix it. Is this still an issue in the latest code (1.5.2rc2)?

Solution from manual:

Experiencing ActiveSync health monitor issues using BIG-IP v12.0 and later

If you are using BIG-IP v12.0 or later and iApp version 1.5.1 or earlier, you may experience the ActiveSync health monitor consistently failing despite the fact the service is available. You can check for the availability of new templates at https://support.f5.com/kb/en-us/solutions/public/13000/400/sol13497.html or https://devcentral.f5.com/codeshare/tag/iapps?s=exchange

To solve this issue, you must either upgrade to a later version of the iApp template, or make the following change to the health monitor to remove an extraneous backslash.

1. If you have not already disabled Strict Updates, see Step 2. Disable the Strict Updates feature: on page 58.
2. On the Main tab, click Local Traffic > Monitors.
3. Click the name of the ActiveSync health monitor created by the template. This starts with the name you gave the iApp, followed by _as_http_adv_monitor.
4. In the User Name field, between the FQDN and the user name, remove one of the two backslashes.
5. Click Update.

Forward Compatibility with Irule BIG-IP APM with OWA 2016 and IE10 or Google Chrome
Morning All,

Re: Which iRule should be used to resolve the error "Access policy evaluation is already in progress"

We are currently on BIG-IP 11.6.0 Build 6.0.442 Hotfix HF6, but I cannot guarantee that the device will not be patched to v11.6.1 HF1. Should we deploy the normal iRule, and will this be an issue if the device is upgraded to v11.6.1 HF1? Are there any issues deploying the iRule for v11.6.1 HF1 instead?

    when HTTP_REQUEST {
        if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } {
            HTTP::cookie "IsClientAppCacheEnabled" False
        }
    }

or

    when HTTP_REQUEST {
        if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } {
            HTTP::cookie remove "IsClientAppCacheEnabled"
            HTTP::cookie insert name "IsClientAppCacheEnabled" value False
        }
    }

Office365 Exchange protocols with APM and SAML
Hi all, We'd like to know which of the Office365 Exchange protocols are supported with SAML. We've got extensive experience with deploying on-premises Exchange with APM, and know that SAML will work for the browser-based functionality like OWA and ECP, but what about the other protocols like ActiveSync, EWS, OAB and Office Anywhere?

Regards,
MiLK_MaN