Hybrid Exchange traffic and Starttls
we need to forward traffic from Exchange Online to the Exchange on premise server. direct connexion thru the firewall is working. We wanted to use the F5 to loadbalance the trafic on the 2 on premise exchange server. It seem that is a speciality with the starttls smtp trafic to do on the tcp port 25 😃. Thanks for your help Daniel50Views0likes1CommentiRule to Redirect autodiscover traffic
Dear all, the SSL certificate in my current virtual server points to autodiscover.abc.com and not autodiscover.abccommodities.com I would like F5 to redirect from autodiscover.abccommodities.com to autodiscover.abc.com in hopes to eliminating the SSL security warning popup from Outlook clients as seen below. Is that possible? I tried this iRule but it wasn't working, still prompts warning. I believe Outlook client is using HTTPS traffic to contact the mail server? when HTTP_REQUEST { if { [string tolower [HTTP::host]] ends_with ".abccommodities.com" } { HTTP::redirect "https://autodiscover.abc.com" } }Solved1.3KViews0likes6CommentsF5 webmail exchange 2016 - "Access policy evaluation is already in progress for your current session."
We recently moved over to outlook 2016. Users that are on 2010 connect fine and never have an issue. the new users that have moved over to 2016 mailboxes get the error message above in the title. When they connect, they get the following addons to their URL: ?bO=1 sessiondata.ashxappcacheclient=1&acver=15.1.1591.8&crr=1 I have tried irules from the following devcentral questions and answers with no success: Access policy evaluation is already in progress for your current session How to avoid "Access policy evaluation is already in progress" - (irules from matt, Misty Spillers & Stanislan Piron tested and didn't help) If i have users open a browser in "InPrivate Browsing" or "Incognito" mode, they don't get the error. I have also tried the windows_10_anniversary_fix as well as all the irules on page 76 of the iapp deployment guide for exchange 2016. Deployment guide stuff i tested and doesn't work: when HTTP_REQUEST { if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } { HTTP::cookie "IsClientAppCacheEnabled" False } } and tried this: when HTTP_REQUEST { if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } { HTTP::cookie remove "IsClientAppCacheEnabled" HTTP::cookie insert name "IsClientAppCacheEnabled" value False } } I have a ticket open with F5 but they are saying oh just check the guide. not helpful. Hoping someone from the community can help me. thanks in advance!1KViews0likes1CommentExchange iApp and app service name with dots
Hi! I deployed Exchange iApp v1.5.1 and used our FQDN as App service name, and ran into an issue with the generated snatpool irule. When connecting to the VIP this error message is logged TCL error: /Exchange/mail.domain.com_Internal.app/mail.domain.com_Internal_snatpool_irule3 - can't read "static::snat_ips_domain": no such variable while executing "snat $static::snat_ips_mail.domain.com_Internal([expr {[crc32 [IP::client_addr]] % [array size static::snat_ips_mail.domain.com_Internal]}])" The generated iRule looks like this when RULE_INIT { Use a local array to configure SNAT addresses. These addresses do not need to be defined in a SNAT pool or elsewhere. set static::snat_ips_mail.domain.com_Internal(0) 10.10.1.151 set static::snat_ips_mail.domain.com_Internal(1) 10.10.1.152 set static::snat_ips_mail.domain.com_Internal(2) 10.10.1.153 } when CLIENT_ACCEPTED { Calculate the crc32 checksum of the client IP Use the modulo of the checksum and number of SNAT IPs to pick a SNAT IP snat $static::snat_ips_mail.domain.com_Internal([expr {[crc32 [IP::client_addr]] % [array size static::snat_ips_mail.domain.com_Internal]}]) } Just from reading the error it looks like the reference to $static::snat_ips_mail.domain.com_Internal "breaks" after the first dot. I've tried enclosing the array name in curly braces in different ways but that only produces various syntax errors. TCL and arrays are not quite what I do every day 🙂 Is there any way to modify the snat statement so that it can reference static::snat_ips_mail.domain.com_Internal? Thanks /AndreasSolved412Views0likes3CommentsExchange 2010 iRule problem. Help!
BigIP 1600 LTM 10.2.4 I created Exchange 2010 on the F5 using the template on the device. I configured it for OWA/OA/AD/AS/IMAP/POP3 on a single IP address. I followed the deployment guide here https://www.f5.com/pdf/deployment-guides/f5-exchange-2010-dg.pdf and page 24 told me that I needed to download this zip http://www.f5.com/solution-center/deployment-guides/files/exchange-persist.zip and make changes to the persistence iRule. Now here is my issue: the iRule has this at the end... when HTTP_RESPONSE { if { [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate"} { ONECONNECT::reuse disable ONECONNECT::detach disable this command disables NTLM conn pool for connections where OneConnect has been disabled NTLM::disable } this command rechunks encoded responses if {[HTTP::header exists "Transfer-Encoding"]} { HTTP::payload rechunk } } The above script kills Autodiscover completely (Test Email AutoConfiguration on the Outlook client fails, testconnectivity.microsoft.com does not work and going to https://mail.domain.com/Autodiscover/Autodiscover.xml results in a "webpage is not available" error) Commenting out NTLM::disable results with Autodiscover working again. What gives? Is this an incorrect iRule? Do I have an issue with the F5 or is something wrong in Exchange?284Views0likes1CommentiRule in Exchange VS throwing error
Hi, I asm receiving an error every second for the same iRule over the last few days, and understand where it is being triggered, but not seeing a solution. I would appreciate any type of direction or ideas to help stop this error. Thanks in advance.....Ray Error: TCL error: /Common/Exchange_CAS.app/Exchange_CAS_apm_combined_pool_irule7 - attempt to use empty persistence key (line 2) invoked from within "persist uie $sessionid 7200" ("/owa" arm line 4) invoked from within "switch -glob -- [string tolower [HTTP::path]] { "/microsoft-server-activesync" { pool Exchange_CAS_as_pool7 persist u..." iRule: when ACCESS_ACL_ALLOWED { set sessionid [ACCESS::session data get "session.user.sessionid"] switch -glob -- [string tolower [HTTP::path]] { "/microsoft-server-activesync" { pool Exchange_CAS_as_pool7 persist uie $sessionid 7200 COMPRESS::disable CACHE::disable return } "/owa" { pool Exchange_CAS_owa_pool7 persist uie $sessionid 7200 return } "/ews*" { pool Exchange_CAS_oa_pool7 persist uie $sessionid 7200 COMPRESS::disable CACHE::disable return } "/ecp*" { pool Exchange_CAS_owa_pool7 persist uie $sessionid 7200 return } "/oab*" { pool Exchange_CAS_oa_pool7 persist none return } "/rpc/rpcproxy.dll*" { pool Exchange_CAS_oa_pool7 COMPRESS::disable CACHE::disable persist uie $sessionid 7200 return } "/autodiscover*" { pool Exchange_CAS_ad_pool7 persist none return } default { This final section takes all traffic that has not otherwise been accounted for and sends it to the pool for Outlook Web App pool Exchange_CAS_owa_pool7 persist uie $sessionid 7200 } } } when HTTP_RESPONSE { if { [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate"} { ONECONNECT::reuse disable ONECONNECT::detach disable NTLM::disable } if {[HTTP::header exists "Transfer-Encoding"]} { HTTP::payload rechunk } }352Views0likes2CommentsForward Compatibility with Irule BIG-IP APM with OWA 2016 and IE10 or Google Chrome
Morning All, Re: Which irule should be used to resolve the error "Access policy evaluation is already in progress" We are currently on BIG-IP 11.6.0 Build 6.0.442 Hotfix HF6 but I cannot guarantee that the device will not be patched to v11.6.1 HF1. Should we deploy the normal irule and will this be a issue in the device is upgraded to v11.6.1 HF1? Is there any issues deploying the irule for v11.6.1 HF1 instead? when HTTP_REQUEST { if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } { HTTP::cookie "IsClientAppCacheEnabled" False } } or Code when HTTP_REQUEST { if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } { HTTP::cookie remove "IsClientAppCacheEnabled" HTTP::cookie insert name "IsClientAppCacheEnabled" value False } }529Views0likes4CommentsAPM Activesync iRule and PROFILE_RESTRICT_SINGLE_IP variable
Hi, When configuring APM to authenticate Activesync connections, there are 2 solutions: enable irule _sys_APM_ExchangeSupport_main or _sys_APM_ExchangeSupport_main configure exchange profile which enable one of these irule (or another one...) In these irule, there is the following code: if { ! [ info exists PROFILE_POLICY_TIMEOUT ] } { set PROFILE_POLICY_TIMEOUT [PROFILE::access access_policy_timeout] } if { ! [ info exists PROFILE_MAX_SESS_TIMEOUT ] } { set PROFILE_MAX_SESS_TIMEOUT [PROFILE::access max_session_timeout] } if { ! [ info exists PROFILE_RESTRICT_SINGLE_IP ] } { set PROFILE_RESTRICT_SINGLE_IP 1 } Why the irule does not retrieve PROFILE_RESTRICT_SINGLE_IP from [PROFILE::access restrict_to_single_client_ip] instead of setting it to 1 which create lots of active sync sessions from several different IPs? to set the variable before , I created the following irule: when HTTP_REQUEST priority 1 { if { ! [ info exists PROFILE_RESTRICT_SINGLE_IP ] } { set PROFILE_RESTRICT_SINGLE_IP [PROFILE::access restrict_to_single_client_ip] } } Is there best solution?308Views0likes1CommentExchange 2013 iApp - Block Activesync except from one IP
Have only used the iApp templates with their defaults in the past but now I'm needing to allow only one IP to ActiveSync to it. We are using MobileIron for mobile devices and I want to only allow MobileIron to talk to the F5 for ActiveSync traffic. I believe they will be pointing their MobileIron server to the F5 VIP. Any easy way to do this? I've seen one post with code for an iRule to 'block' all activesync traffic but not allow only one IP. This is what I was referring to: when HTTP_REQUEST { switch -glob -- [string tolower [HTTP::path]] { "/microsoft-server-activesync*" { drop } } }Solved726Views0likes16CommentsExchange Hybrid SMTP Through F5 (using TLS)
Troubleshooting an Exchange Hybrid mail flow issue where inbound mail is failing to route through the F5 appliance. The overall network setup is Exchange Online <-> Palo Alto NGFW <-> F5 LTM <-> Exchange Pool. By default, Exchange Online will attempt to secure the connection over TCP 25 using TLS 1.2, and it seems this is where the issue is taking place. The F5 virtual server configuration is very straightforward, and I'm attempting to configure it to support SSL Passthrough (not Bridging or Offload). The VS is listening on TCP 25 and is performing a single forward to a backend pool, which I've limited to a known good working Exchange Server. No Client/Server SSL profiles have been configured (i.e., Passthrough) on the virtual server. A traffic capture on the virtual server does not show any STARTTLS negotiation taking place, which supports the TLS error we're receiving on the Exchange Online side. As a test, I've moved the flow of traffic around the F5 to allow direct communication between Exchange Online <-> Palo Alto NGFW <-> Exchange Server, and this is operational, and I can see the TLS negotiation taking place. I've referenced the SMTP deployment guide particularly for the Passthrough configuration option, and everything (other than the port 587 not 25) is correct. Both Exchange Online and the Exchange Server will require TLS, but configuring the F5 in bridging mode will not work as we do not have the private key of Exchange Online. https://www.f5.com/pdf/deployment-guides/f5-smtp-dg.pdf Has anyone run into a similar issue where it appears the TLS negotiation is not taking place? BIG-IP Version: 14.1.2.6 BIG-IP Platform: i7800 Exchange Version: 2016 CU161.8KViews1like1Comment