owa 2013
7 Topics

SSO breaking OWA font icons
I am investigating an issue where font-based icons are not rendering in OWA 2013 when accessed in Internet Explorer through APM using SSO.

IE11:

Everywhere else:

We originally configured load balancing for CAS / OWA through LTM using the iApp without APM, and later added a portal access link to OWA on a separate APM webtop portal. This link goes through the APM session in order to use form-based SSO, and was configured manually & completely separately from the iApp-based VIP hosting CAS / OWA.

The page renders as expected in any browser when accessed directly without APM, or through APM when SSO is disabled (or fails). The page also renders normally when accessed with SSO in any browser except IE11.

We have performed a wide range of tests on the app and SSO profile with limited success. Under certain circumstances, IE11 will render the icons, but only when requests are routed through an external proxy (i.e. Fiddler), and even then only under specific SSO settings. We have verified that the fonts are being received intact, and can even get the icons to render if we install them locally and modify the page (through the IE developer console) to load the local copy. We have also applied the client-initiated SSO profile that is created by the Exchange 2013 iApp template, with the same results.

I am now out of ideas and open to any potential explanations or solutions the community has to share. Thank you in advance.

```
apm resource portal-access /Common/OWA {
    acl-order 8
    application-uri https://owa.domain.com/owa/auth/logon.aspx\?replaceCurrent=1
    customization-group /Common/OWA_resource_web_app_customization
    items {
        item {
            host owa.domain.com
            order 1
            paths /*
            port 443
            scheme https
            sso /Common/exchange_2013_sso
            subnet 0.0.0.0/0
        }
    }
    path-match-case false
    publish-on-webtop true
    scheme-patching true
}
apm sso form-based /Common/exchange_2013_sso {
    form-action /owa/auth.owa
    form-field "destination https://owa.domain.com/owa/ flags 4 forcedownlevel 0 isUtf8 1 trusted 0"
    form-password password
    form-username username
    start-uri /owa/auth/logon.aspx\?replaceCurrent=1
    success-match-value path
    username-source session.qualifiedlogin
}
```

293 Views, 0 likes, 0 Comments

OWA 2013 SSO - Client initiated form Logout
Hi! I currently have SSO working to log into OWA 2013 via a client-initiated form. I am having an issue with the logout functionality though. Currently when a user presses logout from OWA it loops back into itself and never logs the user out (browser close required to logout).

I've used the "Deploying F5 with Microsoft Exchange 2013..." guide to set up the login part. This guide describes the following iRule to terminate inactive APM sessions (which also seems to include a logout feature).

```
when RULE_INIT {
    set static::cookie_sessionid [format "sessionid=null; path=/; Expires=Thur, 01-Jan-1970 00:00:00 GMT;"]
    set static::cookie_cadata [format "cadata=null; path=/; Expires=Thur, 01-Jan-1970 00:00:00 GMT;"]
    set static::cookie_usercontext [format "UserContext=null; path=/; Expires=Thur, 01-Jan-1970 00:00:00 GMT;"]
}
when ACCESS_SESSION_STARTED {
    if { [string tolower [HTTP::uri]] contains "ua=0" } {
        ACCESS::session remove
    }
}
when ACCESS_ACL_ALLOWED {
    set apm_mrhsession [HTTP::cookie value "MRHSession"]
    if { [table lookup $apm_mrhsession] == "EXCHANGE_LOGOUT" } {
        ACCESS::session remove
        table delete $apm_mrhsession
    }
}
when HTTP_REQUEST {
    set isset 0
    if {[string tolower [HTTP::uri]] starts_with "/owa" } {
        if {[string tolower [HTTP::uri]] contains "logoff" } {
            ACCESS::session remove
            HTTP::respond 302 Location "https://[HTTP::host]/vdesk/hangup.php3" "Set-Cookie" $static::cookie_sessionid "Set-Cookie" $static::cookie_cadata "Set-Cookie" $static::cookie_usercontext
        } else {
            if { [string tolower [HTTP::uri]] contains "ua=0" } {
                set mrhsession [HTTP::cookie value "MRHSession"]
                set isset 1
            }
        }
    }
}
when HTTP_RESPONSE {
    if { $isset == 1 } {
        if { $mrhsession != "" && [HTTP::status] == 440 } {
            table set $apm_mrhsession "EXCHANGE_LOGOUT"
            return
        }
    }
}
```

Currently when a user logs out I see it hit:

Which then loops directly back into:

What am I missing here? Any tips would be great! Thanks

594 Views, 0 likes, 7 Comments

F5 APM OWA o365 SSO Form Based Authentication Issues
Hello there, we'd like to configure our v11.6 F5 box to provide access to an Exchange 2013 / MS o365 web based email using APM to enforce two factor authentication (AD + OTP) on an HTTPS Virtual Server. The authentication part is ok and the policy log shows that the ending is "allow". On the other end the authenticated user is redirected to his o365 landing home page that displays his latest emails. At this point any attempt to click on any item in the page won't produce any result.

When looking at the session logs, I noticed that right after the webtop gets assigned and the Websso form-based auth is triggered, APM says "Session deleted due to user logout request." which of course the user has not done. What am I missing?

Session Logs:

```
Jul 9 17:47:02 MY-F5 notice apd[5923]: 01490220:5: c1f370de: Pool '/Common/mail.o365.mydomain.com' assigned
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490004:6: c1f370de: Executed agent '/Common/WEBMAIL_act_resource_assign_2_ag', return value 0
Jul 9 17:47:02 MY-F5 notice apd[5923]: 01490005:5: c1f370de: Following rule 'fallback' from item 'TEST_OWA' to ending 'Allow'
Jul 9 17:47:02 MY-F5 notice apd[5923]: 01490102:5: c1f370de: Access policy result: Web_Application
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490004:6: c1f370de: Executed agent '/Common/WEBMAIL_end_allow_ag', return value 0
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.assigned.pool' set to '/Common/mail.o365.mydomain.com'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.assigned.resources.pa' set to '/Common/OWA_TEST'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.assigned.uuid' set to 'tmm.uuid./Common/WEBMAIL.userid'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.assigned.webtop' set to '/Common/WebTop_Test'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.ldap./Common/WEBMAIL_act_ldap_auth_ag.authresult' set to '1'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.ldap./Common/WEBMAIL_act_ldap_auth_ag.errmsg' set to ' '
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.ldap./Common/WEBMAIL_act_ldap_auth_ag.errmsgext' set to ' '
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.ldap./Common/WEBMAIL_act_ldap_auth_ag.totalEntries' set to '0'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.ldap.last.authresult' set to '1'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.ldap.last.errmsg' set to ' '
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.ldap.last.errmsgext' set to ' '
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.ldap.last.totalEntries' set to '0'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.logon.last.password' set to '**********'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.logon.last.username' set to 'userid@mydomain.ad'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.logon.page.errorcode' set to '0'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.policy.result' set to 'allow'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.policy.result.start_uri' set to '/f5-w-68747470733a2f2f7765626d61696c2e6d79646f6d61696e2e636f6d$$/owa/'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.policy.result.webtop.type' set to 'web_application'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius./Common/WEBMAIL_act_radius_auth_ag.attr.class' set to '0x661905fe00000137000102000aef19aa00000000000000000000000001d0b703690c67f0000000000000129d'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius./Common/WEBMAIL_act_radius_auth_ag.attr.framed-protocol' set to '1'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius./Common/WEBMAIL_act_radius_auth_ag.attr.service-type' set to '2'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius./Common/WEBMAIL_act_radius_auth_ag.errmsg' set to ' '
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius./Common/WEBMAIL_act_radius_auth_ag.result' set to '1'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius.last.attr.class' set to '0x661905fe00000137000102000aef19aa00000000000000000000000001d0b703690c67f0000000000000129d'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius.last.attr.framed-protocol' set to '1'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius.last.attr.service-type' set to '2'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius.last.errmsg' set to ' '
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius.last.result' set to '1'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.sso.token.last.password' set to '**********'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.sso.token.last.username' set to 'userid@mydomain.ad'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.webtop.customization.group' set to '/Common/WebTop_Test_customization'
Jul 9 17:47:02 MY-F5 info websso.0[12351]: 014d0015:6: c1f370de: Websso form-based authentication for user 'userid@mydomain.ad' using config '/Common/OWA_365'
Jul 9 17:47:06 MY-F5 notice tmm2[11808]: 01490501:5: c1f370de: Session deleted due to user logout request.
Jul 9 17:47:44 MY-F5 notice tmm2[11808]: 01490521:5: c1f370de: Session statistics - bytes in: 161950, bytes out: 1593105
```

And here's the sso config

```
apm sso form-based /Common/OWA_365 {
    form-action https://webmail.mydomain.com/owa/auth.owa
    form-field "destination https://webmail.mydomain.com/owa/ flags 4 forcedownlevel 0 passwordText isUtf8 1 trusted 4"
    form-password password
    form-username username
    start-uri /owa/auth/logon.aspx*
}
apm resource portal-access /Common/OWA_TEST {
    acl-order 2
    customization-group /Common/OWA_TEST_resource_web_app_customization
    flash-patching false
    items {
        item {
            client-caching-type no-cache
            compression-type none
            home-tab false
            host webmail.mydomain.com
            log packet
            order 1
            paths /*
            port 443
            scheme https
            session-timeout false
            session-update false
            sso /Common/OWA_365
            subnet 0.0.0.0/0
        }
    }
    path-match-case false
    scheme-patching true
}
apm resource webtop /Common/WebTop_Test {
    customization-group /Common/WebTop_Test_customization
    portal-access-start-uri https://webmail.mydomain.com/owa/
    webtop-type portal-access
}
```

Thanks in advance for your help

Solved, 961 Views, 0 likes, 6 Comments

APM OWA Login Confirmation Box
Hello,

First, forgive my ignorance if this has been addressed, but I am fairly new to configuring APM policies. Our security department has asked that on our OWA landing page, when a user enters their AD credentials and hits login, a confirmation box pops up w/ a security warning (company specific text). If the user does not agree they will click something like no and it will return them to the login page, but if they click yes, it will process their login. I am at a loss on how to do this. Any help is greatly appreciated.

Thanks

215 Views, 0 likes, 0 Comments

Portal Access to OWA Requires Refresh
Hello,

I currently have Portal Access set up to our OWA (Exchange 2013) site and have configured a Client Initiated Forms based SSO profile. For all intents and purposes it works; however, on first connection OWA spins its wheels endlessly unless I hit F5 or refresh, then OWA opens instantly and as expected. Has anyone else experienced this behavior before, or have any suggestions on how to resolve this issue?

I followed the instructions in this article: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-sso-config-11-2-0/3.htmlunique_1316790788

However, these instructions are for OWA 2010, but I was told they should work for OWA 2013 as well.

449 Views, 0 likes, 5 Comments

F5 APM access for OWA and web site access
I have promised a client that I would deliver them a web page on an APM which will allow access to OWA and a few other internal web sites (https://leavesportal.domain.com) of their environment. I started working on the Big-IP 4200 with licenses for LTM + APM. I used the Exchange2010-2013 template and created an application service with the deployment scenario 'Which scenario describes how you will use the BIG-IP system?' - "BIG-IP APM will provide secure remote access to CAS" and provided the rest of the details. I could get the login page, but then after entering the credentials, nothing happens. I'm very new to this APM module; I know the basics. Could someone help me out with this please?

208 Views, 0 likes, 0 Comments

ASM application ready templates for OWA 2013
Hi,

We are currently using the 11.4.0 software version, and the currently available application ready security templates for OWA are for 2010. We want to use ASM for Microsoft OWA 2013. I have checked the documentation for 11.5 and couldn't find templates for OWA 2013. May I know if these templates can be imported separately, or do I have to wait for the next release?

Regards,
Akhtar

396 Views, 0 likes, 4 Comments