Forum Discussion

Vincent_Z_17509's avatar
Vincent_Z_17509
Icon for Nimbostratus rankNimbostratus
Oct 24, 2014
Solved

Exchange 2010, O365, APM and iRule

Hello,   I'm trying to deploy BIG IP with Exchange 2010 in hybrid mode. It involves that there is only authentication for OWA and ActiveSync and no authentication for the EWS and autodiscover. It ...
application delivery
BIG-IP Access Policy Manager (APM)
devops
iRules
microsoft
security
  • mikeshimkus_111's avatar
    mikeshimkus_111
    Oct 27, 2014

    For EWS and Autodiscover, you should be able to add an iRule (or disable strictness on the iApp deployment and edit the existing pool assignment iRule) to disable APM for that traffic. For example:

    when HTTP_REQUEST {
    switch -glob -- [string tolower [HTTP::path]] {
    "/ews*" {
        ACCESS::disable
    }
    "/autodiscover*" {
        ACCESS::disable
    }
}

    For OWA, you'll need to remove the logon page from the Access Policy and modify the sso_select iRule to choose the NTLM SSO instead of forms:

    when ACCESS_ACL_ALLOWED {
    set req_uri [string tolower [HTTP::uri]]
    if { $req_uri contains "/owa"  } {
        WEBSSO::select [set foo /Common/exchange_2010.app/exch_ntlm_sso]
    }
    unset req_uri
}
mikeshimkus_111's avatar
mikeshimkus_111
Historic F5 Account

For EWS and Autodiscover, you should be able to add an iRule (or disable strictness on the iApp deployment and edit the existing pool assignment iRule) to disable APM for that traffic. For example:

when HTTP_REQUEST {
    switch -glob -- [string tolower [HTTP::path]] {
    "/ews*" {
        ACCESS::disable
    }
    "/autodiscover*" {
        ACCESS::disable
    }
}

For OWA, you'll need to remove the logon page from the Access Policy and modify the sso_select iRule to choose the NTLM SSO instead of forms:

when ACCESS_ACL_ALLOWED {
    set req_uri [string tolower [HTTP::uri]]
    if { $req_uri contains "/owa"  } {
        WEBSSO::select [set foo /Common/exchange_2010.app/exch_ntlm_sso]
    }
    unset req_uri
}
AndreiPatergin_'s avatar
AndreiPatergin_
Icon for Nimbostratus rankNimbostratus
Jan 14, 2015
Hi, I'm trying to get the same results. I'm using version 11.6 with f5.microsoft_exchange_2010_2013_cas.v1.4.0. The goal is to modify an auto created irule via the iapp to have no authentication for EWS and autodiscover. (Lync 2013 does not support basic authentication when it tries to use EWS and autosiscover.) Do I simply remove the configs under the irule for EWS and autodiscover and add "ACCESS disable". Current configurations: "/ews*" { () Exchange Web Services. if { [HTTP::header exists "APM_session"] } { persist uie [HTTP::header "APM_session"] 7200 } else { persist source address_addr } pool /Common/Exchange_2013.app/Exchange_2013_oa_pool7 COMPRESS::disable CACHE::disable return } ===================================================== "/autodiscover*" { () Autodiscovery. No Persistence. pool /Common/Exchange_2013.app/Exchange_2013_ad_pool7 persist none return } ============================================================== Please advise!