Forum Discussion

Misty_Spillers_
Feb 14, 2013
Solved

Exchange iapp for multiple Exchange servers (different customers)

I'm on version 11.2.1 and using f5.microsoft_exchange_2010_cas.2012_06_08.

I created an "APM will provide secure remote access" iApp for one of our customers and it worked for the most part (where you define the AD server, it does not respect routing domains, but I'm not getting into that now as I can work around it).

I decided to create another one for a completely different customer, and when I did it messed up the redirection on the first customer even though I shared no configuration. I can provide a lot more details but wanted to see if this is a known issue before I do, as I really need to break the production customer and trace to page.

Steps taken:

1. Create first Exchange iApp (working).

2. Create second Exchange iApp (first one now does not auto-login and I am dumped at the logon page for OWA).

3. Delete second Exchange iApp (first one now gets a "page cannot be displayed" with clearly an incorrect redirect).

4. Create a duplicate of the first Exchange iApp (even though this is a different VS, now the first iApp is working properly).

Now I did this just to confirm the issue.

5. Delete duplicate Exchange iApp (back to "page cannot be displayed" on the original iApp).

6. Recreate the duplicate iApp (original working fine, and this is where I sit today).

ActiveSync was fine throughout all of this; it seems like purely a redirection/SSO issue. I have no idea if the second iApp ever worked.

Any ideas?

Thanks in advance,

Misty

 


20 Replies

  • mikeshimkus_111 (Historic F5 Account)

    I believe it should work with some post-configuration steps depending on what you are doing with APM, but it will take me a bit of time to investigate that.

    One issue I know of off the top of my head is the DNS server settings in the System menu. You can put multiple DNS servers in the list, but APM will only check the first one, and if no information is found at that server for the requested domain, it considers that a successful response and doesn't check any further down the list.

    So, if your APM policies use objects that need to do DNS lookups and you have multiple policies doing lookups against multiple DNS servers that don't know about each other, you are going to have problems with the policy that uses the 2nd DNS server on the list. An example of this is the AAA server object in v11.2 and earlier, which allows you to configure just an FQDN for the AAA server, which of course means that BIG-IP has to go look that IP up using DNS. In 11.3, the AAA server pool requires that you put in both a domain controller FQDN and IP address, so it doesn't need to rely on DNS anymore. It's a similar story for the Kerberos SSO, which relies on reverse DNS lookups to build a Kerberos ticket request. This can also be worked around in BIG-IP.

    I'll do a bit of work here and let you know how it goes. It may require an upgrade to v11.3; looks like you are on v11.2?

    Mike

     

  • I am on 11.2.1 HF5. An upgrade to 11.3 is planned soon.

    Our DNS is good; though it is different agencies, DNS is central and under our control. I have confirmed this through packet captures, and remember *only* the SSO on Outlook Web Access is broken. ActiveSync continued to run flawlessly.

    It looks like when you add the second iApp it garbles the URI of the first iApp's SSO. In fact, if you happen to know the correct URI and paste it in once you log in, webmail comes right up. It's really specific. I think you were on to something with your first posts, but I am not knowledgeable enough to fix it once the damage has been done (other than deleting and recreating).


  • mikeshimkus_111 (Historic F5 Account)

    Misty,

    This morning I successfully tested deploying two separate Exchange environments behind a single BIG-IP running APM. I can think of at least two features required by this solution that are only available in BIG-IP v11.3 and above, which are the AAA server pool and client-initiated forms SSO.

    You will also want to use the latest version of the iApp, RC3, which we expect to release in the next day or so. Can you send me a private message on DevCentral with your email contact info? I can let you know as soon as that RC has been declared.

    Mike
  • We're running LTM 11.2.0 HF7 and see a similar issue, except that we do not use APM. The client connections terminate directly on the LTM's virtual server.

    We have 2 sets of Exchange 2010 CAS servers in two separate RDs. One pair of CAS servers was deployed last year with the iApp f5.microsoft_exchange_2010_cas.2012_06_08 and had been working fine.

    Yesterday, we added a new instance to operate against a new pair of CAS servers in a different RD. The moment it's added, the older iApp stops working (ActiveSync, Outlook Anywhere and OWA). Each iApp uses one FQDN for all Exchange services, but they are different for each iApp instance.

    During the problem, it looks like the SNAT pool was not being correctly chosen and/or the RDs were not being honored. The older iApp's CAS servers (RD X) were seeing inbound connections from IPs belonging to the newer iApp's SNAT pool (RD Y).

    We've opened a case with F5 support.

    Mike - is there an updated iApp template you mentioned?

    Thanks.


  • mikeshimkus_111 (Historic F5 Account)

    speedbird,

    There is a new version of the iApp here: https://devcentral.f5.com/wiki/iApp.Microsoft-Exchange-2010-and-2013-iApp-Template.ashx

    However, I don't know that it will help with your issue. I'll do some searching as well, but Support should be able to tell you if this is a known issue. Please keep us posted.

    Mike
  • Mike,

    As suspected, our issue was the SNAT pool configuration. The iApp creates an iRule with the $Name chosen by us, but within the iRule, the array name still needs to be unique across the different iApps.

    For example:

    **********

    when RULE_INIT {
        # SNAT addresses for this iApp instance; "%816" is the route domain ID.
        # static:: names are shared by every iRule on the box, so this array
        # name has to be unique per iApp instance or the last rule loaded wins.
        set static::iAppFoo_snat_ips(0) 1.1.1.1%816
        set static::iAppFoo_snat_ips(1) 1.1.1.2%816
    }

    when CLIENT_ACCEPTED {
        # Pick a SNAT address by hashing the client IP across the array
        snat $static::iAppFoo_snat_ips([expr {[crc32 [IP::client_addr]] % [array size static::iAppFoo_snat_ips]}])
    }

    **********

    Maybe this could be enhanced in the next iApp version? For now, we've worked around the problem by manually renaming the values within the iRule.

    Thanks for your help.
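The collision speedbird describes, as an added example that is not code from the thread or from the F5 iApp: on BIG-IP, `static::` variables live in one global Tcl namespace shared by every iRule, and RULE_INIT runs for each rule when it is loaded, so two iApp instances whose generated SNAT iRules set the same `static::` array leave both virtual servers using whichever instance's addresses were written last. The script below parses a constructed tmsh-style dump of two such rules (the rule names, addresses and route-domain IDs are made up), lists every `static::` name assigned in more than one rule, simulates what the shared namespace holds after both rules load, and applies the rename workaround from the post. It goes a little beyond the post in that it flags any colliding `static::` name, not only the SNAT array.

```python
"""Find static:: variable collisions across iRules generated by different iApp instances.

Added example, not from the thread or the F5 iApp. Assumes the input looks like
`tmsh list ltm rule` output: "ltm rule /Partition/name {" opens a rule and a
closing brace at column 0 ends it.
"""
import re
from collections import defaultdict

# Constructed sample: two iApp instances ("custA" and "custB") whose generated
# SNAT iRules use the same static:: array name. The "%816" / "%817" suffixes are
# route domain IDs, as in the original post.
SAMPLE_CONFIG = """
ltm rule /Common/custA.app/custA_snat_irule {
    when RULE_INIT {
        set static::iAppFoo_snat_ips(0) 1.1.1.1%816
        set static::iAppFoo_snat_ips(1) 1.1.1.2%816
    }
    when CLIENT_ACCEPTED {
        snat $static::iAppFoo_snat_ips([expr {[crc32 [IP::client_addr]] % [array size static::iAppFoo_snat_ips]}])
    }
}
ltm rule /Common/custB.app/custB_snat_irule {
    when RULE_INIT {
        set static::iAppFoo_snat_ips(0) 2.2.2.1%817
        set static::iAppFoo_snat_ips(1) 2.2.2.2%817
    }
    when CLIENT_ACCEPTED {
        snat $static::iAppFoo_snat_ips([expr {[crc32 [IP::client_addr]] % [array size static::iAppFoo_snat_ips]}])
    }
}
"""

RULE_START = re.compile(r"^ltm rule (\S+) \{\s*$")
# "set static::NAME(INDEX) VALUE" or "set static::NAME VALUE"
STATIC_SET = re.compile(r"\bset\s+static::([A-Za-z0-9_]+)(?:\(([^)]*)\))?\s+(\S+)")


def parse_rules(config):
    """Return [(rule_name, [body lines])] in the order the rules appear (load order)."""
    rules, name, body = [], None, []
    for line in config.splitlines():
        start = RULE_START.match(line)
        if start:
            name, body = start.group(1), []
        elif name and line.rstrip() == "}":
            rules.append((name, body))
            name = None
        elif name:
            body.append(line)
    return rules


def static_assignments(config):
    """Every static:: assignment as (name, rule, index, value), in load order."""
    found = []
    for rule, body in parse_rules(config):
        for line in body:
            for m in STATIC_SET.finditer(line):
                found.append((m.group(1), rule, m.group(2), m.group(3)))
    return found


def find_collisions(config):
    """static:: names assigned by more than one rule -> sorted list of those rules."""
    owners = defaultdict(set)
    for name, rule, _idx, _val in static_assignments(config):
        owners[name].add(rule)
    return {n: sorted(r) for n, r in owners.items() if len(r) > 1}


def effective_values(config):
    """Simulate RULE_INIT on load: one shared namespace, last writer wins."""
    namespace = {}
    for name, _rule, idx, val in static_assignments(config):
        namespace[(name, idx)] = val
    return namespace


def make_unique(config):
    """The workaround from the post: prefix each rule's static:: names with the rule name."""
    out, prefix = [], None
    for line in config.splitlines():
        start = RULE_START.match(line)
        if start:
            # /Common/custA.app/custA_snat_irule -> custA_snat_irule
            prefix = re.sub(r"[^A-Za-z0-9_]", "_", start.group(1).rsplit("/", 1)[-1])
        elif line.rstrip() == "}":
            prefix = None
        elif prefix:
            line = re.sub(r"static::([A-Za-z0-9_]+)", f"static::{prefix}_\\1", line)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, rules in find_collisions(SAMPLE_CONFIG).items():
        print(f"static::{name} is set by {len(rules)} rules: {', '.join(rules)}")
    # custA's virtual server ends up SNATing from custB's route-domain addresses
    print("after load:", effective_values(SAMPLE_CONFIG))
    print("collisions after rename:", find_collisions(make_unique(SAMPLE_CONFIG)))
```

On a real unit, feed it the output of `tmsh list ltm rule` (assumed here to use the brace layout above) rather than the constructed sample; an empty result from `find_collisions` is the check that each iApp instance's RULE_INIT is writing its own array.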
  • I noticed that there were new iApp templates to download off askf5.com (1.0.0.61.0.zip) and in it was f5.microsoft_exchange_2010_2013_cas.v1.2.0.tmpl. I also noticed that there is an RC4 posted here: https://devcentral.f5.com/wiki/iApp.Microsoft-Exchange-2010-and-2013-iApp-Template.ashx

    Which is the better/newer one to use?

    Thanks for all your help; still using RC3 and it has fixed my issues.