Forum Discussion

rich1977_120837's avatar
rich1977_120837
Icon for Nimbostratus rankNimbostratus
Oct 02, 2013

Issues with Exchange 2013 owa

I've got the Big IP F5 virtual load balancer set up in my exchange 2013 lab getting ready for our migration in a few months and am having an issue. I've got an exchange 2007 environment set up to mimic what we have in production with multiple cas servers behind a VIP. Everything works fine. I've also got our exchange 2013 lab environment set up to run in coexistence with multiple CAS servers behind another VIP. If I log in a test account into exchange 2013 owa (through the VIP) that is an exchange 2007 mailbox, it redirects to the legacy owa (not using APM but letting exchange handle the redirection)and they can log in and get to their legacy mailbox. If I move that same users mailbox to exchange 2013 and then have them log in to owa it does nothing. Just acts like its about to load something then takes you right back to logon screen. If I open the account in outlook its fine. If I bypass the F5 and go to owa directly off one of the CAS servers then its fine, logs them right into owa mail. I've got the latest Exch 2013 template and have re-done it multiple times with different settings but nothing seems to change. My cert is valid but even not using ssl still the same thing. I'm kind of stuck here and I dont have a solid background with F5 BigIP so any help in troubleshooting this is greatly appreciated. Thank you.

 

BIG-IP Access Policy Manager (APM)
deployment
design
devops
iApps
microsoft
security

25 Replies

Sort By
Show More
  • Perry_70844's avatar
    Perry_70844
    Icon for Nimbostratus rankNimbostratus
    Oct 01, 2015

    I would like to 2nd Hygor's solution of enabling SSL persistence. It seems to have worked in my environment as well to resolve the symptom of OWA re-prompting users when there is more than one member in the server pool.

     

  • ErikM's avatar
    ErikM
    Icon for Altocumulus rankAltocumulus
    Oct 02, 2015

    Hi Perry, good to hear it's working. But the fact is that for Exchange 2013 it should be working fine without any persistence:

    (Source: Technet)

    Load Balancing

    Unlike previous versions of Exchange, Exchange 2013 no longer requires session affinity at the load balancing layer.

    To understand this statement better, and see how this impacts your designs, we need to look at how CAS2013 functions. From a protocol perspective, the following will happen:

    1. A client resolves the namespace to a load balanced virtual IP address.
2. The load balancer assigns the session to a CAS member in the load balanced pool.
3. CAS authenticates the request and performs a service discovery by accessing Active Directory to retrieve the following information:
    Mailbox version (for this discussion, we will assume an Exchange 2013 mailbox)
    Mailbox location information (e.g., database information, ExternalURL values, etc.)
4. CAS makes a decision on whether to proxy the request or redirect the request to another CAS infrastructure (within the same forest).
5. CAS queries an Active Manager instance that is responsible for the database to determine which Mailbox server is hosting the active copy.
6. CAS proxies the request to the Mailbox server hosting the active copy.

    Another handy article about this is on Kemp's website: https://kemptechnologies.com/white-papers/what-know-about-exchange-2013-and-Load-Balancing/

    That is why we changed from different per-CAS-server self-signed certificates (like in Exchange 2010) to one and the same SAN certificate on all CAS servers, containing the names of all CAS servers and the used URLs. This makes changing to another CAS server possible, and it solved our problem with rebuilding connections between LTM and CAS, and thus producing re-appearing logon screens.

  • Perry_70844's avatar
    Perry_70844
    Icon for Nimbostratus rankNimbostratus
    Oct 02, 2015

    Erik:

     

    Thanks for the response. I'm glad there is no need to enable persistence once the correct certificates are reissued.

     

  • Perry_70844's avatar
    Perry_70844
    Icon for Nimbostratus rankNimbostratus
    Nov 10, 2015

    Erik:

     

    To follow up, the solution of putting the same cert on all CAS members worked. I no longer have to use persistence.

     

    The only question I have is whether it's necessary to put the DNS name of each individual CAS server in the Cert SAN name list?

     

    What would happen if you just used the exchange service names:

     

    DNS Name=webmail.xyz.nl DNS Name=autodiscover.xyz.nl DNS Name=imap.xyz.nl DNS Name=pop.xyz.nl

     

    And leave off all of these?:

     

    DNS Name=CAS-server1.xyz.nl DNS Name=CAS-server2.xyz.nl DNS Name=CAS-server3.xyz.nl DNS Name=CAS-server4.xyz.nl DNS Name=CAS-server5.xyz.nl DNS Name=CAS-server6.xyz.nl DNS Name=CAS-server7.xyz.nl DNS Name=CAS-server8.xyz.nl DNS Name=CAS-server9.xyz.nl

     

    When does Exchange reference the CAS server name directly instead of the typical URLS that a user references when connecting to Exchange? After reviewing documentation, I'm not certain that it's required but I would like to hear feedback from Erik and anyone else who might be reading this.

     

    thanks,

     

    Perry