Microsoft Exchange 2010 and 2013 iApp Template

Problem this snippet solves:

Use the Exchange 2010/2013 template to provide additional security, performance, and availability for Exchange Server 2010 and Exchange Server 2013 Client Access Servers. When configured with the iApp template, the BIG-IP system will perform as a reverse proxy for Exchange CAS servers, and can also perform functions such as load balancing, compression, encryption, caching, and pre-authentication. You can now use BIG-IP Advanced Firewall Manager (AFM) for an additional layer of security.

If you are using Exchange 2016, see the Exchange 2016 page.

v1.5.1: fully supported

This version of this iApp template is found on downloads.f5.com in the iApp templates package, and contains the features and fixes found in 1.5.0rc1 and rc2. Use the following link to access the associated Exchange 2010/2013 deployment guide, which includes detailed information on finding and downloading the new iApp template. There were no new features added in this maintenance release.

Issues resolved

  • The caching and compression profiles and iRule are no longer incorrectly assigned in the separate virtual server deployment scenario.
  • Corrected an issue where the default TCP profile idle timeout could reduce battery life in mobile devices that use the ActiveSync protocol.
  • The iApp now correctly suppresses output in external monitors. Previously an unavailable service could have been marked available by the BIG-IP system.
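
The external monitor fix matters because BIG-IP treats any bytes an external monitor script writes to stdout as "available" and an empty stdout as "unavailable". The sketch below is an added example, not the iApp's own monitor script: `fake_probe` is a constructed stand-in for the real health request, and `bigip_verdict` is a hypothetical helper that emulates how BIG-IP reads the script's output.

```shell
#!/bin/bash
# Added illustration; not the iApp's monitor script.
# BIG-IP external monitor rule: any bytes on stdout => member marked up;
# empty stdout => member marked down.

# Constructed stand-in for a protocol probe (a real script would call an
# HTTP client). Like a real client, it prints the response it received,
# even when that response is an error.
fake_probe() {   # $1 = "healthy" or anything else
    if [ "$1" = "healthy" ]; then
        echo "HTTP/1.1 200 OK"
        return 0
    fi
    echo "HTTP/1.1 503 Service Unavailable"
    return 1
}

# Flawed pattern: probe output reaches stdout, so even the error response
# counts as output and the unavailable member is marked up.
monitor_leaky() {
    fake_probe "$1"
}

# Corrected pattern: discard everything the probe prints, decide on its
# exit status, and write to stdout only on success.
monitor_quiet() {
    if fake_probe "$1" >/dev/null 2>&1; then
        echo "UP"
    fi
}

# Hypothetical helper emulating BIG-IP's interpretation of one monitor run.
bigip_verdict() {   # $1 = monitor function name, $2 = backend state
    local out
    out=$("$1" "$2") || true
    if [ -n "$out" ]; then echo "up"; else echo "down"; fi
}

for m in monitor_leaky monitor_quiet; do
    for state in healthy unavailable; do
        printf '%-14s %-12s -> %s\n' "$m" "$state" "$(bigip_verdict "$m" "$state")"
    done
done
```

When reviewing a custom external monitor, check that every command in it has stdout and stderr redirected and that the only unconditional-looking `echo` sits inside the success branch.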

Known Issues:

  • If upgrading to this version of the iApp template from an iApp version prior to v1.2.0, you must carefully review all settings before submitting the template.

    For example, if you had configured the original template for SSL bridging, after upgrading this setting defaults back to SSL offload, and you must change it.

v1.5.0: fully supported

This version of this iApp template is now found on downloads.f5.com in the iApp templates package, and contains the features and fixes found in 1.5.0rc1 and rc2. Use the following link to access the associated Exchange 2010/2013 deployment guide, which includes detailed information on finding and downloading the new iApp template.

v1.5.0rc2

F5 Networks has released v1.5.0rc2 of the Exchange template. Version 1.5.0rc2 contains the following changes to version 1.5.0rc1:

  • Fixed an issue with errors caused by special characters in the APM delegation account password.
  • Updated the persistence iRule(s) to check for the existence of the Authorization header prior to persisting on the header value.

v1.5.0rc1

F5 Networks has released v1.5.0rc1 of the Exchange template. Version 1.5.0rc1 contains the following changes to version 1.4.0:

  • Added support for the Advanced Firewall Manager (AFM) module.
  • Added support for changing account passwords from the OWA logon screen.
  • Removed the option to choose a pre-existing direct AAA server object.
  • Corrected an issue in the APM configuration where OWA logon options were not always honored.
  • Corrected an issue in the APM configuration where a required iRule was not created when deploying in APM-only mode.

v1.4.0rc3

F5 Networks has released v1.4.0rc3 of the Exchange template. Version 1.4.0rc3 contains the following changes to version 1.4.0rc2:

  • Corrected an issue in the LDAP health monitor user name field if you chose to use BIG-IP APM and chose to create a new LDAP monitor. The correct user name is now included.
  • Corrected an issue for Exchange 2013 in the BIG-IP APM forms-based SSO Configuration object, which was trying to use the sessionid cookie. This cookie is present in 2010, but not in 2013. The correct SSO Configuration is now created.

v1.4.0rc2

F5 Networks has released v1.4.0rc2 of the Exchange template. Version 1.4.0rc2 contains the following changes to version 1.4.0rc1:

  • The option/question for restricting EAC access by IP address or network with BIG-IP LTM is no longer available in 1.4.0rc2, as it did not function reliably. The option to have BIG-IP APM restrict EAC access to members of the Exchange Organization Management Security Group is still available.
  • The iApp now contains the configuration for using Exchange 2010 and RPC Client Access. Previously this was a manual workaround in the deployment guide.
  • Added support for BIG-IP version 11.6.

v1.4.0rc1

F5 Networks has released v1.4.0rc1 of the Exchange template. Introduced in version 1.4.0rc1 are the following features:

  • The iApp now includes support for smart card authentication for OWA
  • Added the option to recreate the OWA public/private computer and light version choices on the BIG-IP APM logon page

Issues Resolved:

  • Modified the persistence profile and combined persistence iRule to prevent connection clumping
  • Disabled Nagle's algorithm on template-created WAN profiles

How to use this snippet:

If the latest release of this iApp template is on downloads.f5.com, use the link below for instructions on how to download and use the template. If the latest release is a release candidate, you can download it directly and import it onto the BIG-IP system.

Code :

https://support.f5.com/kb/en-us/solutions/public/13000/400/sol13497.html
Published Mar 10, 2015
Version 1.0

6 Comments

  • Also want to ask same question as "Sebastian Maniak": "where can i download rc2? it's not on the downloads.f5 site" ? Thanks.
  • Sorry for the confusion, the fully supported version of 1.5.0 is on downloads.f5.com. This contains the latest updates, and replaces both release candidates: 1.5.0rc1 and 1.5.0.rc2.
  • Sorry but the one from downloads.f5.com only has rc1 Version: f5.microsoft_exchange_2010_2013_cas.v1.5.0rc1 Last modified: April 2015 iApp requires: BIG-IP version 11.3 - 11.6 " there are some issues with the persistence
  • Appreciate the iapp very much! But would like to see a little more flexibility so it can be used in more situations.

    • Separate out the services. Instead of only 2 options, 1 to use the same IP for all services the other using a separate for each service, provide options for each service to IP. There are likely many people that would like to separate out ActiveSync but keep the other Exchange services all on one IP.
    • For the Outlook forms, again separate it out for each. Allow an option to use the Public/Private form a separate option to use the Light version form.

    I realize this is more to maintain for F5, but since your strong recommendation is to use the iApp this will allow more to follow that.


  • Fred - nicely done here.

    Need to pick your brain on this please kind sir!

    We use this on our system for 6K mailboxes with 4 Exch2010 nodes in the backend. Strange problem came up the other day and below is the workaround I've found but do need a solution if you can explain what I'm missing please?

    Symptom

    Outlook (any version) is randomly prompting a few arbitrary users for Windows credentials.

    Reproduction of issue & workaround

    • Outlook user using Outlook Anywhere is disconnected [for whatever reason, e.g. Hibernate, no network, etc].
    • Next time they connect, Outlook prompts for credentials; not every time though - happens randomly.
    • Searching APM logs for the user's AD username shows '...username@domainsuffix...WRONG PASSWORD...'
    • We know the password is valid because said user can then login on another machine (i.e. not their usual machine) and authenticate just fine through Outlook.
    • Any other user can log in to Windows on the affected user's usual machine and authenticate just fine through Outlook.
    • Delete the affected user's Windows profile on their usual machine and then create a new Windows profile on it.
    • Affected user can now login and authenticate just fine through Outlook.

    Sledgehammer I know, but it works.

    Questions

    1. Why does it work?
    2. What file can I delete to prevent having to delete the whole Windows profile?
    3. What's gone pearshaped with APM that's causing this?

    Bit of historical context for you sir...

    The last time this happened, we bounced the passive BIG-IP, then switched over to it - all good, and then bounced the active, then switched back - all good. F5 support had no explanation for why that resolved the symptoms.