Forum Discussion

Greg_112502
Jun 10, 2015

Exchange and APM

We migrated from Novell Groupwise to Exchange 2013 1.5yrs ago. At the time we employed the professional services teams of Microsoft and F5. MS was adamant that we deploy APM. We spent the money and installed APM on our BigIPs. F5 professional services showed up and spent an entire week here. They could not get APM working correctly. We spent the next 3 months or so talking to lots of folks at F5. Eventually we got APM in a working state. It worked ok for about a year. A couple of months ago we had an issue where APM stopped authenticating. Contacted F5 and they worked for hours on the issue. Finally it was determined that I needed to turn on the OneConnect profile and the NTLM profile. I explained to the engineer that those profiles had been turned off since they fixed the APM problem originally. I turned them on and poof, just like magic everyone could authenticate again. Ever since then we've been having random disconnects from Exchange. After some trial and error we figured out that if you switched from using your email to using your UPN (ad/username) it would let them authenticate, and vice versa. We also found out that sometimes killing their session on the F5 would allow them to authenticate again. Has anyone else run into this issue? If so, what was your solution, and was it an F5 issue or an Exchange issue? At this point I'm ready to just turn off APM. It has been nothing but a headache!


5 Replies

  • which version of BIGIP are you running? Are you using an iApp for the Exchange configuration? if yes, which version of the iApp template?
  • 11.6 HF4 and yes, we used the template at first, but so much has been changed that it doesn't even matter anymore...
  • mikeshimkus_111 (Historic F5 Account)
    If this was working OK for a year, what changed to make things stop working? Was there a BIG-IP upgrade, Exchange CU, APM policy change, etc? The iApp is designed around the most basic, common use cases, but implementing the necessary customizations shouldn't be that problematic.
  • Again, nothing had changed. Nobody had even logged into the F5 in over a week when it decided to stop doing any authentications a couple of months ago. Putting the OneConnect profile back fixed that issue. Since then we've had the random disconnects and unable to login.
  • I haven't observed these problems with APM and Exchange 2013 personally, but here are some questions that might help us help you:
    1. How many Windows domains are you dealing with? Just one, or more than one?
    2. On your policy, if you look in the Visual Policy Editor, can you check the logon page settings for your OWA branch? Within the logon page object, there is a "split username from domain" option near the top. I find that that should generally be set to true, but if it isn't, that can cause issues where "username" behaves differently than "domain\username", which I think you said was one of your issues.
    3. With regards to OneConnect/NTLM, I'm really surprised that was recommended to fix your issue. That's generally a performance-boosting feature, not one that should ever fix things. Not using those is typically the simpler, albeit less performant, configuration, so not having them is usually more reliable (unless you are possibly using an iRule that turns OneConnect on and off, which some F5-provided iRules may do; in that case you would certainly want a profile so that the iRule works). All that aside, when it comes to random disconnects, how long of a time period are you seeing? Are people leaving OWA open for hours or days and then it disconnects?
    4. You mentioned you sometimes have to kill a user's APM session. What are the symptoms you see when you have to do that?
    5. What changes have been done recently to your device or your environment? There must have been some, because you stated that you are on 11.6 HF4, and that has only been out since March, so you must have done at least some upgrades in the last year and a half, and I'd be curious when they happened and if they correspond to your issues. Also, external changes to AD servers could also cause issues. Most people only enter one or two into their AAA Active Directory server object that they authenticate against, so if one of them is changed or having a problem it can cause these kinds of issues.
    6. 11.6 HF4 itself may be part of the issue. In my experience it's still a pretty buggy branch of code that is very bleeding edge. 11.5.3 is the most recent truly stable branch at this point. So it is possible you may be hitting a bug in the software as well, but it would be impossible to say for sure at this point.
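The point behind question 2 above (why a logon typed as "user", "DOMAIN\user" or "user@domain" can behave as three different identities unless the logon page splits the domain off first) is easier to see in code. The following is an added illustration written for this page, not F5 APM's own implementation or any code from the thread's participants: it normalises the three logon forms to one canonical (domain, username) pair so that sessions and authentication lookups key on the same value regardless of how the user typed the name. The default NetBIOS domain `CORP`, the UPN-suffix map and the sample names are constructed assumptions; a real deployment would take them from Active Directory.

```python
# Added illustration (not F5 code): canonicalise the logon-name forms an
# Exchange/OWA logon page may receive, the way a "split username from
# domain" style option is meant to, so that "user", "DOMAIN\user" and
# "user@corp.example" all resolve to the same (domain, username) pair.
from dataclasses import dataclass

# Constructed sample data: a hypothetical default NetBIOS domain and a
# UPN-suffix-to-NetBIOS map that a real deployment would take from AD.
DEFAULT_DOMAIN = "CORP"
UPN_SUFFIX_TO_NETBIOS = {"corp.example": "CORP", "sub.corp.example": "SUB"}


@dataclass(frozen=True)
class LogonIdentity:
    domain: str
    username: str

    @property
    def sam(self) -> str:
        # DOMAIN\username, the form most directory lookups and session
        # stores index on.
        return f"{self.domain}\\{self.username}"


def split_logon_name(raw: str, default_domain: str = DEFAULT_DOMAIN) -> LogonIdentity:
    """Split a logon string into a canonical (DOMAIN, username) pair.

    Accepts:
      - bare "user"        -> default domain is assumed
      - "DOMAIN\\user"      -> NetBIOS form
      - "user@upn.suffix"  -> UPN form, suffix mapped to NetBIOS
    The domain is upper-cased and the username lower-cased so the same
    person written three ways compares equal (AD matches case-insensitively).
    """
    value = raw.strip()
    if not value:
        raise ValueError("empty logon name")
    if "\\" in value and "@" in value:
        # Refuse mixed forms rather than guessing which part is the domain.
        raise ValueError(f"ambiguous logon name: {raw!r}")
    if "\\" in value:
        domain, _, user = value.partition("\\")
    elif "@" in value:
        user, _, suffix = value.rpartition("@")
        try:
            domain = UPN_SUFFIX_TO_NETBIOS[suffix.lower()]
        except KeyError:
            raise ValueError(f"unknown UPN suffix: {suffix!r}") from None
    else:
        domain, user = default_domain, value
    if not domain or not user:
        raise ValueError(f"malformed logon name: {raw!r}")
    return LogonIdentity(domain.upper(), user.lower())


def same_principal(a: str, b: str) -> bool:
    """True when two differently written logon names denote the same account."""
    return split_logon_name(a) == split_logon_name(b)


def session_key(raw: str) -> str:
    """Canonical key under which a session store should index the user.

    Keying on the raw string instead would let a stale session filed under
    one spelling coexist with, or shadow, a fresh logon under another.
    """
    return split_logon_name(raw).sam


if __name__ == "__main__":
    for name in ("jdoe", "CORP\\JDoe", "jdoe@corp.example", "jdoe@sub.corp.example"):
        print(f"{name:24} -> {session_key(name)}")
```

Without the split step, "jdoe" and "jdoe@corp.example" are simply two different strings, which matches the symptom of one form authenticating while the other does not until the existing session is removed; with it, both map to the same `CORP\jdoe` key.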