Exchange 2013 iApp v1.3.0 - No response to CAS when accessing Autodiscovery VS
We have recently deployed Exchange 2013 using the 1.3.0 iApp. Initial testing indicated all was functioning as expected until the Exchange admins attempted to create/access a new mailbox via OWA. The initial authentication/connection to OWA functions as expected, but it appears when the CAS attempts to connect to the Autodiscovery VS no reply is received. No similar issue is observed with connections directly from devices on the "client" side of the LTM to the Autodiscovery VS.
A few basic details which might bypass the usual first round of questions:
vCMP running BIG-IP v11.4.1 (Build 608.0) with the following Resource Provisioning:
- MGMT - Small
- CGNAT - Disabled (Unlicensed)
- LTM - Nominal
- All Others - None
As such, APM should be uninvolved.
The iApp was deployed in a multi-VS mode for OWA, OA/EWS/OAB, ActiveSync, Autodiscover and POP3 to load-balance and optimize CAS traffic with the following basic details:
- SSL Bridging - No issues have arisen indicating certificate problems. The same certs are installed on each CAS and the LTM.
- Different subnet for BIG-IP virtual servers and Client Access Servers
- Client Access Servers use the BIG-IP as their default gateway
- Use different IP addresses for the different services
- Each service will be handled by a unique set of Client Access Servers (even though it is actually the same set of 16 servers providing all services)
- Using Simple monitors
With the exception of POP3 (which has not yet been turned up), all monitors appear to be functioning as expected - all related nodes and pool members report a green "Available" status.
My initial suspicion is SNAT will be needed (which rather obfuscates the desire to maintain accurate client connection logs) in a "VIP Bounceback" (yes, I have been supporting BIG-IPs since the v4.x days) type of configuration (since the "client" for the secondary/back-end connection is on the same "side" of the LTM as the "server"), but I hesitate to just start changing such things without a level of confidence it will resolve the issue (and not significantly disrupt production traffic).
Thanks in advance for any suggested next-steps.
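
The return path suspected in the post above, modelled as an added example that is not part of the original post or of the iApp: it traces a connection to the virtual server from an outside client and from a CAS on the pool members' own subnet, with and without SNAT. All addresses are constructed documentation ranges, and the `server_subnet` policy (SNAT only for same-side sources, so outside client addresses still reach the CAS logs) is a hypothetical option for illustration.

```python
import ipaddress

# Constructed sample addressing (documentation ranges, not from the post)
CAS_NET = ipaddress.ip_network("192.0.2.0/24")   # CAS subnet
SELF_IP = "192.0.2.1"      # BIG-IP self IP, the CAS default gateway
VIP = "198.51.100.10"      # Autodiscover virtual server
MEMBER = "192.0.2.22"      # CAS chosen as pool member

def needs_snat(client, policy):
    """policy: 'none', 'all', or 'server_subnet' (SNAT only same-side clients)."""
    if policy == "all":
        return True
    return policy == "server_subnet" and ipaddress.ip_address(client) in CAS_NET

def trace(client, policy):
    """Model one connection client -> VIP -> MEMBER and the reply path."""
    logged_src = SELF_IP if needs_snat(client, policy) else client
    # The member answers whatever source it saw. An on-link destination is
    # reached directly at layer 2; anything else goes to the default gateway.
    on_link = ipaddress.ip_address(logged_src) in CAS_NET
    via_bigip = (logged_src == SELF_IP) or not on_link
    # Only the BIG-IP rewrites the reply source from MEMBER back to VIP.
    reply_src = VIP if via_bigip else MEMBER
    return {
        "logged_src": logged_src,            # what the CAS logs record
        "reply_via_bigip": via_bigip,
        "reply_src": reply_src,
        "client_accepts": reply_src == VIP,  # client opened its socket to VIP
    }

if __name__ == "__main__":
    for client in ("203.0.113.50", "192.0.2.21"):  # outside client, then a CAS
        for policy in ("none", "all", "server_subnet"):
            print(client, policy, trace(client, policy))
```

With no SNAT, only the same-subnet source fails: the member replies to it directly, the reply arrives from the member's address instead of the virtual server's, and the originating CAS has no matching connection for it.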