Forum Discussion

Mark_II
Feb 09, 2015

Enterprise Vault with Exchange 2007 LTM+APM

Hi,

 

We are currently implementing Exchange 2007 with Symantec Enterprise Vault. I've managed to get everything working except for the following:

 

Enterprise Vault via the Outlook plugin, without having to re-enter the username and password on the OWA page that is displayed inside the plugin.

 

Just to elaborate on the iRules.

 

To redirect the traffic to Enterprise Vault we have added this to the iRule:

 

"/enterprisevault*" {
    pool /Common/EV_POOL
    # return must be the last statement in the arm; anything after it never runs
    COMPRESS::disable
    CACHE::disable
    return
}

 

To disable the APM "session under evaluation" error (MRHSession), we use the iRule below.

 

when HTTP_REQUEST {
    # Only act when the client presents an MRHSession cookie that does not
    # map to a session in the "allowed" state (i.e. still under evaluation).
    if { ( [HTTP::cookie exists MRHSession] ) and not ( [ACCESS::session exists -state_allow [HTTP::cookie value MRHSession]] ) } {
        # Send the client back to its landing URI, unless it is already there
        # or no landing URI was recorded for the session.
        if { ( [HTTP::uri] ne [ACCESS::session data get session.server.landinguri] ) and not ( [ACCESS::session data get session.server.landinguri] eq "" ) } {
            HTTP::redirect [ACCESS::session data get session.server.landinguri]
        }
    }
}

 

When a user is within an OWA session in a web browser and changes the URI to /enterprisevault, there are no problems. The user gets redirected to EV_POOL and Enterprise Vault also works well in the web browser.

 

With the Outlook client: when a user types in his username and password for Outlook Anywhere, everything works. Only when the user clicks on the Enterprise Vault plugin is there a problem. The user used to get the error message "APM Session Currently under Evaluation". To get rid of this error we used the MRHSession iRule. However, now an OWA page is displayed within the plugin where the user has to re-enter the username and password to access Enterprise Vault.

 

This is a TMG replacement project. It works without reauthentication on TMG. Can we get this working without having to re-authenticate?

 

P.S.: The OWA page is customized on APM.

 

Has anyone got Enterprise Vault working via APM? All DevCentral articles are for LTM only.

 

6 Replies

  • mikeshimkus_111
    Historic F5 Account

    Hi Mark, to disable APM you'd want to use ACCESS::disable in your iRule. However, it sounds like you want to use SSO for requests from Outlook to Enterprise Vault instead, correct? That would avoid poking a hole in your APM deployment.

    You may be able to get away with simply invoking the forms SSO for those requests. For example, try modifying the "_select_sso" iRule to include that URI. It's possible you may need to adjust the forms SSO object a bit as well to make this work (I've no way to test it here):

    when ACCESS_ACL_ALLOWED {
        # Pick the Exchange forms-based SSO object for the OWA logon form
        # and (added here) for Enterprise Vault requests.
        set req_uri [string tolower [HTTP::uri]]
        if { $req_uri contains "/owa/auth" || $req_uri contains "/enterprisevault" } {
            WEBSSO::select [set foo /Common/exchange.app/exch_form_basedv2_sso]
        }
        unset req_uri
    }
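
The other route mentioned above, ACCESS::disable, as an added example (this is not Mike's code, the iApp's, or Symantec's). It bypasses the access policy for the Enterprise Vault path, which is the "hole" the reply warns about: APM then does no SSO for those requests, so Enterprise Vault has to authenticate the client itself, and because the policy is skipped the ACCESS_ACL_ALLOWED event (where the iApp's combined rule picks pools) never fires for them, so the pool has to be chosen here. The path prefix, pool name and the extra "only bypass when an allowed APM session already exists" check are assumptions for illustration:

```tcl
# Added example, not from the thread: scope ACCESS::disable to the
# Enterprise Vault path only. Assumptions: path prefix /enterprisevault,
# pool /Common/EV_POOL, and that the client already holds an APM session.
when HTTP_REQUEST {
    if { [string tolower [HTTP::path]] starts_with "/enterprisevault" } {
        # Hardening over a bare ACCESS::disable: only skip the policy for a
        # client whose MRHSession cookie maps to a session in the allowed
        # state. Anyone else still goes through the access policy (and the
        # OWA logon form) instead of reaching the EV pool unauthenticated.
        if { [HTTP::cookie exists "MRHSession"] && [ACCESS::session exists -state_allow [HTTP::cookie value "MRHSession"]] } {
            ACCESS::disable
            # ACCESS_ACL_ALLOWED will not fire for this request, so select
            # the pool here; keep the compression/caching settings the
            # thread uses for EV traffic.
            pool /Common/EV_POOL
            COMPRESS::disable
            CACHE::disable
        }
    }
}
```

Expect Enterprise Vault to issue its own WWW-Authenticate challenge on this path (the NTLM prompt the thread goes on to describe), since nothing is injecting credentials for it once APM is out of the way; that is the trade the SSO approach avoids.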
    
  • Hi Mike,

    After adding this to the SSO iRule, we keep getting NTLM popups, and for every email under archive we click we get the NTLM popup.

    Below is a sample screenshot.

    All iRules assigned:

    1) MS_Exchange_2007_owa_redirect_irule7

    when HTTP_REQUEST {
        if { ([HTTP::uri] == "/") } {
            HTTP::redirect https://[HTTP::host]/owa/
        }
    }

    2) MS_Exchange_2007_login_timeout

    when RULE_INIT {
        # Expired cookies used to clear OWA's own session cookies on logoff
        set static::cookie_sessionid [format "sessionid=null; path=/; Expires=Thurs, 01-Jan-1970 00:00:00 GMT;"]
        set static::cookie_cadata [format "cadata=null; path=/; Expires=Thurs, 01-Jan-1970 00:00:00 GMT;"]
    }

    when ACCESS_SESSION_STARTED {
        if { [string tolower [HTTP::uri]] contains "ua=0" } {
            ACCESS::session remove
        }
    }

    when ACCESS_ACL_ALLOWED {
        set apm_mrhsession [HTTP::cookie value "MRHSession"]
        if { [table lookup $apm_mrhsession] == "EXCHANGE_LOGOUT" } {
            ACCESS::session remove
            table delete $apm_mrhsession
        }
    }

    when HTTP_REQUEST {
        set isset 0
        if { [string tolower [HTTP::uri]] starts_with "/owa" } {
            if { [string tolower [HTTP::uri]] contains "logoff" } {
                ACCESS::session remove
                HTTP::respond 302 Location "https://[HTTP::host]/vdesk/hangup.php3" "Set-Cookie" $static::cookie_sessionid "Set-Cookie" $static::cookie_cadata
            } else {
                if { [string tolower [HTTP::uri]] contains "ua=0" } {
                    set mrhsession [HTTP::cookie value "MRHSession"]
                    set isset 1
                }
            }
        }
    }

    when HTTP_RESPONSE {
        if { $isset == 1 } {
            # OWA answers 440 when its own session has timed out; mark the
            # APM session so the next allowed request tears it down
            if { $mrhsession != "" && [HTTP::status] == 440 } {
                table set $apm_mrhsession "EXCHANGE_LOGOUT"
                return
            }
        }
    }

    3) MS_Exchange_2007_apm_combined_pool_irule7

    when ACCESS_ACL_ALLOWED {
        set sessionid [ACCESS::session data get "session.user.sessionid"]
        switch -glob -- [string tolower [HTTP::path]] {
            "/microsoft-server-activesync" {
                pool /Common/MS_Exchange_2007.app/MS_Exchange_2007_as_pool7
                persist uie $sessionid 7200
                COMPRESS::disable
                CACHE::disable
                return
            }
            "/owa" {
                pool /Common/MS_Exchange_2007.app/MS_Exchange_2007_owa_pool7
                persist uie $sessionid 7200
                return
            }
            "/ews*" {
                pool /Common/MS_Exchange_2007.app/MS_Exchange_2007_oa_pool7
                persist uie $sessionid 7200
                COMPRESS::disable
                CACHE::disable
                return
            }
            "/ecp*" {
                pool /Common/MS_Exchange_2007.app/MS_Exchange_2007_owa_pool7
                persist uie $sessionid 7200
                return
            }
            "/oab*" {
                pool /Common/MS_Exchange_2007.app/MS_Exchange_2007_oa_pool7
                persist none
                return
            }
            "/rpc/rpcproxy.dll*" {
                pool /Common/MS_Exchange_2007.app/MS_Exchange_2007_oa_pool7
                COMPRESS::disable
                CACHE::disable
                persist uie $sessionid 7200
                return
            }
            "/autodiscover*" {
                pool /Common/MS_Exchange_2007.app/MS_Exchange_2007_ad_pool7
                persist none
                return
            }
            "/enterprisevault*" {
                pool /Common/EV_POOL
                # return must come last; the disables were after it originally
                # and so never executed
                COMPRESS::disable
                CACHE::disable
                return
            }
            default {
                # This final section takes all traffic that has not otherwise
                # been accounted for and sends it to the pool for Outlook Web
                # App
                pool /Common/MS_Exchange_2007.app/MS_Exchange_2007_owa_pool7
                persist uie $sessionid 7200
            }
        }
    }

    when HTTP_RESPONSE {
        # Keep Negotiate/NTLM-authenticated connections pinned to one
        # client: no OneConnect reuse or detach, and no NTLM offload
        if { [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate" } {
            ONECONNECT::reuse disable
            ONECONNECT::detach disable
            NTLM::disable
        }
        if { [HTTP::header exists "Transfer-Encoding"] } {
            HTTP::payload rechunk
        }
    }

    4) MS_Exchange_2007_select_sso_irule7

    when ACCESS_ACL_ALLOWED {
        set req_uri [string tolower [HTTP::uri]]
        if { $req_uri contains "/owa/auth" } {
            WEBSSO::select [set foo /Common/MS_Exchange_2007.app/exch_form_basedv2_sso]
        }
        unset req_uri
    }

    5) MRHSession

    when HTTP_REQUEST {
        if { ( [HTTP::cookie exists MRHSession] ) and not ( [ACCESS::session exists -state_allow [HTTP::cookie value MRHSession]] ) } {
            if { ( [HTTP::uri] ne [ACCESS::session data get session.server.landinguri] ) and not ( [ACCESS::session data get session.server.landinguri] eq "" ) } {
                HTTP::redirect [ACCESS::session data get session.server.landinguri]
            }
        }
    }

  • When a user types https://webmail.xyz.com/enterprisevault (via F5 or TMG), the OWA page appears and then Enterprise Vault.

    I was going through the APM session and thought I would give the iRule below a shot.

    We got it working using the rule below on Outlook 2010 clients, with a few delayed reconnection issues. However, on Outlook 2013 we get page not found.

    when HTTP_REQUEST {
        switch -glob [HTTP::uri] {
            "/enterprisevault*" {
                # Route to the EV pool unless the User-Agent identifies the
                # Enterprise Vault add-in (the negation is parenthesised so it
                # applies to the whole comparison, not to the header value)
                if { not ([string tolower [HTTP::header "User-Agent"]] contains "enterprisevault") } {
                    pool EV_POOL
                }
            }
        }
    }

    Is there a way to get this iRule into MS_Exchange_2007_apm_combined_pool_irule7?

    Also, when users connect via the Outlook client an NTLM authentication popup appears (which is normal) after the user enters the username and password.

    a) We can see a session on APM as connected with the user ID.

    However, the user has to repeat this by closing and re-opening the Outlook client 2-3 times to get connected to Exchange.

    1) In the ASM logs (ASM is currently in transparent mode) I can only see the RPC URI / rpc.dll being requested.

    2) In the APM session details the User-Agent was MSRPC.

    I also noticed that when the user was connecting via Outlook 2013 we got the header below in the APM session details:

    2015-02-10 15:42:27 Received User-Agent header: Microsoft%20BITS%2f7.7.

    Can we also modify the iRule to redirect based on User-Agent? Do you think this would help? Is there an integration guide for Symantec Enterprise Vault with F5 (LTM/APM/ASM)?

    Also, please note we are using the Exchange 2010 iApp on Exchange 2007 with modifications on APM.
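
Before merging the User-Agent rule into the iApp's combined rule, it helps to see exactly which requests on the Enterprise Vault path reach which event, what client sent them, and who answered (APM or Enterprise Vault). The troubleshooting iRule below is an added example, not from this thread, the iApp or Symantec. It changes no routing, so it can be attached as a separate rule alongside the others; the path prefix is the one used in this thread, the "EVDBG" log tag is an arbitrary string for grepping /var/log/ltm, and the `session.logon.last.username` variable is the standard APM one:

```tcl
# Added troubleshooting iRule (not from the thread or the iApp).
# Assumptions: EV lives under /enterprisevault; "EVDBG" is just a grep tag.
when HTTP_REQUEST {
    set evdbg 0
    if { [string tolower [HTTP::path]] starts_with "/enterprisevault" } {
        set evdbg 1
        # Classify the APM session the client presents, if any
        set evstate "no-cookie"
        if { [HTTP::cookie exists "MRHSession"] } {
            if { [ACCESS::session exists -state_allow [HTTP::cookie value "MRHSession"]] } {
                set evstate "allowed"
            } else {
                set evstate "cookie-not-allowed"
            }
        }
        log local0. "EVDBG req client=[IP::client_addr] ua=\"[HTTP::header User-Agent]\" uri=[HTTP::uri] session=$evstate"
    }
}

when ACCESS_ACL_ALLOWED {
    if { $evdbg } {
        # Fires only when the access policy let the request through. If a
        # request shows up as "req" but never as "acl-allowed", APM answered
        # it (logon page or redirect), not Enterprise Vault.
        log local0. "EVDBG acl-allowed uri=[HTTP::uri] sid=[ACCESS::session data get session.user.sessionid] user=[ACCESS::session data get session.logon.last.username]"
    }
}

when LB_SELECTED {
    if { $evdbg } {
        # Which pool the other rules actually chose for this request
        log local0. "EVDBG lb pool=[LB::server pool] member=[LB::server addr]:[LB::server port]"
    }
}

when HTTP_RESPONSE {
    if { $evdbg } {
        # 401 + WWW-Authenticate: Enterprise Vault itself is challenging (the
        # NTLM popup). 302 to the landing URI or /my.policy: APM answered.
        log local0. "EVDBG resp status=[HTTP::status] www-auth=\"[HTTP::header WWW-Authenticate]\" location=\"[HTTP::header Location]\""
    }
}
```

Read the log grouped by client address: the Outlook 2013 requests that end in "page not found" will show which User-Agent (MSRPC, BITS, or the add-in's embedded browser) sent them and whether they arrived with an allowed session, which is what any User-Agent based branch in the combined rule would have to key on. Remove the rule once diagnosed; it logs every request on the path.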

  • mikeshimkus_111
    Historic F5 Account

    First, ASM is incompatible with Outlook, so you should remove that policy from the virtual server, or deploy separate virtual servers for each service if you want to protect OWA and ActiveSync with ASM.

     

    Including EV in the existing iRule would involve asking additional questions that would lengthen both the iApp and the deployment guide, which is something nobody wants. :-) I recommend using the iRule attacher in the iApp to get this done for now.

     

    We don't have a guide for EV and I don't expect us to do one, unfortunately. You may want to consider involving F5's Professional Services here, especially since our Exchange solution is targeted at 2010 and 2013 only and you have a lot going on here with APM and ASM.

     

  • Hi Mike,

     

    ASM in transparent mode is only there to see the logs; it will be on a separate VS at a later stage.

     

    The main show-stopper is getting EV working on Outlook 2013 clients with APM.

     

    I'm sure I'm missing something small in the iRule.