Forum Discussion

scorpa_121336
Nimbostratus
Mar 25, 2014
Solved

Outlook password prompt when CAS Exchange failover

Hello!

We have two Exchange 2010 CAS servers which are load balanced via F5. The F5 has been configured with the iApp exchange2010_Cas2012_06_08 without any changes, and everything is working fine except Outlook in case of a CAS failover. If we shut down one of our CAS servers we get a password prompt on the clients that were connected to the shut-down CAS, and it's not affected by the guest OS.

Before F5 we used NLB between the CAS servers and we never got a password prompt even if one of the CAS servers was offline.

Because everything has been built from the F5 deployment guide without any changes, except that we added a virtual server for SMTP, I assume that everything should work fine, but it doesn't.

Could someone help us find a way to fix this issue?


8 Replies

  • mikeshimkus_111
    Historic F5 Account

    Hi scorpa, this is a known issue and there's no way to completely solve it, other than to migrate your users to Outlook Anywhere. We recommend that in general since RPC Client Access has been deprecated for Exchange 2013.

    If you have Outlook clients that are left open, those clients will send keep-alives that will prevent the TCP idle timeout setting from tearing down the connections. When you reboot the CAS they are connected to, or take it down for maintenance, they will be prompted for authentication.

    You can drain-stop the pool member by disabling it and waiting until the TCP idle timeout period has passed (by default it's 2 hours), but your clients will still need to authenticate when they connect to the other CAS.

    thanks

    Mike

    • scorpa_121336
      Nimbostratus
      Thank you Mike for your reply! But we have deployed Outlook Anywhere already, and as I understood it, we can't use it inside our local network, can we? And what about the scheme with NLB, because with NLB there aren't any authentication prompts in case of a CAS failover? What will happen if we tune the TCP idle timeout on the server-side TCP connections below the Outlook dead timers?
    • mikeshimkus_111
      Historic F5 Account
      You can absolutely use Outlook Anywhere in your local network. Another benefit of OA from an F5 perspective is that the iApp uses an EAV monitor to log into the mailbox, instead of a simple TCP monitor (which is all we have for RPC).

      BTW, I recommend going to downloads.f5.com and downloading the f5.microsoft_exchange_2010_2013_cas.v1.2.0.tmpl template. It includes many fixes and new features over the 06_08 version.

      I did some reading up on NLB, and Microsoft's documentation on NLB states: "When its client affinity parameter setting is enabled, Network Load Balancing directs all TCP connections from one client IP address to the same cluster host. This allows session state to be maintained in host memory. However, should a server or network failure occur during a client session, a new logon may be required to re-authenticate the client and re-establish session state." I'd read that to mean that you should be getting prompted when using NLB, or at least that the mechanism to prevent it is not built into NLB. But I'm not very familiar with it, either.

      You can change the idle timeout setting, but when the connections time out, those clients will still need to reauthenticate.
  • http://btsc.webapps.blackberry.com/btsc/viewdocument.do;jsessionid=324E8B562D498923353213626E308928?externalId=KB26490&sliceId=2&cmd=displayKC&docType=kc&noCount=true&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImpl

    ?

  • Hi Mike,

    I use the f5.microsoft_exchange_2010_2013_cas.v1.4.0.tmpl template and firmware 11.6. I am trying to load balance Exchange 2013. OWA is effectively load balanced, but Outlook prompts for a password and does not connect; it seems F5 is not handling the certificate properly. What could be the challenge? Kindly assist, I am on site. I used the import type PKCS 12 (IIS) while importing the certificate to the F5 box.

    • mikeshimkus_111
      Historic F5 Account
      Does your certificate contain the correct domain names for Outlook Anywhere, EWS, and OAB? I would try taking a packet capture on both sides of the BIG-IP to see what's happening. If you are getting immediate resets during the SSL handshake, then it sounds like a cert issue. If you are seeing 401s from Exchange, that is something else.
  • Hi Mike, thanks for your support. Can you point me to material that shows how to export the certificate and key from the CAS? Also, which command will I use to confirm that my certificate contains the correct domain names for Outlook Anywhere? Here is the error prompt I get when trying to register Outlook: (There is a problem with the proxy server's security certificate. The security certificate is not a trusted certifying authority.) Thanks for the assistance.

    • mikeshimkus_111
      Historic F5 Account
      Hi Olusola, you should be able to export the cert and key using the Certificate Manager MMC snap-in from your CAS. On BIG-IP, once you have imported the .pfx file, you can go to System ›› File Management : SSL Certificate List, click on the cert you imported, and look at the Subject Alternative Name field to see what names are in your cert.
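The check Mike suggests in the two replies above (does the certificate imported to BIG-IP carry the names Outlook Anywhere, EWS, OAB and Autodiscover clients will use?) done from the command line on the exported .pfx, as an added example that is not from the thread or from F5. It assumes openssl on PATH; the hostnames are placeholders, and the demo builds a constructed self-signed certificate rather than using a real CAS certificate. Wildcard entries are honoured for one label only, which is how clients treat them.

```shell
#!/bin/sh
# Added example (not the thread's or F5's code): list the DNS names in an
# Exchange CAS certificate and report which required names it lacks.
# Usage: sh check_cas_cert.sh CAS.pfx 'pfx-password' mail.example.com autodiscover.example.com
# With fewer than three arguments the constructed demo at the bottom runs instead.

# DNS entries of the subjectAltName of a PEM certificate read on stdin, one per
# line, lower-cased. Parses the -text output so it works on old OpenSSL too
# (no dependency on the newer `-ext subjectAltName` option).
san_dns_names() {
  openssl x509 -noout -text \
    | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p' \
    | tr 'A-Z' 'a-z'
}

# Same, reading the certificate out of a PKCS#12 (.pfx) bundle such as the one
# exported from the CAS. $1 = .pfx file, $2 = its password.
pfx_san_dns_names() {
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null | san_dns_names
}

# Return 0 if name $1 is covered by a line of SAN file $2: exact match, or a
# single-label wildcard (*.example.com covers mail.example.com, not example.com
# and not a.b.example.com).
name_covered() {
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  while IFS= read -r san; do
    case "$san" in
      \*.*) [ "${name#*.}" != "$name" ] && [ "${name#*.}" = "${san#\*.}" ] && return 0 ;;
      *)    [ "$name" = "$san" ] && return 0 ;;
    esac
  done < "$2"
  return 1
}

# Print "MISSING: name" for every required name the certificate lacks.
# $1 = SAN file (one name per line), remaining args = required names. Returns 1 if any is missing.
report_missing() {
  sanfile=$1; shift
  rc=0
  for n in "$@"; do
    name_covered "$n" "$sanfile" || { echo "MISSING: $n"; rc=1; }
  done
  return $rc
}

# Stand-alone demo with a constructed certificate (NOT a real CAS cert):
# SANs mail.example.com and *.example.com, exported to .pfx the way the poster
# imported it, then checked against three required names. Prints the missing ones.
demo() {
  d=$(mktemp -d)
  cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = mail.example.com
[v3_req]
subjectAltName = DNS:mail.example.com,DNS:*.example.com
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/req.cnf" \
    -extensions v3_req -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
  openssl pkcs12 -export -in "$d/cert.pem" -inkey "$d/key.pem" \
    -out "$d/cas.pfx" -passout pass:export-pw
  pfx_san_dns_names "$d/cas.pfx" export-pw > "$d/sans.txt"
  echo "SANs found: $(tr '\n' ' ' < "$d/sans.txt")" >&2
  out=$(report_missing "$d/sans.txt" mail.example.com autodiscover.example.com owa.contoso.com) || true
  rm -rf "$d"
  printf '%s\n' "$out"   # autodiscover is covered by the wildcard; owa.contoso.com is not
}

if [ $# -ge 3 ]; then
  pfx=$1; pw=$2; shift 2
  tmp=$(mktemp); pfx_san_dns_names "$pfx" "$pw" > "$tmp"
  report_missing "$tmp" "$@"; rc=$?; rm -f "$tmp"; exit $rc
fi
```

A certificate that passes this check can still produce the "not a trusted certifying authority" prompt quoted above if the issuing CA is not trusted by the clients, so the SAN check and the chain check are separate steps.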