Redirect to pool to bypass SSL offloading for Exchange Hybrid setup - syntax issue(s)

Question

Hello DevCentral Community,
We recently configured a hybrid setup between Exchange2010 and O365 but we're running into issues migrating mailboxes between the two environments. After some googling and testing various 'solutions' we've narrowed down the cause. The on-prem Exchange2010 environment is behind the F5 and was setup via iApp (working great!) - when migrating a mailbox O365 connects to on-prem via the CAS MRSProxy in EWS: the issue with this is that this particular connection cannot (per MS documentation) be SSL offloaded and must make a connection directly to one of the CAS servers.
I am trying to modify the current OWA redirect iRule to looks for traffic that's trying to hit the mrsproxy.svc and directs it directly to the CAS pool but I'm running into syntax issues:
Error:
line 1: [wrong  args] [when HTTP_REQUEST
when HTTP_REQUEST {
   if {switch -glob [string tolower [HTTP::uri]]} {
    "/ews/mrsproxy.svc"
    SSL::enable serverside
    pool exchange2010_cas_pool
    CACHE::disable
    return
    }

}   elseif { ([HTTP::uri] == "/") } {
        HTTP::redirect https://[HTTP::host]/owa/

}

This is my first attempt at creating an iRule and I'm not having much luck with the syntax (and possibly other things). Could someone take a look and offer advice on how to fix this - essentially the goal is anything hitting the /ews/mrsproxy.svc goes to CAS pool directly and all other traffic follows the standard iApp behaviour to redirect (the elseif statement).
Thanks!

mikeshimkus_111 · Answer

Hi, are you deploying all of your Exchange services on one virtual server?  If so, you should be editing the combined iRule, not the redirect iRule.  I would also think that since you deployed SSL offload, you don't have a server SSL profile assigned to your VIP so SSL::enable won't work.  If you want to offload SSL, what you'll probably need to do is: 
Deploy the iApp using SSL bridgingDisable strictnessCreate a new pool on port 443 for MRS proxyModify your existing pools to use port 80Edit your combined pool iRule to look like the rule below.
Another option might be to point Office 365 to a different FQDN for migration, and do a separate, SSL bridging deployment at that IP address.
when HTTP_REQUEST {
 switch -glob -- [string tolower [HTTP::path]] {
      "/microsoft-server-activesync*" {
           TCP::idletime 1800
           SSL::disable
           pool /Common/exchange_2013.app/exchange_2013_as_pool3            
           CACHE::disable
           return
      }
      "/owa*" {
           if { [HTTP::header exists "Accept-Encoding"] } {
                HTTP::header remove "Accept-Encoding"
           }
           SSL::disable
           pool /Common/exchange_2013.app/exchange_2013_owa_pool3           
           return
      }
      "/ews/mrsproxy.svc"
      pool my_mrs_pool
      CACHE::disable
      return
 }
 "/ews*" {
      SSL::disable
      pool /Common/exchange_2013.app/exchange_2013_oa_pool3            
      CACHE::disable
      return
 }
 "/ecp*" {
      SSL::disable
      if { [HTTP::header exists "Accept-Encoding"] } {
           HTTP::header remove "Accept-Encoding"
      }
      pool /Common/exchange_2013.app/exchange_2013_owa_pool3            
      return
 }
 "/oab*" {
      SSL::disable
      pool /Common/exchange_2013.app/exchange_2013_oa_pool3
      persist none
      return
 }
 "/rpc/rpcproxy.dll*" {
      SSL::disable
      pool /Common/exchange_2013.app/exchange_2013_oa_pool3            
      CACHE::disable            
      return
 }
 "/autodiscover*" {
      SSL::disable
      pool /Common/exchange_2013.app/exchange_2013_ad_pool3
      persist none
      return
 }
 default {
       This final section takes all traffic that has not otherwise
       been accounted for and sends it to the pool for Outlook Web
       App
      SSL::disable
      pool /Common/exchange_2013.app/exchange_2013_owa_pool3

}

}
}

tankovich_14368 · Answer

Thank you for your reply mikeshimkus!
You are correct about the iRule: it should be combined iRule.
Could I just insert this into the current combined iRule without reconfiguring the iApp?
      }
      "/ews/mrsproxy.svc"
      pool my_mrs_pool
      CACHE::disable
      return
 }

As you predicted the iApp currently is setup to 'SSL Offload' but looking at the clients CAS servers it's not enabled for EWS.

mikeshimkus_111 · Answer

I don't understand-SSL offload is not enabled for EWS?&nbsp;
You can't simply add those lines to the iRule.  The virtual server and pool members must be correctly configured to do server-side SSL.&nbsp;

sam_hall · Answer

Just wanted to add that it's possible to use a mixture of SSL Bridging and SSL Offloading using two Exchange iApps and an iRule with the "virtual" command. Maintain your original SSL Offload Exchange iApp and create a second iApp with a dummy VIP that does the reverse (converts exchange SSL 443 services to unencrypted port 80). Amazingly, the Exchange iApp supports this unusual "Reverse SSL Offloading" setup by allowing you to select "Unencrypted" and then "SSL-Bridging" deployment options. For Hybrid Exchange, you only need EWS and Autodiscover services exposed to port 80 on a dummy (unreachable) IP address. Now add an iRule to the original iApp that diverts all requests for "/EWS/mrsproxy.svc" to the virtual server created by the "Reverse SSL Offloading" iApp. This also allows you to easily configure a separate pool of servers for mailbox migration tasks. This was the simplest and most efficient technique I could find to support Hybrid Exchange.

mark_60861 · Answer

This only becomes an issue for SSL Offload not SSL Bridging. We need to tell the F5 to use SSL on the backend between the F5 &amp; cas servers for /ews/mrsproxy.svc. First create a pool that contains all the cas servers on port 443. Next modify the existing exchange https vip to include a server-ssl profile. Finally, modify the combined/pool selector rule as follows:&nbsp;Code
when HTTP_REQUEST {
    SSL::disable serverside
    switch -glob -- [string tolower [HTTP::path]] {
        "/ews/mrsproxy.svc" {
             Exchange Web Services ==&gt; use 443 cas server pool and enable server ssl for o365 mailbox moves.
            if { [HTTP::header exists "APM_session"] } {
                persist uie [HTTP::header "APM_session"] 7200
            } else {
                persist source_addr
            }
            pool /Common/Exch2010_ssl_pool
            SSL::enable serverside
        COMPRESS::disable
            CACHE::disable
            return
}This iRule disables serverside SSL for all http requests, then selectively enables serverside SSL for requests to the URI: "/ews/mrsproxy.svc". It then selects the new ssl/443 pool created earlier.&nbsp;Note: there will be some outage/impact for new connections between adding the serverside ssl profile &amp; modifying the iRule to disable serverside ssl on all other connections.&nbsp;

Forum Discussion

Redirect to pool to bypass SSL offloading for Exchange Hybrid setup - syntax issue(s)

6 Replies

Recent Discussions

ASM Policy in "Blocking" Mode switch to "Transparent" for some IP's

F5 WAF/ASM block users that trigger too many violations by source ip/device id using the correlation logs

redirect not working

When F5OS r2800 appliance reboots, interfaces configured at tenant level for VLAN are lost

HIRE ADRIAN LAMO HACKER TO RECLAIM LOST CRYPTOCURRENCY

Related Content

Anchor Link Redirect

Exchange 2016

SSL Offload with HTTP/2.0

HTTPS offload rewriting

MS Exchange ProxyNotShell block implemented via iRules