Issues with Exchange 2013 owa

I've got the BIG-IP F5 virtual load balancer set up in my Exchange 2013 lab, getting ready for our migration in a few months, and am having an issue. I've got an Exchange 2007 environment set up to mimic what we have in production, with multiple CAS servers behind a VIP. Everything works fine. I've also got our Exchange 2013 lab environment set up to run in coexistence, with multiple CAS servers behind another VIP. If I log a test account that is an Exchange 2007 mailbox into Exchange 2013 OWA (through the VIP), it redirects to the legacy OWA (not using APM but letting Exchange handle the redirection) and they can log in and get to their legacy mailbox. If I move that same user's mailbox to Exchange 2013 and then have them log in to OWA, it does nothing. It just acts like it's about to load something, then takes you right back to the logon screen. If I open the account in Outlook it's fine. If I bypass the F5 and go to OWA directly off one of the CAS servers, then it's fine and logs them right into OWA mail. I've got the latest Exchange 2013 template and have re-done it multiple times with different settings, but nothing seems to change. My cert is valid, but even without SSL it's still the same thing. I'm kind of stuck here and I don't have a solid background with F5 BIG-IP, so any help in troubleshooting this is greatly appreciated. Thank you.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Does it happen only with the migrated accounts? Or does OWA 2013 not work even with the mailbox that was originally created on Exchange 2013? Do you have analytics profile enabled in your deployment by any chance? If yes, I suggest disabling it.

If "native" Exchange 2013 mailbox works with OWA and migrated does not, I suggest opening a support case and providing HTTPwatch dumps of working and non-working logs so that they can be compared in the troubleshooting effort.

Comments on this Answer
Comment made 03-Oct-2013 by rich1977 8
Neither works, migrated or newly created accounts, if I go through the F5. Also, unless it is enabled by default, I have not enabled any analytics profile.
Comment made 03-Oct-2013 by Michael Koyfman 2088
Ok, how did you set up Exchange? Did you leverage the deployment guide and iApp from here? https://devcentral.f5.com/wiki/iapp.Microsoft-Exchange-2010-and-2013-iApp-Template.ashx I assume you did not try to set up SSL offload, as Exchange 2013 does not support it by default. I am guessing that there could be an issue happening with the SSL re-encryption. If you did not use an iApp, I suggest you set it up using the link provided. If you did set it up with an iApp, then I suggest trying to remove advanced profiles from the OWA virtual server one by one to see at which point it starts working. By advanced profiles I mean NTLM, OneConnect, HTTP Compression, Web Acceleration, HTTP, and finally SSL. Once you find out which profile is causing the issue, it'll be easier to find a resolution. You should also feel free to open a support case to troubleshoot this.
Comment made 04-Oct-2013 by rich1977 8
Well, it turns out the virtual server for OWA was never assigned the OWA pool that was created by the iApp. That shouldn't be the case, correct? If I deploy an iApp, it should assign the pool to the virtual server that it created for it, right? Once I assigned the OWA pool (my CAS servers) to the virtual server, everything of course works fine. Thanks for your input, Michael, but I am curious whether I will need to assign the pool to the virtual server every time I create a deployment using an iApp, because none of my virtual servers created for Exchange 2013 had a pool assigned to them.
Comment made 27-Jul-2014 by Ryan 860
I believe the pool selection when using the configuration generated by the Exchange 2013 iApp is performed in the iRules applied to the virtual server. The options you chose during the initial configuration determine whether you require separate pools for separate Exchange services (e.g. ActiveSync, OWA, etc.). Have you by any chance tried applying a persistence profile?
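Michael's bisection procedure (peel the advanced profiles off the OWA virtual server one at a time) and the finding in the comments that followed (an iApp-created virtual server with no pool attached) both come down to reading the virtual server's configuration carefully. The script below is an added example, not code from this thread or from F5: it parses the text that `tmsh list ltm virtual` prints and reports, per virtual server, the attached pool, any persistence profiles, any iRules (which, as Ryan notes, may be doing the pool selection), and the profiles sorted into the removal order Michael suggests. The sample dump is constructed; the virtual server, pool, profile and iRule names are invented, and sorting profiles by substrings of their names is a heuristic (the authoritative profile type comes from `tmsh list ltm profile`).

```python
"""
Audit a `tmsh list ltm virtual` dump for the two things this thread
turned on: a virtual server with no pool attached, and whether any
persistence profile is configured. Standard library only.
"""

# Constructed sample of `tmsh list ltm virtual` output. Names, addresses,
# pool and profile names are invented; the first virtual reproduces the
# "no pool assigned" finding, the second has the pool and SSL persistence.
SAMPLE_TMSH = """\
ltm virtual /Common/exch13_owa_vs {
    destination /Common/10.10.1.50:443
    profiles {
        /Common/exch13_clientssl {
            context clientside
        }
        /Common/exch13_serverssl {
            context serverside
        }
        /Common/exch13_http { }
        /Common/exch13_oneconnect { }
        /Common/exch13_ntlm { }
        /Common/tcp { }
    }
    rules {
        /Common/exch13_owa_irule
    }
    source 0.0.0.0/0
}
ltm virtual /Common/exch13_owa_vs_fixed {
    destination /Common/10.10.1.51:443
    persist {
        /Common/ssl {
            default yes
        }
    }
    pool /Common/exch13_owa_pool
    profiles {
        /Common/exch13_clientssl {
            context clientside
        }
        /Common/exch13_http { }
        /Common/tcp { }
    }
    source 0.0.0.0/0
}
"""

# Removal order suggested in the thread. Matching on the profile *name*
# is a heuristic; `tmsh list ltm profile` is the authoritative type source.
PEEL_ORDER = ("ntlm", "oneconnect", "compression", "web-acceleration",
              "webacceleration", "http", "ssl")


def parse_tmsh(text):
    """Parse tmsh brace syntax into nested dicts: `key value` -> {key: value},
    `key {` opens a nested dict closed by a bare `}`, `key { }` is an empty
    dict, and a bare token inside a block (an iRule name) maps to ""."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{ }"):
            stack[-1][line[:-3].strip()] = {}
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value
    if len(stack) != 1:
        raise ValueError("unbalanced braces in tmsh output")
    return root


def peel_order(profile_names):
    """Sort profile names into the thread's removal order; unknown kinds last."""
    def rank(name):
        short = name.rsplit("/", 1)[-1].lower()
        for i, kind in enumerate(PEEL_ORDER):
            if kind in short:
                return i
        return len(PEEL_ORDER)
    return sorted(profile_names, key=rank)


def audit_virtuals(config):
    """One entry per virtual server: pool, persistence, iRules, profiles, notes."""
    report = {}
    for key, body in config.items():
        if not key.startswith("ltm virtual "):
            continue
        name = key.split(" ", 2)[2]
        entry = {
            "pool": body.get("pool"),
            "persistence": sorted(body.get("persist", {})),
            "irules": sorted(body.get("rules", {})),
            "profiles": peel_order(body.get("profiles", {})),
            "notes": [],
        }
        if entry["pool"] is None and not entry["irules"]:
            entry["notes"].append("no pool and no iRule that could select one")
        elif entry["pool"] is None:
            entry["notes"].append("no default pool; traffic depends on the iRule choosing one")
        if not entry["persistence"]:
            entry["notes"].append("no persistence profile")
        report[name] = entry
    return report


if __name__ == "__main__":
    for vs, entry in audit_virtuals(parse_tmsh(SAMPLE_TMSH)).items():
        print(vs)
        for field in ("pool", "persistence", "irules", "profiles", "notes"):
            print("  %-12s %s" % (field, entry[field]))
```

On a real box, replace `SAMPLE_TMSH` with the output of `tmsh list ltm virtual` (or `tmsh list ltm virtual /Common/<name>` for one virtual server). A virtual server with neither a pool nor an iRule will accept connections and have nowhere to send them, which matches the "acts like it's about to load, then back to the logon screen" symptom better than any profile problem; only once a pool is attached does the profile-by-profile bisection make sense.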

I have the same issue. When I keep only one CAS in the pool it works fine, but if I connect a second CAS server to the OWA pool, OWA sessions are being disconnected after 10 s.

Did anyone solve this?


Makengo,

Do you have an update on this issue?

Thank you,


Nothing has changed. Still having the same issue.


Makengo,

Did you add persistence to see if it solved the issue? Second, did you open a case and get any feedback?

Finally, is your CAS server also the mail server (DAG)? I'm just researching the few cases (as in mine) where persistence resolves this issue or similar issues.

Thank you,


Hi

Is this issue resolved? I'm having the same issue. As far as I know there should be no default persistence profile on the load balancer, because Exchange deals with the matter, perhaps through some kind of server-side CAS synchronization? Correct me if I'm wrong.

Choosing a default persistence profile however does solve the issue.

Erik


Has this issue been resolved? I am having a similar issue with the internal-user iApp that I set up. However, I repeated the iApp for external users and they can log in on the first try. All settings are the same as far as I can tell, but it works for external users and fails for internal users. Walt


In our Exchange 2010 environment we use a SAN certificate for client side SSL and per-CAS-server self-signed certificates for server SSL. This works fine thanks to LTM persistence. Connections end up on one and the same server.

The SAN certificate for client SSL contains something like this:

  • DNS Name=webmail.xyz.nl
  • DNS Name=autodiscover.xyz.nl
  • DNS Name=imap.xyz.nl
  • DNS Name=pop.xyz.nl

The self signed certificate for server SSL contains only the name of the CAS server:

  • DNS Name=CAS-server0944
  • DNS Name=CAS-server0944.xyz.nl

In Exchange 2013, without LTM persistence, using the same certificate structure would not work. Connections tend to end up on different CAS servers. Using per CAS server self-signed certificates will screw up encryption consistency, resulting in rebuilding connections between LTM and CAS, and thus producing re-appearing logon screens.

Using one and the same SAN certificate on LTM for client SSL, and on all CAS servers solves this. In our situation, the SAN contains the following names:

  • DNS Name=webmail.xyz.nl
  • DNS Name=autodiscover.xyz.nl
  • DNS Name=imap.xyz.nl
  • DNS Name=pop.xyz.nl
  • DNS Name=CAS-server1.xyz.nl
  • DNS Name=CAS-server2.xyz.nl
  • DNS Name=CAS-server3.xyz.nl
  • DNS Name=CAS-server4.xyz.nl
  • DNS Name=CAS-server5.xyz.nl
  • DNS Name=CAS-server6.xyz.nl
  • DNS Name=CAS-server7.xyz.nl
  • DNS Name=CAS-server8.xyz.nl
  • DNS Name=CAS-server9.xyz.nl

Note that the server SSL profile on the LTM does (in our case) not contain the SAN certificate. Somehow LTM and CAS servers agree on using the SAN certificate for server side encryption.

Filed an F5 SR on this on 29 Oct but no answer yet.


I am having the same issues,

I added persistence to the VIP and it solved it. But it caused other issues: sometimes I cannot click Reply or Reply all, or create a new message.

Did anyone resolve this?

Comments on this Answer
Comment made 09-Sep-2015 by Hygor 70
Hi Sebastian, I'm using SSL as my default persistence, and everything is working fine. I'm using 11.5.1 HF7. After that I was able to log in at the OWA page and create messages, reply, etc. Regards
Comment made 09-Sep-2015 by Sebastian Maniak 262
Yeah, I made the same change. Works good now. Thanks

I would like to 2nd Hygor's solution of enabling SSL persistence. It seems to have worked in my environment as well to resolve the symptom of OWA re-prompting users when there is more than one member in the server pool.


Hi Perry, good to hear it's working. But the fact is that for Exchange 2013 it should be working fine without any persistence:

(Source: Technet)

Load Balancing

Unlike previous versions of Exchange, Exchange 2013 no longer requires session affinity at the load balancing layer.

To understand this statement better, and see how this impacts your designs, we need to look at how CAS2013 functions. From a protocol perspective, the following will happen:

1. A client resolves the namespace to a load balanced virtual IP address.
2. The load balancer assigns the session to a CAS member in the load balanced pool.
3. CAS authenticates the request and performs a service discovery by accessing Active Directory to retrieve the following information:
    Mailbox version (for this discussion, we will assume an Exchange 2013 mailbox)
    Mailbox location information (e.g., database information, ExternalURL values, etc.)
4. CAS makes a decision on whether to proxy the request or redirect the request to another CAS infrastructure (within the same forest).
5. CAS queries an Active Manager instance that is responsible for the database to determine which Mailbox server is hosting the active copy.
6. CAS proxies the request to the Mailbox server hosting the active copy.

Another handy article about this is on Kemp's website: https://kemptechnologies.com/white-papers/what-know-about-exchange-2013-and-Load-Balancing/

That is why we changed from different per-CAS-server self-signed certificates (like in Exchange 2010) to one and the same SAN certificate on all CAS servers, containing the names of all CAS servers and the used URLs. This makes changing to another CAS server possible, and it solved our problem with rebuilding connections between LTM and CAS, and thus producing re-appearing logon screens.


Erik:

Thanks for the response. I'm glad there is no need to enable persistence once the correct certificates are reissued.


Erik:

To follow up, the solution of putting the same cert on all CAS members worked. I no longer have to use persistence.

The only question I have is whether it's necessary to put the DNS name of each individual CAS server in the Cert SAN name list?

What would happen if you just used the exchange service names:

  • DNS Name=webmail.xyz.nl
  • DNS Name=autodiscover.xyz.nl
  • DNS Name=imap.xyz.nl
  • DNS Name=pop.xyz.nl

And leave off all of these?:

  • DNS Name=CAS-server1.xyz.nl
  • DNS Name=CAS-server2.xyz.nl
  • DNS Name=CAS-server3.xyz.nl
  • DNS Name=CAS-server4.xyz.nl
  • DNS Name=CAS-server5.xyz.nl
  • DNS Name=CAS-server6.xyz.nl
  • DNS Name=CAS-server7.xyz.nl
  • DNS Name=CAS-server8.xyz.nl
  • DNS Name=CAS-server9.xyz.nl

When does Exchange reference the CAS server name directly instead of the typical URLS that a user references when connecting to Exchange? After reviewing documentation, I'm not certain that it's required but I would like to hear feedback from Erik and anyone else who might be reading this.

thanks,

Perry

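Erik's two posts (per-CAS self-signed certificates versus one SAN certificate on every CAS server) and Perry's closing question (are the individual CAS names in the SAN needed at all?) both reduce to one mechanical check: which host names does a given SAN list actually cover? The script below is an added example, not code from this thread or from F5. It implements RFC 6125-style dNSName matching (case-insensitive, a short name never matches its FQDN, a wildcard is honoured only as the whole left-most label and never matches more than one label) and reports, for each of the three certificate layouts discussed above, which of the service and CAS names are left uncovered. The name lists are the ones posted in the thread; `xyz.nl` is the poster's placeholder domain. The check says nothing about signatures, chains or trust, and it does not settle Perry's question: whether the BIG-IP ever compares a CAS certificate against the CAS host name depends on the verification settings of the serverssl profile, which the thread does not show.

```python
"""
Which host names does a certificate's SAN list actually cover?
RFC 6125-style dNSName matching plus a coverage report for the
certificate layouts discussed in the thread. Standard library only.
"""

# Names from the thread (xyz.nl is the poster's placeholder domain).
SERVICE_NAMES = ["webmail.xyz.nl", "autodiscover.xyz.nl",
                 "imap.xyz.nl", "pop.xyz.nl"]
CAS_NAMES = ["CAS-server%d.xyz.nl" % i for i in range(1, 10)]

# Exchange 2010 layout: one self-signed certificate per CAS server.
PER_CAS_SELF_SIGNED = ["CAS-server0944", "CAS-server0944.xyz.nl"]
# Exchange 2013 layout the poster moved to: one SAN cert everywhere.
SHARED_SAN = SERVICE_NAMES + CAS_NAMES
# Variant asked about at the end of the thread: service names only.
SERVICE_ONLY_SAN = list(SERVICE_NAMES)


def _labels(name):
    return name.lower().rstrip(".").split(".")


def san_matches(san_name, hostname):
    """True if the dNSName entry covers hostname.

    Case-insensitive. A short name (CAS-server1) never matches its FQDN.
    A wildcard is accepted only as the entire left-most label, must leave
    at least two labels to its right (*.xyz.nl, not *.nl) and matches
    exactly one label (never a.b.xyz.nl). Partial wildcards such as
    f*.xyz.nl are rejected, as most TLS stacks do.
    """
    san, host = _labels(san_name), _labels(hostname)
    if len(san) != len(host) or not all(san + host):
        return False
    if san[0] == "*":
        if len(san) < 3 or any("*" in label for label in san[1:]):
            return False
        return san[1:] == host[1:]
    if any("*" in label for label in san):
        return False
    return san == host


def coverage(san_names, required_names):
    """Map each required name to the first SAN entry covering it, or None."""
    return {name: next((s for s in san_names if san_matches(s, name)), None)
            for name in required_names}


def uncovered(san_names, required_names):
    """Required names that no SAN entry covers, sorted."""
    return sorted(name for name, entry in coverage(san_names, required_names).items()
                  if entry is None)


def compare_layouts(required_names):
    """Uncovered names per certificate layout from the thread."""
    return {
        "per-CAS self-signed": uncovered(PER_CAS_SELF_SIGNED, required_names),
        "shared SAN": uncovered(SHARED_SAN, required_names),
        "service names only": uncovered(SERVICE_ONLY_SAN, required_names),
    }


if __name__ == "__main__":
    # Names a server-side connection to any CAS member might be checked against.
    for layout, missing in compare_layouts(SERVICE_NAMES + CAS_NAMES).items():
        print("%-22s uncovered: %s" % (layout, missing or "none"))
```

Run against the full list of service and CAS names, the per-CAS self-signed layout leaves every name but its own host uncovered, the shared SAN leaves none, and the service-names-only variant leaves exactly the nine CAS names. That is the whole difference between Erik's SAN and Perry's proposal, so the practical answer to Perry's question is to check what name the BIG-IP server-side connection presents or verifies: if the serverssl profile is configured to verify the peer certificate against the pool member's host name, the CAS names must be in the SAN; if it is not, the entries are harmless but do nothing.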