Which method for sso and basic auth

Question

Hi&nbsp;
New to F5, currently evaluating APM/LTM on virtual BIG IP&nbsp;
currently reading the implementation guide for exchange&nbsp;
our environment - single cas, owa,ews,ecp, activesync, autodiscover&nbsp;
plan, to deploy bip ip to provide proxy access to this server, for both single sign on from various applications for various exchnage services (Lync, outlook anywhere) and also support basic auth for the same services &nbsp;
what is the best implementation plan to follow in the exchange guide for a combined LTM/APM&nbsp;
currently i was thinking of going with option 1, LTM will load balance and optimize CAS traffic, however on exploring this further it seems I will be limited to forms based authentication, which is fine if it is restricted to the /owa iis folder.&nbsp;
is scenario 1 my best option given my LPM/ATM combination or would scenario 3 be better 3. BIG-IP Edge Gateway or APM will provide secure remote access to CAS, even though they are on the same box ?&nbsp;
just discussing at this stage and looking for input, whilst I kick the tyres. &nbsp;
Thanks&nbsp;
Andrew&nbsp;
 &nbsp;
 &nbsp;

mikeshimkus_111 · Answer

Hi Andrew, if you have a BIG-IP with both LTM and APM licensed, deploying scenario 1 with the APM option selected is probably your best bet.  That would allow you to add more CAS in the future, whereas with scenario 3 you are limited to forwarding that traffic to one CAS (or another BIG-IP).   
&nbsp; The authentication options should be the same for both scenarios. 
&nbsp; thanks 
&nbsp; Mike

andrews_128547 · Answer

thanks for the reply Mike, I am in the office today and will give it wizz and see how it progresses and post back here with the outcome.

andrews_128547 · Answer

Ok, so good news all seems to work, 
&nbsp; One thing i have spotted is the following in the exchange event log - i will research further but it might be an easy answer on here 
&nbsp;  
&nbsp; Exchange ActiveSync device requests for your users are being blocked. This problem frequently occurs when the HTTP OPTIONS method request isn't allowed by the firewall. Please check the firewall that filters requests in front of your Client Access server and the Microsoft-Server-ActiveSync virtual directory. 
&nbsp;  
&nbsp; any thoughts on that one ? 
&nbsp;  
&nbsp; thanks in advance,  
&nbsp; I am now going to do the following with a bit of luck 
&nbsp; configure a web portal 
&nbsp; configure radius authentication 
&nbsp; configure a revserse proxy to replace TMG role for Lync  
&nbsp;  
&nbsp; will post back here with updates

mgmontgomery_60 · Answer

We are seeing the exact same error as andrews. "Exchange ActiveSync device requests for your users are being blocked. This problem frequently occurs when the HTTP OPTIONS method request isn't allowed by the firewall. Please check the firewall that filters requests in front of your Client Access server and the Microsoft-Server-ActiveSync virtual directory." 
&nbsp;  
&nbsp; Does anyone know the resolution for this error? 
&nbsp;  
&nbsp; Thank you.

stig_88256 · Answer

Did you resolve this HTTP OPTIONS-"blocking"? We are observing the same behaviour now on 12.0HF2 using Exchange 2010/2013 iApp (v1.5.1) and Exchange 2013.

Forum Discussion

Which method for sso and basic auth

5 Replies

Recent Discussions

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

minimum tmos software version for connect CIS (openshift)

Related Content

Implementing basic OAuth with F5 BIG-IP APM

Basic OAuth concept and OAuth with F5 solutions

iRule - Authorization Bearer / Basic

Troubleshooting BIG-IP - The Basics

Basic findstr question