Forum Discussion

martin_ch_14045
Dec 26, 2013

Outlook Anywhere RPC over HTTP

Hi, I know this has already been discussed, but I find no way to make OA work with BigIP.

Setup:

  • BigIP VE, ASM only (with the basic LTM that comes with it), standalone, 11.4.0 2425.0
  • Exchange 2010 SP3 with the latest rollup patch; one single server serves everything
  • OA and IIS set up for NTLM (no Negotiate, no Basic); works through another reverse proxy, which is supposed to be replaced by the F5, with no problems
  • One VS for many apps (we share the IP). ASM security policy and forwarding are set in a Local Traffic Policy
  • ASM is disabled for OA. We tried different ways to disable it: iRule, policy, both; matching on host, URI, method. The log confirms we are going through this setup and that ASM is disabled. (SOL14709)
  • Outlook waits forever. testconnectivity.microsoft.com reports that no RPC ping is possible.

Any idea?

Thanks

Martin

9 Replies

  • Martin,

    OA certainly works with the BIG-IP; the question is whether there is a bug or an error in your configuration. I would suggest you set up your Exchange deployment first using the Exchange iApp (https://devcentral.f5.com/wiki/iapp.Microsoft-Exchange-2010-and-2013-iApp-Template.ashx), make sure OA works based on its config, and then tweak that known-good working config to add ASM into the mix for OWA and ActiveSync only.

    • martin_ch_14045
      I am quite a beginner with BigIP (I have already investigated some, though, as you could see :)) and, as far as I can tell, I cannot deploy iApps. May this be due to the fact that I lack a full LTM license? It reports a socket error...
  • Tested 11.4.1. There I can confirm the iApp template is not available because LTM is not enabled.

    Also tested Basic Auth OA / Basic Auth IIS with no success.

    Thanks for your support, glad to get such fast answers!

    Martin

  • That is a little more challenging then. Are you not doing any load balancing? I would suggest a couple of things: just create a virtual server for Exchange on this instance and point it to a pool (of one Exchange server?). You don't need any persistence or advanced stuff, just a standard virtual server and pool with the HTTP profile enabled. Don't forget to turn on SNAT Automap on the virtual. Then verify all modes of operation (OWA/ActiveSync/OA). It's highly unlikely that only one is going to be broken... but if you can really isolate it to OA only, then you would need to capture some traffic on the BIG-IP and run ssldump on it to see what is happening on the wire. Your goal is to successfully pass traffic through the BIG-IP first without having ASM enabled, and then turn it on for selective traffic such as OWA/ActiveSync.

  • Good idea for troubleshooting! And so useful: we have a result.

    Created a VS with a dedicated IP. Standard, HTTP, automap, client/server SSL profiles, default pool to Exchange. Everything else default: no policy, no iRule, no ASM. New public IP, firewall rule, I can reach the server from outside. Played with the hosts file and... it is working! Both the MS connectivity test and Outlook.

    So what's so different about my previous VS? Same settings on the VS, only one is using resources (policy and iRules). I was quite confident in those and it seems I am right. There is one thing that is enabled there and not on my test VS: Analytics! Switching it on/off triggers the failure/resolution on both VSs...

    Concerning the fact of not having LTM: yes, we have a small deployment with some standard MS apps (Exchange and Lync) for a few users and a mobile population. Then we have internally developed and hosted web applications, for mobile employees, B2B and B2C, quite tightly tied to our business data, on both Apache and IIS. All in all the traffic stays quite low, so there is no need for huge clusters and LB. We want to secure what goes public, not internal traffic; BigIP acts as a web application firewall (currently another product based on Apache). As for HA, we rely on the underlying VM and SAN infrastructure, which is pretty solid and redundant; that's enough for us, we can afford downtime in case of disaster/hardware failure.

    I have enabled unlicensed LTM on my VE just to be able to start an iApp config, and yes, it looks awesome. But I cannot save it since it is not licensed; it won't allow me to do that. I don't know if we're ready to pay just to get iApps, but F5 was sold to us as "supporting enterprise apps easily with templates" and now we lack them... Maybe we can export security policies for the Exchange and Lync modules from an existing iApp deployment. Deploying a simple ASM policy from the IIS/XML signatures template still triggers lots of false positives on ASM for those.

    Anyway, thanks again for your support. One reason for going to F5 was getting more support, user feedback and community; that's already proven.

  • AVR::DISABLE in addition to ASM::DISABLE in the iRule for RPC over HTTP traffic will solve the issue without changing the VS configuration.
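As an added example (not an iRule posted in this thread, nor F5's own code), this is the kind of iRule the last reply describes: it switches off both ASM and AVR (Analytics) for the Outlook Anywhere requests only, so the shared virtual server keeps ASM and Analytics for OWA, ActiveSync and the other apps. It assumes Exchange publishes Outlook Anywhere under the standard /rpc/rpcproxy.dll path and that Outlook uses the RPC_IN_DATA / RPC_OUT_DATA methods; the hostname mail.example.com is a placeholder for the OA hostname. The iRule commands are spelled in their actual lower-case form (`ASM::disable`, `AVR::disable`), since Tcl command names are case-sensitive.

```tcl
# Added example: bypass ASM and AVR (Analytics) for Outlook Anywhere
# (RPC over HTTP) on a virtual server shared with other applications.
#
# Assumptions not stated in the thread:
#   - OA lives under /rpc/rpcproxy.dll (the Exchange default)
#   - Outlook uses the RPC_IN_DATA / RPC_OUT_DATA HTTP methods
#   - mail.example.com is a placeholder for the real OA hostname

when HTTP_REQUEST {
    set host   [string tolower [HTTP::host]]
    set uri    [string tolower [HTTP::uri]]
    set method [HTTP::method]

    # Match OA either by path or by the RPC-over-HTTP methods; the
    # host check keeps the bypass from applying to the other apps
    # that share this virtual server.
    if { ($host equals "mail.example.com") &&
         (($uri starts_with "/rpc/rpcproxy.dll") ||
          ($method equals "RPC_IN_DATA") ||
          ($method equals "RPC_OUT_DATA")) } {

        # Analytics was the module that made OA hang in this thread,
        # so it has to go off together with ASM for these requests.
        AVR::disable
        ASM::disable

        # Leave a trace so /var/log/ltm confirms the bypass fired,
        # as the original poster did when checking ASM was disabled.
        log local0.info "OA bypass: $method $uri from [IP::client_addr]"
    }
}
```

Outlook Anywhere holds two long-lived, half-duplex HTTP streams (RPC_IN_DATA and RPC_OUT_DATA) open for the life of the session, which is why it is sensitive to any module that buffers or accounts per request; everything else on the virtual server still gets the ASM policy and Analytics, so the bypass stays as narrow as the host and path match.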