Forum Discussion

Steele6599_8766
Mar 04, 2014

Replacing Microsoft TMG with F5 for Exchange 2010

All, I'm looking for best practice on replacing my TMG with a pair of F5s with LTM. Currently the TMG has two listeners in our DMZ, which are then NAT'ed out to the public via our Cisco ASA, for both Client Access and Hub Transport. The TMG provides both internal and external listeners for users to connect. The problem I'm having is that I know TMG performs as a firewall whereas my F5 will not. Are there any concerns with connecting the F5 to both my LAN and DMZ? Is it normal to provide a VIP for LAN-side clients and a VIP in the DMZ that will then be NAT'ed to a public IP via the Cisco FW?

E.g. (Current) Client Access Server 1 & 2 192.168.1.10 & 192.168.1.11 => TMG Listener Ext. 192.168.5.10 (DMZ) => Cisco ASA NAT 5.4.3.2 (Public IP)

Client Access Server 1 & 2 192.168.1.10 & 192.168.1.11 => TMG Listener Int. 192.168.1.15 (LAN)

So would I connect one interface of the F5 to the LAN side and assign the appropriate VLANs, and another interface to the DMZ?

I'm using iApps for configuring CAS with template version CAS.v1.2.0

For SMTP I'm referencing this article: http://clintboessen.blogspot.com/2011/11/load-balance-smtp-with-f5-big-ip.html

If you all have a more sound solution please let me know.

Any help greatly appreciated.

Thanks.

 

5 Replies

  • mikeshimkus_111
    Historic F5 Account

    Hi Steele6599,

    Which version of BIG-IP are you running? The AFM module and Secure Web Gateway feature will let you replace TMG completely (AFM is in v11.4, SWG is in v11.5).

    Publishing external and internal VIPs on different VLANs should be no problem. You'll need to deploy the iApp service twice, once for internal and another for DMZ, and select the VLANs on which each one will listen from within the iApp config.

    thanks

    Mike


    • Steele6599_8766
      Thanks, I was thinking of running the iApp again like you said. Running version 11.5
    • Steele6599_8766
      All, I have another issue. Right now my TMG listens on 192.168.2.150 for both the Client Access server and Hub Transport and then, based on the protocol, will route to the appropriate server farm. How do I go about doing this with the F5? Will I need to re-IP so SMTP comes in on one IP and CAS services come in on another? The new F5s I purchased are running version 11.5 with LTM:

      • GTM-DNS, Rate Limited, LO, BIG-IP (KJJVAWM-IOCJUUW)
        ◦ DNS Rate Fallback, 50
        ◦ GTM Rate Fallback, 8
        ◦ DNS Licensed Objects, 0
        ◦ GTM Rate, 8
        ◦ DNS Rate Limit, 50 QPS
        ◦ GTM Licensed Objects, 0
      • LTM, Base, 2000S (EALUIUO-PZZYAOO)
        ◦ Application Acceleration Manager, Core
        ◦ IPV6 Gateway
        ◦ Rate Shaping
        ◦ Ram Cache
        ◦ Anti-Virus Checks
        ◦ Base Endpoint Security Checks
        ◦ Firewall Checks
        ◦ Network Access
        ◦ Secure Virtual Keyboard
        ◦ APM, Web Application
        ◦ Machine Certificate Checks
        ◦ Protected Workspace
        ◦ Remote Desktop
        ◦ App Tunnel
    • mikeshimkus_111
      Historic F5 Account
      You can create a new virtual server(s) at the same IP address, but listening on the hub transport port(s). Create a pool for the hub transport servers and make that the default for the new virtual server(s).