Forum Discussion

Vincent_Z_17509
Oct 24, 2014
Solved

Exchange 2010, O365, APM and iRule

Hello,

I'm trying to deploy BIG-IP with Exchange 2010 in hybrid mode. This requires authentication only for OWA and ActiveSync, and no authentication for EWS and Autodiscover. It seems that the _sys_APM_ExchangeSupport_OA_NtlmAuth iRule could help me, but I don't see how to disable authentication for the EWS and Autodiscover part.

Any idea?

Vincent


20 Replies

  • mikeshimkus_111
    Historic F5 Account

    Hi Vincent, which version of BIG-IP are you running? v11.4 and later have an APM Exchange profile that has superseded the APM iRules on the box. It allows you to configure authentication for each non-OWA service. Ideally, you'd use the iApp template and only select to deploy OWA and ActiveSync.

     

  • Hi Mike, thanks for your answer. Our BIG-IP is running v11.5. In fact, I tried to use the latest Exchange template. But the EWS and Autodiscover "traffic" between Microsoft Office 365 networks and our internal network has to be established in anonymous mode. So my need is to publish our Exchange CAS servers with: OWA: basic or NTLM authentication; ActiveSync: basic or NTLM authentication; EWS: no authentication; Autodiscover: no authentication. In our old ISA servers, we published two rules with the same listener: one with authentication and one without. And I don't see how to do the same thing on the BIG-IP.

     

  • mikeshimkus_111
    Historic F5 Account

    For EWS and Autodiscover, you should be able to add an iRule (or disable strictness on the iApp deployment and edit the existing pool assignment iRule) to disable APM for that traffic. For example:

    when HTTP_REQUEST {
        # Match on the lower-cased request path so the check is case-insensitive
        switch -glob -- [string tolower [HTTP::path]] {
            "/ews*" {
                # Exchange Web Services: bypass APM for this request
                ACCESS::disable
            }
            "/autodiscover*" {
                # Autodiscover: bypass APM for this request
                ACCESS::disable
            }
        }
    }

    For OWA, you'll need to remove the logon page from the Access Policy and modify the sso_select iRule to choose the NTLM SSO instead of forms:

    when ACCESS_ACL_ALLOWED {
        set req_uri [string tolower [HTTP::uri]]
        if { $req_uri contains "/owa" } {
            # Select the NTLM SSO object instead of the forms-based one
            WEBSSO::select [set foo /Common/exchange_2010.app/exch_ntlm_sso]
        }
        unset req_uri
    }

    • AndreiPatergin_
      Hi, I'm trying to get the same results. I'm using version 11.6 with f5.microsoft_exchange_2010_2013_cas.v1.4.0. The goal is to modify an auto-created iRule via the iApp to have no authentication for EWS and Autodiscover. (Lync 2013 does not support basic authentication when it tries to use EWS and Autodiscover.) Do I simply remove the configs under the iRule for EWS and Autodiscover and add "ACCESS disable"? Current configurations:

          "/ews*" {
              # Exchange Web Services.
              if { [HTTP::header exists "APM_session"] } {
                  persist uie [HTTP::header "APM_session"] 7200
              } else {
                  persist source_addr
              }
              pool /Common/Exchange_2013.app/Exchange_2013_oa_pool7
              COMPRESS::disable
              CACHE::disable
              return
          }

          "/autodiscover*" {
              # Autodiscovery. No Persistence.
              pool /Common/Exchange_2013.app/Exchange_2013_ad_pool7
              persist none
              return
          }

      Please advise!
    • mikeshimkus_111
      Historic F5 Account
      If you want to disable APM for just these anonymous requests from the Lync client, you can create this iRule and then use Advanced mode in the iApp to assign it to the Autodiscover and EWS virtual servers, or the combined virtual server. You shouldn't need to modify the iRule created by the iApp:

          when HTTP_REQUEST {
              # Only consider Autodiscover and EWS requests
              if { [string tolower [HTTP::uri]] contains "/autodiscover" || [string tolower [HTTP::uri]] contains "/ews" } {
                  # ...and only when the client identifies itself as Lync / MS-WebServices
                  if { [string tolower [HTTP::header value "User-Agent"]] contains "microsoft lync" || [string tolower [HTTP::header value "User-Agent"]] contains "ms-webservices" } {
                      # Bypass APM for this request
                      ACCESS::disable
                  }
              }
          }
    • AndreiPatergin_
      Hi Mike, thanks a lot for the quick reply. You gave me the best solution recommendation. I really appreciate it. I created an iRule with your code, and now that I want to assign it to the combined VIP, do I just attach it with the rest of the iRules? Does the order matter?