Forum Discussion

mbuenrostro_182
Jan 13, 2015

Exchange 2013 CAC authentication error

I built a node on an internal VLAN in my network that serves as my Exchange 2013 CAS. I created a virtual server on the F5 (using the iapp.microsoft.exchange2013.v1.40) with an external IP whose pool includes the CAS node. When I access Outlook Web App from an external network, I can access the email resources with a username and password just fine. When I input my CAC PIN I get "page cannot be displayed". When I do the same from inside my network, I can access OWA using both login and CAC credentials. Is this an F5 routing/configuration issue or an Exchange 2013 configuration issue?


My goal is to access OWA from an outside network using CAC authentication on the Exchange server. I am not trying to enable CAC authentication on the F5. I set that up with the LTM alone, and all that does is request my CAC info; I enter my PIN and authenticate, then it sends me to the OWA login/CAC request, which then fails after I enter my PIN.


Is it incorrect to put the virtual server on the DMZ external VLAN and expect the F5 to be able to send traffic to a node on an internal VLAN?


10 Replies

  • mikeshimkus_111
    Historic F5 Account

    Hi, when you say that CAC works from inside the network, do you mean bypassing the BIG-IP and accessing the CAS directly? Or are there internal and external BIG-IPs, each with Exchange deployed, and CAC only works on internal?


    And you do not have APM involved, only LTM, correct?


  • I'm sorry, I am not bypassing the F5 internally. I connect to the virtual server by typing the virtual server IP xxx.xxx.xxx.xxx/owa; the F5 virtual server then gives me access to the node (OWA node), which then requests my credentials. I gain access when I type my username and password or type my CAC PIN. I can also access OWA by bypassing the LTM, but I am not trying to do that. I am not using APM but do have the license. Thanks.


  • mikeshimkus_111
    Historic F5 Account

    If you connect using the OWA external URL, instead of the virtual server IP address, do you still have the problem? You will need to point that URL's FQDN at the virtual server using DNS or a hosts file entry to test.


    Also, do you have only one virtual server, or two?


  • OWA is located in our internal network, so it does not give access to outside users. The firewall does allow 443 traffic from the F5 to the OWA. The virtual server is located in the DMZ. OWA is a node on the F5 on the internal VLAN. Just one virtual server. Thanks.


    • mikeshimkus_111
      Historic F5 Account
      OK, please let me know how it goes connecting to the FQDN instead of the IP address. I'm wondering if your CAC auth is failing because the IP of the virtual server isn't present in your cert as a SAN.
  • We have a forward zone where the FQDN of the virtual server is tied to the virtual server IP. The FQDN of the OWA node is associated with our internal network DNS. The virtual server sits on the F5's external VLAN. The OWA node sits on the F5's internal VLAN. OWA can be accessed by external users if username/password is used. Once a CAC PIN is used, I get "page cannot be displayed". If I use my CAC authentication from our internal network, and by reaching the virtual server, I do have access to OWA. I just read a DISA white paper on header insertion where the virtual server has an iRule that inserts a header: "The BIG-IP proxy utilizes a custom HTTP header to insert the CAC certificate info."


    Do you think that might be the issue?
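An added example, not from the thread and not the DISA paper's own iRule, of the header-insertion pattern the previous post describes: when the BIG-IP terminates TLS on the virtual server and re-encrypts to the CAS, the client's CAC certificate is only ever presented to the BIG-IP, so an iRule captures it there and forwards it to the back end in a custom HTTP header. It assumes the virtual server's Client SSL profile has client authentication set to request or require, and the header name X-Client-Cert is an assumption; the back end has to be configured to read whatever name is chosen.

```tcl
# Added example iRule (not from the thread or the DISA paper).
# Assumes: Client SSL profile on the virtual server requests or requires a
# client certificate; the back end is configured to read the header
# X-Client-Cert (header name is an assumption).

when CLIENTSSL_CLIENTCERT {
    # Capture the leaf certificate during the TLS handshake. SSL::cert 0 is
    # the DER certificate the client presented; X509::whole renders it as PEM.
    if { [SSL::cert count] > 0 } {
        set client_cert [X509::whole [SSL::cert 0]]
    }
}

when HTTP_REQUEST {
    # Drop any copy of the header the client sent itself, so the back end
    # only ever sees a value the BIG-IP set from the real handshake.
    HTTP::header remove "X-Client-Cert"

    if { [info exists client_cert] } {
        # PEM spans several lines; header values must be a single line,
        # so strip the line breaks before inserting.
        HTTP::header insert "X-Client-Cert" \
            [string map {"\r" "" "\n" ""} $client_cert]
    }
}
```

Two points a practitioner would check before relying on this: the back end must accept the header only from the BIG-IP (the thread's setup, where the firewall permits 443 to the CAS only from the F5, is what makes the header trustworthy; a CAS reachable directly from clients could have the header forged), and the certificate is captured in CLIENTSSL_CLIENTCERT rather than read in HTTP_REQUEST because the variable then persists for every request on the connection.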


    • mikeshimkus_111
      Historic F5 Account
      I have never heard of that iRule. You may want to get a case open with F5 support on this. They can help you upload your config to iHealth and get traffic captures which we can check out.
    • mikeshimkus_111
      Historic F5 Account
      If you don't mind posting that ticket number here or in a PM to me, I can track it.