Joshua_Bines_12
Oct 04, 2016

Exchange 2016 iApp - APM Configuration

Hi There,

I have been having issues with our external APM config for our new Exchange 2016 solution via the iApp. We are running TMOS version 11.4 (already resolved the "No tls 1.2" issue).

OWA and ECP are working, but Autodiscover, EWS, OAB, and Outlook Anywhere are failing with ERR_CONNECTION_RESET.

  1. Enabled debug logging for websso and APM services
  2. Confirmed port 88 is open and authenticating via adtest
  3. Confirmed the forward and reverse DNS is working correctly
  4. Connection stats show connections are made to the virtual server but not to the pools for each service

I assume that we have a problem in our Kerberos SSO iApp config. I'm not seeing any websso logging, which is odd. Any thoughts would be helpful.

/var/log/apm

Oct 4 16:43:20 bigip1 debug tmm1[10674]: 01490000:7: Matches Autodiscover
Oct 4 16:43:20 bigip1 debug tmm1[10674]: 01490000:7: method: GET
Oct 4 16:43:20 bigip1 debug tmm1[10674]: 01490000:7: Src IP: 10.230.1.44
Oct 4 16:43:20 bigip1 debug tmm1[10674]: 01490000:7: User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 S
Oct 4 16:43:20 bigip1 debug tmm1[10674]: 01490000:7: HTTP uri: /autodiscover/autodiscover.xml
Oct 4 16:43:20 bigip1 debug tmm1[10674]: 01490000:7: HTTP len:
Oct 4 16:43:20 bigip1 debug tmm1[10674]: 01490000:7: Request Authorization: NTLM + Basic
Oct 4 16:43:20 bigip1 debug tmm[10674]: 01490000:7: Matches Autodiscover
Oct 4 16:43:20 bigip1 debug tmm[10674]: 01490000:7: method: GET
Oct 4 16:43:20 bigip1 debug tmm[10674]: 01490000:7: Src IP: 10.230.1.44
Oct 4 16:43:20 bigip1 debug tmm[10674]: 01490000:7: User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Sa
Oct 4 16:43:20 bigip1 debug tmm[10674]: 01490000:7: HTTP uri: /autodiscover/autodiscover.xml
Oct 4 16:43:20 bigip1 debug tmm[10674]: 01490000:7: HTTP len:
Oct 4 16:43:20 bigip1 debug tmm[10674]: 01490000:7: Recv'd HTTP NTLM Authentication
Oct 4 16:43:20 bigip1 debug tmm[10674]: 01490000:7: Enable ECA: select_ntlm:/Common/external.webmail.company.com.app/exch_ntlm_combined_https
Oct 4 16:43:20 bigip1 notice tmm[10674]: 01490506:5: de8aa909: Received User-Agent header: Mozilla%2f5.0%20(Windows%20NT%206.1)%20AppleWebKit%2f537.36%20(KH2f53.0.2785.116%20Safari%2f537.36.
Oct 4 16:43:20 bigip1 notice tmm[10674]: 01490544:5: de8aa909: Received client info - Type: Mozilla Version: 5 Platform: Win7 CPU: unknown UI Mode: Full Javrt: 0 Plugin Support: 1
Oct 4 16:43:20 bigip1 notice tmm[10674]: 01490500:5: de8aa909: New session from client IP 10.230.1.44 (ST=/CC=/C=) at VIP 10.228.1.119 Listener /Common/exte.au.app/external.webmail.company.com_combined_https (Reputation=Unknown)

/var/log/ltm

TCL error: /Common/_sys_APM_Exchange - can't read "user_key": no such variable while executing "ACCESS::session data set "$static::__APM_ACCESS_SESS_USER_UUID" $user_key"
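
A small triage script for the two log excerpts in the post above, as an added example that is not part of the original post: it groups the iRule debug lines per TMM process into one record per request (so it is visible which request had ECA selected) and pulls the rule name and missing variable out of the TCL error. The sample input is constructed from lines quoted in the post; the function names and the treatment of message ID 01490000 as the iRule debug marker are assumptions of this example.

```python
import re

# Constructed sample: a subset of the /var/log/apm lines quoted in the post.
SAMPLE_APM = """\
Oct 4 16:43:20 bigip1 debug tmm1[10674]: 01490000:7: Matches Autodiscover
Oct 4 16:43:20 bigip1 debug tmm1[10674]: 01490000:7: HTTP uri: /autodiscover/autodiscover.xml
Oct 4 16:43:20 bigip1 debug tmm1[10674]: 01490000:7: Request Authorization: NTLM + Basic
Oct 4 16:43:20 bigip1 debug tmm[10674]: 01490000:7: Matches Autodiscover
Oct 4 16:43:20 bigip1 debug tmm[10674]: 01490000:7: HTTP uri: /autodiscover/autodiscover.xml
Oct 4 16:43:20 bigip1 debug tmm[10674]: 01490000:7: Recv'd HTTP NTLM Authentication
Oct 4 16:43:20 bigip1 debug tmm[10674]: 01490000:7: Enable ECA: select_ntlm:/Common/external.webmail.company.com.app/exch_ntlm_combined_https
"""
# The /var/log/ltm line quoted in the post.
SAMPLE_LTM = '''TCL error: /Common/_sys_APM_Exchange - can't read "user_key": no such variable while executing "ACCESS::session data set "$static::__APM_ACCESS_SESS_USER_UUID" $user_key"'''

# Assumption: 01490000 is the message ID of the iRule debug lines, as seen in the post.
LINE = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\s\w+\s(?P<proc>tmm\d*)\[\d+\]:\s"
                  r"01490000:\d:\s(?P<msg>.*)$")
TCL = re.compile(r"""TCL error: (?P<rule>\S+) - can't read "(?P<var>[^"]+)": no such variable""")

def parse_requests(text):
    """Return one dict per request; a 'Matches <service>' line opens a request on that TMM."""
    requests, current = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        proc, msg = m["proc"], m["msg"]
        if msg.startswith("Matches "):
            current[proc] = {"service": msg[len("Matches "):], "proc": proc, "eca": None}
            requests.append(current[proc])
        elif proc in current and msg.startswith("Enable ECA: "):
            current[proc]["eca"] = msg[len("Enable ECA: "):]
        elif proc in current and ": " in msg:
            key, value = msg.split(": ", 1)
            current[proc][key.lower()] = value
    return requests

def parse_tcl_error(line):
    """Return (rule, missing_variable) from an ltm TCL error line, or None."""
    m = TCL.search(line)
    return (m["rule"], m["var"]) if m else None

if __name__ == "__main__":
    for req in parse_requests(SAMPLE_APM):
        print(req["proc"], req["service"], req.get("http uri"), "ECA:", req["eca"])
    print("TCL error (rule, variable):", parse_tcl_error(SAMPLE_LTM))
```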

 

7 Replies

    • mikeshimkus_111
      Historic F5 Account

      Can you take a look at your Exchange virtual server and tell me if you have the /Common/_sys_APM_Exchange rule assigned to it? 11.4 and later should use the Exchange APM profile, and should not have the iRule directly assigned.

       

    • Joshua_Bines_12
      Cirrus

      These iRules are applied to the VS.

      external.mail.company.com_owa_redirect_irule7
      external.mail.company.com_login_timeout
      external.mail.company.com_select_sso_irule7
      external.mail.company.com_apm_combined_pool_irule7

      I found the machine account and name had hashes "-" so I removed them and recreated the iApp just in case, but no luck.

      A tcpdump from the F5 shows Kerberos ports are opening for OWA, but we get no Kerberos connections for Autodiscover etc. Really odd.