Using F5 rather than ISA server.

mylogo
We are moving OWA behind an F5. I was wondering if anyone has done this using F5 to Exchange CAS servers (Exchange 2007 load-balanced) without an ISA server (2006) in between?
Our certificates sit on the Exchange NLB servers and our current ISA Server 2006 points to these CAS servers. I thought I read someplace that with the newer version of IIS the access control list could be done on the F5 and not need an ISA server at all. I know nothing of F5 so don't have any configuration insight. Am hoping someone here might have some suggestions on how to make this happen.
Would also like to hear of any concerns or suggestions regarding moving OWA behind F5.
Distinguished Expert 2017
Commented:
Depending on your F5 licensing, you could have SSL terminated on the F5, with access to the backend Exchange servers in unencrypted form, taking the load off the Exchange servers as well as allowing for a possibly quicker switch should a server go down with active sessions.
The F5 is effectively replacing the NLB functionality rather than a replacement for the ISA.

Usually IDS/IPS and firewall systems will be set up in front of the F5 to protect while letting it maximize its performance by letting it handle the load balancing of requests.
Keith Alabaster, Enterprise Architect
Top Expert 2008
Commented:
The F5 complements the ISA; it does not replace it and it certainly cannot carry out the functions/offer the security that the ISA does.

Commented:
F5 offers specific fw & proxy features for OWA via its ASM module. What specifically is ISA doing to secure OWA other than the SSL bridging? Are there app firewall features specific to OWA being handled by ISA?
Keith Alabaster, Enterprise Architect
Top Expert 2008

Commented:
No offence, but it might be worth reading the blurb on the products first to see the differences, as they are significant and numerous.

Although ISA is now end of line - and has been replaced by TMG - it is still far and away the best product on the market for what it provides.

As you state yourself, F5 offers 'specific' fw/proxy capability - as do most other systems that have bolted these on as an afterthought to meet market requirements.

ISA/TMG was built from the ground up as an EAL4+ firewall, a full proxy service and as an application gateway. With the addition of the ISP-R TMG features for failover or load-balancing you don't get much better. TMG is cheaper as well.
Yes, TMG can take on the role of the Exchange Edge server, it can handle all of the antispam functionality that Exchange would handle natively, TMG presents the OWA logon script/change password scripts etc that OWA would normally front out and links it with SSO capabilities.

Where F5 far exceeds ISA or TMG is if you want the load-balancing performing outside of the environment i.e. before it has even hit the user site.

Commented:
Thx for the quick reply. Can you direct me to anything specific as to the OWA-specific security controls in TMG? Thus far I have only been able to find some docs addressing HTTP Request Smuggling and Content Protection. I am not looking to compare ISA (TMG) vs F5 across the board; I am really focused on understanding what they provide for protecting OWA from an AppFW perspective. Are there any OWA-specific signatures available in TMG?
Keith Alabaster, Enterprise Architect
Top Expert 2008

Commented:
Really needs to be your own question rather than piggy-backing on someone else's question. However, a quick win would be reviewing TechNet and searching for publishing OWA via TMG - the walkthrough guide covers the permutations and I don't have to break the site rules here.