Solved

Exchange 2010 with F5 load-balance

Posted on 2013-11-28
1,181 Views
Last Modified: 2013-12-18
Hi,

we are deploying Exchange 2010 SP3 behind F5 load-balancer.
The SSL is installed on the loadbalancer for ssl-offloading, but do I need to install it also on the hosts as well?
0
Question by:webox_suuport
28 Comments
 
LVL 7

Expert Comment

by:GillesT
ID: 39682963
If the F5 load-balancer does the ssl-offloading, the incoming connection to the F5 will be SSL encrypted, but the incoming connection to Exchange will not be SSL (only HTTP). In that case, you don't need SSL on Exchange.
For testing, or if you have a bug problem with your F5 load-balancer and you need to by-pass it, it can be a good idea to have Exchange understand SSL, and in that case you also need to install the certificate on Exchange.
0
 
LVL 16

Expert Comment

by:Nyaema
ID: 39683055
You are not doing SSL-offloading if you have an SSL certificate installed on the Exchange server.
SSL-Offloading relieves the server of the burden of processing the encrypted traffic by giving that function to the load balancer.

Simply removing the certificate from IIS on the exchange server, unchecking the "Require SSL" check box, and putting it on the load balancer.  This is because Exchange by default is heavily reliant on SSL certificates, and will not function properly without it.  This behaviour though can be changed through the registry.

Please follow the topic at following URL on how to do this

How to Configure SSL Offloading in Exchange 2010
http://social.technet.microsoft.com/wiki/contents/articles/1267.how-to-configure-ssl-offloading-in-exchange-2010.aspx
0
 

Author Comment

by:webox_suuport
ID: 39687800
Hi,
Thanks for the comments for the SSL.
Now when I'm trying to check OWA from outside the network the page won't open at all.
You can check it by going to https://mail.exchangegw.com/owa

The topology is simple, F5 is doing NAT and loadbalancing the CAS.

Spending hours on this but couldn't find what is wrong, if I'm checking the internal URL of the CAS, OWA is working.

Please advise.
0
 
LVL 16

Expert Comment

by:Nyaema
ID: 39688572
It is opening.
0
 
LVL 7

Expert Comment

by:GillesT
ID: 39689060
I confirm, it is also opening
0
 

Author Comment

by:webox_suuport
ID: 39723440
Yes, thanks for your comments.
The problem was that the SSL on the F5 was configured to use server-side certificate while the certificate wasn't installed on the hosts.
Once changed to client-side, everything worked on this area.

Now we're facing another issue, this time we're trying to configure TLS on the SMTP.
It works for port 587 but not on port 25.

[root@mn ~]# openssl s_client -connect smtpauth.exchangegw.com:25 -starttls smtp
CONNECTED(00000003)
didn't found starttls in server response, try anyway...
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 313 bytes and written 298 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Any Advice?
0
 
LVL 7

Expert Comment

by:GillesT
ID: 39723797
If you are using SMTP on port 25, there is no security, no TLS !
You can try openssl
Instead try : telnet smtpauth.exchangegw.com 25
0
 

Author Comment

by:webox_suuport
ID: 39723833
Hi,
So when the security comes to action?
If I'm comparing the current configuration with F5, I can see some differences with other configuration with NLB.

For Example:
openssl s_client -connect smtpauth.cprovider.net:25 -starttls smtp
CONNECTED(00000003)
depth=2 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certificates.godaddy.com/repository, CN = Go Daddy Secure Certification Authority, serialNumber = 0796928
verify return:1
depth=0 OU = Domain Control Validated, CN = exchange.cprovider.net
verify return:1
---

Also, checking telnet on 25 have differences in STARTTLS:
220 SMTPAUTH.EXCHANGEGW.COM Microsoft ESMTP MAIL Service ready at Tue, 17 Dec 2013 15:23:34 +0200
ehlo
250-SMTPAUTH.EXCHANGEGW.COM Hello [1.5.212.1]
250-SIZE 31457280
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250 CHUNKING
(No STARTTLS)

while with NLB:
220 smtpauth.cprovider.net Microsoft ESMTP MAIL Service ready at Tue, 17 Dec 2013 15:27:16 +0200
ehlo
250-smtpauth.cprovider.net Hello [79.181.16.187]
250-SIZE 52428800
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250 CHUNKING
0
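The comparison above is a capability check: the two virtual servers front different back ends, and only one of them advertises the STARTTLS extension in its EHLO reply. The following is an added example (not from this thread, and not F5 or Microsoft code) that parses a multi-line 250 EHLO reply per RFC 5321 section 4.1.1.1, reports whether STARTTLS is offered, and diffs the extension lists of two endpoints so that a mismatch like the one shown here is visible at a glance. The two sample replies are constructed from the telnet transcripts in the thread; the live probe uses the standard library's smtplib and sends no credentials.

```python
"""Compare the ESMTP extensions two mail endpoints advertise.

Added example, not from the thread or from F5/Microsoft: a small parser for
the multi-line 250 EHLO reply (RFC 5321 section 4.1.1.1) plus a live probe
built on the standard library's smtplib. The two sample replies below are
constructed from the telnet transcripts in the thread.
"""
import smtplib

# Constructed sample: the reply seen through the F5 virtual server (no STARTTLS).
EHLO_F5 = (
    "250-SMTPAUTH.EXCHANGEGW.COM Hello [1.5.212.1]\r\n"
    "250-SIZE 31457280\r\n"
    "250-PIPELINING\r\n"
    "250-DSN\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-AUTH GSSAPI NTLM\r\n"
    "250-8BITMIME\r\n"
    "250-BINARYMIME\r\n"
    "250 CHUNKING\r\n"
)

# Constructed sample: the reply seen through the NLB virtual server (STARTTLS present).
EHLO_NLB = (
    "250-smtpauth.cprovider.net Hello [79.181.16.187]\r\n"
    "250-SIZE 52428800\r\n"
    "250-PIPELINING\r\n"
    "250-DSN\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH GSSAPI NTLM\r\n"
    "250-8BITMIME\r\n"
    "250-BINARYMIME\r\n"
    "250 CHUNKING\r\n"
)


def parse_ehlo(reply: str) -> dict:
    """Map each advertised extension keyword to its parameter string.

    The first 250 line is the server greeting and carries no extension, so it
    is skipped. Keywords are upper-cased because clients match them
    case-insensitively.
    """
    lines = reply.splitlines()
    if not lines or not lines[0].startswith("250"):
        raise ValueError("not a successful EHLO reply")
    extensions = {}
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected reply line: {line!r}")
        body = line[4:].strip()          # drop the "250-" / "250 " prefix
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        extensions[keyword.upper()] = params.strip()
    return extensions


def advertises_starttls(reply: str) -> bool:
    """True when the server offers STARTTLS on this port."""
    return "STARTTLS" in parse_ehlo(reply)


def diff_capabilities(reply_a: str, reply_b: str):
    """Return (only_in_a, only_in_b, changed) for two EHLO replies.

    'changed' maps keywords present in both replies to their differing
    parameters, which is how the SIZE mismatch in the thread shows up.
    """
    a, b = parse_ehlo(reply_a), parse_ehlo(reply_b)
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    changed = {k: (a[k], b[k]) for k in sorted(a.keys() & b.keys()) if a[k] != b[k]}
    return only_a, only_b, changed


def probe_ehlo(host: str, port: int = 25, timeout: float = 5.0) -> dict:
    """Live check: connect, send EHLO, and return the advertised extensions.

    smtplib parses the reply into SMTP.esmtp_features for us. No credentials
    are sent and the session ends with QUIT when the context closes.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        code, _ = conn.ehlo("probe.example")   # hypothetical client name
        if code != 250:
            raise RuntimeError(f"EHLO rejected with {code}")
        return {k.upper(): v.strip() for k, v in conn.esmtp_features.items()}


if __name__ == "__main__":
    only_f5, only_nlb, changed = diff_capabilities(EHLO_F5, EHLO_NLB)
    print("only on F5 :", only_f5)
    print("only on NLB:", only_nlb)
    print("changed    :", changed)
    print("F5 STARTTLS :", advertises_starttls(EHLO_F5))
    print("NLB STARTTLS:", advertises_starttls(EHLO_NLB))
```

Run against the two constructed replies, the diff reports STARTTLS as present only on the NLB side and SIZE as the one parameter that differs, which is exactly the two observations made in the posts above; `probe_ehlo` does the same check against a live host when you want to verify a virtual server after changing its profile or iRule.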
 
LVL 7

Expert Comment

by:GillesT
ID: 39723857
In one case you connect to smtpauth.cprovider.net and in another case you connect to SMTPAUTH.EXCHANGEGW.COM.
I think that smtpauth is F5 and cprovider.net is NLB. Is it the case?
If it is the case, you can see that the backend SMTP isn't the same: in one case you have an accepted size of 31457280 and in the other 52428800.
0
 
LVL 16

Expert Comment

by:Nyaema
ID: 39723875
@GillesT, SMTP does support TLS through the use of the starttls command.  SMTP is able to perform plain text and TLS using the same port

Depends on whether you are doing TLS offloading or not.

If you are not using TLS encryption, all you have to do is to configure the SMTP service on the LB for passthrough i.e. no clientssl and no serverssl.

For TLS offloading, you will need to use an irule which you can find at
SMTPStartTLS

You will need to have registered to access the link.  Registration at DevCentral is free.
0
 

Author Comment

by:webox_suuport
ID: 39723891
Yes, you are correct:
smtpauth.cprovider.net - NLB
smtpauth.exchangegw.com - F5
It is not the same with the size accepted, but why would that affect the case of the security?
0
 

Author Comment

by:webox_suuport
ID: 39723907
@Nyaema, Thanks.
My question for the iRule, do I need to configure it for 587 or I can use this iRule for 25 as well?
0
 
LVL 7

Expert Comment

by:GillesT
ID: 39723911
It is just that with F5 and with NLB, the selected back end server isn't the same!
F5 selects the back end server according to availability of the SMTP services on the server (application level) and according to the server that is the most available.
NLB only checks the network availability on the server and then will always select the same server when the request comes from the same source IP address.
If you want to accept incoming connections on 25, you also need to configure the rule for 25.
0
 

Author Comment

by:webox_suuport
ID: 39723922
Thanks, and on both VIP, I need to install the certificate for client-side?
0
 
LVL 7

Expert Comment

by:GillesT
ID: 39723930
Sorry, I don't understand why you have a client-side certificate! Why don't you install a server-side certificate?
At the beginning of this thread, you spoke about OWA. I don't think that you will use client-side certificate for OWA !
0
 

Author Comment

by:webox_suuport
ID: 39723946
As far as I've been reading on SSL-Offloading, the certificate should be installed only on F5 and not on the servers themselves.
Actually, that was the problem with the OWA, it was configured server-side and looked for certificate from the servers but nothing was accepted.
0
 
LVL 16

Expert Comment

by:Nyaema
ID: 39723955
The irule will also work on port 25. configure it on 25

Also, how have you configured port 587?
0
 
LVL 16

Expert Comment

by:Nyaema
ID: 39723981
Also, why do you say that starttls is not working?

The above output from the load balancer shows that TLS is enabled.
I get the below output when I try, though I do not have an email address to do the actual email test.

220 smtpauth.cprovider.net Microsoft ESMTP MAIL Service ready at Tue, 17 Dec 2013 16:22:07 +0200
ehlo
250-smtpauth.cprovider.net Hello [197.237.13.8]
250-SIZE 52428800
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250 CHUNKING
starttls
220 2.0.0 SMTP server ready

The 250-STARTTLS above shows that starttls is supported.  Which error do you get?
0
 

Author Comment

by:webox_suuport
ID: 39723994
smtpauth.cprovider.net is not with F5, it is NLB.
I used it to compare between two installations.

How should I configure the certificate for this ports?
0
 
LVL 16

Accepted Solution

by:
Nyaema earned 500 total points
ID: 39724070
Use ClientSSL and assign the certificate for the FQDN used to connect to this virtual server.
Then create and use the irule I provided in a link above.
0
 

Author Closing Comment

by:webox_suuport
ID: 39724173
Working.
Thanks!
0
 

Author Comment

by:webox_suuport
ID: 39724213
Oh,
one last issue.

When I'm trying to configure imap\pop account in Outlook, the outgoing server is not accepting "user@domain.com", but only "user".
What can possibly be the reason for that?
0
 
LVL 16

Expert Comment

by:Nyaema
ID: 39724271
Is domain.com the LDAP domain or the email domain?
0
 

Author Comment

by:webox_suuport
ID: 39724307
email domain.
On the NLB installation it is working, btw.
0
 
LVL 16

Expert Comment

by:Nyaema
ID: 39724451
It needs to be the LDAP domain.  Username only works because the SMTP realm has already been set to the LDAP domain and is used as the default.

If you want this, you would need to add re-write statements to the irule.  This is beyond my scope as the authentication is normally encoded, e.g. using Digest-MD5.

You can post in DevCentral site for help on how to do this.
0
 
LVL 16

Expert Comment

by:Nyaema
ID: 39724455
BTW, thank you for the points.
0
 

Author Comment

by:webox_suuport
ID: 39724579
You're welcome.
Since this is going to be a Hosted Exchange environment, it will be a problem using only the usernames instead of the email address.
There will be plenty of admin\info\sam\tom\office accounts.

I'm thinking, if I will disable the ssl-offloading from F5 on the SMTP and the certificates will be installed on the HUBS, will it work?

Otherwise, I'll need to consider switching to NLB
0
 
LVL 16

Expert Comment

by:Nyaema
ID: 39726008
SSL offloading is not the cause of the problem.

domain.com is not your LDAP domain.
i.e. domain.local is your LDAP domain.

Authentication is being done against your LDAP domain or NetBIOS domain, meaning anything that is not user@domain.local or domain\user is going to fail authentication.  Setting the default realm for SMTP automatically adds domain\ or @domain.local when a user just enters their username. So user becomes domain\user or user@domain.local.

NLB cannot solve this.  iRules on the other hand can, through a process called rewriting.
irules can rewrite a username entered as user@domain.com to user@domain.local or domain\user.

I could have helped you with writing the irule if usernames were in plain text.  But that is not the case: usernames and passwords are in Base64.

i.e. user@domain.com in base64 is dXNlckBkb21haW4uY29t
and user@domain.local is dXNlckBkb21haW4ubG9jYWw=

Now check this: username@domain.com is dXNlcm5hbWVAZG9tYWluLmxvY2Fs

So there is no simple way of rewriting a username domain combination in Base64.
DevCentral is the official F5 irule support site. And guys like NAT are amazing... magicians and could conjure up some irule to do exactly what you want.  Don't know, but they could have some Base64 encoder/decoder.

Base64 Encoder/Decoder
0
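The Base64 point above is worth seeing concretely. What follows is an added example, not from this thread and not an F5 iRule: it shows in Python why user@domain.com cannot be turned into user@domain.local by substituting on the Base64 text. Base64 encodes the input in 3-byte groups, so the encoded form of the domain depends on the length of the username in front of it; a realm rewrite therefore has to decode the credential, edit it, and re-encode it. The code handles the username line of AUTH LOGIN and the three-field AUTH PLAIN blob (RFC 4616). Both domain names and the sample credentials are assumptions standing in for the thread's email and LDAP domains.

```python
"""Rewrite the realm inside a base64-encoded SMTP AUTH credential.

Added example, not from the thread and not an F5 iRule. Base64 encodes
3-byte groups, so the encoding of "@domain.com" shifts with the length of
the username before it; the only reliable rewrite is decode, edit, re-encode.
"""
import base64

EMAIL_DOMAIN = "domain.com"    # assumption: the SMTP address domain users type
LDAP_DOMAIN = "domain.local"   # assumption: the AD/LDAP realm Exchange authenticates against


def b64(text: str) -> str:
    """Encode a string the way an SMTP AUTH client sends it."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def rewrite_user(user: str) -> str:
    """Map user@EMAIL_DOMAIN to user@LDAP_DOMAIN; leave anything else alone."""
    local, at, domain = user.rpartition("@")
    if at and domain.lower() == EMAIL_DOMAIN:
        return f"{local}@{LDAP_DOMAIN}"
    return user


def naive_rewrite(encoded: str) -> str:
    """What a plain string substitution on the encoded text does: usually nothing.

    b64(EMAIL_DOMAIN) only appears inside the encoded credential when the
    domain happens to start on a 3-byte group boundary, so this cannot be
    relied on; it is here to show the failure, not to be used.
    """
    return encoded.replace(b64(EMAIL_DOMAIN), b64(LDAP_DOMAIN))


def rewrite_login_username(encoded: str) -> str:
    """Rewrite the username line of an AUTH LOGIN exchange (decode, edit, re-encode)."""
    user = base64.b64decode(encoded, validate=True).decode("utf-8")
    return b64(rewrite_user(user))


def decode_plain(encoded: str) -> tuple:
    """Split an AUTH PLAIN blob into (authzid, authcid, password) per RFC 4616."""
    raw = base64.b64decode(encoded, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("AUTH PLAIN payload must contain exactly two NUL separators")
    return tuple(p.decode("utf-8") for p in parts)


def encode_plain(authzid: str, authcid: str, password: str) -> str:
    """Build an AUTH PLAIN blob from its three fields."""
    return b64("\0".join((authzid, authcid, password)))


def rewrite_plain(encoded: str) -> str:
    """Rewrite only the authentication identity in an AUTH PLAIN blob."""
    authzid, authcid, password = decode_plain(encoded)
    return encode_plain(authzid, rewrite_user(authcid), password)


if __name__ == "__main__":
    # Constructed sample usernames; the encodings of the first one match the thread.
    for user in ("user@domain.com", "username@domain.com", "admin"):
        enc = b64(user)
        print(f"{user:<22} encoded {enc}")
        print(f"{'':<22} naive   {naive_rewrite(enc)}")
        print(f"{'':<22} proper  {rewrite_login_username(enc)}")
```

For "user@domain.com" the proper rewrite yields the same two encodings quoted in the post above, while the naive substitution leaves the credential untouched because the encoded domain never appears as a substring; for "username@domain.com" the encoded domain is different again (the extra four characters shift the group alignment), which is the reason a rewrite rule has to operate on the decoded value.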