Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1301
  • Last Modified:

Exchange 2010 with F5 load-balance

Hi,

we are deploying Exchange 2010 SP3 behind F5 load-balancer.
The SSL is installed on the loadbalancer for ssl-offloading, but do I need to install it also on the hosts as well?
0
webox_suuport
Asked:
webox_suuport
  • 12
  • 10
  • 6
1 Solution
 
GillesTCommented:
If the F5 load-balancer do the ssl-offloading, the incoming connexion to the F5 will be SSL encrypted, but the incoming connexion to Exchange will not be SSL (only HTTP). In that case, you don't need SSL on Exchange.
For testing, or if you have a bug problem with your F5 load-balancer, and you need to by-pass it, it can be a good idea to have Exchange understand SSL, and in that case, you need to install also certificate on Exchange
0
 
Joseph NyaemaIT ConsultantCommented:
You are not doing SSL-offloading if you have an SSL certificate installed on the Exchange server.
SSL-Offloading releaves the server off the burden of processing the encrypted traffic by giving that function to the load balancer.

Simply removing the certificate from IIS on the exchange server, unchecking the"Require SSL" check box, and putting it on the load balancer.  This is because Exchange by default is heavily reliant on SSL certificates, and will not fucntion properly without it.  This behaviour though can be changed though the registry.

Please follow the topic at following URL on how to do this

How to Configure SSL Offloading in Exchange 2010
http://social.technet.microsoft.com/wiki/contents/articles/1267.how-to-configure-ssl-offloading-in-exchange-2010.aspx
0
 
webox_suuportAuthor Commented:
Hi,
Thanks for the comments for the SSL.
Now when I'm trying to check OWA from outside the network the page won't open at all.
You can check it by going to https://mail.exchangegw.com/owa

The topology is simple, F5 is doing NAT and loadbalancing the CAS.

Spending hours on this but couldn't find what is wrong, if I'm checking the internal URL of the CAS, OWA is working.

Please advice.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
Joseph NyaemaIT ConsultantCommented:
It is opening.
0
 
GillesTCommented:
I confirm, it is also opening
0
 
webox_suuportAuthor Commented:
Yes, thanks for your comments.
The problem was that the SSL on the F5 was configured to use server-side certificate while the certificate wasn't installed on the hosts.
Once changed to client-side, everything worked on this area.

Now we're facing another issue, this time we're trying to configure TLS on the SMTP.
It works for port 587 but not on port 25.

[root@mn ~]# openssl s_client -connect smtpauth.exchangegw.com:25 -starttls smtp
CONNECTED(00000003)
didn't found starttls in server response, try anyway...
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 313 bytes and written 298 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Any Advice?
0
 
GillesTCommented:
If you are using SMTP on port 25, there is no security, no TLS !
You can try openssl
Instead try : telnet smtpauth.exchangegw.com 25
0
 
webox_suuportAuthor Commented:
Hi,
So when the security comes to action?
If I'm comparing the current configuration with F5, I can see some differences with other configuration with NLB.

For Example:
openssl s_client -connect smtpauth.cprovider.net:25 -starttls smtp
CONNECTED(00000003)
depth=2 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certificates.godaddy.com/repository, CN = Go Daddy Secure Certification Authority, serialNumber = 0796928verify return:1
depth=0 OU = Domain Control Validated, CN = exchange.cprovider.net
verify return:1
---

Also, checking telnet on 25 have differences in STARTTLS:
220 SMTPAUTH.EXCHANGEGW.COM Microsoft ESMTP MAIL Service ready at Tue, 17 Dec 2013 15:23:34 +0200
ehlo
250-SMTPAUTH.EXCHANGEGW.COM Hello [1.5.212.1]
250-SIZE 31457280
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250 CHUNKING
(No STARTTLS)

while with NLB:
220 smtpauth.cprovider.net Microsoft ESMTP MAIL Service ready at Tue, 17 Dec 2013 15:27:16 +0200
ehlo
250-smtpauth.cprovider.net Hello [79.181.16.187]
250-SIZE 52428800
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250 CHUNKING
0
 
GillesTCommented:
in one case you connect to smtpauth.cprovider.net and in another case you connect to SMTPAUTH.EXCHANGEGW.COM.
I think that smtpauth is F5 and cprovider.net is NLB. Is it the case ?
If it is the case, you can see that that the backend SMTP isn't the same, in one case, you have a size accepted of 31457280 and in the other 52428800
0
 
Joseph NyaemaIT ConsultantCommented:
@GillesT, SMTP does support TLS through the use of the starttls command.  SMTP is able to perform plain text and TLS using the same port

Depends on whether you are doing TLS offloading or not.

If you are not using TLS encryption, all you have to do is to configure the SMTP service on the LB for passthrough i.e. no clientssl and no serverssl.

For TLS offloading, you will need to use an irule which you can find at
SMTPStartTLS

You will need to have registered to access the link.  Registration at DevCentral is free.
0
 
webox_suuportAuthor Commented:
Yes, you are correct:
smtpauth.cprovider.net - NLB
smtpauth.exchangegw.com - F5
It is not the same with the size accepted, but why would that effect the case of the security?
0
 
webox_suuportAuthor Commented:
@Nyaema, Thanks.
My question for the iRule, do I need to configure it for 587 or I can use this iRule for 25 as well?
0
 
GillesTCommented:
It is just that with F5 and with NLB, the selected back end server isn't the same !
F5 selects the back end server according to availability of the SMTP services on the server (application level) and according to the server that is the most available
NLB only check the network availability on the server and then will always select the same server when the request comes from the same source IP address
If you want to accept 25 incoming connexion, you need also to configure the rule for 25
0
 
webox_suuportAuthor Commented:
Thanks, and on both VIP, I need to install the certificate for client-side?
0
 
GillesTCommented:
Sorry, I don't undertsand why you have client-side certificate ! why don't you install server-side certificate ?
At the beginning of this thread, you spoke about OWA. I don't think that you will use client-side certificate for OWA !
0
 
webox_suuportAuthor Commented:
As far as I've been reading on SSL-Offloading, the certificate should be installed only on F5 and not on the servers themselves.
Actually, that was the problem with the OWA, it was configured server-side and looked for certificate from the servers but nothing was accepted.
0
 
Joseph NyaemaIT ConsultantCommented:
The irule will also work on port 25. configure it on 25

Also how have you configure port 587?
0
 
Joseph NyaemaIT ConsultantCommented:
Also, why do you say that starttls is not working.

From above output to load balancer, show that TLS is enabled.
I get the below output when I try, though do not email address to do the actual email test.

220 smtpauth.cprovider.net Microsoft ESMTP MAIL Service ready at Tue, 17 Dec 201
3 16:22:07 +0200
ehlo
250-smtpauth.cprovider.net Hello [197.237.13.8]
250-SIZE 52428800
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250 CHUNKING
starttls
220 2.0.0 SMTP server ready

the 250-STARTLS above shows that starttls is supported.  which error do you get?
0
 
webox_suuportAuthor Commented:
smtpauth.cprovider.net is not with F5, it is NLB.
I used it to compare between two installations.

How should I configure the certificate for this ports?
0
 
Joseph NyaemaIT ConsultantCommented:
Use ClientSSL and assign the certificate for the FQDN to connect to connect to this virtual server.
Then create and use the irule I provided in a link above.
0
 
webox_suuportAuthor Commented:
Working.
Thanks!
0
 
webox_suuportAuthor Commented:
Oh,
one last issue.

When I'm trying to configure imap\pop account in Outlook, the outgoing server is not accepting "user@domain.com", but only "user".
What can possibly be the reason for that?
0
 
Joseph NyaemaIT ConsultantCommented:
Is domain.com the LDAP domain or the email domain?
0
 
webox_suuportAuthor Commented:
email domain.
On the NLB installation it is working, btw.
0
 
Joseph NyaemaIT ConsultantCommented:
It needs to be the LDAP domain.  Username only, works because the SMTP real has already been sent to the LDAP domain and is used as the default.

If you want, but you would need to add re-write statements to the irule.  This is beyond my scope as the authentication is normally encoded e.g. using Digest-MD5.

You can post in DevCentral site for help on how to do this.
0
 
Joseph NyaemaIT ConsultantCommented:
BTW, thank you for the points.
0
 
webox_suuportAuthor Commented:
You're welcome.
Since this is going to be Hosted Exchange environment, it will be a problem using only the usernames instead email address.
There will be plenty of admin\info\sam\tom\office accounts.

I'm thinking, if I will disable the ssl-offloading from F5 on the SMTP and the certificates will be installed on the HUBS, will it work?

Otherwise, I'll need to consider switching to NLB
0
 
Joseph NyaemaIT ConsultantCommented:
SSL offloading is not the cause of the problem.

domain.com is not your LDAP domain.
i.e. domain.local is your LDAP domain.

Authentication is being against your LDAP domain or NetBIOS domain. meaning anything that is not user@domain.local or domain\user is going to fail authentication.  Setting the default realm for SMTP automatically adds domain\ or @domain.local when a user just enters their username. So user becomes domain\user or user@domain.local

NLB cannot solve this.  iRules on the other hand can, through a process called rewriting.
irules can rewrite a username entered as user@domain.com to user@domain.local or domain\user.

I could have helped you with writing the irule if usernames where in plain text.  But that is not the case usernames and passwords are in Base64.

i.e. user@domain.com in base64 is dXNlckBkb21haW4uY29t
and user@domain.local is dXNlckBkb21haW4ubG9jYWw=

now check this  username@domain.com is dXNlcm5hbWVAZG9tYWluLmxvY2Fs

So there is no simple way of rewriting a username domain combination in Base64.
DevCentral is the official F5 irule support site. And guys like NAT are amazing... magicians and could conjure up some irule to do exactly what you want.  Don't know, but they could have some Base64 encoder/decoder.

Base64 Encoder/Decoder
0

Featured Post

Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

  • 12
  • 10
  • 6
Tackle projects and never again get stuck behind a technical roadblock.
Join Now