Asked by M A
NLB replaced by F5 exchange 2010

I replaced NLB with an F5 BIG-IP 1600.
After the change, Outlook prompts for username and password.
When I put it back to NLB, it works fine.

Does anybody have an idea why it's prompting for username and password with the F5?

Your help is appreciated.
giltjr:

Although this is for Exchange 2003 and Outlook 2003 I don't think this has changed:

http://support.microsoft.com/kb/820281

I am assuming the reason it worked with NLB is that NLB would allow any protocol through, not just HTTPS. So NTLM would work when using NLB.
M A (asker):

@giltjr
Many thanks for your comment.

I'm using Exchange 2010 and Outlook 2010.
I noticed that it doesn't pop up for username and password in Outlook 2013.

This problem is only for Outlook 2010 users.

We have not installed Outlook 2013 yet. I know they are migrating away from MAPI and only supporting RPC over HTTP with Exchange 2012, so maybe they added something to Outlook 2013. We are still on Exchange 2010 and Outlook 2010 and we always had the password prompt going through our F5.
M A (asker):

Do you think if I configure to pass NTLM traffic this password prompt will stop?
btan:

NTLM will need to be configured. You may want to check out using F5 iApps for Outlook, and there is a consideration for the persistence profile for the Outlook VIP in LTM. There is a deployment guide from F5 titled "Deploying F5 with Microsoft Exchange 2010".

See this also on persistency:
https://devcentral.f5.com/questions/-drain-stopping-an-exchange-2010-cas-array-w-o-user-getting-prompts

If you have the APM module, you can configure the F5 to be a proxy for NTLM and then configure Outlook to use NTLM as the authentication module.

Other than that I don't think you can get NTLM through. I'm running LTM v10 so something could have changed with v11.
There is an NTLM profile, but I was under the impression it was for use only when you were doing SSO with APM. I'll have to re-read the F5 Exchange setup.

I also remember some issues with the NTLM profile when doing one connect and persistence.

The link states the issue. Thanks.
M A (asker):

I upgraded to 11.0 and configured it successfully.

Now the problem is that it is connecting only through HTTPS, not TCP/IP.

How do I connect using TCP/IP inside the network?

And it is prompting for passwords only on booting.
Is it possible to avoid that prompt?
M A (asker):

I ticked only the options below and it seems to be working fine on PCs, but now ActiveSync on Androids and iPhones is not working. Seems like a certificate issue in the F5. Any idea?

"match across services"
"match across virtual servers"

My suggestion is that you raise an F5 support case so that it can be collectively addressed. Minimally we are talking about the persistence of the services. The complexity is that ActiveSync uses the Basic auth header value, and Outlook Anywhere uses the auth header or source IP. All of the other HTTP services use cookies.
https://devcentral.f5.com/questions/exchange-2010-activesync-problem
M A (asker):

I have a case open with F5 Support since the same day, but still no luck.
They are trying to find a solution.

Meanwhile I am doing my best to sort out the issue myself.

I request the moderator to keep the question open, as it is in the final stage of sorting out the issue.
I can add a solution to the EE database.

I need to get an older F5 out of storage to do some testing. When I re-read the LTM 10.2 to Exchange 2010 guide, they talk about using an F5 Edge server to be an NTLM proxy.

When I did this originally I assumed that LTM alone could not do the proxy function. Once I get the F5 out of storage and do some testing, I'll see if it alone can handle doing this without prompting for the user-id/password. Hopefully next week.

A past LTM version has stated that it is an NTLM proxy:

http://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-ltm-11-1-0.html#rn_new

NTLM/NTLMv2 Authentication Support for HTTP/HTTPS Monitors
For an HTTP/HTTPS monitor to successfully use NTLM or NTLMv2 authentication, a monitor must meet the following configuration requirements:
The monitor must have a send string. Because it is necessary to use HTTP version 1.1, the send string must be, at minimum: "GET /<optional file name/path> HTTP/1.1\r\nHost: <host name of website>"
The monitor must have a receive string.
The monitor cannot be a reverse monitor.
The monitor must have a username. The user name may be either a simple username or it can be the domain/username. Both '\' and '/' are recognized.
The monitor must have a password.
Once this monitor is associated with a pool or pool member, it only enacts NTLM if the request with Basic Auth gets a 401 response with a WWW-Authenticate header set to NTLM. At this point the NTLM handshake should commence. Here is an example monitor:
ltm monitor http /Common/http_testauth { defaults-from /Common/http destination *:* interval 5 password default recv 200 OK send "GET / HTTP/1.1\\r\\nHost: portal.authtest.tc.requestsite.com" time-until-up 0 timeout 16 username AUTHTEST/administrator }
Note that the domain, in this case AUTHTEST, must be capitalized for authentication to be successful.

https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnotes_10_0_1_ltm.html

NTLM profile for optimized network performance
A new NT LAN Manager (NTLM) profile within BIG-IP Local Traffic Manager optimizes network performance when the system is processing NTLM HTTP traffic. When associated with a virtual server, the NTLM profile allows the local traffic management system to take advantage of server-side connection pooling for NTLM connections. The advantage of NTLM profiles over using a OneConnect™ profile by itself, is that a OneConnect profile alone can potentially allow idle NTLM-authenticated server connections to be reattached to unauthenticated clients
It is better that you have support advise instead, since the issue is supposed to be outstanding for them to answer, and also for long-term maintenance purposes. You may want to see the issues resolved in the iApps. The question is: do you need OWA redirect? Good to get support to validate.

http://support.f5.com/kb/en-us/solutions/public/13000/400/sol13497.html

There is an unsupported version on DevCentral too:

https://devcentral.f5.com/d/microsoft-exchange-2010-and-2013-iapp-template
M A (asker):

I want to redirect from the load balancer only, not from Exchange.

How do I accomplish that?
E.g. when a user types "http://mail.domain.com" it should redirect to https://mail.domain.com/owa

Possibly then see this:
https://devcentral.f5.com/questions/irule-redirect-owa-and-https

However, it is mentioned that the iApp already has this /owa iRule in place, e.g. the iRule "(iapp_name)_owa_append_iRule". See this:

https://devcentral.f5.com/questions/issues-with-owa-redirect-on-exchange-2010
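An added example of doing this redirect at the load balancer rather than on Exchange, written as an iRule (Tcl) for the mail.domain.com virtual servers; it is not from the thread or from F5's iApp template, and it assumes the port-80 and port-443 virtual servers both carry an HTTP profile (with a client SSL profile on 443) so the HTTP:: commands are available:

```tcl
# Constructed example iRule, not from the thread or the F5 Exchange iApp.
# Attach to both the HTTP (80) and HTTPS (443) virtual servers for
# mail.domain.com; the port decides whether a scheme change is needed.
when HTTP_REQUEST {
    # Normalise the Host header and drop an explicit port (mail.domain.com:80)
    set host [string tolower [HTTP::host]]
    set host [lindex [split $host ":"] 0]

    if { [TCP::local_port] == 80 } {
        # Plain HTTP: always send the client to HTTPS so credentials never
        # travel in cleartext. A bare hostname lands on /owa; deeper paths
        # (e.g. /ecp) keep their URI so bookmarks are not broken.
        if { [HTTP::uri] equals "/" } {
            HTTP::redirect "https://${host}/owa"
        } else {
            HTTP::redirect "https://${host}[HTTP::uri]"
        }
    } elseif { [HTTP::uri] equals "/" } {
        # Already on HTTPS: only the bare root needs /owa appended.
        # Outlook Anywhere and ActiveSync never request "/", so they pass
        # through untouched to the pool.
        HTTP::redirect "https://${host}/owa"
    }
}
```

If the iApp's own "(iapp_name)_owa_append_iRule" is already attached to the HTTPS virtual server, attach only the port-80 half of this logic to avoid two rules issuing redirects for the same request.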
M A (asker):

Thanks to all experts