Solved

NLB replaced by F5 exchange 2010

Posted on 2013-11-28
22
Medium Priority
1,715 Views
Last Modified: 2013-12-25
I replaced NLB with an F5 BIG-IP 1600.
After the change, Outlook prompts for username and password.
When I put it back to NLB it works fine.

Does anybody have an idea why it's prompting for username and password with the F5?

Your help is appreciated.
0
Question by:MAS
22 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 39684591
Although this is for Exchange 2003 and Outlook 2003 I don't think this has changed:

http://support.microsoft.com/kb/820281

I am assuming the reason it worked with NLB is that NLB would allow any protocol through, not just HTTPS.  So NTLM would work when using NLB.
0
 
LVL 27

Author Comment

by:MAS
ID: 39684653
@giltjr
Many thanks for your comment.

I'm using Exchange 2010 and Outlook 2010.
I noticed that it doesn't pop up for username and password in Outlook 2013.

This problem is only for Outlook 2010 users.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39684660
We have not installed Outlook 2013 yet.  I know they are migrating away from MAPI and only supporting RPC over HTTP with Exchange 2012, so maybe they added something to Outlook 2013.  We are still on Exchange 2010 and Outlook 2010 and we always had the password prompt going through our F5.
0
 
LVL 27

Author Comment

by:MAS
ID: 39684668
Do you think that if I configure it to pass NTLM traffic this password prompt will stop?
0
 
LVL 65

Expert Comment

by:btan
ID: 39684730
NTLM will need to be configured. You may want to check out using F5 iApps for Outlook, and there is a consideration for the persistence profile for the Outlook VIP in LTM. There is a deployment guide from F5 titled "Deploying F5 with Microsoft Exchange 2010 - F5 Networks".

See this also on persistence:
https://devcentral.f5.com/questions/-drain-stopping-an-exchange-2010-cas-array-w-o-user-getting-prompts
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39686009
If you have the APM module, you can configure the F5 to be proxy for NTLM and then configure Outlook to use NTLM as the authentication module.

Other than that I don't think you can get NTLM through.  I'm running LTM v10 so something could  have changed with v11.
0
 
LVL 65

Assisted Solution

by:btan
btan earned 2000 total points
ID: 39686315
Indeed APM will be good:
http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-aaa-auth-config-11-3-0/4.html

I believe LTM has a native NTLM profile, but it is limited compared to APM, including for SSO, unless crafting an iRule, but that complicates matters.

http://support.f5.com/kb/en-us/solutions/public/10000/400/sol10477.html
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39686323
There is a NTLM profile, but I was under the impression it was for use only when you were doing SSO with APM.  I'll have to re-read the F5 Exchange setup.

I also remember some issues with the NTLM profile when doing one connect and persistence.
0
 
LVL 65

Expert Comment

by:btan
ID: 39686376
The link states the issue. Thanks.
0
 
LVL 27

Author Comment

by:MAS
ID: 39698388
I upgraded to 11.0 and configured successfully.

Now the problem is that it is connecting only through HTTPS, not TCP/IP.

How do I connect using TCP/IP inside the network?

And it is prompting for passwords only on booting.
Is it possible to avoid that prompt?
0
 
LVL 65

Assisted Solution

by:btan
btan earned 2000 total points
ID: 39698569
There is mention on

https://devcentral.f5.com/questions/f5-and-exchange-2010-outlook-2010-password-prompt

.... On the exchange http and https combined virtual server set the failback persistence profile to *appname*_source_address_persistence_profile. The latest downloadable iapp does this for you when you set it up.

Also under the Exchange source address persistence profile check both "match across services" and "match across virtual servers".

After doing the above steps and then deleted all existing persistence records for the virtual server the popups stopped

....Sounds like the fact that OA was trying to Negotiate instead of offering straight-up NTLM was tripping this up - but disabling OneConnect for those requests should've solved it. ..
0
 
LVL 27

Author Comment

by:MAS
ID: 39705482
I ticked only the options below and it seems to be working fine on PCs, but now ActiveSync on Androids and iPhones is not working. Seems like a certificate issue in the F5. Any idea?

"match across services"
"match across virtual servers".
0
 
LVL 65

Expert Comment

by:btan
ID: 39705524
My suggestion is that you raise an F5 support case so that it can be collectively addressed. Minimally we are talking about the persistence of the services. The complexity is that ActiveSync uses the Basic auth header value, and Outlook Anywhere uses the auth header or source IP. All of the other HTTP services use cookies.
https://devcentral.f5.com/questions/exchange-2010-activesync-problem
0
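The per-service persistence split described in the comment above (Authorization header for ActiveSync, auth header or source address for Outlook Anywhere, cookies for everything else) is usually expressed as an iRule on the combined CAS virtual server. The block below is an added example written for this thread; it is not the F5 deployment guide's or the iApp's own iRule. It assumes the virtual server already carries a cookie persistence profile as its default, and the 7200-second timeout is a chosen value, not one the thread specifies.

```tcl
# Added example: per-service persistence for an Exchange 2010 CAS virtual server.
# Assumptions: attached to the combined HTTP/HTTPS CAS virtual server, which has a
# cookie persistence profile as its default and a source_addr profile as fallback.
when HTTP_REQUEST {
    set auth ""
    if { [HTTP::header exists "Authorization"] } {
        set auth [HTTP::header "Authorization"]
    }

    switch -glob -- [string tolower [HTTP::path]] {
        "/microsoft-server-activesync*" {
            # ActiveSync devices resend the same Basic Authorization header on every
            # request, so it is a stable key. Hash it before using it as the UIE key
            # so the raw credential never sits in the persistence table.
            if { [string tolower $auth] starts_with "basic " } {
                persist uie [b64encode [sha1 $auth]] 7200
            } else {
                persist source_addr 255.255.255.255 7200
            }
        }
        "/rpc/rpcproxy.dll*" {
            # Outlook Anywhere: Basic auth gives a stable header, but NTLM Authorization
            # values change with every step of the handshake, so fall back to the client
            # source address whenever the header is not Basic.
            if { [string tolower $auth] starts_with "basic " } {
                persist uie [b64encode [sha1 $auth]] 7200
            } else {
                persist source_addr 255.255.255.255 7200
            }
        }
        default {
            # OWA, ECP, EWS, OAB and Autodiscover clients honour cookies, so the
            # virtual server's default cookie persistence profile is left in charge.
        }
    }
}
```

Because the key is hashed, a request with a different Authorization value (a new password, a different mailbox) simply lands on a new persistence record rather than reusing another user's server affinity; that is the same reason the thread mentions clearing existing persistence records after changing the profile.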
 
LVL 27

Author Comment

by:MAS
ID: 39718605
I have a case opened with F5 Support on the same day. But still no luck.
They are trying to find a solution.

Meanwhile I am doing my best to sort out the issue myself.

I request the moderator to keep the question open, as it is in the final stage of sorting out the issue.
I can add a solution to the EE database.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39718773
I need to get an older F5 out of storage to do some testing.  When I re-read the LTM 10.2 to Exchange 2010 guide, they talk about using an F5 Edge server to be an NTLM proxy.

When I did this originally I assumed that LTM alone could not do the proxy function.  Once I get the F5 out of storage and do some testing I'll see if it alone can handle doing this without prompting for the user-id/password.  Hopefully next week.
0
 
LVL 65

Expert Comment

by:btan
ID: 39719274
A past LTM version has stated it is an NTLM proxy:

http://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-ltm-11-1-0.html#rn_new

NTLM/NTLMv2 Authentication Support for HTTP/HTTPS Monitors
For an HTTP/HTTPS monitor to successfully use NTLM or NTLMv2 authentication, a monitor must meet the following configuration requirements:
The monitor must have a send string. Because it is necessary to use HTTP version 1.1, the send string must be, at minimum: "GET /<optional file name/path> HTTP/1.1\r\nHost: <host name of website>"
The monitor must have a receive string.
The monitor cannot be a reverse monitor.
The monitor must have a username. The user name may be either a simple username or it can be the domain/username. Both '\' and '/' are recognized.
The monitor must have a password.
Once this monitor is associated with a pool or pool member, it only enacts NTLM if the request with Basic Auth gets a 401 response with a WWW-Authenticate header set to NTLM. At this point the NTLM handshake should commence. Here is an example monitor:
ltm monitor http /Common/http_testauth { defaults-from /Common/http destination *:* interval 5 password default recv 200 OK send "GET / HTTP/1.1\\r\\nHost: portal.authtest.tc.requestsite.com" time-until-up 0 timeout 16 username AUTHTEST/administrator }
Note that the domain, in this case AUTHTEST, must be capitalized for authentication to be successful.

https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnotes_10_0_1_ltm.html 

NTLM profile for optimized network performance
A new NT LAN Manager (NTLM) profile within BIG-IP Local Traffic Manager optimizes network performance when the system is processing NTLM HTTP traffic. When associated with a virtual server, the NTLM profile allows the local traffic management system to take advantage of server-side connection pooling for NTLM connections. The advantage of NTLM profiles over using a OneConnect™ profile by itself, is that a OneConnect profile alone can potentially allow idle NTLM-authenticated server connections to be reattached to unauthenticated clients
0
 
LVL 27

Accepted Solution

by:MAS
MAS earned 0 total points
ID: 39719972
I have downloaded the latest iApps template (f5.microsoft_exchange_2010_2013_cas.v1.2.0), which is for both Exchange 2010 and Exchange 2013. There is a built-in exchange2010 template in version 11.0.

I configured using that, and the configuration was not complete.

Now with the template "f5.microsoft_exchange_2010_2013_casxxx" it is easily configured and now it is error free.

Your help is appreciated to create an iRule to configure OWA redirect in F5, as the new template does not have OWA redirect.
0
 
LVL 65

Expert Comment

by:btan
ID: 39720522
It is better you have support advise instead, since the issue is supposed to be outstanding for them to answer, and also for long-term maintenance purposes. You may want to see the issues resolved in the iApps. The question is, do you need OWA redirect? Good to get support to validate...

http://support.f5.com/kb/en-us/solutions/public/13000/400/sol13497.html

There is an unsupported version on DevCentral too:

https://devcentral.f5.com/d/microsoft-exchange-2010-and-2013-iapp-template
0
 
LVL 27

Author Comment

by:MAS
ID: 39723431
I want to redirect from the load balancer only, not from Exchange.

How do I accomplish that?
e.g. when a user types "http://mail.domain.com" it should redirect to https://mail.domain.com/owa
0
 
LVL 65

Expert Comment

by:btan
ID: 39723730
Possibly then see this
https://devcentral.f5.com/questions/irule-redirect-owa-and-https

However, it is mentioned that the iApp already has this /owa iRule in place, e.g. the iRule "(iapp_name)_owa_append_iRule". See this:

https://devcentral.f5.com/questions/issues-with-owa-redirect-on-exchange-2010
0
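For the redirect asked about above (http://mail.domain.com to https://mail.domain.com/owa, done on the load balancer rather than on Exchange), here is an added example iRule written for this thread; it is not the iApp's "(iapp_name)_owa_append_iRule" or any other F5-supplied code. It assumes the same iRule is attached to both the port 80 and the port 443 virtual servers, and it uses the thread's mail.domain.com as a stand-in hostname.

```tcl
# Added example: OWA redirect performed by the BIG-IP, not by Exchange.
# Assumptions: attached to both the HTTP (80) and HTTPS (443) CAS virtual servers;
# mail.domain.com is the thread's example hostname, replace with the real OWA name.
when HTTP_REQUEST {
    # Redirect to a fixed hostname instead of echoing [HTTP::host] back to the
    # client, so a crafted Host header cannot turn this rule into an open redirect.
    set owa_host "mail.domain.com"

    if { [TCP::local_port] == 443 } {
        # Already on HTTPS: only the bare root needs a nudge into /owa.
        if { [HTTP::path] eq "/" } {
            HTTP::redirect "https://${owa_host}/owa"
        }
    } else {
        # Plain HTTP: never serve Exchange over cleartext. The root goes to /owa;
        # any other path (Autodiscover, ActiveSync, OA probes) keeps its URI but
        # moves to HTTPS so clients that started on port 80 are not broken.
        if { [HTTP::path] eq "/" } {
            HTTP::redirect "https://${owa_host}/owa"
        } else {
            HTTP::redirect "https://${owa_host}[HTTP::uri]"
        }
    }
}
```

HTTP::redirect issues a 302, which is enough for a browser typing the bare hostname; if the HTTP virtual server exists only to redirect, it needs no pool, just an HTTP profile and this iRule.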
 
LVL 27

Author Closing Comment

by:MAS
ID: 39738978
Thanks to all experts
0
