Solved

NLB replaced by F5 exchange 2010

Posted on 2013-11-28
1,582 Views
Last Modified: 2013-12-25
I replaced NLB with an F5 BIG-IP 1600.
After changing, Outlook prompts for username and password.
When I put it back to NLB it works fine.

Does anybody have an idea why it's prompting for username and password with F5?

Your help is appreciated.
Question by:-MAS
22 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 39684591
Although this is for Exchange 2003 and Outlook 2003 I don't think this has changed:

http://support.microsoft.com/kb/820281

I am assuming the reason it worked with NLB is that NLB would allow any protocol through, not just HTTPS. So NTLM would work when using NLB.
LVL 25

Author Comment

by:-MAS
ID: 39684653
@giltjr
Many thanks for your comment.

I'm using Exchange 2010 and Outlook 2010.
I noticed that it doesn't pop up for username and password in Outlook 2013.

This problem is only for Outlook 2010 users.
LVL 57

Expert Comment

by:giltjr
ID: 39684660
We have not installed Outlook 2013 yet. I know they are migrating away from MAPI and only supporting RPC over HTTP with Exchange 2012, so maybe they added something to Outlook 2013. We are still on Exchange 2010 and Outlook 2010 and we always had the password prompt going through our F5.
 
LVL 25

Author Comment

by:-MAS
ID: 39684668
Do you think that if I configure it to pass NTLM traffic this password prompt will stop?
LVL 63

Expert Comment

by:btan
ID: 39684730
NTLM will need to be configured. You may want to check out using F5 iApps for Outlook, and there is a consideration for the persistence profile for the Outlook VIP in LTM. There is a deployment guide from F5 titled "Deploying F5 with Microsoft Exchange 2010 - F5 Networks".

See this also on persistency:
https://devcentral.f5.com/questions/-drain-stopping-an-exchange-2010-cas-array-w-o-user-getting-prompts
LVL 57

Expert Comment

by:giltjr
ID: 39686009
If you have the APM module, you can configure the F5 to be proxy for NTLM and then configure Outlook to use NTLM as the authentication module.

Other than that I don't think you can get NTLM through. I'm running LTM v10 so something could have changed with v11.
LVL 63

Assisted Solution

by:btan
btan earned 500 total points
ID: 39686315
Indeed, APM will be good:
http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-aaa-auth-config-11-3-0/4.html

I believe LTM had a native NTLM profile, but it is limited compared to APM, including the SSO parts, unless crafting an iRule, but that complicates matters.

http://support.f5.com/kb/en-us/solutions/public/10000/400/sol10477.html
LVL 57

Expert Comment

by:giltjr
ID: 39686323
There is an NTLM profile, but I was under the impression it was for use only when you were doing SSO with APM. I'll have to re-read the F5 Exchange setup.

I also remember some issues with the NTLM profile when doing OneConnect and persistence.
LVL 63

Expert Comment

by:btan
ID: 39686376
The link states the issue. Thanks.
LVL 25

Author Comment

by:-MAS
ID: 39698388
I upgraded to 11.0 and configured it successfully.

Now the problem is that it is connecting only through HTTPS, not TCP/IP.

How do I connect using TCP/IP inside the network?

And it is prompting for passwords only on booting.
Is it possible to avoid that prompt?
LVL 63

Assisted Solution

by:btan
btan earned 500 total points
ID: 39698569
There is a mention on

https://devcentral.f5.com/questions/f5-and-exchange-2010-outlook-2010-password-prompt

.... On the Exchange HTTP and HTTPS combined virtual server, set the fallback persistence profile to *appname*_source_address_persistence_profile. The latest downloadable iApp does this for you when you set it up.

Also, under the Exchange source address persistence profile, check both "match across services" and "match across virtual servers".

After doing the above steps and then deleting all existing persistence records for the virtual server, the popups stopped.

.... Sounds like the fact that OA was trying to Negotiate instead of offering straight-up NTLM was tripping this up - but disabling OneConnect for those requests should've solved it. ..
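
The persistence change quoted in the comment above, written out as tmsh commands. This is an added example for this thread, not the configuration the iApp generates and not text from F5's deployment guide. The object names exch_src_addr_persist and exch_combined_vs and the 3600-second timeout are assumptions; substitute the names the iApp created (the profile the quote calls *appname*_source_address_persistence_profile and the combined HTTP/HTTPS virtual server).

```tmsh
# Added example (assumed object names). Source-address persistence profile that
# follows one client across the HTTP and HTTPS services and across the separate
# Exchange virtual servers, so an Outlook Anywhere session is not moved to a
# different CAS member in the middle of an NTLM handshake (which is what makes
# Outlook re-prompt). Timeout value is an assumption; pick one that covers an
# Outlook session.
create ltm persistence source-addr /Common/exch_src_addr_persist defaults-from /Common/source_addr match-across-services enabled match-across-virtuals enabled timeout 3600

# Attach it as the *fallback* persistence on the combined HTTP/HTTPS virtual
# server. The primary method the iApp configured (cookie / auth-header based)
# stays in place; source address is only consulted when the primary method
# cannot identify the client, e.g. on the first, unauthenticated request.
modify ltm virtual /Common/exch_combined_vs fallback-persistence /Common/exch_src_addr_persist

# Records created under the old settings keep clients pinned to old decisions;
# clear them once so new connections are evaluated with the new profile.
delete ltm persistence persist-records virtual /Common/exch_combined_vs

# Verify the flags took effect and watch the records being rebuilt.
list ltm persistence source-addr /Common/exch_src_addr_persist
show ltm persistence persist-records virtual /Common/exch_combined_vs
save sys config
```

Widening persistence fixes the "which CAS am I talking to" problem; it does not make it safe to pool NTLM-authenticated server-side connections with a plain OneConnect profile, which is the point of the LTM 10.0.1 release-note text quoted later in this thread (an idle NTLM-authenticated server connection could be reattached to an unauthenticated client). Keep Outlook Anywhere on the NTLM profile the iApp assigns, and check `show ltm persistence persist-records` after a test login to confirm one record per client IP rather than per service.
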
LVL 25

Author Comment

by:-MAS
ID: 39705482
I ticked only the options below and it seems to be working fine on PCs, but now ActiveSync on Androids and iPhones is not working. Seems like a certificate issue in F5. Any idea?

"match across services"
"match across virtual servers"
LVL 63

Expert Comment

by:btan
ID: 39705524
My suggestion is that you raise an F5 support case so that it can be collectively addressed. Minimally we are talking about the persistence of the services. The complexity is that ActiveSync uses the Basic auth header value, and Outlook Anywhere uses the auth header or source IP. All of the other HTTP services do use cookies.
https://devcentral.f5.com/questions/exchange-2010-activesync-problem
LVL 25

Author Comment

by:-MAS
ID: 39718605
I have had a case open with F5 Support since the same day, but still no luck.
They are trying to find a solution.

Meanwhile I am doing my best to sort out the issue myself.

I request the moderator to keep the question open as it is in the final stage of sorting out the issue.
I can add a solution to the EE database.
LVL 57

Expert Comment

by:giltjr
ID: 39718773
I need to get an older F5 out of storage to do some testing. When I re-read the LTM 10.2 to Exchange 2010 guide, they talk about using an F5 Edge server to be an NTLM proxy.

When I did this originally I assumed that LTM alone could not do the proxy function. Once I get the F5 out of storage and do some testing I'll see if it alone can handle doing this without prompting for the user-id/password. Hopefully next week.
LVL 63

Expert Comment

by:btan
ID: 39719274
A past LTM version has stated it is an NTLM proxy:

http://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-ltm-11-1-0.html#rn_new

NTLM/NTLMv2 Authentication Support for HTTP/HTTPS Monitors
For an HTTP/HTTPS monitor to successfully use NTLM or NTLMv2 authentication, a monitor must meet the following configuration requirements:
The monitor must have a send string. Because it is necessary to use HTTP version 1.1, the send string must be, at minimum: "GET /<optional file name/path> HTTP/1.1\r\nHost: <host name of website>"
The monitor must have a receive string.
The monitor cannot be a reverse monitor.
The monitor must have a username. The user name may be either a simple username or it can be the domain/username. Both '\' and '/' are recognized.
The monitor must have a password.
Once this monitor is associated with a pool or pool member, it only enacts NTLM if the request with Basic Auth gets a 401 response with a WWW-Authenticate header set to NTLM. At this point the NTLM handshake should commence. Here is an example monitor:
ltm monitor http /Common/http_testauth {
    defaults-from /Common/http
    destination *:*
    interval 5
    password default
    recv "200 OK"
    send "GET / HTTP/1.1\\r\\nHost: portal.authtest.tc.requestsite.com"
    time-until-up 0
    timeout 16
    username AUTHTEST/administrator
}

Note that the domain, in this case AUTHTEST, must be capitalized for authentication to be successful.

https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnotes_10_0_1_ltm.html 

NTLM profile for optimized network performance
A new NT LAN Manager (NTLM) profile within BIG-IP Local Traffic Manager optimizes network performance when the system is processing NTLM HTTP traffic. When associated with a virtual server, the NTLM profile allows the local traffic management system to take advantage of server-side connection pooling for NTLM connections. The advantage of NTLM profiles over using a OneConnect™ profile by itself is that a OneConnect profile alone can potentially allow idle NTLM-authenticated server connections to be reattached to unauthenticated clients.
LVL 25

Accepted Solution

by:
-MAS earned 0 total points
ID: 39719972
I have downloaded the latest iApps template (f5.microsoft_exchange_2010_2013_cas.v1.2.0), which is for both Exchange 2010 and Exchange 2013. There is a built-in Exchange 2010 template in version 11.0.

I configured using that and the configuration was not complete.

Now with the template "f5.microsoft_exchange_2010_2013_casxxx" it is easily configured and it is now error free.

Your help is appreciated to create an iRule to configure the OWA redirect in F5, as the new template does not have an OWA redirect.
LVL 63

Expert Comment

by:btan
ID: 39720522
It is better to have support advise you instead, since the issue is supposed to be outstanding for them to answer, and also for long-term maintenance purposes. You may want to see the issues resolved in the iApps. The question is, do you need the OWA redirect? Good to get support to validate...

http://support.f5.com/kb/en-us/solutions/public/13000/400/sol13497.html

There is an unsupported version on DevCentral too:

https://devcentral.f5.com/d/microsoft-exchange-2010-and-2013-iapp-template
LVL 25

Author Comment

by:-MAS
ID: 39723431
I want to redirect from the load balancer only, not from Exchange.

How do I accomplish that?
e.g. when a user types "http://mail.domain.com" it should redirect to https://mail.domain.com/owa
LVL 63

Expert Comment

by:btan
ID: 39723730
Possibly then see this:
https://devcentral.f5.com/questions/irule-redirect-owa-and-https

However, it is mentioned that the iApp already has this /owa iRule in place, e.g. the iRule "(iapp_name)_owa_append_iRule". See this:

https://devcentral.f5.com/questions/issues-with-owa-redirect-on-exchange-2010
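
The load-balancer-side redirect asked for two comments up (http://mail.domain.com to https://mail.domain.com/owa), as an added example: this is not the iApp's own (iapp_name)_owa_append_iRule and not code from the linked DevCentral threads. The iRule name owa_http_redirect_irule and the virtual server name exch_http_vs are assumptions; mail.domain.com is the hostname from the question.

```tmsh
# Added example (assumed names). Every request arriving on the plain-HTTP
# virtual server is redirected to OWA over HTTPS. The target host is hard-coded
# rather than echoed from [HTTP::host]: the Host header is client-controlled,
# and echoing it into a Location header turns the redirect into an open
# redirect to an attacker-chosen hostname.
create ltm rule /Common/owa_http_redirect_irule {
    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/owa" } {
            # A deep link such as /owa/?ae=Item keeps its path, only the scheme changes
            HTTP::redirect "https://mail.domain.com[HTTP::uri]"
        } else {
            # Bare http://mail.domain.com (or any other path) lands on /owa
            HTTP::redirect "https://mail.domain.com/owa"
        }
    }
}

# Attach it to the port-80 virtual server. HTTP::* commands require an http
# profile on that virtual server; the iApp builds its HTTP virtual with one, so
# only the rule needs adding here.
modify ltm virtual /Common/exch_http_vs rules { /Common/owa_http_redirect_irule }
save sys config
```

This only covers port 80. The https://mail.domain.com/ root case, where a user omits /owa on an HTTPS URL, is what the iApp's own _owa_append_iRule on the HTTPS virtual server handles, so the two rules do not overlap. Test with `curl -I http://mail.domain.com/` and confirm the Location header names mail.domain.com even when you send a different Host header with `-H "Host: evil.example"`.
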
LVL 25

Author Closing Comment

by:-MAS
ID: 39738978
Thanks to all experts.