Solved

NLB replaced by F5 exchange 2010

Posted on 2013-11-28
22
1,503 Views
Last Modified: 2013-12-25
I replaced NLB with an F5 BIG-IP 1600.
After the change, Outlook prompts for username and password.
When I put it back to NLB it works fine.

Does anybody have an idea why it is prompting for username and password with the F5?

Your help is appreciated
Question by:-MAS
22 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 39684591
Although this is for Exchange 2003 and Outlook 2003 I don't think this has changed:

http://support.microsoft.com/kb/820281

I am assuming the reason it worked with NLB is that NLB would allow any protocol through, not just HTTPS. So NTLM would work when using NLB.
0
 
LVL 24

Author Comment

by:-MAS
ID: 39684653
@giltjr
Many thanks for your comment.

I'm using Exchange 2010 and Outlook 2010.
I noticed that it doesn't pop up for username and password in Outlook 2013.

This problem is only for Outlook 2010 users.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39684660
We have not installed Outlook 2013 yet. I know they are migrating away from MAPI and only supporting RPC over HTTP with Exchange 2012, so maybe they added something to Outlook 2013. We are still on Exchange 2010 and Outlook 2010 and we always had the password prompt going through our F5.
0
 
LVL 24

Author Comment

by:-MAS
ID: 39684668
Do you think if I configure to pass NTLM traffic this password prompt will stop?
0
 
LVL 61

Expert Comment

by:btan
ID: 39684730
NTLM will need to be configured. You may want to check out using F5 iApps for Outlook, and there is a consideration for the persistence profile for the Outlook VIP in LTM. There is a deployment guide from F5 titled "Deploying F5 with Microsoft Exchange 2010 - F5 Networks".

See this also on persistence:
https://devcentral.f5.com/questions/-drain-stopping-an-exchange-2010-cas-array-w-o-user-getting-prompts
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39686009
If you have the APM module, you can configure the F5 to be proxy for NTLM and then configure Outlook to use NTLM as the authentication module.

Other than that I don't think you can get NTLM through. I'm running LTM v10, so something could have changed with v11.
0
 
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
ID: 39686315
Indeed, APM will be good:
http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-aaa-auth-config-11-3-0/4.html

I believe LTM had a native NTLM profile, but it is limited compared to APM, including for SSO, unless you craft an iRule, but that complicates matters.

http://support.f5.com/kb/en-us/solutions/public/10000/400/sol10477.html
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39686323
There is a NTLM profile, but I was under the impression it was for use only when you were doing SSO with APM.  I'll have to re-read the F5 Exchange setup.

I also remember some issues with the NTLM profile when doing one connect and persistence.
0
 
LVL 61

Expert Comment

by:btan
ID: 39686376
The link states the issue. Thanks.
0
 
LVL 24

Author Comment

by:-MAS
ID: 39698388
I upgraded to 11.0 and configured successfully.

Now the problem is that it is connecting only through HTTPS, not TCP/IP.

How do I connect using TCP/IP inside the network?

And it is prompting for passwords only on booting.
Is it possible to avoid that prompt?
0
 
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
ID: 39698569
There is mention on

https://devcentral.f5.com/questions/f5-and-exchange-2010-outlook-2010-password-prompt

.... On the exchange http and https combined virtual server set the failback persistence profile to *appname*_source_address_persistence_profile. The latest downloadable iapp does this for you when you set it up.

Also under the Exchange source address persistence profile check both "match across services" and "match across virtual servers".

After doing the above steps and then deleting all existing persistence records for the virtual server, the popups stopped.

....Sounds like the fact that OA was trying to Negotiate instead of offering straight-up NTLM was tripping this up - but disabling OneConnect for those requests should've solved it. ..
0
 
LVL 24

Author Comment

by:-MAS
ID: 39705482
I ticked only the options below and it seems to be working fine on PCs, but now ActiveSync on Androids and iPhones is not working. Seems like a certificate issue in F5. Any idea?

"match across services"
"match across virtual servers".
0
 
LVL 61

Expert Comment

by:btan
ID: 39705524
My suggestion is that you raise an F5 support case so that it can be collectively addressed. Minimally we are talking about the persistence of the services. The complexity is that ActiveSync uses the Basic auth header value, and Outlook Anywhere uses the auth header or source IP. All of the other HTTP services use cookies.
https://devcentral.f5.com/questions/exchange-2010-activesync-problem
0
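The per-service persistence split described in the comment above (Authorization header for ActiveSync and Outlook Anywhere, something else for everything else), as an added example iRule. This is not the page's or the F5 iApp's own code. It assumes it is the rule attached to a Universal persistence profile on the combined Exchange CAS virtual server, with the source-address profile from the earlier comment (match across services and match across virtual servers enabled) configured as that profile's fallback; the URL paths and the 7200 second timeout are this example's assumptions. It also handles the NTLM case the comment only hints at: an NTLM or Negotiate Authorization header changes on every leg of the handshake, so it cannot be a persistence key and those requests fall through to source address.

```tcl
# Added example, not the page's or the F5 iApp's own iRule.
# Attach via a Universal persistence profile whose fallback is source_addr.
when HTTP_REQUEST {
    set path [string tolower [HTTP::path]]

    # ActiveSync and Outlook Anywhere (RPC over HTTP) carry the user's
    # identity in the Authorization header, so each user can be pinned to a
    # CAS by that header instead of by client IP (many mobile clients share
    # a NAT address, so source address alone balances poorly).
    if { ($path starts_with "/microsoft-server-activesync") ||
         ($path starts_with "/rpc/rpcproxy.dll") } {
        if { [HTTP::header exists "Authorization"] } {
            set auth [HTTP::header "Authorization"]
            # Only Basic is stable per user. NTLM/Negotiate values differ on
            # each message of the handshake and would scatter one user over
            # several CAS servers, which is exactly what produces prompts.
            if { [string tolower [getfield $auth " " 1]] equals "basic" } {
                # The header is base64 of user:password. Hash it before using
                # it as a key so the persistence table never holds the
                # credentials themselves.
                binary scan [md5 $auth] H* key
                persist uie $key 7200
                return
            }
        }
    }

    # NTLM/Negotiate requests and every other path (OWA, ECP, EWS, OAB,
    # Autodiscover) do not call "persist" here, so the profile's fallback
    # (source address, matched across services and virtual servers) applies
    # and keeps a client on one CAS across the HTTP and HTTPS virtual servers.
}
```

Check it with "show ltm persistence persist-records" after a few ActiveSync and Outlook Anywhere sessions: universal records should appear only for Basic-authenticated clients, and the source-address records should be shared between the HTTP and HTTPS virtual servers.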
 
LVL 24

Author Comment

by:-MAS
ID: 39718605
I opened a case with F5 Support on the same day, but still no luck.
They are trying to find a solution.

Meanwhile I am doing my best to sort out the issue myself.

I request the moderator to keep the question open as it is in the final stage of sorting out the issue.
I can add a solution to the EE database.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39718773
I need to get an older F5 out of storage to do some testing. When I re-read the LTM 10.2 to Exchange 2010 guide, they talk about using an F5 Edge server to be an NTLM proxy.

When I did this originally I assumed that LTM alone could not do the proxy function. Once I get the F5 out of storage and do some testing, I'll see if it alone can handle doing this without prompting for the user-id/password. Hopefully next week.
0
 
LVL 61

Expert Comment

by:btan
ID: 39719274
A past LTM version has stated it is an NTLM proxy:

http://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-ltm-11-1-0.html#rn_new

NTLM/NTLMv2 Authentication Support for HTTP/HTTPS Monitors
For an HTTP/HTTPS monitor to successfully use NTLM or NTLMv2 authentication, a monitor must meet the following configuration requirements:
The monitor must have a send string. Because it is necessary to use HTTP version 1.1, the send string must be, at minimum: "GET /<optional file name/path> HTTP/1.1\r\nHost: <host name of website>"
The monitor must have a receive string.
The monitor cannot be a reverse monitor.
The monitor must have a username. The user name may be either a simple username or it can be the domain/username. Both '\' and '/' are recognized.
The monitor must have a password.
Once this monitor is associated with a pool or pool member, it only enacts NTLM if the request with Basic Auth gets a 401 response with a WWW-Authenticate header set to NTLM. At this point the NTLM handshake should commence. Here is an example monitor:
ltm monitor http /Common/http_testauth {
    defaults-from /Common/http
    destination *:*
    interval 5
    password default
    recv "200 OK"
    send "GET / HTTP/1.1\\r\\nHost: portal.authtest.tc.requestsite.com"
    time-until-up 0
    timeout 16
    username AUTHTEST/administrator
}
Note that the domain, in this case AUTHTEST, must be capitalized for authentication to be successful.

https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnotes_10_0_1_ltm.html

NTLM profile for optimized network performance
A new NT LAN Manager (NTLM) profile within BIG-IP Local Traffic Manager optimizes network performance when the system is processing NTLM HTTP traffic. When associated with a virtual server, the NTLM profile allows the local traffic management system to take advantage of server-side connection pooling for NTLM connections. The advantage of NTLM profiles over using a OneConnect™ profile by itself, is that a OneConnect profile alone can potentially allow idle NTLM-authenticated server connections to be reattached to unauthenticated clients
0
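The hazard the release note above describes (a OneConnect profile alone can hand an idle, NTLM-authenticated server-side connection to a different, unauthenticated client) and the DevCentral remark quoted earlier in the thread ("disabling OneConnect for those requests should've solved it") both point at the same control. The supported way to get it is the LTM NTLM profile; the following is an added example iRule, not the page's or F5's own code, showing the same decision made explicitly per request. It assumes a BIG-IP v10 or later virtual server with an HTTP profile and a OneConnect profile attached, and that the ONECONNECT::reuse command is available on that version.

```tcl
# Added example, not the page's or F5's own iRule.
# Attach to the Outlook Anywhere / combined CAS virtual server that also has
# a OneConnect profile.
when HTTP_REQUEST {
    if { [HTTP::header exists "Authorization"] } {
        set scheme [string tolower [getfield [HTTP::header "Authorization"] " " 1]]
        if { ($scheme equals "ntlm") || ($scheme equals "negotiate") } {
            # NTLM (and Negotiate that falls back to NTLM) authenticates the
            # TCP connection, not each request: after the Type 3 message the
            # CAS treats everything on that server-side connection as the
            # same user. If OneConnect detaches the connection after this
            # response and attaches it to another client's request, that
            # client rides the first user's session without presenting any
            # credentials. Keep this server-side connection dedicated.
            ONECONNECT::reuse disable
        }
        # Basic auth resends credentials on every request, so its server
        # connections are safe to pool; OneConnect stays enabled for those.
    }
}
```

Disabling reuse also fixes the other half of the prompt problem: the Type 1 and Type 3 messages of one NTLM handshake must reach the CAS over the same connection, and a pooled connection does not guarantee that. Expect more server-side connections than with OneConnect alone; that is the cost of connection-oriented authentication, and the NTLM profile pays it in the same way.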
 
LVL 24

Accepted Solution

by:
-MAS earned 0 total points
ID: 39719972
I have downloaded the latest iApp template (f5.microsoft_exchange_2010_2013_cas.v1.2.0), which is for both Exchange 2010 and Exchange 2013. There is a built-in Exchange 2010 template in version 11.0.

I configured using that and the configuration was not complete.

Now with the template "f5.microsoft_exchange_2010_2013_casxxx" it is easily configured and is now error free.

Your help is appreciated in creating an iRule to configure OWA redirect in F5, as the new template does not have OWA redirect.
0
 
LVL 61

Expert Comment

by:btan
ID: 39720522
It is better you have support advise instead, since the issue is supposed to be outstanding for them to answer, and also for long-term maintenance purposes. You may want to see the issues resolved in the iApps. The question is, do you need OWA redirect? Good to get support to validate...

http://support.f5.com/kb/en-us/solutions/public/13000/400/sol13497.html

There is an unsupported version on DevCentral too:

https://devcentral.f5.com/d/microsoft-exchange-2010-and-2013-iapp-template
0
 
LVL 24

Author Comment

by:-MAS
ID: 39723431
I want to redirect from the load balancer only, not from Exchange.

How do I accomplish that?
E.g. when a user types "http://mail.domain.com" it should redirect to https://mail.domain.com/owa
0
 
LVL 61

Expert Comment

by:btan
ID: 39723730
Possibly then see this
https://devcentral.f5.com/questions/irule-redirect-owa-and-https

However, it is mentioned that the iApp already has this /owa iRule in place, e.g. the iRule "(iapp_name)_owa_append_iRule". See this:

https://devcentral.f5.com/questions/issues-with-owa-redirect-on-exchange-2010
0
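The redirect asked for above (http://mail.domain.com to https://mail.domain.com/owa) as an added example iRule, not the page's code and not the iApp's "_owa_append_iRule". One rule serves both virtual servers: it assumes the plain-HTTP virtual server listens on port 80 and that client SSL is terminated on the BIG-IP (an HTTP iRule cannot run on the HTTPS virtual server otherwise). The host name mail.domain.com is the thread's example. It goes slightly beyond the question by also sending non-root HTTP paths to their HTTPS equivalent, so nothing is ever proxied in clear.

```tcl
# Added example, not the page's or the iApp's own iRule.
# Attach to both the HTTP (port 80) and HTTPS virtual servers.
when HTTP_REQUEST {
    # Fixed redirect host. Reflecting the client's Host header into the
    # Location would let a forged Host turn the VIP into an open redirector.
    set owa "https://mail.domain.com/owa/"

    if { [TCP::local_port] == 80 } {
        # Plain-HTTP virtual server: never serve or proxy anything in clear.
        if { [HTTP::uri] equals "/" } {
            HTTP::redirect $owa
        } else {
            # Keep the requested path, just move it to HTTPS.
            HTTP::redirect "https://mail.domain.com[HTTP::uri]"
        }
        return
    }

    # HTTPS virtual server: only the bare root needs the /owa hint.
    # ActiveSync, Autodiscover, EWS and Outlook Anywhere paths pass through
    # untouched, so mobile clients and Outlook are not affected.
    if { [HTTP::uri] equals "/" } {
        HTTP::redirect $owa
    }
}
```

Test from a client with "curl -I http://mail.domain.com/" and "curl -Ik https://mail.domain.com/": both should return 302 with Location: https://mail.domain.com/owa/, while "curl -Ik https://mail.domain.com/Microsoft-Server-ActiveSync" must reach the CAS (a 401 from Exchange, not a 302 from the F5).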
 
LVL 24

Author Closing Comment

by:-MAS
ID: 39738978
Thanks to all experts
0
