Exchange 2013 Outlook Anywhere connection issues when using F5 VIP

Hello, 

We are in the process of deploying Exchange 2013 into our Exchange 2010 Org. We are using an F5 to load balance all services. We are doing some initial testing and have not cut over autodiscover or other URLs yet to 2013. We are using host files on the local testing machines to point the URLs to 2013. OWA, ActiveSync, and ECP work with no issue through the F5 VIP. However, we are having issues with Outlook. If our host file entries point to a single server, Outlook functions normally. If the host file entries point to the F5 VIP, it keeps prompting for creds and will never connect.

Just wondering if anybody has run into this or has any guidance as far as OA and F5 deployment.

Thanks


December 4th, 2014 8:17pm

Hi,

Please check your Load Balance configuration and make sure the namespace used for Load Balance has been included in the Exchange certificate. For example: mail.domain.com and autodiscover.domain.com.

If possible, please share your load balance configuration with us for further analysis. Here are some references about the Load Balance Scenario:

http://blogs.technet.com/b/exchange/archive/2014/03/05/load-balancing-in-exchange-2013.aspx

Regards,

December 8th, 2014 8:19am

Hi,

We are utilizing a wildcard cert on our Exchange servers and on the F5. We modified the OutlookProvider, so we have the CertPrincipalName on EXPR set to msstd:*.ourcompany.com. Both the EXCH and WEB entries are blank.

We are using one namespace, mail.ourcompany.com for all services. Right now the F5 config is just doing Layer 4 balancing with no session affinity.  We had tried Layer 7 first, but had the OA issues there so decided to try Layer 4 to see if that worked any better, but the same result.  According to our Network team, he has applied the standard template provided by F5 for Exchange 2013.

Thanks for the help.
December 8th, 2014 10:27pm

We are using the F5 with Exchange 2013 in co-existence with 2010 just fine.  I too used host files for initial testing.  Are you doing SSL offloading or bridging from the F5 back to the 2013 servers?

We opted for SSL offloading (there are some things you have to do on the 2013 servers to enable this). The cert you use on the F5 must also be on all the 2013 servers and assigned to the web services URL.

Check your authentication on your virtual directories as well that they all match across all servers. 

For Outlook 2013 and MAPI over HTTP, there are additional adjustments you must make on the F5 to set that up (it's in their deployment guide). Latest version of their iApp for Exchange 2013 is 1.4, and it works great.

December 13th, 2014 3:32am
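
One way to run the cross-server check suggested in the reply above, as an added example that is not part of the original thread. It assumes the Exchange Management Shell on an Exchange 2013 server and uses the standard `Get-OutlookAnywhere` and `Get-OutlookProvider` cmdlets; the variable names are illustrative.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Settings that should be identical on every server behind one load-balanced namespace.
$props = 'InternalHostname', 'ExternalHostname',
         'InternalClientAuthenticationMethod', 'ExternalClientAuthenticationMethod',
         'IISAuthenticationMethods', 'SSLOffloading',
         'InternalClientsRequireSsl', 'ExternalClientsRequireSsl'

# Read the Outlook Anywhere (/rpc) settings of every server from Active Directory
# and flatten each value to a sorted string so multi-valued settings compare cleanly.
$rows = foreach ($oa in Get-OutlookAnywhere -ADPropertiesOnly) {
    $row = [ordered]@{ Server = "$($oa.Server)" }
    foreach ($p in $props) {
        $row[$p] = (@($oa.$p) | ForEach-Object { "$_" } | Sort-Object) -join ','
    }
    [pscustomobject]$row
}

# Report every setting that is not the same on all servers.
$mismatch = $false
foreach ($p in $props) {
    $groups = @($rows | Group-Object -Property $p)
    if ($groups.Count -gt 1) {
        $mismatch = $true
        Write-Warning "$p differs between servers:"
        foreach ($g in $groups) {
            "  '{0}' on {1}" -f $g.Name, ($g.Group.Server -join ', ')
        }
    }
}
if (-not $mismatch) { 'Outlook Anywhere settings match on all servers.' }

# The certificate principal name Autodiscover hands to Outlook (EXPR is the
# Outlook Anywhere provider); with a wildcard certificate it must match the
# certificate subject presented by the load balancer and by the servers.
Get-OutlookProvider | Format-Table Name, CertPrincipalName, Server -AutoSize
```

In a coexistence organization the output also lists Exchange 2010 servers with Outlook Anywhere enabled, so compare only the servers that sit behind the same VIP.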

I checked with our Network team to verify, and we are doing SSL bridging. We have a matching wildcard cert on all servers and F5. I checked all the /rpc VDirs and they are set the same on all servers: under Default Web Site, both Windows & Basic are enabled, and under Exchange Back End, just Windows Auth is enabled.

Other than for the adjustments you mentioned for MAPI over HTTP, do you recall if yours was implemented directly from the F5 guide or if you had to make any modifications?

Thanks for the help.

December 15th, 2014 11:27pm

Hi,

If you are only using one namespace mail.ourcompany.com for all services, please make sure mail.ourdomain.com and autodiscover.ourdomain.com are configured to point at your VIP for load balancers.

Then change all other services URLs to use one namespace: mail.ourdomain.com. After saving the configuration, along with performing an iisreset /noforce against these servers, we should have a complete configuration. 

Re

December 16th, 2014 3:32pm

Hi,

Any updates?

Regards,

December 18th, 2014 5:55am

Hi,

All of our name spaces and URLs are set as you described.  We've noticed in troubleshooting that if we are using the F5 VIP rather than a host file pointing directly to one server, connection attempts to /rpc/rpcproxy.dll don't seem to be making it to the CAS.  Our Network team is opening a ticket with F5 to investigate further.

December 18th, 2014 3:59pm

If you do SSL bridging and have a new cert, check your System Logs and validate you are not getting an error regarding the available cipher suites. I ended up just ditching the concept of using their iApps for the time being due to getting our SHA1 cert rekeyed. I may revisit it in the future, but I ended up just creating Virtual Servers that reference Pools with the Ex2013 servers and putting a priority on the preferred CAS. You can modify the available cipher suites in both the F5 and Windows, but I didn't go through the effort to determine what I needed as we were in an outage window.
December 18th, 2014 7:38pm

Thanks for the suggestion, but I checked, and I'm not seeing any errors regarding the cipher suites. Both the F5 and Exchange have a wildcard that we've had around for a while. From what I understand from my Network Engineer, he too was unable to use the iApps and created the virtual servers manually. We have a ticket with F5 but don't have an update on it yet.
December 19th, 2014 10:57pm

Issue turned out being the version of our F5 OS didn't support NTLM.  We are waiting for them to upgrade to a newer version before proceeding.  
  • Marked as answer by TracyLW Thursday, February 26, 2015 6:56 PM
February 26th, 2015 1:56pm


Hi Tracy, 

May I ask, what version of the F5 OS were you using? And was there a recommended version to upgrade to? Additionally, which version of the iApp template did you use? Thanks

Jay

April 19th, 2015 8:54am
