You can use this F5 supported iApp template to configure availability, optimizations, encryption, and remote access for the Client Access server role in the following Exchange Server versions:
- Exchange Server 2013 Service Pack 1 (SP1) including Cumulative Updates (CU) 1-6
- Exchange Server 2010, SP1, SP2 and SP3
This iApp template configures BIG-IP LTM for all HTTP-based Client Access services, as well as MAPI (RPC Client Access), IMAP4/IMAP4S, and POP3/POP3S.
When used with BIG-IP APM, this iApp template supports proxy authentication and secure remote access for all Client Access server HTTP-based protocols without requiring a VPN client. This iApp template supports running BIG-IP APM on the same BIG-IP system as the BIG-IP LTM, or using a BIG-IP Edge Gateway to forward traffic to BIG-IP LTM on a different system.
For information about BIG-IP releases that support the various versions of this iApp template, refer to the following table:
|iApp supported for BIG-IP versions
|iApp not supported for BIG-IP versions
||11.3.0 - 11.6.0
||11.0.0 - 11.2.1
||11.3.0 - 11.6.0
||11.0.0 - 11.2.1
||11.3.0 - 11.6.0
|11.0.0 - 11.2.1
||11.0.0 - 11.3.0
|11.4.0 and later
||11.0.0 - 11.1.0
||11.2.0 and later
||11.0.0 - 11.1.0
|11.2.0 and later
*The original iApp release is shipped with BIG-IP 11.0.0 through 11.4.1. F5 strongly recommends that you use the latest supported version of the iApp.
To download and install the iApp template, perform the following procedures:
Downloading the iApp template
Important: You must download the file; do not copy and paste the content.
- Go to the F5 Downloads site.
- From the Downloads Overview page, click Find a Download.
The Select a Product Line page displays.
- From the Product Line column, select BIG-IP v11.x / Virtual Edition.
The Select a Product Version and Container page displays.
- From the small drop-down menu, select the version of the product on which you want to install the iApp template. The system selects the most recent version of the software, by default.
The version-specific software updates and releases appear.
- In the Name column, click iApp-Templates.
A Software Terms and Conditions page appears.
- Read the End User Software License Agreement and either accept the license by clicking I Accept, or cancel the process by clicking Cancel.
If you accept the End User Software License Agreement, the Select a Download page appears, which shows a table with the file name, product description, and file size details.
Note: After you accept the End User Software License Agreement, the system will not present the agreement again for subsequent downloads that you perform during the same browser session.
- From the Filename column of the table, select the file named iapps-x.x.x.x.x.zip.
For example, the file for the October 2014 iApp release is named iapps-22.214.171.124.0.zip.
The Select a Download Method page appears.
- F5 supports the FTP, HTTP, and HTTPS protocols for downloading files from F5. Select one of the three supported protocols listed by clicking the down arrow button.
A pop-up window appears, prompting you to either open or save the file.
Note: Some browsers save the file to a default location. You can review your specific browser's documentation to change the default location of where you want to save files.
- Select the option to save the file.
Installing the iApp template
- Unzip the zip file to a location accessible from your BIG-IP system.
- Log in to the BIG-IP Configuration utility.
- From the iApp tab, select Templates.
- Click Import.
- Select the Overwrite Existing Templates box.
- Click Browse.
- Browse to the location where you saved the iApp file.
- Select the template file that corresponds to the iApp version you want to install. For example, the file for the October 2014 release of this iApp is named f5.microsoft.exchange_2010_2013_cas.v1.4.0.tmpl.
Note: Refer to the Support Matrix below to select the most current supported template for your BIG-IP software version.
- Click Upload.
When the upload completes, the iApp is available for use. For instructions about using this template and configuring your Exchange Server 2010 or Exchange Server 2013 Client Access server environment, refer to the Deploying the BIG-IP System v11 with Microsoft Exchange 2010 and 2013 Client Access Servers Deployment Guide.
- Support for BIG-IP v11.6.0.
- Support for smart card authentication for Outlook Web App.
- The option to recreate the Outlook Web App public/private computer and light version choices on the BIG-IP APM logon page.
- Removed the option for restricting EAC access by IP address or network, as it did not function reliably. Removed the associated section Creating the Data Group and iRule for securing EAC access if you are not using BIG-IP APM from this guide. The option to have BIG-IP APM restrict EAC access to members of the Exchange Organization Management Security Group is still available.
- Disabled Nagle's algorithm on template-created WAN profiles.
- Modified the persistence profile and combined persistence iRule to prevent connection clumping.
- Corrected the cookie used for logon detection in the Client-initiated forms-based SSOv2.
- BIG-IP APM LDAP monitor now correctly uses the common name in the user name field.
- Textual changes to indicate support for Exchange 2013 SP1 SSL Offload.
- The ability to use an existing AAA object.
- The ability to attach an existing BIG-IP APM profile to the virtual server.
- The ability to customize APM login text banner.
- The ability to use an existing SNAT pool.
- The BIG-IP APM OWA timeout iRule to the template. This was previously a manual process.
- External monitors (EAVs) for POP3S and IMAP4S.
- Corrected an incorrect Exchange APM profile for OA NTLM auth.
- The iApp template now assigns the correct NTLM auth config object in separate virtual server scenario.
- Updated the combined iRules to use wildcards consistently.
- Removed the Analytics profile from the POP/IMAP virtual servers.
- The iApp now obfuscates user credentials in the persistence iRule.
- Corrected an error when using a space in the monitor account password.
- Corrected an issue where the EAC datagroup/iRule were not created if BIG-IP APM was not deployed.
- The iApp template now uses the proper built in Exchange support iRule for ActiveSync.
- The iApp template now fully supports Exchange Server 2013 CU2, Exchange Server 2013 CU1, and Exchange Server 2013.
- The template no longer configures objects for MAPI (RPC Client Access) when Exchange Server 2013 is selected.
- The template does not apply persistence profiles for Exchange Server 2013 services.
- The template now supports accessing the Exchange Admin Center (EAC), and adds the ability to restrict access via group membership when using BIG-IP APM.
- Simple monitors now check healthcheck.htm.
- The ActiveSync monitor has been updated to accommodate a change in Exchange Server 2013 CU2.
- Users may show or hide inline Help.
- The HTML Help content has been removed in favor of inline configuration notes and Deployment Guide instructions.
- Users may specify priority groups when using customized pool settings.
- Added support for Exchange Web Services (EWS) when not deploying Outlook Anywhere.
- Added a new EWS-specific External Application Verification (EAV) monitor.
- BIG-IP APM-Specific New Features
- Users may specify a pool of Active Directory (AD) servers rather than just one when using BIG-IP APM on BIG-IP 11.2.0 or later.
- Added monitoring options for the AAA Active Directory pool.
- Client-side NTLM support is included for BIG-IP 11.3.0 and later.
- Converted BIG-IP APM Forms-based SSO objects to v2 (Forms - Client Initiated).
- Added support for the new F5 Exchange profile on BIG-IP 11.4.0 and later, substituting for system iRules.
- User input for monitor time-out is now applied to EAV monitors.
- Removed redirect iRule when unencrypted client connection is selected.
- owa/ URI modification field from template because it was not used.
- When selecting different IP addresses for each service, the Monitoring section now automatically provides a separate text field for each service's fully-qualified domain name (FQDN).
- Excluded uglobal.js and owa.ev from caching profiles, and removed Accept-Encoding header, to prevent client hanging.
- BIG-IP APM sessions are now terminated after a user logs out of Outlook Web Access (OWA).
- When switching from a specific certificate and key to a default certificate and key, the Client SSL profile now accepts the change.
- Pools are now configured to Reject as Action on Service Down (changed from None).
- SNAT pool arrays are now uniquely named, so they are not overwritten by subsequent iApp instances.
- Removed a trailing slash from the HTTP::uri command in OWA to append the iRule to force the Client Access server to send a redirect to /owa/; previously, users navigating back to or over HTTP would not get redirected correctly.
- Added the system ActiveSync APM iRule when a separate ActiveSync virtual server is configured.
- Fixed an incorrect combined iRule pool assignment for EWS and OAB traffic in BIG-IP LTM plus BIG-IP APM scenarios.
- Made corrections to Autodiscover EAV monitor scripts.
- Added IPv6 support to EAV monitor scripts.
- Added a fix for a session cookie persistence bug.
If customizing server pool settings, changing the load balancing method from the default to a node-based method (such as Ratio (node) or Least Connections (node)), and configuring a Ratio or Connection Limit value, you must manually add the Ratio or Connection Limit setting to each node after running the iApp. Refer to the Deploying the BIG-IP System v11 with Microsoft Exchange 2010 and 2013 Client Access Servers Deployment Guide for specific instructions.
- POP3 and IMAP4 monitors and pools now use the correct ports when SSL Offload is selected (ID 387421).
- POP and IMAP built-in monitors function as expected (ID 386958).
- Autodiscover EAV monitor in Exchange Server Client Access server iApp no longer incorrectly marks servers up (ID 385801).
- OneConnect profile source mask is now set to 255.255.255.255 in all cases (ID 386433).
- The oa_persist iRule is now associated with a separate Outlook Anywhere virtual server (ID 386447).
- Windows and Macintosh clients can now connect to Exchange Server Client Access server using EWS or other protocols without multiple login requests (ID 385297).
- The Advanced monitor for OWA now correctly supports NTLM authentication (ID 387670).
- Time-out set to zero seconds (session persistence) on cookie persistence profile applied to combined virtual server (ID 386218).
- Autodiscover EAV now honors the option to re-encrypt traffic on the server side (ID 385803).
- SSL profile configuration options are somewhat limited, requiring manual adjustment to the iApp template.
- If the advanced OWA monitor is used to monitor OWA on the Exchange Server, and Basic authentication is disabled on the server (forcing NTLM authentication), disable strictness and remove the trailing CR/LF from the OWA monitor send string. (ID 385451).
- Tested to work with Exchange Server 2010 SP2.
- Support added for BIG-IP APM, including BIG-IP Edge Gateway, with all HTTP-based Client Access services.
- Reorganized into a scenario-based approach for deployment.
- BIG-IP Edge Gateway forwarding traffic to a separate LTM
- LTM receiving traffic from an BIG-IP Edge Gateway
- LTM and APM on the same BIG-IP system
- LTM only
- Added a choice of monitor types:
- Simple monitors provide a lightweight way to check server health without requiring login credentials.
- Advanced monitors perform logins to mailbox accounts by sending specific queries to OWA, Outlook Anywhere, Autodiscover, and ActiveSync services to more accurately reflect the health of the end-to-end Client Access system.
- Optionally, a second advanced monitor can be configured to monitor a second mailbox for each service to mitigate the effect that a single locked or misconfigured user account would have on monitor status.
- Added an option to re-encrypt connections (SSL bridging) before forwarding from BIG-IP LTM to Client Access servers, or between BIG-IP Edge Gateway and BIG-IP LTM.
- Added customization options for many pool settings.
- Added the option for a different FQDN for each HTTP-based service.
- The default load-balancing method is now Least Connections (member) instead of Round Robin, which provides in more intelligent load balancing decisions.
- Added extensive inline documentation and notes.
- Added the ability to specify the type of certificate on the remote BIG-IP LTM to correctly set the Require Secure configuration option.
- Corrected iRule to test for the OutlookSession cookie, rather than a header of the same name, for Outlook Anywhere persistence.
- Disabled OneConnect for NTLM connections, which eliminates an extra user login prompt.
- A new iRule keeps connections from a single IP address tied to a single translated address when using a SNAT pool. This fixes issues with Blackberry Enterprise Server.
- The default TCP time-out value for RPC connections is now 7200 seconds (2 hours) rather than 300 seconds (5 minutes). This should prevent various MAPI time-out issues seen with the Outlook client and Blackberry Enterprise Server.
- Clarified SNAT scenarios in simpler terms.
- Corrected RPC pools to use all-ports ( * ) or user-defined values rather than port 135.
- Removed an extraneous RPC virtual server and pool along with associated question.
- Removed the Server SSL certificate and key questions because those were never used and are unneeded.
- Initial iApp for Exchange Server that ships with BIG-IP 11.0.0 and 11.1.0.
- NTLM Authentication must be disabled for traffic using the Negotiate authentication header.
- When using Autodiscover and supporting Macintosh clients, chunking must be configured in the HTTP profile.
- HTTP caching and compression should be enabled for only a few specific responses when OWA or Outlook Anywhere/OAB are used.