
sol13497: iApp: Microsoft Exchange Server 2010 and Exchange Server 2013 Client Access servers

Original Publication Date: 04/09/2012
Updated Date: 03/10/2016



You can use this F5 supported iApp template to configure availability, optimizations, encryption, and remote access for the Client Access server role in the following Exchange Server versions:

  • Exchange Server 2013 Service Pack 1 (SP1) including all Cumulative Updates (CU)
  • Exchange Server 2010, SP1, SP2 and SP3

This iApp template configures BIG-IP LTM for all HTTP-based Client Access services, as well as MAPI (RPC Client Access), IMAP4/IMAP4S, and POP3/POP3S.

When used with BIG-IP APM, this iApp template supports proxy authentication and secure remote access for all Client Access server HTTP-based protocols without requiring a VPN client. This iApp template supports running BIG-IP APM on the same BIG-IP system as the BIG-IP LTM, or using a BIG-IP APM to forward traffic to BIG-IP LTM on a different system.

Beginning with v1.5.0 of the iApp template, you have the option of using the BIG-IP Advanced Firewall Manager (AFM), F5's high-performance, stateful, full-proxy network firewall to help secure and protect your Exchange deployment.

Support Matrix

For information about BIG-IP releases that support the various versions of this iApp template, refer to the following table:

iApp version
iApp supported for BIG-IP versions
iApp not supported for BIG-IP versions 12.0.0
11.3.0 - 11.6.0
11.0.0 - 11.2.1 12.0.0
11.3.0 - 11.6.0
11.0.0 - 11.2.1 12.0.0
11.3.0 - 11.6.0
11.0.0 - 11.2.1 12.0.0
11.3.0 - 11.6.0
11.0.0 - 11.2.1 12.0.0
11.3.0 - 11.6.0
11.0.0 - 11.2.1 11.0.0 - 11.3.0
11.4.0 and later 11.0.0 - 11.1.0 11.2.0 and later* 11.0.0 - 11.1.0
11.2.0 and later

*The original iApp release is shipped with BIG-IP 11.0.0 through 11.6.0. F5 strongly recommends that you use the latest supported version of the iApp.

To download and install the iApp template, perform the following procedures:

Downloading the iApp template

Important: You must download the file; do not copy and paste the content.

  1. Go to the F5 Downloads site.
  2. From the Downloads Overview page, click Find a Download.

    The Select a Product Line page displays.

  3. From the Product Line column, select BIG-IP v11.x / Virtual Edition.

    The Select a Product Version and Container page displays.

  4. From the small drop-down menu, select the version of the product on which you want to install the iApp template. The system selects the most recent version of the software, by default.

    The version-specific software updates and releases appear.

  5. In the Name column, click iApp-Templates.

    A Software Terms and Conditions page appears.

  6. Read the End User Software License Agreement and either accept the license by clicking I Accept, or cancel the process by clicking Cancel.

    If you accept the End User Software License Agreement, the Select a Download page appears, which shows a table with the file name, product description, and file size details.

    Note: After you accept the End User Software License Agreement, the system will not present the agreement again for subsequent downloads that you perform during the same browser session.

  7. From the Filename column of the table, select the file named

    For example, the file for the September 2015 iApp release is named

    The Select a Download Method page appears.

  8. F5 supports the FTP, HTTP, and HTTPS protocols for downloading files from F5. Select one of the three supported protocols listed by clicking the down arrow button.

    A pop-up window appears, prompting you to either open or save the file.

    Note: Some browsers save the file to a default location. You can review your specific browser's documentation to change the default location of where you want to save files.

  9. Select the option to save the file.

Installing the iApp template

  1. Unzip the zip file to a location accessible from your BIG-IP system.
  2. Log in to the BIG-IP Configuration utility.
  3. From the iApp tab, select Templates.
  4. Click Import.
  5. Select the Overwrite Existing Templates box.
  6. Click Browse.
  7. Browse to the location where you saved the iApp file.
  8. Select the template file that corresponds to the iApp version you want to install. For example, the file for the September 2015 release of this iApp is named

    Note: Refer to the Support Matrix below to select the most current supported template for your BIG-IP software version.

  9. Click Upload.

When the upload completes, the iApp is available for use. For instructions about using this template and configuring your Exchange Server 2010 or Exchange Server 2013 Client Access server environment, refer to the Deploying the BIG-IP System v11 with Microsoft Exchange 2010 and 2013 Client Access Servers Deployment Guide.

Revision History

Features added

There were no features added in this maintenance release.

Issues resolved

  • The caching and compression profiles and iRule are no longer incorrectly assigned in the separate virtual server deployment scenario.
  • Corrected an issue where the default TCP profile idle timeout could reduce battery life in mobile devices that use the ActiveSync protocol.
  • The iApp now correctly suppresses output in external monitors. Previously an unavailable service could have been marked available by the BIG-IP system.
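
The failure mode behind the external monitor fix above, as an added illustration (not F5's monitor script): a BIG-IP external monitor treats any text the script writes to standard output as "up", so stray output from a failed probe marks an unavailable member available. The probe function, its diagnostic text, and all function names are constructed stand-ins.

```shell
#!/bin/sh
# Constructed stand-in for a service probe (e.g. an HTTP request to a
# Client Access service). It always prints a diagnostic to stdout and exits
# with the status passed in $1 (0 = healthy, non-zero = unavailable).
probe() {
    echo "probe: response or error text"
    return "$1"
}

# Leaky check: the probe's own stdout reaches the monitor, even on failure.
leaky_check() {
    probe "$1" && echo "UP"
}

# Quiet check: all probe output is discarded; "UP" is written to stdout
# only when the probe succeeded.
quiet_check() {
    if probe "$1" >/dev/null 2>&1; then
        echo "UP"
    fi
}

# Models the external monitor decision: any stdout from the script means
# the member is marked up; no stdout means it is marked down.
monitor_verdict() {
    out=$("$@" 2>/dev/null) || true
    if [ -n "$out" ]; then
        echo up
    else
        echo down
    fi
}

# Compare both checks against an unavailable service (probe status 1).
for check in leaky_check quiet_check; do
    echo "$check, service unavailable: $(monitor_verdict "$check" 1)"
done
```

When reviewing a custom external monitor, confirm that every command in it other than the final success message has its standard output redirected.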

Features added

  • Added support for BIG-IP Advanced Firewall Manager.
  • Added the ability for password changes from the APM/OWA logon page.
  • Removed the option to choose a pre-existing direct AAA server object.

Issues resolved

  • The iApp no longer gives an error if using a special character in a password.
  • For Exchange 2010 deployments, modified two lines in the combined iRule to check for the existence of a specific header before using it for persistence, because some clients, such as Lync clients, send requests for some Exchange services that do not include an Authorization header.
  • Corrected a situation where the OWA logon options iRule was not created when deploying in the APM standalone scenario.

Known issues

  • If upgrading to this version of the iApp template from an iApp version prior to 1.2.0, you must carefully review all settings before submitting the template. For example, if you had configured the original template for SSL bridging, after upgrading this setting defaults back to SSL offload, and you must change it.

Features added

  • Support for BIG-IP 11.6.0.
  • Support for smart card authentication for Outlook Web App.
  • The option to recreate the Outlook Web App public/private computer and light version choices on the BIG-IP APM logon page.

Issues resolved

  • Removed the option for restricting EAC access by IP address or network, as it did not function reliably. Removed the associated section Creating the Data Group and iRule for securing EAC access if you are not using BIG-IP APM from this guide. The option to have BIG-IP APM restrict EAC access to members of the Exchange Organization Management Security Group is still available.
  • Disabled Nagle's algorithm on template-created WAN profiles.
  • Modified the persistence profile and combined persistence iRule to prevent connection clumping.
  • Corrected the cookie used for logon detection in the Client-initiated forms-based SSOv2.
  • BIG-IP APM LDAP monitor now correctly uses the common name in the user name field.

Known issues

  • If upgrading to this version of the iApp template from an iApp version prior to 1.2.0, you must carefully review all settings before submitting the template. For example, if you had configured the original template for SSL bridging, after upgrading this setting defaults back to SSL offload, and you must change it.

Features added

  • Textual changes to indicate support for Exchange 2013 SP1 SSL Offload.
  • The ability to use an existing AAA object.
  • The ability to attach an existing BIG-IP APM profile to the virtual server.
  • The ability to customize the APM login text banner.
  • The ability to use an existing SNAT pool.
  • Added the BIG-IP APM OWA timeout iRule to the template. This was previously a manual process.
  • External monitors (EAVs) for POP3S and IMAP4S.

Issues resolved

  • Corrected an incorrect Exchange APM profile for OA NTLM auth.
  • The iApp template now assigns the correct NTLM auth config object in the separate virtual server scenario.
  • Updated the combined iRules to use wildcards consistently.
  • Removed the Analytics profile from the POP/IMAP virtual servers.
  • The iApp now obfuscates user credentials in the persistence iRule.
  • Corrected an error when using a space in the monitor account password.
  • Corrected an issue where the EAC datagroup/iRule were not created if BIG-IP APM was not deployed.
  • The iApp template now uses the proper built-in Exchange support iRule for ActiveSync.

Known issues

  • If upgrading to this version of the iApp template from an iApp version prior to 1.2.0, you must carefully review all settings before submitting the template. For example, if you had configured the original template for SSL bridging, after upgrading this setting defaults back to SSL offload, and you must change it.

Features added

  • The iApp template now fully supports Exchange Server 2013 CU2, Exchange Server 2013 CU1, and Exchange Server 2013.

    • The template no longer configures objects for MAPI (RPC Client Access) when Exchange Server 2013 is selected.
    • The template does not apply persistence profiles for Exchange Server 2013 services.
    • The template now supports accessing the Exchange Admin Center (EAC), and adds the ability to restrict access via group membership when using BIG-IP APM.
    • Simple monitors now check healthcheck.htm.
    • The ActiveSync monitor has been updated to accommodate a change in Exchange Server 2013 CU2.
  • Users may show or hide inline Help.

    • The HTML Help content has been removed in favor of inline configuration notes and Deployment Guide instructions.
  • Users may specify priority groups when using customized pool settings.
  • Added support for Exchange Web Services (EWS) when not deploying Outlook Anywhere.
  • Added a new EWS-specific External Application Verification (EAV) monitor.
  • BIG-IP APM-Specific New Features

    • Users may specify a pool of Active Directory (AD) servers rather than just one when using BIG-IP APM on BIG-IP 11.2.0 or later.
    • Added monitoring options for the AAA Active Directory pool.
    • Client-side NTLM support is included for BIG-IP 11.3.0 and later.
    • Converted BIG-IP APM Forms-based SSO objects to v2 (Forms - Client Initiated).
    • Added support for the new F5 Exchange profile on BIG-IP 11.4.0 and later, substituting for system iRules.

Issues resolved

  • User input for monitor time-out is now applied to EAV monitors.
  • Removed redirect iRule when unencrypted client connection is selected.
  • Removed the owa/ URI modification field from the template because it was not used.
  • When selecting different IP addresses for each service, the Monitoring section now automatically provides a separate text field for each service's fully-qualified domain name (FQDN).
  • Excluded uglobal.js and owa.ev from caching profiles, and removed Accept-Encoding header, to prevent client hanging.
  • BIG-IP APM sessions are now terminated after a user logs out of Outlook Web Access (OWA).
  • When switching from a specific certificate and key to a default certificate and key, the Client SSL profile now accepts the change.
  • Pools are now configured to Reject as Action on Service Down (changed from None).
  • SNAT pool arrays are now uniquely named, so they are not overwritten by subsequent iApp instances.
  • Removed a trailing slash from the HTTP::uri command in OWA to append the iRule to force the Client Access server to send a redirect to /owa/; previously, users navigating back to or over HTTP would not get redirected correctly.
  • Added the system ActiveSync APM iRule when a separate ActiveSync virtual server is configured.
  • Fixed an incorrect combined iRule pool assignment for EWS and OAB traffic in BIG-IP LTM plus BIG-IP APM scenarios.
  • Made corrections to Autodiscover EAV monitor scripts.
  • Added IPv6 support to EAV monitor scripts.
  • Added a fix for a session cookie persistence bug.

Known issues

Features added

  • None

Issues resolved

  • POP3 and IMAP4 monitors and pools now use the correct ports when SSL Offload is selected (ID 387421).
  • POP and IMAP built-in monitors function as expected (ID 386958).
  • Autodiscover EAV monitor in Exchange Server Client Access server iApp no longer incorrectly marks servers up (ID 385801).
  • OneConnect profile source mask is now set to in all cases (ID 386433).
  • The oa_persist iRule is now associated with a separate Outlook Anywhere virtual server (ID 386447).
  • Windows and Macintosh clients can now connect to Exchange Server Client Access server using EWS or other protocols without multiple login requests (ID 385297).
  • The Advanced monitor for OWA now correctly supports NTLM authentication (ID 387670).
  • Time-out set to zero seconds (session persistence) on cookie persistence profile applied to combined virtual server (ID 386218).
  • Autodiscover EAV now honors the option to re-encrypt traffic on the server side (ID 385803).

Known issues

  • SSL profile configuration options are somewhat limited, requiring manual adjustment to the iApp template.
  • If the advanced OWA monitor is used to monitor OWA on the Exchange Server, and Basic authentication is disabled on the server (forcing NTLM authentication), disable strictness and remove the trailing CR/LF from the OWA monitor send string. (ID 385451).

Features added

  • Tested to work with Exchange Server 2010 SP2.
  • Support added for BIG-IP APM, including BIG-IP Edge Gateway, with all HTTP-based Client Access services.
  • Reorganized into a scenario-based approach for deployment.

    • BIG-IP Edge Gateway forwarding traffic to a separate LTM
    • LTM receiving traffic from a BIG-IP Edge Gateway
    • LTM and APM on the same BIG-IP system
    • LTM only
  • Added a choice of monitor types:

    • Simple monitors provide a lightweight way to check server health without requiring login credentials.
    • Advanced monitors perform logins to mailbox accounts by sending specific queries to OWA, Outlook Anywhere, Autodiscover, and ActiveSync services to more accurately reflect the health of the end-to-end Client Access system.
    • Optionally, a second advanced monitor can be configured to monitor a second mailbox for each service to mitigate the effect that a single locked or misconfigured user account would have on monitor status.
  • Added an option to re-encrypt connections (SSL bridging) before forwarding from BIG-IP LTM to Client Access servers, or between BIG-IP Edge Gateway and BIG-IP LTM.
  • Added customization options for many pool settings.
  • Added the option for a different FQDN for each HTTP-based service.
  • The default load-balancing method is now Least Connections (member) instead of Round Robin, which results in more intelligent load-balancing decisions.
  • Added extensive inline documentation and notes.
  • Added the ability to specify the type of certificate on the remote BIG-IP LTM to correctly set the Require Secure configuration option. 

Issues resolved

  • Corrected iRule to test for the OutlookSession cookie, rather than a header of the same name, for Outlook Anywhere persistence.
  • Disabled OneConnect for NTLM connections, which eliminates an extra user login prompt.
  • A new iRule keeps connections from a single IP address tied to a single translated address when using a SNAT pool. This fixes issues with Blackberry Enterprise Server.
  • The default TCP time-out value for RPC connections is now 7200 seconds (2 hours) rather than 300 seconds (5 minutes). This should prevent various MAPI time-out issues seen with the Outlook client and Blackberry Enterprise Server.
  • Clarified SNAT scenarios in simpler terms.
  • Corrected RPC pools to use all-ports ( * ) or user-defined values rather than port 135.
  • Removed an extraneous RPC virtual server and pool along with associated question.
  • Removed the Server SSL certificate and key questions because those were never used and are unneeded.

Known issues

  • None

  • Initial iApp for Exchange Server that ships with BIG-IP 11.0.0 and 11.1.0.

Known issues

  • NTLM Authentication must be disabled for traffic using the Negotiate authentication header.
  • When using Autodiscover and supporting Macintosh clients, chunking must be configured in the HTTP profile.
  • HTTP caching and compression should be enabled for only a few specific responses when OWA or Outlook Anywhere/OAB are used.
