APM EWS Remote Connectivity Analyser

Question

Hello&nbsp;Found strange issue with APM protecting Exchange 2019&nbsp;Deployed configuration using&nbsp;Appendix C: Manual configuration tables from https://www.f5.com/pdf/deployment-guides/microsoft-exchange-2016-dg.pdf&nbsp;Everything working fine (all required protocols). But Microsoft Remote Connectivity Analyser https://testconnectivity.microsoft.com/tests/EwsAccess/input shows that Autodiscovery and EWS cannot be reached (timeout error)&nbsp;I took decrypted tcpdump for traffic from Remote Connectivity Analyser (RCA) and found that front-end request (RCA-F5) contains Basic Authorization header, but back-end request (F5-Exchange) does not contain one&nbsp;Front-End requestPOST /EWS/Exchange.asmx HTTP/1.1
Content-Type: text/xml; charset=utf-8
Accept: text/xml
User-Agent: ExchangeServicesClient/15.20.7828.000
Accept-Encoding: gzip,deflate
X-RCA-IgnoreCertificateTrust: true
X-ClientStatistics: MessageId=,ResponseTime=99882,SoapAction=GetFolder;
Authorization: Basic BASE64_STRING
Host: exchange.domain.tld
Content-Length: 764
Expect: 100-continue
X-Forwarded-For: 52.109.8.10&nbsp;Back-End requestHeader "Authorization: Basic BASE64_HIDDEN_STRING" is missingHeader "APM_session: a63a0c88" is added by standard iRule from Exchange deployment guidePOST /EWS/Exchange.asmx HTTP/1.1
Content-Type: text/xml; charset=utf-8
Accept: text/xml
User-Agent: ExchangeServicesClient/15.20.7828.000
X-RCA-IgnoreCertificateTrust: true
X-ClientStatistics: MessageId=,ResponseTime=99882,SoapAction=GetFolder;
Host: exchange.domain.tld
Content-Length: 764
Expect: 100-continue
X-Forwarded-For: 52.109.8.10
APM_session: a63a0c88

HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/10.0
request-id: b9c88db3-461b-427b-9be0-54915949a9e5
X-OWA-Version: 15.2.1544.11
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
X-FEServer: EXCHANGE_SERVER
Date: Fri, 09 Aug 2024 18:38:16 GMT
Content-Length: 0&nbsp;Logs from APM:Policy result allow, so everything should be fineVPE with name "App EXCH" contains SSO credential mapping# grep a63a0c88 /var/log/apm
2024-08-09T21:33:43.488+03:00 bigip01 notice apmd[7113]: 01490115:5: /PARTITION/Exchange_access:PARTITION:a63a0c88: Following rule 'Client for MS Exchange' from item 'Client for MS Exchange' to terminalout 'Client'
2024-08-09T21:33:43.488+03:00 bigip01 notice apmd[7113]: 01490010:5: /PARTITION/Exchange_access:PARTITION:a63a0c88: Username 'domain	est_user'
2024-08-09T21:33:43.507+03:00 bigip01 notice apmd[7113]: 01490115:5: /PARTITION/Exchange_access:PARTITION:a63a0c88: Following rule 'Successful' from item 'AD Auth' to terminalout 'Success'
2024-08-09T21:33:43.516+03:00 bigip01 notice apmd[7113]: 01490115:5: /PARTITION/Exchange_access:PARTITION:a63a0c88: Following rule 'memberOf' from item 'AD Query' to terminalout 'Success'
2024-08-09T21:33:43.517+03:00 bigip01 notice apmd[7113]: 01490009:5: /PARTITION/Exchange_access:PARTITION:a63a0c88: ACL '/PARTITION/Exchange_acl' assigned
2024-08-09T21:33:43.517+03:00 bigip01 notice apmd[7113]: 01490115:5: /PARTITION/Exchange_access:PARTITION:a63a0c88: Following rule 'fallback' from item 'Advanced Resource Assign' to terminalout 'Out'
2024-08-09T21:33:43.517+03:00 bigip01 notice apmd[7113]: 01490005:5: /PARTITION/Exchange_access:PARTITION:a63a0c88: Following rule 'Out' from item 'App EXCH' to ending 'Allow'
2024-08-09T21:33:43.518+03:00 bigip01 notice apmd[7113]: 01490102:5: /PARTITION/Exchange_access:PARTITION:a63a0c88: Access policy result: LTM+APM_Mode
2024-08-09T21:33:43.519+03:00 bigip01 notice apmd[7113]: 01490248:5: /PARTITION/Exchange_access:PARTITION:a63a0c88: Received client info - Hostname:  Type: unknown Version: 0 Platform: unknown CPU: unknown UI Mode: Full Javascript Support: 0 ActiveX Support: 0 Plugin Support: 0&nbsp;APM config:Exchange profile according to latest docs. Front-end authorization is Basic and back-end is NTLM. As described on page 113 on deployment guideapm profile access /PARTITION/Exchange_access {
    exchange-profile /PARTITION/Exchange_exchange
}
apm profile exchange /PARTITION/Exchange_exchange {
    app-service none
    auto-discover-auth-type basic
    auto-discover-sso-config /PARTITION/Exchange_ntlmv2
    ntlm-auth-name none
    offline-address-book-auth-type basic
    offline-address-book-sso-config /PARTITION/Exchange_ntlmv2
    rpc-over-http-auth-type basic
    rpc-over-http-sso-config none
    web-service-auth-type basic
    web-service-sso-config /PARTITION/Exchange_ntlmv2
    web-service-url /[ae][pw][is]/*
}
apm sso ntlmv2 /PARTITION/Exchange_ntlmv2 {
    ntlm-domain corp.domain.tld
    partition PARTITION
}&nbsp;However we do not have BIG-IP NTLM account created in Active Directory. Deployment guide does not instruct to force this action&nbsp;I tried to switch "auto-discover-sso-config", "offline-address-book-sso-config" and "web-service-sso-config" to "none" instead of ntlmv2 object but issue is still there&nbsp;Have anybody such issues with APM protected Exchange? Could you please check and share with me your Exchange profile if your EWS test will succeed?&nbsp;Thanks!

injeyan_kostas · Answer

Depenging on how username is provided in login page, session.logon.last.domain variable might not be setted.

session.logon.last.domain is used be default on NTLM sso config.

As you have AD Auth on the VPE, I would suggest changing the sso configuration to use session.ad.last.actualdomain as the domain source and try again.

vladimir_akhmarov · Answer

Unfortunately that did not helped me :(&nbsp;I tried both options:Use session variable "session.ad.last.actualdomain" for NTLMv2 SSO object. That value exactly matches "ntlm-domain" under apm sso ntlmv2 /PARTITION/Exchange_ntlmv2Use session.logon.last.domain and set "ntlm-domain" to DOMAIN (NetBIOS domain name) under apm sso ntlmv2 /PARTITION/Exchange_ntlmv2&nbsp;Seems that something else stops APM from attaching SSO to the back-end request&nbsp;Moreover all my tests shows now that APM did not send any request to the /EWS/Exchange.asmx even after I reverted all the changes back. BIG-IP reboot did not helped :)&nbsp;

injeyan_kostas · Answer

Are you using the same sso for the other services?Does it work there?

vladimir_akhmarov · Answer

Nope, the only service is Exchange for this SSO object&nbsp;If you have APM policy for Exchange may I ask you to check EWS health on Microsoft Remote Connectivity Analyser?

injeyan_kostas · Answer

I mean other Exchange services except EWS, like OWA for example.

Forum Discussion

APM EWS Remote Connectivity Analyser

Recent Discussions

Certificate server name issue--wildcard certificate

BIG-IQ DNS TPS Per Geo Location

Ddos

cache size and timeout ssl client profile for 1 million tps

APM subsession variables disappear before session is terminated

Related Content

Site-to-Site Connectivity in F5 Distributed Cloud Network Connect – Reference Architecture

Integrate F5 Distributed Cloud remote logging with ELK

SIEM news! F5 Distributed Cloud’s remote logging adds IBM’s QRadar

F5 remote logging server

How I did it - "Remote logging with F5 BIG-IP Next and OpenTelemetry"