01-10-2014 07:08 AM
Struggling here with getting my ACE to play nice with two Exchange 2010 servers in a DAG. I have the CAS array all set up and the VIP of my ACE is the FQDN of my CAS Array.
Here is the config. Nothing seems to be working. Any thoughts? Thanks for the help!!
crypto chaingroup WWW-PROD-CHAINGROUP
  cert AddTrustExternalCARoot.crt
  cert COMODOHigh-AssuranceSecureServerCA.crt
access-list allow line 8 extended permit ip any any
probe https Exchange-OWA
  interval 30
  ssl version all
  request method get url get /owa/auth/logon.aspx
  expect status 400 404
probe tcp TCP135
  description RPC Endpoint Mapper
  port 135
  interval 30
  connection term forced
probe tcp TCP60000
  description RPC Client Access
  port 60000
  interval 30
  connection term forced
probe tcp TCP60001
  description Address Book Service
  port 60001
  interval 30
  connection term forced
rserver redirect OWA-SSL-REDIRECT
  webhost-redirection https://%h%p 301
  inservice
rserver host mail1
  ip address 10.0.14.11
  inservice
rserver host mail2
  ip address 10.0.14.12
  inservice
serverfarm host Exchange-CAS-HTTPS
  predictor leastconns
  probe Exchange-OWA
  rserver mail1 443
    inservice
  rserver mail2 443
    inservice
serverfarm host Exchange-CAS-RPC
  predictor leastconns
  probe TCP135
  probe TCP60000
  probe TCP60001
  fail-on-all
  rserver mail1
    inservice
  rserver mail2
    inservice
serverfarm redirect Exchange-OWA-REDIRECT
  rserver OWA-SSL-REDIRECT
    inservice
parameter-map type http Exchange-OWA
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 16384
  set content-maxparse-length 8192
parameter-map type ssl SSL_PARAMS
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_WITH_3DES_EDE_CBC_SHA
sticky ip-netmask 255.255.255.255 address source Exchange-CAS-RPC
  timeout 7200
  replicate sticky
  serverfarm Exchange-CAS-RPC
sticky http-cookie Exchange-Sticky Exchange-CAS-HTTPS-Cookie
  cookie insert browser-expire
  replicate sticky
  serverfarm Exchange-CAS-HTTPS
sticky http-header Authorization Exchange-CAS-HTTPS-AuthZHeader
  timeout 7200
  replicate sticky
  serverfarm Exchange-CAS-HTTPS
sticky ip-netmask 255.255.255.255 address source Exchange-CAS-HTTPS-SourceIP
  timeout 7200
  replicate sticky
  serverfarm Exchange-CAS-HTTPS
action-list type modify http Exchange-CAS-HTTP
  header insert request X-Forwarded-For header-value "%is"
ssl-proxy service Exchange-CAS
  key ProdKEYPAIR.PEM
  cert WWW-PROD-CERT.crt
  chaingroup WWW-PROD-CHAINGROUP
  ssl advanced-options SSL_PARAMS
class-map match-any Exchange-CAS-HTTPS
  2 match virtual-address 10.0.14.6 tcp eq https
class-map type http loadbalance match-any Exchange-CAS-HTTPS-RootRequest
  2 match http url /
class-map match-any Exchange-CAS-RPC
  2 match virtual-address 10.0.14.6 tcp eq 60001
  3 match virtual-address 10.0.14.6 tcp eq 60000
  4 match virtual-address 10.0.14.6 tcp eq 135
class-map match-any Exchange-OWA-REDIRECT
  2 match virtual-address 10.0.14.6 tcp eq www
class-map type management match-any mgmt-cm
  2 match protocol https any
  3 match protocol snmp any
  4 match protocol ssh any
  5 match protocol icmp any
policy-map type management first-match mgmt-pm
  class mgmt-cm
    permit
policy-map type loadbalance first-match Exchange-CAS-HTTPS
  match OWA http url /owa.*
    sticky-serverfarm Exchange-CAS-HTTPS-Cookie
    action Exchange-CAS-HTTP
  match ECP http url /ecp.*
    sticky-serverfarm Exchange-CAS-HTTPS-Cookie
    action Exchange-CAS-HTTP
  match EWS http url /ews.*
    sticky-serverfarm Exchange-CAS-HTTPS-Cookie
    action Exchange-CAS-HTTP
  match ActiveSync http url /Microsoft-Server-ActiveSync.*
    sticky-serverfarm Exchange-CAS-HTTPS-AuthZHeader
    action Exchange-CAS-HTTP
  match OutlookAnywhere http header User-Agent header-value "MSRPC"
    sticky-serverfarm Exchange-CAS-HTTPS-AuthZHeader
    action Exchange-CAS-HTTP
  class Exchange-CAS-HTTPS-RootRequest
    serverfarm Exchange-OWA-REDIRECT
  class class-default
    sticky-serverfarm Exchange-CAS-HTTPS-SourceIP
    action Exchange-CAS-HTTP
policy-map type loadbalance first-match Exchange-CAS-RPC
  class class-default
    sticky-serverfarm Exchange-CAS-RPC
policy-map type loadbalance http first-match Exchange-OWA-REDIRECT
  class class-default
policy-map multi-match vlan100
  class Exchange-OWA-REDIRECT
    loadbalance vip inservice
    loadbalance policy Exchange-OWA-REDIRECT
  class Exchange-CAS-RPC
    loadbalance vip inservice
    loadbalance policy Exchange-CAS-RPC
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 100
  class Exchange-CAS-HTTPS
    loadbalance vip inservice
    loadbalance policy Exchange-CAS-HTTPS
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 100
    appl-parameter http advanced-options Exchange-OWA
    ssl-proxy server Exchange-CAS
interface vlan 100
  ip address 10.0.14.7 255.255.255.0
  access-group input allow
  nat-pool 1 10.0.14.6 10.0.14.6 netmask 255.255.255.255 pat
  service-policy input mgmt-pm
  service-policy input vlan100
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.0.14.1
snmp-server community mycompany group Network-Monitor
MailSwitch/Exchange#
01-10-2014 08:01 AM
Hi Andrew,
It seems that you have rservers listening on port 443 for serverfarm Exchange-CAS-HTTPS, which means that you have end-to-end SSL in place. But I don't see "ssl-proxy client
You need to configure ACE as a client along with server when doing end-to-end SSL. In your case it is just server. Please configure the above command under "policy-map type loadbalance first-match Exchange-CAS-HTTPS".
Regards,
Kanwal
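The gap Kanwal describes is easy to miss in a long running-config, so here is an added example (not from the thread or from Cisco) that walks an ACE config and lists every load-balance class that steers traffic to port-443 rservers without an `ssl-proxy client` in that class. The sample config is a constructed excerpt modelled on the post above; `Exchange-Backend` is a hypothetical ssl-proxy client service name used only to show the fixed form.

```python
# Added example (not the thread's own code): flag load-balance classes that send
# traffic to port-443 rservers without an 'ssl-proxy client' command in that class.
def find_missing_ssl_client(config):
    """Return (policy, class, serverfarm) tuples; assumes ACE running-config order."""
    tls_farms, sticky_to_farm, classes = set(), {}, []
    section = cls = None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        head = words[0]
        if head == "serverfarm" and words[1] in ("host", "redirect"):
            section, cls = ("farm", words[2]), None      # top-level serverfarm block
        elif head == "sticky":
            section, cls = ("sticky", words[-1]), None   # sticky group, name is last word
        elif head == "policy-map":
            section, cls = ("lb" if "loadbalance" in words else "other", words[-1]), None
        elif section is None:
            continue
        elif section[0] == "farm" and head == "rserver" and words[-1] == "443":
            tls_farms.add(section[1])                    # backend expects TLS from ACE
        elif section[0] == "sticky" and head == "serverfarm":
            sticky_to_farm[section[1]] = words[1]        # sticky group -> serverfarm
        elif section[0] == "lb" and head in ("class", "match"):
            cls = {"policy": section[1], "class": words[1], "farm": None, "client": False}
            classes.append(cls)
        elif cls and head == "serverfarm":
            cls["farm"] = words[1]
        elif cls and head == "sticky-serverfarm":
            cls["farm"] = sticky_to_farm.get(words[1], words[1])
        elif cls and head == "ssl-proxy" and words[1] == "client":
            cls["client"] = True                         # ACE re-encrypts toward the rserver
    return [(c["policy"], c["class"], c["farm"]) for c in classes
            if c["farm"] in tls_farms and not c["client"]]

# Constructed excerpt modelled on the thread's config; only class-default carries the
# fix ('Exchange-Backend' is a hypothetical ssl-proxy client service name).
SAMPLE_CONFIG = """
serverfarm host Exchange-CAS-HTTPS
  rserver mail1 443
  rserver mail2 443
sticky http-cookie Exchange-Sticky Exchange-CAS-HTTPS-Cookie
  serverfarm Exchange-CAS-HTTPS
policy-map type loadbalance first-match Exchange-CAS-HTTPS
  match OWA http url /owa.*
    sticky-serverfarm Exchange-CAS-HTTPS-Cookie
  class class-default
    serverfarm Exchange-CAS-HTTPS
    ssl-proxy client Exchange-Backend
"""
```

Running `find_missing_ssl_client(SAMPLE_CONFIG)` reports only the OWA class, since class-default already has the client-side proxy; on the full config from the post every class under Exchange-CAS-HTTPS is reported, which is exactly what the answer describes.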