01-15-2014 08:56 AM
I have set up our ACE 4710 and everything is working great with the exception of Outlook Anywhere. When I take one of the servers out of service in the serverfarm host Exchange-CAS-HTTPS everything runs correctly, but when I put the server back in service everything involving Outlook Anywhere blows up again. I contacted Microsoft and they informed me this was an issue with our ACE. Any help would be greatly appreciated.
crypto chaingroup WWW-PROD-CHAINGROUP
  cert AddTrustExternalCARoot.crt
  cert COMODOHigh-AssuranceSecureServerCA.crt
access-list allow line 8 extended permit ip any any
probe https Exchange-OWA
  interval 30
  ssl version all
  request method get url get /owa/auth/logon.aspx
  expect status 400 404
probe tcp TCP135
  description RPC Endpoint Mapper
  port 135
  interval 30
  connection term forced
probe tcp TCP60000
  description RPC Client Access
  port 60000
  interval 30
  connection term forced
probe tcp TCP60001
  description Address Book Service
  port 60001
  interval 30
  connection term forced
rserver redirect OWA-SSL-REDIRECT
  webhost-redirection https://%h%p 301
  inservice
rserver host mail1
  ip address 10.0.14.11
  inservice
rserver host mail2
  ip address 10.0.14.12
  inservice
serverfarm host Exchange-CAS-HTTPS
  predictor leastconns
  probe Exchange-OWA
  rserver mail1 443
    inservice
  rserver mail2 443
    inservice
serverfarm host Exchange-CAS-RPC
  predictor leastconns
  probe TCP135
  probe TCP60000
  probe TCP60001
  fail-on-all
  rserver mail1
    inservice
  rserver mail2
    inservice
serverfarm redirect Exchange-OWA-REDIRECT
  rserver OWA-SSL-REDIRECT
    inservice
parameter-map type http Exchange-OWA
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 16384
  set content-maxparse-length 8192
parameter-map type ssl SSL_PARAMS
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_WITH_3DES_EDE_CBC_SHA
sticky ip-netmask 255.255.255.255 address source Exchange-CAS-RPC
  timeout 7200
  replicate sticky
  serverfarm Exchange-CAS-RPC
sticky http-cookie Exchange-Sticky Exchange-CAS-HTTPS-Cookie
  cookie insert browser-expire
  replicate sticky
  serverfarm Exchange-CAS-HTTPS
sticky http-header Authorization Exchange-CAS-HTTPS-AuthZHeader
  timeout 7200
  replicate sticky
  serverfarm Exchange-CAS-HTTPS
sticky ip-netmask 255.255.255.255 address source Exchange-CAS-HTTPS-SourceIP
  timeout 7200
  replicate sticky
  serverfarm Exchange-CAS-HTTPS
action-list type modify http Exchange-CAS-HTTP
  header insert request X-Forwarded-For header-value "%is"
ssl-proxy service Exchange-CAS
  key ProdKEYPAIR.PEM
  cert WWW-PROD-CERT.crt
  chaingroup WWW-PROD-CHAINGROUP
  ssl advanced-options SSL_PARAMS
class-map match-any Exchange-CAS-HTTPS
  2 match virtual-address 10.0.14.6 tcp eq https
class-map type http loadbalance match-any Exchange-CAS-HTTPS-RootRequest
  2 match http url /
class-map match-any Exchange-CAS-RPC
  2 match virtual-address 10.0.14.6 tcp eq 60001
  3 match virtual-address 10.0.14.6 tcp eq 60000
  4 match virtual-address 10.0.14.6 tcp eq 135
class-map match-any Exchange-OWA-REDIRECT
  2 match virtual-address 10.0.14.6 tcp eq www
class-map type management match-any mgmt-cm
  2 match protocol https any
  3 match protocol snmp any
  4 match protocol ssh any
  5 match protocol icmp any
policy-map type management first-match mgmt-pm
  class mgmt-cm
    permit
policy-map type loadbalance first-match Exchange-CAS-HTTPS
  match OWA http url /owa.*
    sticky-serverfarm Exchange-CAS-HTTPS-Cookie
    action Exchange-CAS-HTTP
    ssl-proxy client Exchange-CAS
  match ECP http url /ecp.*
    sticky-serverfarm Exchange-CAS-HTTPS-Cookie
    action Exchange-CAS-HTTP
    ssl-proxy client Exchange-CAS
  match EWS http url /ews.*
    sticky-serverfarm Exchange-CAS-HTTPS-Cookie
    action Exchange-CAS-HTTP
    ssl-proxy client Exchange-CAS
  match ActiveSync http url /Microsoft-Server-ActiveSync.*
    sticky-serverfarm Exchange-CAS-HTTPS-AuthZHeader
    action Exchange-CAS-HTTP
    ssl-proxy client Exchange-CAS
  match OutlookAnywhere http header User-Agent header-value "MSRPC"
    sticky-serverfarm Exchange-CAS-HTTPS-AuthZHeader
    action Exchange-CAS-HTTP
    ssl-proxy client Exchange-CAS
  class Exchange-CAS-HTTPS-RootRequest
    serverfarm Exchange-OWA-REDIRECT
  class class-default
    sticky-serverfarm Exchange-CAS-HTTPS-SourceIP
    action Exchange-CAS-HTTP
    ssl-proxy client Exchange-CAS
policy-map type loadbalance first-match Exchange-CAS-RPC
  class class-default
    sticky-serverfarm Exchange-CAS-RPC
policy-map type loadbalance http first-match Exchange-OWA-REDIRECT
  class class-default
    serverfarm Exchange-OWA-REDIRECT
policy-map multi-match vlan100
  class Exchange-OWA-REDIRECT
    loadbalance vip inservice
    loadbalance policy Exchange-OWA-REDIRECT
  class Exchange-CAS-RPC
    loadbalance vip inservice
    loadbalance policy Exchange-CAS-RPC
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 100
  class Exchange-CAS-HTTPS
    loadbalance vip inservice
    loadbalance policy Exchange-CAS-HTTPS
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 100
    appl-parameter http advanced-options Exchange-OWA
    ssl-proxy server Exchange-CAS
interface vlan 100
  ip address 10.0.14.7 255.255.255.0
  access-group input allow
  nat-pool 1 10.0.14.6 10.0.14.6 netmask 255.255.255.255 pat
  service-policy input mgmt-pm
  service-policy input vlan100
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.0.14.1
snmp-server community mycompany group Network-Monitor
01-15-2014 09:17 AM
Hi Andrew,
Can you explain when the connection breaks? Do you have pcaps showing the problem? Is it an SSL handshake problem, the server resetting the connection, ACE not forwarding the traffic, ACE forwarding traffic to the wrong server, etc.? What exactly is going on?
Regards,
Kanwal
01-15-2014 09:27 AM
I don't think it's an SSL problem because it's working fine with one server at a time. The problem only happens when I put both servers in service. We are using NTLM and not basic authentication. Would outlooksession be more appropriate than using the authorization header? How would I determine where it is breaking down?
01-15-2014 09:34 AM
Hi Andrew,
You can take a pcap on the ACE and the MS server and decrypt it in Wireshark, which should show what is actually going on. It looks like a persistence issue since it works with one server. Not sure about the authentication stuff. Never worked on it. Sorry. Maybe someone else has a better idea about it.
Regards,
Kanwal
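Added example, not part of the thread or of any Cisco tooling: one way to test the persistence hypothesis once the server-side capture suggested above has been decrypted and its HTTP requests exported. The records are constructed and the field names are assumptions; `client` is taken from the X-Forwarded-For header that the posted action-list inserts, because the posted config source-NATs connections to 10.0.14.6.

```python
from collections import defaultdict

# Constructed sample records, one per decrypted HTTP request seen on the
# server side of the ACE. Field names are assumptions for this example.
#   client: X-Forwarded-For value    server: rserver IP that got the request
#   ua:     User-Agent header        auth:   Authorization header value
RECORDS = [
    {"client": "198.51.100.20", "ua": "MSRPC", "auth": "NTLM constructed-A1", "server": "10.0.14.11"},
    {"client": "198.51.100.20", "ua": "MSRPC", "auth": "NTLM constructed-A2", "server": "10.0.14.12"},
    {"client": "198.51.100.20", "ua": "MSRPC", "auth": "NTLM constructed-A2", "server": "10.0.14.12"},
    {"client": "198.51.100.21", "ua": "MSRPC", "auth": "NTLM constructed-B1", "server": "10.0.14.12"},
    {"client": "198.51.100.21", "ua": "MSRPC", "auth": "NTLM constructed-B1", "server": "10.0.14.12"},
    {"client": "198.51.100.22", "ua": "Mozilla/5.0", "auth": "", "server": "10.0.14.11"},
    {"client": "198.51.100.22", "ua": "Mozilla/5.0", "auth": "", "server": "10.0.14.12"},
]


def persistence_report(records, ua_marker="MSRPC"):
    """Summarise, per client, where its Outlook Anywhere requests landed.

    split          -> the client's requests reached more than one rserver
    auth_values    -> number of distinct Authorization values the client sent
    key_consistent -> every single Authorization value mapped to one rserver,
                      i.e. the sticky key itself behaved consistently
    """
    servers = defaultdict(set)       # client -> rservers seen
    auth_values = defaultdict(set)   # client -> Authorization values seen
    by_key = defaultdict(set)        # (client, auth) -> rservers seen
    for rec in records:
        if ua_marker not in rec["ua"]:
            continue                 # same selector as the OutlookAnywhere match
        servers[rec["client"]].add(rec["server"])
        by_key[(rec["client"], rec["auth"])].add(rec["server"])
        if rec["auth"]:
            auth_values[rec["client"]].add(rec["auth"])
    return {
        client: {
            "servers": sorted(seen),
            "split": len(seen) > 1,
            "auth_values": len(auth_values[client]),
            "key_consistent": all(
                len(s) == 1 for (c, _), s in by_key.items() if c == client
            ),
        }
        for client, seen in servers.items()
    }


def split_clients(records):
    """Clients whose Outlook Anywhere requests were spread across rservers."""
    return sorted(c for c, v in persistence_report(records).items() if v["split"])
```

A client that is `split` while `key_consistent` is true sent more than one Authorization value and each value stuck to its own server; a client with `key_consistent` false had the same value reach different servers.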