Encrypted MAPI on WAAS 5.0.3a I need a little help with troubles

Natalie Ramirez · ‎12-12-2012

So, I stumbled upon this portion of the 5.0.1 configuration guide that spells out step by step how to configure encrypted mapi acceleration:

http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v501/configuration/guide/policy.html#wp1260556

1. Configure DNS settings - Done

2. Configure NTP settings - Done

3. Verify WAE devices are registered and online with the WAAS Central Manager - Done

4. Configure SSL Peering Service - Did this, seems to be working, but it would be great if someone could provide me with some show commands that will verify this is configured properly.

5. Verify WAN Secure mode is enabled - Did this, but the command "show accelerator wansecure" shows it is enabled and running, but seems like useless information, anyone know any better commands to verify this? No tcp session are coming up wansecure...

6. Configure windows domain settings and perform domain join - I did this on the Data Center WAE-674 only, the computer account was created in the domain.

7. Configure domain identities - Ok, I was a little confused here, but I used the machine account name that I created in the previous step, seems to be working, the lack of explanation/troubleshooting at this point is very frustrating. The image shown uses a different name than the device name in the picture...

8. Enable Windows Domain Encrypted Service - Done, very strait forward

9. Enable Encrypted MAPI Traffic Optimization - Done, also very strait forward

So, from the WAE, I run the command "show stat conn" I still see the TG connections with 0.00% to the mail server. Called user, had them exit from (and I verified session closed) and reconnect to exchange, still TG 0.00%. Not sure if this one was useful or not, but "show stat conn | inc W" no sessions with W.

I did find that this command "show windows-domain encryption-service keylist" seems to be the most useful (even though I didn't find it on any Cisco support page, found it by stumbling through available commands, trying each one in turn) showing the two requests to the two exchange servers were successful. Which makes me think I did something right, who knows exactly what since the EMAPI is still not decrypted.

I have no errors showing on the CM Management console. I did have some errors pop up when I was generating the self signed certificates, but they all cleared when I finished all the devices. I am going to reboot the WAE tonight and see if things start picking up tomorrow or if I get any errors after reboot.

I am hoping that someone has some good show commands or debug commands that will point to where or what the problem is.

Natalie Ramirez · ‎12-13-2012

Ok, I got it working. Well, it is meeting the criteria I specified above anyway.

1. to verify your SSL is working properly: "show crypto ssl services host peering"

2. Wansecure is enabled/disabled, there is no verification, very strait forward.

3. DO use the computer account you create when you join the domain as the machine account.

Show commands to verify you did everything correctly:

"accelerator mapi verify encryption-settings"

"show windows-domain encryption-service keylist"

If you did everything correctly, you should get keys from the exchange server(s).

Now, the issue I ran into. Our 2 exchange servers are both behind a Citrix Netscaler for load balancing. If a user connects directly to the exchange servers, it works, if they connect to the netscaler, it fails to accelerate. I can not get a key from the netscaler, not sure if there is a way to manually exchange keys and force the to devices to trust each other. Anyone who may have seen this, your help would be greatly appreciated.

Just to clarify, MAPI acceleration works fine through the netscaler, it is just the EMAPI that fails. EMAPI and MAPI both work fine through exchange, but then I lose the load balancing the netscaler provides.

TCAM · ‎12-13-2012

I tried to enable eMAPI in 5.01 release but it failed. CM received many "digital signing alarm". Cisco said that eMAPI is not offically support in 5.01, it was a beta test for few customers only. Seeing your posts, it sounds like that you have it up and running in 5.0 3 release except the loading balancing issue. Great work! Btw, what does performance look like?

Natalie Ramirez · ‎12-14-2012

That is why I created this post, so others would see that it is a working feature. Unfortunatly, the only connections that get the wan secure mail acceleration are connections to public folders, so it is really almost no difference. The users that are getting the public folder acceleration for one connection, still have two connections to the netscaler for their mail box that are getting no acceleration.

Btw, that digital signing alarm is fixed in step 4 in the configuration link above. You must create a self signed cert on each WAAS devices in your network. And you can not enable the feature until you get everything else done, or it will just error out. Type the command "show crypto ssl services host peering" To verify once you get all your certs installed.

Jan Rockstedt · ‎01-04-2013

Have you tried 5.1.1 ?

Michael Korenbaum · ‎01-04-2013

Just posted a good troubleshooting document which explains how to setup eMAPI, troubleshooting steps, and common problems seen in the field.

eMAPI should work just fine in 5.0.3 and later.

Natalie Ramirez · ‎02-21-2013

I went to 5.1.1, same issue with the citrix load balancer not accelerating traffic, and another issue popped up where users surfing the web got a popup requesting authentication for every web page they went to, they could cancel out and get the page to load, but you know a single page can have 30 links to advertisers and such, so they would get 30 popups... I went back to 5.0.3

jlamousn · ‎02-21-2013

Beau,

FYI, the login pop up issue your users experienced after upgrade to 5.1.1 is due to the following software defect

CSCue25543:

Symptom:

 URL over 255 characters and WAE improperly caches in metadatacache and serves back to clients a 401 Authorization Required 

Conditions:

httpao with accelerator http metadatacache unauthorized-response enabled. (default)

Workaround:

no accelerator http metadatacache unauthorized-response enable

Joel Lamousnery
CCIE R&S - 36768
Engineer, Customer Support
Technical Services

Joel Lamousnery CCIE R&S - 36768 Engineer, Customer Support Technical Services

WILLIAM STEGMAN · ‎09-16-2013

Beau, with regard to the domain identities portion of the config, the guide reads:

"Step 7 Configure domain identities. (Not required for branch WAEs.)"

However, later in the same step it reads:

"To configure an identity for a machine account, follow these steps:

From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name)
From the menu, choose Configure > Security > Windows Domain > Encrypted Services. The Encrypted Services window appears.
Click the Add Domain Identity button to add a machine account domain identity. Every WAAS device to be accelerated must have a domain identity."

Are you able to offer any clarity on what appears to me to be a contradiction? I'm not sure if every waas, both branch and server side, need a domain identity or not.

thank you

jlamousn · ‎09-16-2013

Branch waas does not need a domain identity. Branch waas will not be retrieving the keys from Active Directory, only the core waas would do that. This is why it is not necessary to configure an identiy or join branch waas to domain.

Joel Lamousnery
CCIE R&S - 36768
Engineer, Customer Support
Technical Services

Joel Lamousnery CCIE R&S - 36768 Engineer, Customer Support Technical Services

Encrypted MAPI on WAAS 5.0.3a I need a little help with troubleshooting