DEPLOYMENT GUIDE
Version 1.1

Deploying F5 with Microsoft Exchange Server 2010




Table of Contents

Deploying F5 devices with Microsoft Exchange Server 2010
  Product versions and revision history ..... 1-1

Configuring F5 devices with the Exchange Server 2010 Client Access role
  Configuration example ..... 1-3
  Using the configuration table ..... 1-4
  Connecting to the BIG-IP device ..... 1-6
  Performing the initial configuration tasks ..... 1-6
    Creating a VLAN ..... 1-6
    Creating a self IP ..... 1-7
    Creating a SNAT ..... 1-8
  Configuring the BIG-IP LTM for Outlook Web App ..... 1-11
    Creating HTTP health monitor ..... 1-11
    Creating the pool ..... 1-12
    Configuring the BIG-IP LTM for SSL offload ..... 1-14
    Creating the profiles ..... 1-15
    Creating the iRules ..... 1-20
    Creating the OWA virtual servers ..... 1-22
  Configuring the WebAccelerator Outlook Web App ..... 1-26
    Prerequisites and configuration notes ..... 1-26
  Configuring the BIG-IP LTM for Outlook Anywhere ..... 1-30
    Configuring SSL Certificates for Outlook Anywhere ..... 1-30
    Creating the HTTP health monitor ..... 1-30
    Creating the Outlook Anywhere pool ..... 1-30
    Creating the Outlook Anywhere persistence iRule ..... 1-31
    Creating the profiles ..... 1-31
  Configuring the BIG-IP LTM for ActiveSync ..... 1-34
    Creating the HTTP health monitor ..... 1-34
    Creating the ActiveSync pool ..... 1-34
    Creating the profiles ..... 1-34
  Configuring the BIG-IP LTM to support Outlook Web App, Outlook Anywhere, and Active Sync using a single virtual server ..... 1-36
    Using one pool for all HTTP services, with no WebAccelerator ..... 1-37
    Using different pools for each service and using the WebAccelerator ..... 1-39
  Configuring the BIG-IP LTM for RPC Client Access ..... 1-42
    Prerequisites ..... 1-42
    Creating the TCP health monitor ..... 1-42
    Creating the RPC Client Access pool ..... 1-43
    Creating the profiles ..... 1-44
  Configuring the BIG-IP LTM for POP3 and IMAP4 ..... 1-45
    Configuring the BIG-IP LTM for IMAP4 ..... 1-45
    Configuring the BIG-IP system for POP3 ..... 1-48
  Configuring the FirePass controller for Exchange Server 2010 ..... 1-51
    Prerequisites and configuration notes ..... 1-51
    Configuration scenario ..... 1-51
    Connecting to the FirePass controller ..... 1-52
    Creating groups on the FirePass controller ..... 1-52
    Configuring auto-logon ..... 1-55
    Configuring Outlook Web Access through the FirePass device ..... 1-56
    Configuring Mobile Email for HTML-based access to email ..... 1-57
    Configuring Network Access to the Exchange server ..... 1-58
    Configuring Endpoint security ..... 1-59

Deploying F5 and Microsoft Exchange Server 2010 Edge Transport Servers
  Prerequisites and configuration notes ..... 2-1
  Configuration example ..... 2-1
  Configuring the BIG-IP for deployment with Edge Transport Servers ..... 2-3
    Connecting to the BIG-IP device ..... 2-3
    Creating the health monitor ..... 2-4
    Creating the pool ..... 2-5
    Creating a tcp profile ..... 2-6
    Creating the virtual server ..... 2-7
    Synchronizing the BIG-IP configuration if using a redundant system ..... 2-9
  Configuring the Message Security Module with Edge Transport Servers ..... 2-10
    Prerequisites and configuration notes ..... 2-10
    Accessing the Configuration utility ..... 2-10
    Configuring MSM to manage traffic to your Edge Transport Servers ..... 2-11
    Creating the pools ..... 2-12
    Modifying the names of variables in the MSM_config data group ..... 2-13
    Modifying the virtual server ..... 2-17
  Configuring the BIG-IP GTM with Edge Transport Servers ..... 2-19
    Configuring a self IP address on the BIG-IP LTM ..... 2-19
    Creating a Listener on the GTM ..... 2-20
    Creating data centers on the GTM system ..... 2-21
    Creating the monitor ..... 2-22
    Creating Servers for the data center ..... 2-22
    Creating a GTM pool ..... 2-24
    Creating a wide IP on the GTM ..... 2-26
    Configuring the Wide IP as an MX record using ZoneRunner ..... 2-27

Deploying the BIG-IP WOM and Mailbox Database Availability Groups
  Prerequisites and configuration notes ..... 3-1
  Configuring the WAN optimization module ..... 3-2
    Creating the iSession profile ..... 3-4
    Creating the WAN Optimization policy ..... 3-5

Deploying F5 and Microsoft Exchange Server 2010 Hub Transport Servers
  Prerequisites and configuration notes ..... 4-1
  Configuring the WAN optimization module ..... 4-2
    Creating the iSession profile ..... 4-4
    Creating the WAN Optimization policy ..... 4-4

Deploying the F5 Management Pack with Microsoft Exchange Server 2010
  Prerequisites and system requirements ..... 5-1
  Integrating the F5 Management Pack with Exchange Server 2010 ..... 5-2
  Downloading and installing the Management pack ..... 5-3
  Creating a Distributed Application Health Model ..... 5-6
  Discovering the Exchange CAS servers ..... 5-7
  Creating a distributed application ..... 5-8

1
Deploying F5 with Microsoft Exchange Server 2010

• Deploying F5 devices with Microsoft Exchange Server 2010
• Performing the initial configuration tasks
• Configuring the BIG-IP LTM for Outlook Web App
• Configuring the BIG-IP LTM for Outlook Anywhere
• Configuring the BIG-IP LTM for ActiveSync
• Configuring the BIG-IP LTM for RPC Client Access
• Configuring the BIG-IP LTM for POP3 and IMAP4
• Configuring the FirePass controller for Exchange Server 2010

Deploying F5 devices with Microsoft Exchange Server 2010

Welcome to the F5 deployment guide for Microsoft® Exchange Server 2010. This guide contains detailed procedures on configuring F5 devices with the different components of Exchange Server 2010. This deployment guide contains the following chapters:

• Configuring F5 devices with the Microsoft Exchange Server 2010 Client Access role, on page 1-2
• Deploying F5 and Microsoft Exchange Server 2010 Edge Transport Servers, on page 2-1
• Deploying the BIG-IP WOM and Mailbox Database Availability Groups, on page 3-1
• Deploying F5 and Microsoft Exchange Server 2010 Hub Transport Servers, on page 4-1
• Deploying the F5 Management Pack with Microsoft Exchange Server 2010, on page 5-1

For more information on the F5 devices included in this guide, see http://www.f5.com/products/.

You can also visit the Microsoft page of F5's online developer community, DevCentral, for Microsoft forums, solutions, blogs and more: http://devcentral.f5.com/Default.aspx?tabid=89.

For more information on Microsoft Exchange Server 2010, see http://www.microsoft.com/exchange/2010/en/us/default.aspx



Product versions and revision history

Product and versions tested for this deployment guide:

  Product Tested              Version Tested
  BIG-IP LTM                  v10.0.1, v10.1 (applies to v9.4.7 and later)
  Microsoft Exchange Server   2010 only

Revision history:

  Document Version   Description
  1.0                New deployment guide
  1.1                Added support for BIG-IP v10.1. Replaced previous guidance with BIG-IP WOM configuration for DAG and Hub Transport.




Configuring F5 devices with the Microsoft Exchange Server 2010 Client Access role

This chapter gives you step-by-step procedures for configuring the BIG-IP system, including the Local Traffic Manager (LTM) and WebAccelerator, for deployment with the Client Access server role of Microsoft Exchange Server 2010.

The Client Access server role supports the following client connectivity services for mailboxes, public folders, calendar items, the Global Address list and related data:

◆ Outlook Web App (previously known as Outlook Web Access) provides access for web browsers such as Microsoft Internet Explorer, Mozilla Firefox, or Apple Safari; the related Outlook Web App Light is a web interface optimized for mobile or other slow connections.
◆ Outlook Anywhere allows Exchange access via the Microsoft Outlook 2010 client by tunneling Outlook's MAPI protocol over an HTTP connection.
◆ ActiveSync provides access, primarily to mobile devices, that implement the ActiveSync client libraries, also using HTTP as a transport.
◆ RPC Client Access, new to Exchange Server 2010, provides traditional "native" access to Exchange mailboxes via MAPI (Messaging API), but moves the connectivity point from the Mailbox server role to Client Access.
◆ POP3 (Post Office Protocol version 3) and IMAP4 (Internet Message Access Protocol version 4rev1) are available for email clients that do not support any of the previous protocols.

We describe the procedures for configuring the F5 BIG-IP LTM system, the WebAccelerator module, and the FirePass controller. While we recommend using all of these products together with Exchange Server 2010 Client Access Servers, it is not required. Simply use the sections for the products you have.

For more information on the Client Access Server role, see technet.microsoft.com/en-us/library/bb124915%28EXCHG.140%29.aspx


Prerequisites and configuration notes

The following are general prerequisites for this deployment; each section contains specific prerequisites:

• This guide is written for the Client Access Server component of Microsoft Exchange Server 2010. Although most of the guidance will work with Exchange Server 2007, you should use the appropriate deployment guide for that version, or the application template included with BIG-IP LTM version 10.0 and later.




• For advanced administrators very familiar with F5 devices and Exchange Server 2010, Using the configuration table, on page 1-4, contains a table of the Exchange 2010 Server roles and the associated BIG-IP configuration objects.
• All of the configuration procedures in this document are performed on F5 devices. For information on how to deploy or configure the components of Microsoft Exchange Server 2010, consult the appropriate Microsoft documentation. F5 cannot provide support for Microsoft products.
• The BIG-IP LTM system must be running version 9.0 or later. We strongly recommend using version 9.4 or later. Examples shown are from a version 10.0 system, but in the majority of cases (other than minor interface differences) are applicable to version 9.x systems as well. We note all cases where a feature is unique to a particular version of BIG-IP.
• We recommend you save your existing BIG-IP configuration before you begin the procedures in this Deployment Guide. For information, refer to the appropriate BIG-IP LTM manual, available on Ask F5.



Configuration example

In the following diagram, we show connectivity options for several types of clients to the same Exchange Server 2010 Client Access servers. Users may connect via a Firepass SSL VPN device to access the internal networks, and from there to an F5 BIG-IP LTM system that load-balances the client access servers. Alternately, users who are not using the Firepass VPN may connect directly to the LTM systems via secure connections (HTTPS, POP3S, or IMAPS, depending on choice of web browser or email client). In all cases, the LTM offloads all SSL processing from the Exchange Client Access servers. Your implementation may be different from the one shown in Figure 1.1 on the following page.




[Figure 1.1 BIG-IP Client Access Server logical configuration example. Diagram labels: VPN Clients reach a FirePass SSL VPN over HTTPS; Non-VPN Clients reach the Internet using HTTPS, POP3S, IMAPS, and MAPI. Both paths lead to Exchange Service Delivery Location (SDL) A and Exchange Service Delivery Location (SDL) B, each with a BIG-IP LTM with WebAccelerator that forwards HTTP, POP3, IMAP4, and MAPI to Multiple Client Access Servers.]

Figure 1.1 BIG-IP Client Access Server logical configuration example



Using the configuration table

The table on the following page contains a list of the BIG-IP configuration objects that are a part of this deployment. It is provided for reference, but advanced users extremely familiar with the BIG-IP system can use it rather than relying on the step-by-step configuration procedures that follow. If you find the table does not contain enough information for you to configure an individual object, see the appropriate detailed section. The table does not contain the initial configuration steps of creating VLANs or Self IP addresses; see Performing the initial configuration tasks, on page 1-6.

Note

This table is for users configuring separate virtual servers for each of the Client Access roles that use HTTP. For configuring a single virtual server for Outlook Web App, Outlook Anywhere, and ActiveSync, see Configuring the BIG-IP LTM to support Outlook Web App, Outlook Anywhere, and Active Sync using a single virtual server, on page 1-36.




Table 1.1 Exchange 2010 configuration table

Columns: Client Access Server Role | Monitor | Pool Port | iRule | Profiles | VIP Port/Notes

Outlook Web App (for detailed instructions, see Configuring the BIG-IP LTM for Outlook Web App, on page 1-11)
  Monitor:         HTTP
  Pool Port:       80
  iRule:           Append (pg 1-21); redirect* (pg 1-21)
  Profiles:        HTTP (Redirect Rewrite: Match & Keep Accept Encoding); TCP (LAN* & WAN*); Client SSL; OneConnect; Cookie
  VIP Port/Notes:  443; SNAT Pool: Automap**; 80* if using redirect iRule

Outlook Anywhere (see Configuring the BIG-IP LTM for Outlook Anywhere, on page 1-30)
  Monitor:         HTTP
  Pool Port:       80
  iRule:           OA Persist (pg 1-31)
  Profiles:        HTTP (Redirect Rewrite: Match & Keep Accept Encoding); TCP (LAN* & WAN*); Client SSL; OneConnect; Universal Persistence using iRule
  VIP Port/Notes:  443; SNAT Pool: Automap**

ActiveSync (see Configuring the BIG-IP LTM for ActiveSync, on page 1-34)
  Monitor:         HTTP
  Pool Port:       80
  iRule:           N/A
  Profiles:        HTTP (Redirect Rewrite: Match & Keep Accept Encoding); TCP (LAN* & WAN*); Client SSL; OneConnect
  VIP Port/Notes:  443; SNAT Pool: Automap**

RPC Client Access*** (see Configuring the BIG-IP LTM for RPC Client Access, on page 1-42)
  Monitor:         RPC
  Pool Port:       All Services
  iRule:           N/A
  Profiles:        TCP (LAN* & WAN*); OneConnect; Source Address Affinity (source_addr) persistence
  VIP Port/Notes:  All Ports; SNAT Pool: Automap**

POP3 (see Configuring the BIG-IP LTM for POP3 and IMAP4, on page 1-45)
  Monitor:         POP3
  Pool Port:       110
  iRule:           N/A
  Profiles:        TCP (LAN* & WAN*); Client SSL; OneConnect
  VIP Port/Notes:  993; SNAT Pool: Automap**

IMAP4 (see Configuring the BIG-IP LTM for POP3 and IMAP4, on page 1-45)
  Monitor:         IMAP
  Pool Port:       143
  iRule:           N/A
  Profiles:        TCP (LAN* & WAN*); Client SSL; OneConnect
  VIP Port/Notes:  995; SNAT Pool: Automap**

*   Optional
**  If you have more than 65,000 users, you use the SNAT pool you created
*** For RPC Client Access: In Exchange Server 2010, you must configure a Client Access Array for your site to use the FQDN that you have set to resolve to the IP address of your BIG-IP LTM virtual server, and you must update existing mailbox database attributes to use that Array.

Important

Remember, this table does not contain the initial configuration steps of creating VLANs or Self IP addresses; see Performing the initial configuration tasks, on page 1-6.
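The following tmsh configuration is an added example and is not part of the F5 guide; it expresses the Outlook Web App row of Table 1.1 (HTTP monitor, port 80 pool, the listed profiles, the optional HTTP-to-HTTPS redirect iRule, and the port 443 and port 80 virtual servers with SNAT Automap) together with the VLAN and self IP the table omits. Object names, IP addresses and certificate file names are assumptions; interface 1.14 and the VLAN name clientaccess-vlan come from the VLAN procedure later in this chapter. The syntax is the later tmsh form (BIG-IP v11 and later); the versions this guide tests (v10.0.1, v10.1) build the same objects through the Configuration utility and use slightly different tmsh keywords. The Keep Accept Encoding setting and the Append iRule are left out because their definitions are on page 1-21, which is outside this section.

```tmsh
# Added example, not from the F5 deployment guide. Names and addresses are assumptions.

# Initial configuration objects the table omits: one VLAN on interface 1.14
# (one-armed configuration) and a self IP on it. A routed configuration
# repeats these for an external and an internal VLAN.
net vlan clientaccess-vlan {
    interfaces {
        1.14 { }
    }
}
net self 10.10.10.5 {
    address 10.10.10.5/24
    vlan clientaccess-vlan
    allow-service default
}

# HTTP health monitor for the Client Access servers (Table 1.1, Monitor column).
# The receive string that matches an OWA response is set in the Outlook Web App section.
ltm monitor http owa_http_monitor {
    defaults-from http
    interval 30
    timeout 91
}

# Pool of Client Access servers on port 80: SSL is terminated on the LTM,
# so the server side of the connection is plain HTTP (Pool Port column).
ltm pool owa_pool {
    monitor owa_http_monitor
    load-balancing-mode least-connections-member
    members {
        10.10.10.11:80 { address 10.10.10.11 }
        10.10.10.12:80 { address 10.10.10.12 }
    }
}

# Profiles column: HTTP with Redirect Rewrite set to Matching, LAN- and
# WAN-optimized TCP, client SSL with the OWA certificate, OneConnect, Cookie.
ltm profile http owa_http {
    defaults-from http
    redirect-rewrite matching
}
ltm profile tcp owa_tcp_lan {
    defaults-from tcp-lan-optimized
}
ltm profile tcp owa_tcp_wan {
    defaults-from tcp-wan-optimized
}
ltm profile client-ssl owa_clientssl {
    defaults-from clientssl
    cert owa.crt          # placeholder: certificate and key imported for the OWA host name
    key owa.key
}
ltm profile one-connect owa_oneconnect {
    defaults-from oneconnect
    source-mask 255.255.255.255
}
ltm persistence cookie owa_cookie {
    defaults-from cookie
}

# Optional redirect iRule (iRule column): send plain HTTP requests to HTTPS.
ltm rule owa_redirect {
    when HTTP_REQUEST {
        HTTP::redirect "https://[HTTP::host][HTTP::uri]"
    }
}

# VIP Port/Notes column: port 443 virtual server with SNAT Automap. The WAN
# TCP profile faces clients, the LAN profile faces the Client Access servers.
ltm virtual owa_https_vs {
    destination 10.10.10.100:443
    ip-protocol tcp
    pool owa_pool
    profiles {
        owa_clientssl { context clientside }
        owa_tcp_wan { context clientside }
        owa_tcp_lan { context serverside }
        owa_http { }
        owa_oneconnect { }
    }
    persist {
        owa_cookie { default yes }
    }
    source-address-translation { type automap }
}

# Optional port 80 virtual server that only runs the redirect iRule (no pool).
ltm virtual owa_http_redirect_vs {
    destination 10.10.10.100:80
    ip-protocol tcp
    profiles {
        tcp { }
        http { }
    }
    rules { owa_redirect }
}

# Footnote **: above roughly 65,000 concurrent connections a single automap
# address runs out of source ports, so define a SNAT pool and reference it
# instead of automap:
#   ltm snatpool owa_snatpool { members { 10.10.10.21 10.10.10.22 } }
#   source-address-translation { type snat pool owa_snatpool }
```

Loading this with the config merge facility of tmsh creates the objects in one step; the page-by-page procedures that follow produce the same result through the Configuration utility. Splitting the TCP profiles by context and terminating SSL only on the client side matches the guide's statement that the LTM offloads all SSL processing from the Client Access servers.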




Connecting to the BIG-IP device

Use the following procedure to access the BIG-IP web-based Configuration utility using a web browser.

To connect to the BIG-IP LTM system using the Configuration utility

1. In a browser, type the following URL: https://<administrative IP address of the BIG-IP device>. A Security Alert dialog box appears; click Yes.
2. Type your user name and password, and click OK. The Welcome screen opens.

Once you are logged onto the BIG-IP LTM system, the Welcome screen of the new Configuration utility opens. From the Configuration utility, you can configure and monitor the BIG-IP LTM system, as well as access online help, download SNMP MIBs and Plug-ins, and even search for specific objects.




Performing the initial configuration tasks

In this section, we configure the BIG-IP LTM with the required VLAN and Self IP address information. Complete these procedures only if you have not already configured these objects on the BIG-IP LTM.



Creating a VLAN

The first procedure in this deployment is to create a VLAN on the BIG-IP LTM system. Depending on the desired network architecture, you may have one or multiple VLANs associated with the BIG-IP LTM configuration:

◆ One armed configuration
  When the clients reside on the same network as the Client Access servers, or you wish to have your BIG-IP LTM virtual servers reside on the same network as your Client Access servers, you only need one VLAN. This is also known as a one armed configuration. You need to provide a SNAT (source network address translation) in this configuration, as detailed later in this guide.

Note

In an extremely large-scale deployment, where you anticipate more than 65,000 simultaneous connections to the Client Access systems, you need to configure more than one SNAT address on the BIG-IP LTM (a SNAT Pool). See Configuring a SNAT for large deployments, on page 1-9.




F5® Deployment Guide                                                                           1-6
                     ◆   Routed configuration
                         A more common example is when the clients and the IP addresses of
                         your BIG-IP LTM virtual servers reside on a different network than the
                         Client Access servers. In this case, you will need an external VLAN for
                         the incoming clients, and an internal VLAN for the Client Access
                         servers. This is known as a routed configuration.

                     To create a VLAN
                          1. On the Main tab, expand Network, and then click VLANs.
                             The VLANs screen opens.
                          2. Click the Create button.
                             The new VLAN screen opens.
                          3. In the Name box, type a unique name for the VLAN. In our
                             example we use clientaccess-vlan.
                          4. In the Tag box, you can optionally type a tag. In our example, we
                             leave this blank, and the BIG-IP LTM automatically assigns a tag.
                          5. In the Resources section, from the Available list, select the interface
                             that will have access to tagged traffic, and add it to the Untagged
                             box by clicking the Add (<<) button.
                             In our example, we select 1.14.
                          6. Click the Finished button.
                     In a routed configuration, you will have at least two VLANs; use the
                     preceding procedure for each one. Give each VLAN a distinct name (such
                     as clientaccess-internal-vlan and clientaccess-external-vlan), and assign
                     each to the interfaces through which that VLAN's traffic should flow.



Creating a self IP
                     Self IP addresses are the IP addresses owned by the BIG-IP LTM system
                     that you use to access the internal and external VLANs. The next step in this
                     configuration is to create a self IP address for the VLAN we created in the
                     preceding procedure.

                     To create a self IP address
                          1. On the Main tab, expand Network, and then click Self IPs.
                             The Self IP screen opens.
                          2. Click the Create button.
                             The new Self IP screen opens.
                          3. In the IP Address box, type a static IP address that resides on the
                             VLAN you created in the preceding procedure. Note that this needs
                             to be on the same network as the Client Access servers. In our
                             example, we use 10.133.20.10.
                          4. In the Netmask box, type the corresponding subnet mask.
                             In our example, we use 255.255.255.0.


                           5. From the VLAN list, select the VLAN you created in Creating a
                              VLAN. In our example, we select clientaccess-vlan.
                           6. Click the Finished button. The new self IP address appears in the
                              list.
                           7. In a routed configuration, repeat this procedure to create a Self IP
                              address for each of the VLANs you created.



Creating a SNAT
                       In a one-armed configuration, a SNAT allows BIG-IP virtual servers to exist
                       on the same IP subnet as the Client Access hosts.
                       In both routed and one-armed configurations, a SNAT allows the Client
                       Access servers to use the BIG-IP LTM as a gateway to other networks
                       (including the Internet).
                       A default SNAT is appropriate for most deployments. If more than 65,000
                       simultaneous users are connecting to the Client Access Servers, see
                       Configuring a SNAT for large deployments, on page 1-9.
                       Use the procedure most applicable to your deployment.


To create a default SNAT for small or medium deployments
                       Use this procedure if your Exchange Server 2010 Client Access deployment
                       has fewer than 65,000 simultaneous users.

                       To create a default SNAT
                           1. On the Main tab, expand Local Traffic, and then click SNATs.
                              The SNATs screen opens.
                           2. In the upper right portion of the screen, click the Create button.
                              The New SNAT screen opens.
                           3. In the Name box, type a name for this SNAT. In our example, we
                              type clientaccess-default-snat.
                           4. From the Translation list, select a setting appropriate for your
                              configuration. In our example, we select Automap.
                           5. From the VLAN Traffic list, select Enabled on.
                           6. In the VLAN List row, from the Available list, select the VLANs on
                              which your Client Access devices reside, and click the Add (<<)
                              button. In our example, we select clientaccess-external-vlan.
                           7. Click the Finished button.




Configuring a SNAT for large deployments
                    For very large deployments (more than 65,000 simultaneous users), we
                    create a SNAT pool. A SNAT pool is a pool of at least one otherwise-unused
                    address on the same subnet as the BIG-IP virtual servers and Client Access
                    Servers. You must have one IP address in your SNAT pool for each 65,000
                    clients (or fraction thereof).

                      Important
                    This procedure is only necessary for large deployments. If your Client
                    Access Server deployment has fewer than 65,000 simultaneous users, you do
                    not need to create a SNAT pool. Use the previous procedure.

                    To create a SNAT pool for large deployments
                        1. On the Main tab, expand Local Traffic, and then click SNATs. The
                           SNATs screen opens.
                        2. On the Menu bar, click SNAT Pool List.
                        3. In the upper right portion of the screen, click the Create button. The
                           New SNAT Pool screen opens.
                        4. In the Name box, type a name for this SNAT Pool. In our example,
                           we type clientaccess-snat-pool.
                        5. In the IP Address box, type in a valid and otherwise-unused address
                           on the subnet containing your Client Access servers, and click the
                           Add button. In our example, we type 10.133.53.110.
                            Repeat this step for each additional address needed. At least one
                            address should be added for each 65,000 anticipated concurrent
                            connections (the number of connections generally corresponds to the
                            number of clients). In our example, we add 10.133.53.111.
                        6. Click the Finished button.
                    The next part of the SNAT pool configuration is to configure a default
                    SNAT that uses the SNAT pool.
                        7. On the Main tab, expand Local Traffic, and then click SNATs.
                           The SNATs screen opens.
                        8. In the upper right portion of the screen, click the Create button.
                           The New SNAT screen opens.
                        9. In the Name box, type a name for this SNAT.
                           In our example, we type clientaccess-default-snat.
                       10. From the Translation list, select SNAT Pool.
                       11. From the Select list, select the name of the SNAT pool you created
                           in the preceding procedure. In our example, we select
                           clientaccess-snat-pool.
                       12. From the VLAN Traffic list, select Enabled on.




                          13. In the VLAN List row, from the Available list, select the VLANs
                              on which your Client Access devices reside, and click the Add (<<)
                              button. In our example, we select clientaccess-internal-vlan.
                          14. Click the Finished button.
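The sizing rule behind this procedure (one translation address per 65,000 concurrent connections) follows from the fact that a single translation address has only one 16-bit source-port space towards any given destination. The following Python model is added here and is not part of the guide or of F5's software: it hands out (translation address, source port) pairs the way a SNAT pool must, and refuses a new connection once every member's ports towards that destination are in use. The pool member addresses come from the guide's example; the destination, the tiny port budget used in the demonstration and the reserved-port assumption are constructed.

```python
import math
from collections import deque

# The guide's rule: one translation address per 65,000 concurrent
# connections (or fraction thereof).  A translation address has a single
# 16-bit source-port space towards any one destination, which is what caps
# the number of simultaneous translated connections it can carry.
CONNECTIONS_PER_SNAT_ADDRESS = 65_000

# Assumption for this model: ports below 1024 are never used as source
# ports, so each address offers 64,512 ports per destination.
DEFAULT_PORTS_PER_ADDRESS = 65_536 - 1024


def snat_addresses_needed(concurrent_connections: int) -> int:
    """Number of SNAT pool members the guide's sizing rule calls for."""
    if concurrent_connections <= 0:
        return 0
    return math.ceil(concurrent_connections / CONNECTIONS_PER_SNAT_ADDRESS)


class SnatPool:
    """Simplified SNAT pool: every (translation address, destination) pair
    owns its own supply of source ports and each connection consumes one.
    This illustrates the sizing rule; it is not BIG-IP code."""

    def __init__(self, members, ports_per_address=DEFAULT_PORTS_PER_ADDRESS):
        self.members = list(members)
        self.ports_per_address = ports_per_address
        self._free = {}          # (snat_ip, destination) -> free source ports
        self.active = 0

    def _free_ports(self, snat_ip, destination):
        key = (snat_ip, destination)
        if key not in self._free:
            first = 65_536 - self.ports_per_address
            self._free[key] = deque(range(first, 65_536))
        return self._free[key]

    def capacity(self):
        """Translated connections the pool can hold towards one destination."""
        return len(self.members) * self.ports_per_address

    def open(self, destination):
        """Translate a new client connection.  Returns (snat_ip, port), or
        None when every member's port space towards destination is exhausted,
        which is exactly the point at which another pool member is needed."""
        for snat_ip in self.members:
            free = self._free_ports(snat_ip, destination)
            if free:
                self.active += 1
                return snat_ip, free.popleft()
        return None

    def close(self, translation, destination):
        """Give the source port back when the connection ends."""
        snat_ip, port = translation
        self._free_ports(snat_ip, destination).append(port)
        self.active -= 1


if __name__ == "__main__":
    # Constructed demonstration: the guide's two example pool members and a
    # deliberately tiny port budget so that exhaustion is visible.
    pool = SnatPool(["10.133.53.110", "10.133.53.111"], ports_per_address=3)
    cas = "10.133.20.55:80"                 # constructed destination
    for _ in range(7):
        print(pool.open(cas))               # seventh call prints None
    print(snat_addresses_needed(130_000))   # 2
```

Each destination gets its own port space in the model, so the limit is per Client Access server, not across the whole pool; the guide's rule sizes for the worst case where most connections converge on one server and port.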


                       This concludes the initial configuration tasks.




Configuring the BIG-IP LTM for Outlook Web App
                 In this section we detail the steps necessary to configure the BIG-IP LTM
                 system for directing traffic to the Outlook Web App component of the
                 Client Access server. This includes using the BIG-IP LTM system to offload
                 SSL traffic from the servers.
                 Outlook Web App allows authorized users to securely access their Exchange
                 mailboxes through a web browser. By using BIG-IP LTM in front of an
                 Outlook Web App server, you gain the following benefits:
                 • Terminating HTTPS connections at the BIG-IP LTM reduces CPU and
                   memory load on Outlook Web App servers.
                 • Terminating HTTPS connections at the BIG-IP LTM simplifies
                   TLS/SSL certificate management.
                 • The BIG-IP LTM can balance load and ensure high-availability across
                   multiple Outlook Web App servers using a variety of load-balancing
                   methods and priority rules.
                 • The BIG-IP LTM's TCP Express feature set ensures optimal network
                   performance for all clients and servers, regardless of operating system
                   and version.
                 • The BIG-IP LTM provides content compression features which improve
                   client performance.

                    Note

                 To configure the Outlook Web App servers to support SSL offloading,
                 you must first follow the Microsoft documentation.

                 Once you have completed the steps outlined in that document on each of
                 your Outlook Web App servers, you must complete the following
                 procedures.



Creating HTTP health monitor
                 In this section, we create a health monitor for Outlook Web App. This
                 procedure is optional, but very strongly recommended. For this
                 configuration, we use an HTTP monitor, which checks nodes (IP address
                 and port combinations) and can be configured with send and receive
                 strings that request explicit content from each node, so that the monitor
                 verifies not only that the server is up, but that it is serving the proper
                 content.

                 To configure a health monitor
                     1. On the Main tab, expand Local Traffic, and then click Monitors.
                        The Monitors screen opens.
                     2. Click the Create button. The New Monitor screen opens.
                     3. In the Name box, type a name for the Monitor. In our example, we
                        type exch_owa_http.


                           4. From the Type list, select http. The HTTP Monitor configuration
                              options appear.
                           5. In the Configuration section, in the Interval and Timeout boxes,
                              type an Interval and Timeout. We recommend at least a 1:3 +1 ratio
                              between the interval and the timeout (a timeout of three times the
                              interval plus one second). In our example, we use an Interval of
                              30 and a Timeout of 91.
                           6. Optional: In the Send String and Receive String sections, you can
                              add Send and Receive strings specific to the device being checked.
                              In our example, we are using the default IIS configuration, so we
                              use a Send String of iisstart.htm, and expect the Under
                              Construction page to be returned. If you have modified the IIS
                              configuration on the OWA servers, type strings appropriate for your
                              configuration.
                               If the page you are requesting in the Send String requires
                               authentication, type a user name and password in the appropriate
                               boxes.
                           7. Click the Finished button.
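The interval and timeout values in step 5 have a precise meaning: a node is marked down only when the timeout has elapsed since its last good reply, so an interval of 30 and a timeout of 91 tolerate three missed probes and take the server out of rotation when the fourth is due. The following Python class is an added example, not part of the guide or of the BIG-IP monitor implementation: it models that timing logic, builds an HTTP request from a Send String such as iisstart.htm, and checks a reply for the Receive String. The replies and probe timeline at the end are constructed, and the node address is the guide's example server.

```python
import socket


class HttpMonitor:
    """Model of the guide's HTTP health monitor (added example, not BIG-IP
    code).  A node is probed every `interval` seconds and is marked DOWN
    once `timeout` seconds pass without a reply containing `recv`.  With
    the guide's values (interval 30, timeout 91 = 3 x 30 + 1) a node may
    miss three consecutive probes and is marked down when the fourth is
    due, so one lost probe never removes a healthy server from rotation."""

    def __init__(self, send, recv="", interval=30, timeout=91):
        self.send, self.recv = send, recv
        self.interval, self.timeout = interval, timeout
        self.last_success = {}     # node -> time of the last good reply
        self.state = {}            # node -> "UP" or "DOWN"

    @staticmethod
    def build_request(send_string, host="localhost"):
        """Turn the Send String into a full HTTP/1.0 request.  A bare path
        such as iisstart.htm (the guide's example) becomes a GET for it; a
        complete request line is passed through unchanged."""
        if send_string.upper().startswith(("GET ", "HEAD ")):
            return send_string.rstrip("\r\n") + "\r\n\r\n"
        return f"GET /{send_string.lstrip('/')} HTTP/1.0\r\nHost: {host}\r\n\r\n"

    def check_response(self, raw: bytes) -> bool:
        """With a Receive String configured the reply must contain it;
        without one, any reply at all counts as healthy."""
        if not self.recv:
            return bool(raw)
        return self.recv.encode() in raw

    def probe(self, host, port=80, wait=5):
        """Live probe over the network: True only if the node answers with
        the Receive String.  Not exercised by the offline demonstration."""
        try:
            with socket.create_connection((host, port), timeout=wait) as sock:
                sock.sendall(self.build_request(self.send, host).encode())
                raw = b""
                chunk = sock.recv(4096)
                while chunk:
                    raw += chunk
                    chunk = sock.recv(4096)
        except OSError:
            return False
        return self.check_response(raw)

    def record(self, node, ok, now):
        """Fold one probe result taken at time `now` into the node's state."""
        if ok:
            self.last_success[node] = now
            self.state[node] = "UP"
        elif now - self.last_success.get(node, float("-inf")) > self.timeout:
            self.state[node] = "DOWN"
        return self.state.setdefault(node, "DOWN")

    def replay(self, node, probes):
        """Replay (time, ok) probe results and return the state after each."""
        return [self.record(node, ok, t) for t, ok in probes]


# Constructed replies standing in for what an IIS default site returns.
HEALTHY_REPLY = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b"<html><head><title>Under Construction</title></head></html>")
BROKEN_REPLY = (b"HTTP/1.1 503 Service Unavailable\r\n\r\n"
                b"<html>Service Unavailable</html>")

if __name__ == "__main__":
    mon = HttpMonitor(send="iisstart.htm", recv="Under Construction")
    node = "10.133.20.55:80"                  # the guide's example server
    print(mon.build_request("iisstart.htm", "cas1"))
    print(mon.check_response(HEALTHY_REPLY), mon.check_response(BROKEN_REPLY))
    # One good reply, then misses 30 s apart: DOWN only at t=120.
    print(mon.replay(node, [(0, True), (30, False), (60, False),
                            (90, False), (120, False), (150, True)]))
```

The Receive String check is a substring match on the raw reply, status line included, so a 503 page that happens to echo the expected words would still pass; choose a string that only the working page contains.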




                       Figure 1.2 Configuring the health monitor



Creating the pool
                       You must create a pool on the BIG-IP LTM system for the Outlook Web
                       App service. A BIG-IP pool is a set of devices grouped together to receive
                       traffic according to a load balancing method.


         To create the OWA pool
             1. On the Main tab, expand Local Traffic, and then click Pools. The
                Pool screen opens.
             2. In the upper right portion of the screen, click the Create button. The
                New Pool screen opens.
             3. From the Configuration list, select Advanced.
             4. In the Name box, enter a name for your pool. In our example, we
                use exch_owa_pool.
             5. In the Health Monitors section, select the name of the monitor you
                created in the Creating HTTP health monitor section, and click the
                Add (<<) button. In our example, we select exch_owa_http.
             6. In the Slow Ramp Time box, type 300. We set the Ramp Time in
                order to ensure that if a pool member becomes available after
                maintenance or a new member is added, the Least Connections load
                balancing algorithm does not send all new connections to that
                member (a newly available member will always have the least
                number of connections).




         Figure 1.3 Configuring the pool general properties (truncated)


             7. From the Load Balancing Method list, choose your preferred load
                balancing method (different load balancing methods may yield
                optimal results for a particular network). In our example, we select
                Least Connections (node).
             8. For this pool, we leave the Priority Group Activation Disabled.
             9. In the New Members section, make sure the New Address option
                button is selected.
             10. In the Address box, add the first server to the pool. In our example,
                 we type 10.133.20.55.

                          11. In the Service Port box, type the service number you want to use
                              for this device, or specify a service by choosing a service name from
                              the list. In our example, we type 80.
                          12. Click the Add button to add the member to the list.
                          13. Repeat steps 10 and 11 for each server you want to add to the pool.
                          14. Click the Finished button.
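To see why step 6 pairs a Slow Ramp Time with the Least Connections method, the following Python model (an added illustration, not F5's scheduler; the member names, connection counts and arrival pattern are constructed) weights a member that has just come up by how far it is through its ramp window and sends each new connection to the member with the lowest connections-per-weight. Without a ramp, every new connection lands on the returning server until it has caught up; with the guide's 300 second ramp, its share of new connections grows gradually.

```python
class LeastConnectionsPool:
    """Model of a pool using Least Connections with a Slow Ramp Time (an
    added illustration, not F5's scheduler).  A member that has just come
    up is given a weight that climbs linearly from 0 to 1 over the ramp
    window, and each new connection goes to the member with the lowest
    connections-per-weight; once every ramp has finished this is plain
    least connections."""

    def __init__(self, members, slow_ramp_time=300):
        self.conns = {m: 0 for m in members}
        self.available_since = {}   # members still ramping -> time they came up
        self.slow_ramp_time = slow_ramp_time

    def member_up(self, member, now):
        """Member joins or recovers at time `now` with no connections."""
        self.conns[member] = 0
        self.available_since[member] = now

    def member_down(self, member):
        self.conns.pop(member, None)
        self.available_since.pop(member, None)

    def ramp_weight(self, member, now):
        since = self.available_since.get(member)
        if since is None or self.slow_ramp_time <= 0:
            return 1.0
        weight = (now - since) / self.slow_ramp_time
        if weight >= 1.0:
            del self.available_since[member]   # ramp finished
            return 1.0
        return weight

    def select(self, now):
        """Pick the member for a connection arriving at time `now`."""
        best, best_score = None, None
        for member, count in self.conns.items():
            weight = self.ramp_weight(member, now)
            if weight <= 0:
                continue                       # just came up: not yet eligible
            score = count / weight
            if best is None or score < best_score:
                best, best_score = member, score
        if best is None:
            raise RuntimeError("no pool member is accepting connections")
        self.conns[best] += 1
        return best

    def release(self, member):
        self.conns[member] -= 1


def simulate_recovery(slow_ramp_time, seconds=60):
    """Two members carrying 100 connections each, a third returning from
    maintenance at t=0, one new connection per second and none closing.
    Returns how many of those new connections each member received."""
    pool = LeastConnectionsPool(["cas1", "cas2", "cas3"], slow_ramp_time)
    pool.conns["cas1"] = pool.conns["cas2"] = 100   # constructed load
    pool.member_up("cas3", now=0)
    received = {m: 0 for m in pool.conns}
    for t in range(seconds):
        received[pool.select(now=t)] += 1
    return received


if __name__ == "__main__":
    print("no ramp:     ", simulate_recovery(0))     # cas3 takes all 60
    print("300 s ramp:  ", simulate_recovery(300))   # cas3 takes a share
```

The guide's method is Least Connections (node); the model counts per pool member, which is the same thing while each node serves one port.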




                       Figure 1.4 Configuring the resource section of the pool



Configuring the BIG-IP LTM for SSL offload
                       The BIG-IP LTM supports offloading of encryption (SSL/TLS) from
                       servers for a number of protocols. In such configurations, all communication
                       between the clients and the BIG-IP LTM takes place over encrypted
                       channels, and communication between the BIG-IP LTM and the Microsoft
                       Exchange Server 2010 servers is unencrypted. Besides freeing the servers
                       from the processing and memory overhead associated with encryption, and
                       centralizing certificate management, the LTM is able to operate on the
                       traffic using features such as acceleration profiles, iRules, and advanced
                       persistence profiles.
                       Optionally, administrators can configure the BIG-IP LTM to re-encrypt
                       traffic to the servers after initial decryption and processing; the LTM is still
                       able to offer advanced traffic manipulation, but the servers are still burdened
                       with encryption overhead. Such a configuration may be required in some
                       organizations where network communications are mandated to be
                       encrypted. Server-side SSL re-encryption is not covered in this guide.


Importing keys and certificates
                       Before you can enable the BIG-IP LTM system to offload SSL traffic, you
                       must install an SSL certificate and key on the BIG-IP LTM system. You will
                       need one certificate and key pair for each FQDN (fully qualified domain
                       name) that will be used for connectivity. In this guide, we show you how to
                       use unique FQDNs for each service, each of which will require a certificate
                       and key; we also show a configuration example where a single
                       certificate/key pair is used for all services.
                   For this Deployment Guide, we assume that you already have obtained the
                   required SSL certificates, but they are not yet installed on the BIG-IP LTM
                   system. For information on generating certificates, or using the BIG-IP
                   LTM system to generate a request for a new certificate and key from a
                   certificate authority, see the ‘Managing SSL Traffic’ chapter in the
                   Configuration Guide for Local Traffic Management.
                   Once you have obtained a certificate, you can import this certificate into the
                   BIG-IP LTM system using the Configuration utility. You can use the Import
                   SSL Certificates and Keys screen only when the certificate you are
                   importing is in Privacy Enhanced Mail (PEM) format.

                   To import a key or certificate
                        1. On the Main tab, expand Local Traffic.
                        2. Click SSL Certificates. This displays the list of existing certificates.
                        3. In the upper right corner of the screen, click Import.
                        4. From the Import Type list, select the type of import (Certificate or
                           Key).
                        5. In the Certificate (or Key) Name box, type a unique name for the
                           certificate or key.
                        6. In the Certificate (or Key) Source box, choose to either upload the
                           file or paste the text.
                        7. Click Import.
                        8. If you imported the certificate, repeat this procedure for the key.



Creating the profiles
                   The next step is to create the profiles. A profile is an object that contains
                   user-configurable settings for controlling the behavior of a particular type of
                   network traffic, such as HTTP connections. Using profiles enhances your
                   control over managing network traffic, and makes traffic-management tasks
                   easier and more efficient.
                   Although you may use the default profiles, we strongly recommend you
                   create new profiles based on the default parent profiles. By creating new
                   profiles, you may easily modify the profile settings specific to your
                   deployment without altering default global behaviors.




Creating HTTP profile
                       The first profile we create is the HTTP profile. We recommend using the
                       parent profile http-wan-optimized-compression-caching (included with
                       BIG-IP LTM version 9.4 and later). This profile includes some default
                       optimization settings that increase the performance of Outlook Web App
                       over the WAN. There are a couple of caveats for using this profile:
                       • This profile is only available in BIG-IP LTM version 9.4 and later.
                       • If you plan on using the WebAccelerator module for Outlook Web App
                         (as shown later in this Deployment Guide) you should not use the
                         http-wan-optimized-compression-caching HTTP profile, because the
                         WebAccelerator module performs the compression and caching duties in
                         addition to its other optimizations. If you are using the WebAccelerator
                         module, we recommend you configure an HTTP profile based on the
                         default HTTP profile, and only change the Redirect Rewrite option to
                         Match. Any other settings in this case are optional.

                       To create a new WAN optimized HTTP profile
                           1. On the Main tab, expand Local Traffic, and then click Profiles. The
                              HTTP Profiles screen opens.
                           2. In the upper right portion of the screen, click the Create button. The
                              new HTTP Profile screen opens.
                           3. In the Name box, type a name for this profile. In our example, we
                              type exch_owa_http_wanopt.
                           4. From the Parent Profile list, select
                              http-wan-optimized-compression-caching.
                              If you are using the WebAccelerator, select http from the list.
                           5. In the Settings section, check the Custom box for Redirect Rewrite,
                              and from the Redirect Rewrite list, select Matching.
                           6. Optional: Check the Custom box next to Insert XForwarded For.
                              Select Enabled from the list.
                              Note on XForwarded For: It may be necessary for the BIG-IP
                              system to insert the original client IP address in an HTTP header
                              and configure the web server receiving the request to log the client
                              IP address instead of the SNAT address. See SOL4816
                              (https://support.f5.com/kb/en-us/solutions/public/4000/800/sol4816.
                              html) for more information on this header, and for the additional
                              steps you will need to take to configure IIS on each of your
                              Exchange Client Access Servers.
                           7. In the Compression section, check the Custom box for
                              Compression, and from the Compression list, select Enabled.
                           8. Check the Custom box for Content Compression, and leave
                              Content List selected.
                           9. In the Content List section, add the following entries to the Content
                              Type box one at a time, each followed by clicking the Include
                              button:


                                • application/(word|doc|msword|winword|ms-word|x-word|x-msword|vnd.word|vnd.msword|vnd.ms-word)
                                • application/(xls|excel|msexcel|ms-excel|x-excel|x-xls|x-msexcel|x-ms-excel|vnd.excel|vnd.msexcel|vnd.ms-excel)
                                • application/(powerpoint|mspowerpoint|ms-powerpoint|x-powerpoint|x-mspowerpoint|vnd.powerpoint|vnd.mspowerpoint|vnd.ms-powerpoint|vnd.ms-pps)
                                • application/(mpp|msproject|x-msproject|x-ms-project|vnd.ms-project)
                                • application/(visio|x-visio|vnd.visio|vsd|x-vsd|x-vsd)
                                • application/(pdf|x-pdf|acrobat|vnd.pdf)

                                You can enter any additional Content Types (in MIME type format)
                                that are used in your organization that you want to make sure are
                                compressed by the BIG-IP system. Pre-compressed documents,
                                such as image or video files, Open XML documents, and ZIP
                                archives, should not be added.
                           10. Check the Custom box for Keep Accept Encoding, and check the
                               box to enable Keep Accept Encoding.
                           11. Modify any of the other options as applicable for your
                               configuration. See the online help for more information on the
                               configuration options.
                           12. Click the Finished button.
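The X-Forwarded-For note in step 6 matters beyond logging convenience: once the BIG-IP applies a SNAT, IIS on every Client Access server records the SNAT address as the peer, and the only record of the real client is the header the BIG-IP inserts. That header is plain text that any client can also send on its own, so the server side should honour it only when the request actually arrived through the BIG-IP, and should read the entry the BIG-IP appended rather than the first one. The following Python example is added here and is not part of the guide or of the SOL4816 IIS steps; it recovers the client address from a constructed IIS-style log excerpt, treating the guide's example self IP 10.133.20.10 as the only trusted proxy (an assumption; in a SNAT pool deployment the list would hold every pool address).

```python
import ipaddress

# Constructed W3C-style IIS log excerpt.  c-ip is what IIS sees as the
# peer: with a SNAT in place that is the BIG-IP translation address, and
# the client's own address only survives in cs(X-Forwarded-For).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs(X-Forwarded-For) sc-status
2010-03-01 10:00:00 10.133.20.10 GET /owa/ 203.0.113.7 200
2010-03-01 10:00:01 10.133.20.10 GET /owa/ 198.51.100.9,203.0.113.7 200
2010-03-01 10:00:02 10.133.20.10 GET /owa/ - 200
2010-03-01 10:00:03 192.0.2.44 GET /owa/ 10.0.0.1 200
"""

# Assumption: the BIG-IP self IP / SNAT automap address from the guide's
# example is the only proxy allowed to vouch for a client address.
TRUSTED_PROXIES = ["10.133.20.10/32"]


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _trusted(addr, networks):
    return _is_ip(addr) and any(ipaddress.ip_address(addr) in n for n in networks)


def client_ip(remote_addr, xff_header, trusted_proxies=TRUSTED_PROXIES):
    """Recover the client address from X-Forwarded-For without trusting
    values that any client could have supplied itself.

    The BIG-IP appends the TCP peer address it saw, so the rightmost entry
    that is not one of our own proxies is the client.  If the request did
    not arrive through a trusted proxy at all, the header is ignored and
    the peer address is the client."""
    networks = [ipaddress.ip_network(n) for n in trusted_proxies]
    if not xff_header or xff_header == "-" or not _trusted(remote_addr, networks):
        return remote_addr
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        if _trusted(hop, networks):
            continue                 # one of our own proxies: keep walking left
        return hop if _is_ip(hop) else remote_addr   # malformed: fall back
    return remote_addr


def resolve_clients(log_text, trusted_proxies=TRUSTED_PROXIES):
    """Parse a W3C extended log and return (uri, client ip) per request."""
    fields, rows = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        client = client_ip(row["c-ip"], row.get("cs(X-Forwarded-For)"),
                           trusted_proxies)
        rows.append((row["cs-uri-stem"], client))
    return rows


if __name__ == "__main__":
    for uri, client in resolve_clients(SAMPLE_LOG):
        print(f"{uri:8} client={client}")
```

The second sample line shows the case the right-to-left walk exists for: a client that sent its own X-Forwarded-For value still ends up with the address the BIG-IP appended, 203.0.113.7, because that entry is the one the trusted proxy added.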

                           Note

                        Some browsers and operating systems may have difficulty downloading or
                        displaying certain compressed files. We suggest testing compression of each
                        of these object types against the full range of web browsers and client
                        operating systems in use at your organization to ensure full compatibility.


Creating TCP profiles
                        The next task is to create the TCP profiles. We recommend creating one
                        TCP profile using the tcp-lan-optimized parent. If your configuration uses
                        various WAN links and your users are widely distributed, you should also
                        create a second profile that uses tcp-wan-optimized as the parent profile.
                        This profile (available only in BIG-IP LTM version 9.4 and later) contains
                        preconfigured WAN optimization settings. If all of your users are accessing
                        the BIG-IP LTM over a LAN, you only need to create the LAN optimized
                        profile.

Creating the LAN optimized TCP profile
                        The first TCP profile we create is the LAN optimized profile.

                        To create a new LAN optimized TCP profile
                            1. On the Main tab, expand Local Traffic, and then click Profiles. The
                               HTTP Profiles screen opens by default.
                            2. On the Menu bar, from the Protocol menu, select TCP.


                           3. In the upper right portion of the screen, click the Create button. The
                              New TCP Profile screen opens.
                           4. In the Name box, type a name for this profile. In our example, we
                              type exch_tcp_lan.
                           5. Modify any of the settings as applicable for your network. See the
                              online help for more information on the configuration options. In
                              our example, we leave the settings at their default levels.
                           6. Click the Finished button.

Creating the WAN optimized TCP profile
                       If your configuration uses various WAN links and your users are widely
                       distributed, we recommend configuring the following WAN profile.

                       To create a new WAN optimized TCP profile
                           1. On the Main tab, expand Local Traffic, click Profiles, and then, on
                              the Menu bar, from the Protocol menu, select TCP.
                           2. Click the Create button. The New TCP Profile screen opens.
                           3. In the Name box, type a name for this profile. In our example, we
                              type exch_tcp_wan.
                           4. Modify any of the settings as applicable for your network. See the
                              online help for more information on the configuration options. In
                              our example, we leave the settings at their default levels.
                           5. Click the Finished button.


Creating a cookie persistence profile
                       The next profile we create is a persistence profile. For this configuration, we
                       create a new cookie persistence profile, based on the default cookie
                       persistence profile. We use cookie persistence because users must maintain
                       a connection to the same Outlook Web App device.

                       To create a new cookie persistence profile
                           1. On the Main tab, expand Local Traffic, click Profiles, and then, on
                              the Menu bar, click Persistence.
                           2. Click the Create button.
                           3. In the Name box, type a name for this profile. In our example, we
                              type exch_owa_cookie.
                           4. From the Persistence Type list, select Cookie. The configuration
                              options for Cookie persistence appear.
                           5. Modify any of the settings as applicable for your network. See the
                              online help for more information on the configuration options.




                        6. Click the Finished button.




                    Figure 1.5 Creating the cookie persistence profile


Creating the OneConnect Profile
                    OneConnect dramatically reduces the overhead of maintaining TCP
                    connections between the BIG-IP LTM and the Client Access servers.

                    To create a new OneConnect profile
                        1. On the Main tab, expand Local Traffic, and then click Profiles.
                           The HTTP Profiles screen opens.
                        2. On the Menu bar, from the Other menu, click OneConnect.
                           The OneConnect Profiles screen opens.
                        3. In the upper right portion of the screen, click the Create button.
                           The New OneConnect Profile screen opens.
                        4. In the Name box, type a name for this profile. In our example, we
                           type exch-oneconnect.
                        5. From the Parent Profile list, ensure that oneconnect is selected.
                        6. Modify any of the other settings as applicable for your network. In
                           our example, we leave the settings at their default levels.
                        7. Click the Finished button.


Creating the NTLM profile
                    The next profile we create is an NTLM profile. An NTLM profile, also
                    called an NTLM Connection Pool, is only required if you are using NTLM
                    authentication for Outlook Web App or Outlook Anywhere and have
                    OneConnect configured. NTLM Connection Pools are only available in
                    BIG-IP version 10.0 and later.






                       To create a new NTLM profile
                           1. On the Main tab, expand Local Traffic, click Profiles, and then, on
                              the Menu bar, from the Other menu, click NTLM.
                           2. Click the Create button.
                           3. In the Name box, type a name for this profile. In our example, we
                              type exch_ntlm.
                           4. Modify any of the settings as applicable for your network. See the
                              online help for more information on the configuration options.
                           5. Click the Finished button.


Creating a Client SSL profile
                       The next step is to create a Client SSL profile. This profile holds the
                       SSL certificate and key that the BIG-IP LTM uses to terminate (offload)
                       the SSL traffic from clients.

                       To create a new Client SSL profile
                           1. On the Main tab, expand Local Traffic, click Profiles, and then, on
                              the Menu bar, from the SSL menu, select Client.
                           2. Click the Create button.
                           3. In the Name box, type a name for this profile. In our example, we
                              type exch_owa_https.
                           4. In the Configuration section, select the Custom check boxes next
                              to Certificate and Key.
                           5. From the Certificate list, select the name of the Certificate you
                              imported in the Importing keys and certificates section.
                           6. From the Key list, select the key you imported in the Importing keys
                              and certificates section.
                           7. Click the Finished button.



Creating the iRules
                       In the following procedures, we create two iRules on the BIG-IP LTM
                       system. These iRules are designed to transparently assist users in accessing
                       Outlook Web App if they do not properly type the correct URI.
                       While these iRules are optional, we recommend using them as they can
                       greatly improve end user experience.

                          Note

                       The following iRules may not be appropriate for all installations. Both
                       iRules assume that only Exchange Server 2010 (and not previous versions)
                       is accessible through the configured virtual server. Exchange Server 2010
                       Client Access Role servers can provide front-end services to Exchange 2010
                       Mailbox servers as well as to existing Exchange Server 2007, Exchange
                       Server 2003, or Exchange Server 2000 back-end servers.

                     In that case, the URIs will differ; for instance, the URI
                     https://<hostname>/owa/ will provide Exchange Server 2010 services, and
                     https://<hostname2>/exchange/ might provide services for those users still
                     on Exchange Server 2003. For this reason, F5 recommends using a unique
                     virtual server for each Exchange Server version being supported, in order to
                     be able to customize each to take into account differences in the product
                     versions. Consult the Microsoft product documentation for more
                     information about configuring Outlook Web App to accommodate multiple
                     versions of Exchange Server. For more information on advanced iRules, see 
                     http://devcentral.f5.com/


Creating the Redirect iRule
                     The Redirect iRule takes incoming HTTP requests (non-secure) and
                     redirects them to the correct HTTPS (secure) virtual server, without user
                     interaction. For example, this allows end users to simply type
                     webmail.domain.com or http://webmail.domain.com without having to
                     remember that they are going to an HTTPS URI. The rule also appends the
                     required /owa/ to the host portion of the URI.

                     To create the Redirect iRule
                         1. On the Main tab, expand Local Traffic, and then click iRules.
                         2. In the upper right portion of the screen, click the Create button. The
                            New iRule screen opens.
                         3. In the Name box, enter a name for your iRule. In our example, we
                            use exch_owa_httptohttps.
                         4. In the Definition section, copy and paste the following iRule:
                              when HTTP_REQUEST {
                                  HTTP::redirect https://[HTTP::host]/owa/
                              }

                         5. Click the Finished button.


Creating the appending iRule
                     This iRule, which is applied to the HTTPS virtual server, is another
                     precautionary measure. It covers the case where a user types the URI for
                     OWA (for example, https://webmail.domain.com) but forgets to add the
                     required /owa/ at the end. Without /owa/, the user would likely get an
                     Under Construction page, or some page other than the mailbox login.
                     The iRule checks whether the requested URI begins with /owa. If it does
                     not, the iRule prepends /owa automatically, transparently sending the
                     user to the correct page.








                       To create the appending iRule
                           1. On the Main tab, expand Local Traffic, and then click iRules.
                           2. Click the Create button. The New iRule screen opens.
                           3. In the Name box, enter a name for your iRule. In our example, we
                              use exch_owa_append.
                           4. In the Definition section, copy and paste the following iRule:
                               when HTTP_REQUEST {
                                   if { not ([HTTP::uri] starts_with "/owa") } {
                                       HTTP::uri /owa[HTTP::uri]
                                   }
                               }

                           5. Click the Finished button.
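The two iRules above are short, but the prefix test in the appending rule has consequences that are easy to miss. The following Python model is an added example, not F5 code and not part of this guide; it re-implements the logic of exch_owa_httptohttps and exch_owa_append off the box so the behaviour can be checked against a table of constructed URIs. The allowed_hosts parameter on redirect_target is an addition that goes beyond the iRule: the iRule builds the Location target from whatever Host header the client sent, and the parameter shows where one would pin that to the host names the virtual server is meant to serve. Host names and URIs are constructed.

```python
"""Python model of the two OWA iRules (exch_owa_httptohttps and exch_owa_append).

Added, constructed example for reasoning about the iRule logic off the box; it is
not F5 code and does not run on a BIG-IP.  Each function mirrors one iRule: it
takes the values the iRule reads (HTTP::host, HTTP::uri) and returns what the
iRule would produce.  Host names and URIs below are constructed.
"""
from typing import Dict, List, Optional, Set

OWA_PREFIX = "/owa"


def redirect_target(host: str, allowed_hosts: Optional[Set[str]] = None) -> str:
    """Mirror exch_owa_httptohttps: HTTP::redirect https://[HTTP::host]/owa/

    The iRule builds the Location target from the Host header the client sent.
    allowed_hosts is an optional check added in this model (not in the iRule):
    when given, a Host value outside the set is replaced by the first allowed
    name, so the redirect always lands on a name this virtual server serves.
    """
    if allowed_hosts and host not in allowed_hosts:
        host = sorted(allowed_hosts)[0]
    return f"https://{host}{OWA_PREFIX}/"


def append_owa(uri: str) -> str:
    """Mirror exch_owa_append:
        if { not ([HTTP::uri] starts_with "/owa") } { HTTP::uri /owa[HTTP::uri] }

    starts_with is a plain, case-sensitive prefix test, so the rewrite only
    fires when the request URI does not already begin with "/owa".
    """
    if not uri.startswith(OWA_PREFIX):
        return OWA_PREFIX + uri
    return uri


def trace(host: str, uri: str, scheme: str) -> Dict[str, str]:
    """Walk one request through the two virtual servers as the guide wires them:
    the port 80 virtual carries the redirect iRule, the port 443 virtual the
    appending iRule."""
    if scheme == "http":
        return {"action": "redirect", "location": redirect_target(host)}
    return {"action": "forward", "uri": append_owa(uri)}


# Constructed cases showing where the prefix test does and does not fire.
CASES = [
    ("/", "/owa/"),                                   # bare host: /owa/ is added
    ("/owa/", "/owa/"),                               # already correct: untouched
    ("/owa/auth/logon.aspx?url=x", "/owa/auth/logon.aspx?url=x"),
    ("/OWA/", "/owa/OWA/"),                           # case-sensitive: uppercase is not recognised
    ("/ecp/", "/owa/ecp/"),                           # any other path is prefixed too
    ("/owaold/", "/owaold/"),                         # shares the prefix, passes unchanged
]


def check_cases() -> List[str]:
    """Return the URIs whose result differs from the expected value (empty = all pass)."""
    return [uri for uri, expected in CASES if append_owa(uri) != expected]


if __name__ == "__main__":
    for uri, _ in CASES:
        print(f"{uri!r:32} -> {append_owa(uri)!r}")
    print(trace("webmail.domain.com", "/", "http"))
    print("mismatches:", check_cases())
```

The /OWA/ and /ecp/ rows are the ones to note: the prefix test is case-sensitive, and every URI that does not begin with /owa is prefixed, which is why the guide's note that only Exchange 2010 Outlook Web App should be reachable through this virtual server matters.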



Creating the OWA virtual servers
                       Next, we configure two virtual servers on the BIG-IP LTM system. The first
                       virtual server exists solely to intercept incoming HTTP traffic and redirect
                       it to HTTPS using the iRule you created; this virtual server is optional.
                       The second virtual server terminates the SSL (HTTPS) connections and sends
                       traffic via HTTP to the pool of OWA servers.


Creating the HTTP virtual server
                       The first virtual server we create is the HTTP virtual server.

                       To create the HTTP virtual server
                           1. On the Main tab, expand Local Traffic, and then click Virtual
                              Servers. The Virtual Servers screen opens.
                           2. In the upper right portion of the screen, click the Create button. The
                              New Virtual Server screen opens.
                           3. In the Name box, type a name for this virtual server. In our
                              example, we type exch_owa_virtual_http.
                           4. In the Destination section, select the Host option button.
                           5. In the Address box, type the IP address of this virtual server. In our
                              example, we use 10.133.20.200.
                           6. In the Service Port box, type 80, or select HTTP from the list.
                           7. In the Configuration section, select Advanced from the list. The
                              Advanced configuration options appear.
                           8. From the Protocol Profile (Client) list, select the name of the
                              profile you created in the Creating the WAN optimized TCP profile
                              section. In our example, we select exch_tcp_wan. This is optional,
                              and only necessary if you created a WAN optimized profile.


                         9. From the HTTP Profile list, select the name of the profile you
                            created in the Creating HTTP profile section. In our example, we
                            select exch_owa_http_wanopt.
                        10. In the Resources section, from the iRules Available list, select the
                            iRule you created for redirection in the Creating the iRules section.
                            In our example, we select exch_owa_httptohttps.

                             Do not select a default pool for this virtual server.
                        11. Click the Finished button.


Creating the HTTPS virtual server
                     Next, we create the HTTPS virtual server.

                     To create the HTTPS virtual server
                         1. On the Main tab, expand Local Traffic, click Virtual Servers, and
                            then click the Create button.
                         2. In the Name box, type a name for this virtual server. In our
                            example, we type exch_owa_virtual_https.
                         3. In the Destination section, select the Host option button.
                         4. In the Address box, type the IP address of this virtual server. In our
                            example, we use 10.133.20.200.
                         5. In the Service Port box, type 443, or select HTTPS from the list.




                     Figure 1.6 Configuring the virtual server general properties


                         6. From the Configuration list, select Advanced.
                         7. From the Protocol Profile (Client) list, select the name of the
                            profile you created in the Creating the WAN optimized TCP profile
                            section. In our example, we select exch_tcp_wan. This is optional.
                         8. From the Protocol Profile (Server) list, select the name of the
                            profile you created in the Creating the LAN optimized TCP profile
                            section. In our example, we select exch_tcp_lan.








                           9. From the OneConnect Profile list, select the name of the profile
                              you created in the Creating the OneConnect Profile section. In our
                              example, we select exch_oneconnect.
                          10. From the HTTP Profile list, select the name of the profile you
                              created in the Creating HTTP profile section. In our example, we
                              select exch_owa_http_wanopt.
                          11. From the NTLM Conn Pool list, select the name of the profile you
                              created in the Creating the NTLM profile section. In our example,
                              we select exch_ntlm.
                              Note: You must first select the OneConnect and HTTP profiles to be
                              able to select the NTLM profile.
                          12. From the SSL Profile (Client) list, select the SSL profile you
                              created in the Creating a Client SSL profile section. In our example,
                              we select exch_owa_https.




                       Figure 1.7 Adding the profiles to the virtual server (truncated)

                          13. From the SNAT Pool list:
                               • If you did not create a SNAT pool for a large deployment, select
                                 Automap.
                               • If you created a SNAT pool for a large deployment, from the
                                 SNAT Pool list, select the name of the SNAT pool you created in
                                 To create a SNAT pool for large deployments, on page 1-9.
                          14. In the Resources section, from the iRules Available list, select the
                              appending iRule you created in the Creating the iRules section. In
                              our example, we select exch_owa_append.
                          15. From the Default Pool list, select the pool you created in Creating
                              the pool. In our example, we select exch_owa_pool.
                          16. From the Default Persistence Profile list, select the persistence
                              profile you created in Creating a cookie persistence profile. In our
                              example, we select exch_owa_cookie.
                          17. Click the Finished button.



         Figure 1.8 Configuring the virtual server resources

         The next section describes configuring the BIG-IP WebAccelerator module
         for Outlook Web App. If you are not using the WebAccelerator, continue
         with Configuring the BIG-IP LTM for Outlook Anywhere, on page 1-30.








Configuring the F5 WebAccelerator module with Exchange 2010 Outlook Web App
                       In this section, we configure the WebAccelerator module for Exchange
                       2010 Outlook Web App to increase performance for end users. The F5
                       WebAccelerator is an advanced web application delivery solution that
                       provides a series of intelligent technologies designed to overcome
                       problems with browsers, web application platforms, and WAN latency
                       that degrade the end user's experience.
                       For more information on the F5 WebAccelerator, see
                       http://www.f5.com/products/WebAccelerator/.

                           Note

                       If you have not purchased the WebAccelerator module, you cannot complete
                       this section of the Deployment Guide. Continue with Configuring the
                       BIG-IP LTM for Outlook Anywhere, on page 1-30. Contact your F5 Sales
                       Representative for more information about purchasing this module.



Prerequisites and configuration notes
                       The following are prerequisites for this section:
                       ◆   We assume that you have already configured the BIG-IP LTM system for
                           directing traffic to the Outlook Web App portion of Client Access, as
                           described in this Deployment Guide.
                       ◆   If you are using the WebAccelerator module, we recommend you do not
                           configure the BIG-IP LTM system for compression or caching.
                       ◆   You must have purchased and licensed the WebAccelerator module on
                           the BIG-IP LTM system, version 9.4 or later.
                       Configuring the WebAccelerator module requires creating an HTTP class
                       profile, creating an Application, and modifying the virtual server you
                       created for Outlook Web App. The WebAccelerator device has a large
                       number of other features and options for fine tuning performance gains;
                       see the WebAccelerator Administrator Guide for more information.


Creating an HTTP Class profile
                       The first procedure is to create an HTTP class profile. When incoming
                       HTTP traffic matches the criteria you specify in the WebAccelerator class,
                       the system diverts the traffic through this class. In the following example,
                       we create a new HTTP class profile, based on the default profile.

                       To create a new HTTP class profile
                            1. On the Main tab, expand WebAccelerator, and then click Classes.
                               The HTTP Class Profiles screen opens.



                          2. In the upper right portion of the screen, click the Create button. The
                             New HTTP Class Profile screen opens.
                          3. In the Name box, type a name for this Class. In our example, we
                             type exch2010_class.
                          4. From the Parent Profile list, make sure httpclass is selected.
                          5. In the Configuration section, in the WebAccelerator row, make
                             sure Enabled is selected.
                          6. In the Hosts row, from the list, select Match Only. The Host List
                             options appear.
                              a) In the Host box, type the host name that your end users use to
                                 access Outlook Web App. In our example, we type
                                 owa.siterequest.com.
                              b) Leave the Entry Type at Pattern String.
                              c) Click the Add button.
                              d) Repeat these sub-steps for any other host names users might use
                                 to access Outlook Web App.
                          7. The rest of the settings are optional; configure them as applicable
                             for your deployment.
                          8. Click the Finished button. The new HTTP class is added to the list.


Modifying the Virtual Server to use the Class profile
                      The next step is to modify the HTTPS virtual server you created in Creating
                      the HTTPS virtual server, on page 1-23 to use the HTTP Class profile you
                      just created. The HTTP profile associated with this virtual server should not
                      have compression or RAM cache enabled, as the WebAccelerator module
                      performs these tasks in addition to its other optimizations.

                      To modify the Virtual Server to use the Class profile
                          1. On the Main tab, expand Local Traffic, and then click Virtual
                             Servers. The Virtual Servers screen opens.
                          2. From the Virtual Server list, click the name of the virtual server
                             you created for your Outlook Web App devices. In our example, we
                             click exch_owa_virtual_https. The General Properties screen for
                             the Virtual Server opens.
                          3. On the Menu bar, click Resources. The Resources screen for the
                             Virtual Server opens.
                          4. In the HTTP Class Profiles section, click the Manage button.
                          5. From the Available list, select the name of the HTTP Class Profile
                             you created in the preceding procedure, and click the Add (<<)
                             button to move it to the Enabled box. In our example, we select
                             exch2010_class.








                           6. Click the Finished button. The HTTP Class Profile is now
                              associated with the Virtual Server.


Downloading and importing the WebAccelerator policy
                       If you are using a version of the BIG-IP WebAccelerator prior to version
                       10.0, you need to download and import the policy for Microsoft Exchange.
                       Version 10.0 and later versions include this policy by default. Downloading
                       and importing the policy is a simple two-part procedure. We currently use
                       the WebAccelerator policy for Microsoft Exchange/OWA 2007.

                          Note

                       You must be a member of DevCentral (requires a free registration) in order
                       to download the policy.

                       To download and import the WebAccelerator policy
                           1. Open a web browser, and copy and paste the following URL:
                              http://devcentral.f5.com/Policies/Exchange.xml. This is currently
                              the same policy as for Exchange Server 2007.
                           2. Save the Exchange.xml file in a place that is accessible from the
                              WebAccelerator.
                           3. Return to the BIG-IP LTM system (see Connecting to the BIG-IP
                              device).
                           4. On the Main tab, expand WebAccelerator, and then click Policies.
                              The Policy list opens.
                           5. At the bottom of the page, click Import Policies.
                           6. Click the Browse button, and navigate to the location where you
                              saved the Exchange.xml file.
                           7. Click the Import button. The Policy is added to the list. You choose
                              the new policy in the next procedure.


Creating an Application
                       The next procedure is to create a WebAccelerator Application. The
                       Application provides key information to the WebAccelerator so that it can
                       handle requests to your application appropriately.

                       To create a new Application
                           1. On the Main tab, expand WebAccelerator, and then click
                              Applications. The Application screen of the WebAccelerator UI
                              opens in a new window.
                           2. Click the New Application button.
                           3. In the Application Name box, type a name for your application.
                              In our example, we type OWA 2010.



             4. In the Description box, you can optionally type a description.
             5. From the Local Policies list, select Microsoft Outlook Web
                Access (OWA) 2007.
             6. In the Requested Host box, type the host name that your end users
                use to access Outlook Web Access. This should be the same host
                name you used in Step 6a in the preceding procedure. In our
                example, we type owa.siterequest.com.
                If you have additional host names, click the Add Host button and
                enter the host name(s).
             7. Click the Save button.


         The rest of the configuration options on the WebAccelerator are optional;
         configure these as applicable for your network. With this base configuration,
         your end users will notice a marked improvement in performance after their
         first visit.








Configuring the BIG-IP LTM for Outlook Anywhere
                       Outlook Anywhere for Exchange 2010 allows you to use Outlook 2007 and
                       Outlook 2003 clients to connect to your Exchange server over the Internet,
                       using HTTPS to encapsulate RPC traffic. By using BIG-IP LTM in front of
                       an Outlook Anywhere-enabled Client Access Server, you can offload
                       TLS/SSL processing from the servers to reduce their CPU and memory load
                       and simplify certificate management. You can also select from a number of
                       intelligent load balancing methods to distribute traffic to the servers.
                       In Exchange 2010, simply use the Outlook Anywhere setup wizard on an
                       Exchange 2010 computer with the Client Access server role installed. All
                       users with mailboxes on Exchange 2010 are automatically enabled for
                       Outlook Anywhere access. For more information on Outlook Anywhere, see
                       the Microsoft documentation.
                       Because many of the BIG-IP LTM configuration procedures for Outlook
                       Anywhere are nearly identical to the procedures for Outlook Web App, we
                       refer back to those procedures in this section, noting any differences.



Configuring SSL Certificates for Outlook Anywhere
                       IMPORTANT: To enable and require SSL for all communications between
                       the Client Access server and the Outlook clients, you must obtain and
                       publish a certificate at the default Web site level. We recommend that you
                       purchase your certificate from a third-party certification authority whose
                       certificates are trusted by a wide variety of Web browsers. By default,
                       applications and Web browsers do not trust your root certification authority
                       when you install your own certification authority, such as a BIG-IP
                       self-signed certificate. When a user tries to connect in Microsoft Office
                       Outlook 2007 or Outlook 2003 by using Outlook Anywhere, and the user’s
                       computer does not trust the certificate and root Certificate Authority, the
                       connection will fail. For more information on this topic, see the following
                       Microsoft TechNet article:
                       http://technet.microsoft.com/en-us/library/aa997703.aspx



Creating the HTTP health monitor
                       To create the Outlook Anywhere monitor, follow the procedure Creating
                       HTTP health monitor, on page 1-11, using a unique name for Outlook
                       Anywhere. In our example, we use exch_oa_http.



Creating the Outlook Anywhere pool
                       To create the Outlook Anywhere pool, follow the procedure Creating the
                       pool, on page 1-12, using a unique name for Outlook Anywhere. In our
                       example, we use exch_oa_pool. Select the name of the monitor you created
                       in the preceding procedure. Type the appropriate IP addresses and port (80).



Creating the Outlook Anywhere persistence iRule
                     For Outlook Anywhere, we create an iRule that is used for persistence. This
                     iRule is necessary because the Microsoft Outlook client does not support
                     HTTP cookies, so the BIG-IP LTM persists based on other HTTP header
                     information.
                     In some cases you may be able to use other persistence methods such as
                     Source Address Affinity, which bases persistence on the IP address of the
                     client. However, because proxy servers or NAT (network address
                     translation) devices may aggregate clients behind a single IP address, such
                     methods are not always effective. To ensure reliable persistence, we
                     recommend using the following iRule and associated persistence profile.

                     To create the iRule
                         1. On the Main tab, expand Local Traffic, and then click iRules. The
                            iRules screen opens.
                         2. In the upper right portion of the screen, click the Create button. The
                            New iRule screen opens.
                         3. In the Name box, type a name for this iRule. In our example, we
                            type OutlookAnywherePersistRule.
                         4. In the Definition box, copy and paste the following iRule:
                             when HTTP_REQUEST {
                                 if { [HTTP::header "User-Agent"] contains "MSRPC" } {
                                     persist uie [HTTP::header "Authorization"] 3600
                                 }
                             }

                         5. Click the Finished button.
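To see why the header-based key above keeps working where Source Address Affinity does not, the following Python simulation is an added example, not F5 code and not part of this guide. It models the universal (UIE) persistence table that persist uie [HTTP::header "Authorization"] 3600 feeds, side by side with a plain source-address table, and runs two Outlook users behind one NAT address through both. Pool members, addresses, header values and timestamps are constructed; the Authorization values are base64 of placeholder credentials. Two modelling assumptions are made: the 3600-second value behaves as an idle timeout refreshed on each hit, and a request with no Authorization header creates no persistence record.

```python
"""Model of the Outlook Anywhere persistence iRule (OutlookAnywherePersistRule).

Added, constructed example, not F5 code: a small simulation of the universal
(UIE) persistence table driven by
    persist uie [HTTP::header "Authorization"] 3600
next to plain source-address affinity.  Members, addresses, header values and
timestamps are constructed.  Assumptions: the 3600 s value is an idle timeout
refreshed on each hit, and an empty or missing header yields no record.
"""
import base64
from typing import Dict, List, Optional, Tuple


class Pool:
    """Round-robin pool with two persistence strategies layered on top."""

    def __init__(self, members: List[str], timeout: int = 3600) -> None:
        self.members = members
        self.timeout = timeout
        self._rr = 0
        # UIE table: key -> (member, expiry).  The key is the raw header value.
        self.uie: Dict[str, Tuple[str, float]] = {}
        # Source-address affinity table: client IP -> member.
        self.src: Dict[str, str] = {}

    def _next(self) -> str:
        member = self.members[self._rr % len(self.members)]
        self._rr += 1
        return member

    def uie_key(self, headers: Dict[str, str]) -> Optional[str]:
        """The iRule only persists MSRPC (Outlook Anywhere) requests that carry
        an Authorization header; every other request is plain load balancing."""
        if "MSRPC" not in headers.get("User-Agent", ""):
            return None
        return headers.get("Authorization") or None

    def select_uie(self, src_ip: str, headers: Dict[str, str], now: float) -> str:
        """Pick a member by the iRule's header key; src_ip plays no part."""
        key = self.uie_key(headers)
        if key is not None:
            entry = self.uie.get(key)
            if entry is not None and entry[1] > now:
                self.uie[key] = (entry[0], now + self.timeout)  # refresh idle timer
                return entry[0]
        member = self._next()
        if key is not None:
            self.uie[key] = (member, now + self.timeout)
        return member

    def select_source_affinity(self, src_ip: str) -> str:
        """Contrast: persistence keyed on the client address alone."""
        if src_ip not in self.src:
            self.src[src_ip] = self._next()
        return self.src[src_ip]

    def active_uie_records(self, now: float) -> int:
        """Number of UIE records that have not yet idled out."""
        return sum(1 for _, expiry in self.uie.values() if expiry > now)


def basic(user: str) -> str:
    """Constructed Authorization value for a placeholder user (not a real credential)."""
    return "Basic " + base64.b64encode(f"{user}:placeholder".encode()).decode()


def nat_scenario() -> Dict[str, Dict[str, str]]:
    """Two Outlook Anywhere users behind one NAT address (constructed 203.0.113.10)."""
    pool = Pool(["10.133.20.11:80", "10.133.20.12:80"])
    nat = "203.0.113.10"
    alice = {"User-Agent": "MSRPC", "Authorization": basic("alice")}
    bob = {"User-Agent": "MSRPC", "Authorization": basic("bob")}
    uie = {
        "alice_1": pool.select_uie(nat, alice, now=0),
        "bob_1": pool.select_uie(nat, bob, now=1),
        "alice_2": pool.select_uie(nat, alice, now=2),
        "bob_2": pool.select_uie(nat, bob, now=3),
    }
    affinity = {
        "alice": pool.select_source_affinity(nat),
        "bob": pool.select_source_affinity(nat),
    }
    return {"uie": uie, "source_affinity": affinity}


if __name__ == "__main__":
    for strategy, result in nat_scenario().items():
        print(strategy, result)
```

In the NAT scenario the UIE table keeps each user on their own server while still spreading the two users across both members; the source-address table sees one client and sends everyone behind the NAT to the same member. Note what the key is: the raw Authorization value, which with Basic authentication is the base64 of the user's credentials, so the persistence table holds credential material for up to an hour after the last request and access to it should be treated as sensitive.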



Creating the profiles
                     In this section, we create the profiles for Outlook Anywhere. Again, we
                     refer back to the OWA section for many of the profiles; however, there is
                     one profile unique to Outlook Anywhere, the persistence profile that uses
                     the iRule you created.


Creating the HTTP profile
                     To create the HTTP profile, follow the procedure Creating HTTP profile, on
                     page 1-16. For Outlook Anywhere, use the base HTTP parent profile (not an
                     optimized profile). All other settings are optional.


Creating the TCP profiles
                     To create the TCP profiles, follow the procedures found in Creating TCP
                     profiles, on page 1-17. There is one important change for this profile:



1 - 31
                                               Deploying F5 with Microsoft Exchange Server 2010




                       ◆   In the Nagle’s Algorithm row, click the Custom box, and then click to
                           clear the box to disable Nagle’s Algorithm.
                       Use unique names for these profiles. In our example, we create both LAN
                       and WAN optimized TCP profiles for Outlook Anywhere.


Creating the OneConnect profile
                       To create the OneConnect profile, follow the procedure found in Creating
                       the OneConnect Profile, on page 1-19. Use a unique name.


Creating the NTLM profile
                       To create the NTLM profile, follow the procedure found in Creating the
                       NTLM profile, on page 1-19. Use a unique name.


Creating the Client SSL profile
                       To create the Client SSL profile, follow the procedure found in Creating a
                       Client SSL profile, on page 1-20. Use a unique name. Make sure to see
                       Configuring SSL Certificates for Outlook Anywhere, on page 1-30 for an
                       important note about the type of certificate to use in this profile. See
                       Importing keys and certificates, on page 1-14 for information on importing
                       certificates and keys.


Creating the persistence profile
                       Outlook Anywhere uses Basic Authentication by default. If you use Basic
                       Authentication, you are able to take advantage of the OneConnect profile,
                       which provides additional performance enhancements. Specifically,
                       OneConnect dramatically reduces the overhead of maintaining TCP
                       connections between the BIG-IP LTM and the Client Access servers.

                           Note

                       The BIG-IP LTM system can also accommodate NTLM authentication. If
                       you are using BIG-IP LTM prior to 10.0, you cannot use OneConnect if you
                       choose NTLM as the authentication type.

                       To create the persistence profile
                            1. On the Main tab, expand Local Traffic, click Profiles, and then, on
                               the Menu bar, click Persistence. The Persistence Profiles screen
                               opens.
                            2. Click the Create button.
                            3. In the Name box, type a name for this profile. In our example, we
                               type exch_oa_persist.
                            4. From the Persistence Type list, select Universal. The configuration
                               options for universal persistence appear.
                            5. Click the Custom boxes for iRule and Timeout.


F5® Deployment Guide                                                                         1 - 32
                          6. From the iRule list, select the name of the iRule you created in
                             Creating the Outlook Anywhere persistence iRule, on page 1-31. In
                             our example, we select OutlookAnywherePersistRule.
                          7. In the Timeout box, type 3600 seconds (one hour).
                          8. Click the Finished button.


Creating the virtual server
                      To create the virtual server for Outlook Anywhere, follow the procedure
                      found in Creating the HTTPS virtual server, on page 1-23. Use a unique
                      name and appropriate IP address. The port should be 443. Select all of the
                      configuration objects (pool and profiles) you created for Outlook Anywhere
                      in this section where appropriate.


                      This completes the BIG-IP LTM configuration for Outlook Anywhere.








Configuring the BIG-IP LTM for ActiveSync
                       Exchange ActiveSync is a synchronization protocol based on HTTP and
                       XML that is designed to work over cellular, wireless Internet, or other
                       similar low-bandwidth, high-latency connections. Exchange ActiveSync can
                       synchronize e-mail messages, contacts, calendar, and task data.
                       By deploying BIG-IP LTM in front of ActiveSync-enabled servers, you gain
                       the advantages of intelligent load distribution, SSL/TLS offloading, and
                       ease of certificate management.
                       For more information on ActiveSync, see the Microsoft documentation.
                       As with Outlook Anywhere, many of the BIG-IP LTM configuration
                       procedures for ActiveSync are nearly identical to the procedures for Outlook
                       Web App. We refer back to those procedures in this section, noting any
                       differences.



Creating the HTTP health monitor
                       To create the ActiveSync monitor, follow the procedure Creating HTTP
                       health monitor, on page 1-11, using a unique name for ActiveSync. In
                       our example, we use exch_activesync_http.



Creating the ActiveSync pool
                       To create the ActiveSync pool, follow the procedure Creating the pool, on
                       page 1-12, using a unique name for ActiveSync. In our example, we use
                       exch_activesync_pool. Select the name of the monitor you created in the
                       preceding procedure. Type the appropriate IP addresses and port (80).



Creating the profiles
                       In this section, we create the profiles for ActiveSync. Again, we refer back
                       to the OWA section for many of the profiles.


Creating the HTTP profile
                       To create the HTTP profile, follow the procedure Creating HTTP profile, on
                       page 1-16, using the http-wan-optimized-compression-caching parent
                       profile. All other settings are optional.


Creating the TCP profiles
                       To create the TCP profiles, follow the procedures found in Creating TCP
                       profiles, on page 1-17. Use unique names for these profiles. In our example,
                       we create both LAN and WAN optimized TCP profiles for ActiveSync.




Creating the OneConnect profile
                      To create the OneConnect profile, follow the procedure found in Creating
                      the OneConnect Profile, on page 1-19. Use a unique name.


Creating the Client SSL profile
                      To create the Client SSL profile, follow the procedure found in Creating a
                      Client SSL profile, on page 1-20. Use a unique name. See Importing keys
                      and certificates, on page 1-14 for information on importing certificates and
                      keys (you should have a separate certificate for each FQDN).


Creating the persistence profile
                      To create the persistence profile, follow the procedure found in Creating a
                      cookie persistence profile, on page 1-18. Use a unique name.


Creating the virtual server
                      To create the virtual server for ActiveSync, follow the procedure found in
                      Creating the HTTPS virtual server, on page 1-23. Use a unique name and
                      appropriate IP address. The port should be 443. Select only the
                      configuration objects (pool and profiles) you created for ActiveSync in this
                      section where appropriate.


                      This completes the BIG-IP LTM configuration for ActiveSync.








Configuring the BIG-IP LTM to support Outlook
Web App, Outlook Anywhere, and ActiveSync using
a single virtual server
                       For most deployments, F5 recommends creating a separate virtual server for
                       Outlook Web App, Outlook Anywhere (RPC-over-HTTP), and ActiveSync
                       on Client Access servers, while re-using one of those virtual servers for
                       Autodiscover services (typically Outlook Web App). By maintaining a
                       separate virtual server for each component, you can manage each service
                       largely independently from one another. For instance, you may wish to have
                       different pool membership, load balancing methods, or custom monitors for
                       Outlook Web App and Outlook Anywhere. If those services are each
                       associated with a different virtual server, granular management becomes
                       easier.
                       In some cases, however, you may find it desirable or necessary to combine
                       multiple functions on the same virtual server; for instance, you may wish to
                       have a single fully-qualified domain name (FQDN) and associated SSL
                       certificate for all client access methods.

                           Tip
                       You may use the same FQDN and SSL certificate for IMAP4 and POP3
                       access, even though they are on different virtual servers, because neither of
                       those services shares the TCP port (443) used by Outlook Web App, Outlook
                       Anywhere, ActiveSync, and Autodiscover.

                       In the following procedures, we demonstrate methods for combining
                       functionality on a single virtual server, using an iRule to identify and treat
                       each traffic type individually. The examples shown only provide the basic
                       functionality required for each service. If you would like to customize the
                       iRule to provide additional services, such as customized event logging,
                       please refer to the iRules documentation, forums, and CodeShare examples
                       on DevCentral.
                       Because most tasks in this section are identical to those in previous sections,
                       we detail only those that are unique when using a single virtual server.
                       There are two options, each described in the following sections. See each
                       section for more specific details:
                       ◆   Using one pool for all HTTP services, with no WebAccelerator, on page
                           1-37
                           Follow the procedures in this section if you want to use a single FQDN
                           for all three services, a single pool and are not using the WebAccelerator.
                       ◆   Using different pools for each service and using the WebAccelerator, on
                           page 1-39
                           Follow the procedures in this section if you want to use a single FQDN
                           for all three services, multiple pools, and are using the WebAccelerator.




Using one pool for all HTTP services, with no WebAccelerator
                        You should use this example if the following conditions are true:
                        ◆     You want to use a single FQDN for Outlook Web App, Outlook
                              Anywhere, and ActiveSync.
                        ◆     You want to use the same BIG-IP LTM pool of Client Access Servers for
                              all three services.
                        ◆     You do not have a Web Accelerator module licensed and configured on
                              your BIG-IP LTM, or you do not wish to use a Web Accelerator policy
                              for Outlook Web App.
                        In the following sections, we refer to the procedures from Configuring the
                        BIG-IP LTM system for the Outlook Web App component of Client Access,
                        on page 1-3, calling out the places where the configuration differs.


Configuring Outlook Client Access servers to support SSL offloading
                        You must complete this step on each Client Access server that will be a
                        member of your pool. You must also identically configure every Client
                        Access server in the pool to support Outlook Anywhere and ActiveSync as
                        described in the Microsoft Exchange 2010 documentation. In all cases, the
                        External URL configured for each service must use an identical FQDN.


Configuring the BIG-IP LTM system
                        Use the following procedures to configure the BIG-IP LTM.

Creating the health monitor
                        To create the health monitor, follow the procedure Creating HTTP health
                        monitor, on page 1-11. Use a unique name for this monitor.

Creating the pool
                        To create the pool, follow the procedure Creating the pool, on page 1-12.
                        Note that the pool must contain members that have Outlook Web App,
                        Outlook Anywhere, and ActiveSync all enabled and configured correctly.
                        You may wish to name the pool to indicate its use; in our example, we use
                        exch_http_pool.

Creating the profiles
                        The next step is to create the BIG-IP LTM profiles.
                        ◆     HTTP profile - Use Creating HTTP profile, on page 1-16, giving the
                              profile a unique name.
                        ◆     TCP profiles - Use Creating TCP profiles, on page 1-17 to create both
                              LAN and WAN optimized TCP profiles, giving each a unique name.








                           There is one important change for the TCP profiles:
                           In the Nagle’s Algorithm row, click the Custom box, and then click to
                           clear the box to disable Nagle’s Algorithm.
                       ◆   OneConnect profile - Use Creating the OneConnect Profile, on page
                           1-19, giving the profile a unique name.
                       ◆   NTLM profile - Use Creating the NTLM profile, on page 1-19, giving the
                           profile a unique name.
                       ◆   Client SSL profile - Use Creating a Client SSL profile, on page 1-20. If
                           you have not already imported a certificate and key for this profile, see
                           Importing keys and certificates, on page 1-14.
                       You should not create a cookie persistence profile for this configuration.


Creating the iRules
                       If you are using the functionality found in the Redirect and Appending
                       iRules, follow the procedures found in Creating the Redirect iRule, on page
                       1-21 and Creating the appending iRule, on page 1-21. Explanations of each
                       iRule precede each procedure.
                       For this configuration, you must create an additional iRule which changes
                       persistence methods based on the service being accessed. When using a
                       single virtual server for Outlook Web App, Outlook Anywhere, and
                       ActiveSync, you need to use an iRule to separate out the traffic that supports
                       cookie persistence (Outlook Web App and ActiveSync) from that which
                       does not (Outlook Anywhere) and assign appropriate persistence methods.
                       The following example creates a persistence iRule that uses correct
                       persistence methods for each access type. This iRule assumes the use of a
                       single pool for all three services, and no Web Accelerator HTTP class
                       policy.

                       To create the persistence iRule
                            1. On the Main tab, expand Local Traffic, and then click iRules.
                            2. In the upper right portion of the screen, click the Create button.
                            3. In the Name box, enter a name for your iRule. In our example, we
                               use exch_owa_persist.
                            4. In the Definition section, copy and paste the following iRule:
                                when HTTP_REQUEST {
                                    # Outlook (RPC over HTTP) identifies itself with an MSRPC
                                    # User-Agent and keeps no cookies, so key persistence on the
                                    # Authorization header; everything else uses cookie persistence.
                                    if { [HTTP::header "User-Agent"] contains "MSRPC" } {
                                        persist uie [HTTP::header "Authorization"] 3600
                                    } else {
                                        persist cookie
                                    }
                                }

                            5. Click the Finished button.




Creating the virtual servers
                        For this configuration, you create two virtual servers:
                        • HTTP
                          To create the HTTP virtual server that redirects to HTTPS, follow the
                          procedure To create the HTTP virtual server, on page 1-17 exactly as
                          directed, except that you may wish to name the virtual server in a
                          manner similar to the other objects you have created (in our example
                          exch_virtual_http), and select the appropriate objects you created in
                          this section.
                        • HTTPS
                          To create the HTTPS virtual server, follow the procedure To create the
                          HTTPS virtual server, on page 1-18. Give the virtual server a unique
                          name. In Step 10, in addition to adding the appending iRule, also
                          select the persistence iRule you just created in the preceding
                          procedure. The persistence iRule should be placed below the appending
                          iRule in the Enabled box. In Step 12, rather than selecting a custom
                          persistence profile, select cookie.
                        This concludes this section. If you are using a redundant BIG-IP LTM
                        configuration, see Synchronizing the BIG-IP configuration if using a
                        redundant system, on page 1-53.



Using different pools for each service and using the
WebAccelerator
                        You should use this example if the following conditions are true:
                        ◆   You want to use a single FQDN for Outlook Web App, Outlook
                            Anywhere, and ActiveSync.
                        ◆   You want to use a different BIG-IP LTM pool of Client Access Servers
                            for each of the three services.
                        ◆   You have a Web Accelerator module licensed and configured on your
                            BIG-IP LTM, and you wish to use a Web Accelerator policy to
                            accelerate Outlook Web App.
                        In the following sections, we refer to the procedures from Configuring the
                        BIG-IP LTM system for the Outlook Web App component of Client Access,
                        on page 1-3, calling out the places where the configuration differs.


Configuring the BIG-IP LTM system
                        Use the following procedures to configure the BIG-IP LTM.

Creating the health monitors
                        For this configuration, you configure three different health monitors for the
                        Exchange Server 2010 roles. The health monitors are the same, only the
                        names are different. Use Creating HTTP health monitor, on page 1-11 to
                        create a monitor for Outlook Web App, Outlook Anywhere, and
                        ActiveSync, using unique names for each monitor. All other settings are
                        optional.






Creating the pools
                         For this configuration, you configure three different pools for the Exchange
                         Server 2010 roles. The pools are the same, only the names, IP addresses and
                         the health monitors are different. Use Creating the pool, on page 1-12 to
                         create pools for Outlook Web App, Outlook Anywhere, and ActiveSync,
                         using unique names for each pool, choosing the appropriate monitor, and
                         using the appropriate IP addresses. All other settings are optional.

Creating the profiles
                         The next step is to create the BIG-IP LTM profiles.
                         ◆   HTTP profile - Use Creating HTTP profile, on page 1-16, giving the
                             profile a unique name.
                         ◆   TCP profiles - Use Creating the TCP profiles, on page 1-31 to create
                             both LAN and WAN optimized TCP profiles, giving each a unique
                             name. Make sure that Nagle’s Algorithm is disabled.
                         ◆   OneConnect profile - Use Creating the OneConnect Profile, on page
                             1-19, giving the profile a unique name.
                         ◆   NTLM profile - Use Creating the NTLM profile, on page 1-19, giving the
                             profile a unique name.
                         ◆   Client SSL profile - Use Creating a Client SSL profile, on page 1-20. If
                             you have not already imported a certificate and key for this profile, see
                             Importing keys and certificates, on page 1-14.
                         You should not create a cookie persistence profile for this configuration.


Creating the iRules
                         For this configuration, you must create an additional iRule which changes
                         persistence methods based on the service being accessed. When using a
                         single virtual server for OWA, Outlook Anywhere, and ActiveSync, you
                         will need to use an iRule to separate out the traffic that supports cookie
                         persistence (Outlook Web App and ActiveSync) from that which does not
                         (Outlook Anywhere) and assign appropriate persistence methods.
                         This example creates a persistence iRule that uses correct persistence
                         methods for each access type. This iRule assumes the use of three pools for
                         the three services, and the Web Accelerator HTTP class policy.

To create the persistence iRule
                              1. On the Main tab, expand Local Traffic, and then click iRules.
                              2. In the upper right portion of the screen, click the Create button.
                              3. In the Name box, type a name for your iRule. In our example, we
                                 use exch_owa_persistence.
                              4. In the Definition section, copy and paste the following iRule:




                               when HTTP_REQUEST {
                                   # Outlook Anywhere: MSRPC User-Agent, no cookie support, so
                                   # persist on the Authorization header and use the OA pool.
                                   if { [HTTP::header "User-Agent"] contains "MSRPC" } {
                                       persist uie [HTTP::header "Authorization"] 3600
                                       pool exch_oa_pool
                                   } elseif { [HTTP::uri] contains "Microsoft-Server-ActiveSync" } {
                                       # ActiveSync devices keep cookies; send them to their own pool.
                                       persist cookie
                                       pool exch_activesync_pool
                                   } else {
                                       # Everything else (OWA, Autodiscover) goes to the OWA pool
                                       # and through the WebAccelerator HTTP class.
                                       persist cookie
                                       pool exch_owa_pool
                                       HTTP::class select exch07-class
                                   }
                               }


                          5. Click the Finished button.
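The decision logic of the two combined persistence iRules (the single-pool rule in the previous section and the three-pool rule in this one), replayed in Python as an added example that is not part of the F5 guide or the BIG-IP product. It reproduces the branch order, the pool and class names from the page, and a universal persistence table with the 3600-second timeout; the pool member addresses and request samples are constructed, the idle-timeout refresh behaviour is an assumption, and the table key is stored as a SHA-256 digest of the Authorization header rather than the raw value, which the guide's iRule does not do.

```python
"""Replay of the combined Exchange persistence iRule's decisions (added model,
not F5 code). Pool and class names come from the guide; everything else here
is constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OA_POOL = "exch_oa_pool"             # Outlook Anywhere (RPC over HTTP)
EAS_POOL = "exch_activesync_pool"    # Exchange ActiveSync
OWA_POOL = "exch_owa_pool"           # Outlook Web App and everything else
OWA_CLASS = "exch07-class"           # WebAccelerator HTTP class for OWA
UIE_TIMEOUT = 3600                   # seconds, as in "persist uie ... 3600"


@dataclass
class Decision:
    service: str                       # "outlook_anywhere", "activesync", "owa"
    pool: str
    persistence: str                   # "uie" or "cookie"
    http_class: Optional[str] = None   # only set on the OWA branch
    persist_key: Optional[str] = None  # only set on the UIE branch


def uie_key(authorization: str) -> str:
    """The iRule keys the persistence table on the raw Authorization header,
    which for Basic auth is base64 credentials. This model stores a SHA-256
    digest so the table holds no credential material (an addition here)."""
    return hashlib.sha256(authorization.encode("utf-8")).hexdigest()


def classify(headers: Dict[str, str], uri: str) -> Decision:
    """Same branch order as the iRule: MSRPC User-Agent wins, then the
    ActiveSync URI, then the OWA default (which also catches Autodiscover)."""
    if "MSRPC" in headers.get("User-Agent", ""):
        # Outlook keeps no cookies, so persist on the Authorization value.
        return Decision("outlook_anywhere", OA_POOL, "uie",
                        persist_key=uie_key(headers.get("Authorization", "")))
    if "Microsoft-Server-ActiveSync" in uri:
        return Decision("activesync", EAS_POOL, "cookie")
    return Decision("owa", OWA_POOL, "cookie", http_class=OWA_CLASS)


class UiePersistenceTable:
    """Universal persistence records: key -> (pool member, expiry). The 3600 s
    is modelled as an idle timeout refreshed on every hit (assumption)."""

    def __init__(self, timeout: int = UIE_TIMEOUT):
        self.timeout = timeout
        self._entries: Dict[str, Tuple[str, int]] = {}

    def lookup(self, key: str, now: int) -> Optional[str]:
        entry = self._entries.get(key)
        if entry is None:
            return None
        member, expires = entry
        if now >= expires:              # stale record: drop it, rebalance
            del self._entries[key]
            return None
        self._entries[key] = (member, now + self.timeout)
        return member

    def record(self, key: str, member: str, now: int) -> None:
        self._entries[key] = (member, now + self.timeout)


class Dispatcher:
    """Classification plus per-pool round robin and the UIE table, so a
    request sequence can be replayed and the stickiness checked."""

    def __init__(self, pools: Dict[str, List[str]], timeout: int = UIE_TIMEOUT):
        self.pools = pools
        self.table = UiePersistenceTable(timeout)
        self._next = {name: 0 for name in pools}

    def _round_robin(self, pool: str) -> str:
        members = self.pools[pool]
        member = members[self._next[pool] % len(members)]
        self._next[pool] += 1
        return member

    def handle(self, headers: Dict[str, str], uri: str, now: int) -> Tuple[Decision, str]:
        decision = classify(headers, uri)
        if decision.persistence == "uie":
            member = self.table.lookup(decision.persist_key, now)
            if member is None:
                member = self._round_robin(decision.pool)
                self.table.record(decision.persist_key, member, now)
            return decision, member
        # Cookie persistence is done by the BIG-IP cookie profile, not the
        # iRule, so the model only load balances the cookie branches.
        return decision, self._round_robin(decision.pool)


# Constructed pool members (private addresses, not from the guide).
SAMPLE_POOLS = {
    OA_POOL: ["10.0.1.11:80", "10.0.1.12:80"],
    EAS_POOL: ["10.0.1.21:80", "10.0.1.22:80"],
    OWA_POOL: ["10.0.1.31:80", "10.0.1.32:80"],
}
```

Replaying a sequence of MSRPC requests with the same Authorization value through `Dispatcher` shows them landing on one member until the record idles out; swapping the branch order in `classify` shows why the MSRPC test must come first.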


Creating the virtual servers
                      For this configuration, you create two virtual servers:
                      • HTTP
                        To create the HTTP virtual server that redirects to HTTPS, follow the
                        procedure To create the HTTP virtual server, on page 1-17 exactly as
                        directed, except that you may wish to name the virtual server in a
                        manner similar to the other objects you have created (in our example
                        exch_virtual_http), and select the appropriate objects you created in
                        this section.
                      • HTTPS
                        To create the HTTPS virtual server, follow the procedure To create the
                        HTTPS virtual server, on page 1-18. Give the virtual server a unique
                        name. In Step 10, in addition to adding the appending iRule, also select
                        the persistence iRule you just created in the preceding procedure. The
                        Persistence iRule should be placed below the appending iRule in the
                        Enabled box. In Step 12, rather than selecting a custom persistence
                        profile, select cookie.








Configuring the BIG-IP LTM for RPC Client Access
                              With Exchange Server 2010, Outlook clients connect using native MAPI to
                              the new RPC Client Access service, which runs on Client Access servers,
                              rather than directly to Mailbox servers. You can use BIG-IP LTM to
                              intelligently balance those incoming MAPI connections.
                              Unlike most of the other Client Access server roles, the RPC Client Access
                              service does not support offloading of encryption to the BIG-IP LTM.

                                 Note

                              Because the RPC Client Access Service requires the BIG-IP LTM to pass
                              traffic to the Client Access servers on a large number of ports, we
                              recommend that you use a firewall to permit only internal networks to
                              access the RPC Client Access virtual server IP address.



Prerequisites
                              You should refer to Microsoft documentation regarding the configuration of
                              the RPC Client Access service and mailboxes for each site. However, at a
                              minimum you will need to complete the following steps.
                                  1. In the Microsoft Exchange Management Shell, create a new Client
                                     Access Array and associate it with the same FQDN that you will be
                                     using. In our example, we type:
                       New-ClientAccessArray -Name "First Array" -FQDN outlook.siterequest.com

                                     You should use a name and FQDN appropriate to your deployment.
                                  2. You must modify the attributes of any pre-existing mailbox
                                     databases to use the new array. In our example, for existing Mailbox
                                     Database 1059170712, we type:
Set-MailboxDatabase "Mailbox Database 1059170712" -RPCClientAccessServer outlook.ex2010.siterequest.com

                                     You must specify the correct mailbox databases for your site, and
                                     the correct FQDN for your Client Access Array.

                                 Note

                              You can only configure one Client Access Array (and thus one FQDN and
                              one BIG-IP virtual server) per site.



Creating the TCP health monitor
                              For RPC Client Access, we create a TCP health monitor for port 135.

                              To create the TCP health monitor
                                  1. On the Main tab, expand Local Traffic, click Monitors, and then
                                     click the Create button. The New Monitor screen opens.



                      2. In the Name box, type a name for the Monitor. In our example, we
                         type exch_rpc_tcp.
                      3. From the Type list, select TCP.
                      4. From the Configuration list, select Advanced.
                      5. In the Configuration section, in the Interval and Timeout boxes,
                         type an Interval and Timeout. We recommend at least a 1:3 +1 ratio
                         between the interval and the timeout. In our example, we use an
                         Interval of 30 and a Timeout of 91.
                      6. In the Alias Service Port box, type 135.
                      7. All other settings are optional; configure them as applicable for
                         your deployment.
                      8. Click the Finished button.




                  Figure 1.9 Configuring the TCP monitor



Creating the RPC Client Access pool
                  To create the RPC pool, follow the procedure Creating the pool, on page
                  1-12, using a unique name for RPC. In our example, we use exch_rpc_pool.
                  Select the name of the monitor you created in the preceding procedure. Type
                  the appropriate IP addresses.
                  From the Service Port list, select *All Services.







Creating the profiles
                       Next we configure the RPC profiles.


Creating the TCP profiles
                       To create the TCP profiles, follow the procedures found in Creating TCP
                       profiles, on page 1-17. There is one important change for this profile:
                       ◆   In the Nagle’s Algorithm row, click the Custom box, and then click to
                           clear the box to disable Nagle’s Algorithm.
                       Use unique names for these profiles. In our example, we create both LAN
                       and WAN optimized TCP profiles for RPC.


Creating the OneConnect profile
                       To create the OneConnect profile, follow the procedure found in Creating
                       the OneConnect Profile, on page 1-19. Use a unique name.


Creating the persistence profile
                       To maintain server persistence for users connecting over the RPC Client
                       Access service, you must use a method such as Source Address Affinity.
                       Keep in mind that all clients sharing one source address, such as users
                       behind a NAT device or proxy, persist to the same Client Access server.

                       To create the new source address persistence profile
                            1. On the Main tab, expand Local Traffic, click Profiles, and then, on
                               the Menu bar, click Persistence.
                            2. Click the Create button.
                            3. In the Name box, type a name. We type exch_rpc_persist.
                            4. From the Persistence Type list, select Source Address Affinity.
                               The configuration options for source address persistence appear.
                            5. Make sure that source_addr is the Parent Profile.
                            6. Click the Custom box for Timeout.
                            7. In the Timeout box, type 3600 seconds (one hour). You may adjust
                               this to match your local network policies.
                            8. Click the Finished button.


Creating the virtual server
                       To create the virtual server for RPC Client Access, follow the procedure
                       found in Creating the HTTP virtual server, on page 1-22. Use a unique
                       name and appropriate IP address.
                       From the Service Port list, select All Ports.
                       Select only the configuration objects (pool and profiles) you created for
                       RPC Client Access in this section where appropriate.
                       This completes the BIG-IP LTM configuration for the RPC Client Access
                       Service.

Configuring the BIG-IP LTM for POP3 and IMAP4
                 POP3 and IMAP4 enable a variety of clients to connect to the Exchange
                 server. These include Outlook, Outlook Express, and third-party clients such
                 as Eudora or Mozilla Thunderbird.
                 The instructions in this guide detail configuring the BIG-IP LTM to serve
                 the secure versions of POP3 and IMAP4, known as POP3S and IMAPS
                 respectively, perform all SSL/TLS processing, and forward unencrypted
                 traffic to the standard ports on the Client Access Servers. Because user
                 credentials and mail then travel in clear text between the BIG-IP LTM and
                 the Client Access Servers, that network segment must be one you trust.
                 Alternate configurations, such as simply forwarding the encrypted traffic,
                 are not included in this guide.
                 For more information about how to manage POP3 and IMAP4 in Exchange
                 2010, see Understanding POP3 and IMAP4 on Microsoft TechNet at
                 http://technet.microsoft.com/en-us/library/bb124107%28EXCHG.140%29.aspx



Configuring the BIG-IP LTM for IMAP4
                 By default, the Exchange 2010 IMAP4 service requires encrypted
                 connections. Since you will be using the BIG-IP LTM to process all secure
                 connections, you must first change the default setting on each Client Access
                 server so that it accepts logins over unencrypted connections. Once changed,
                 the server accepts clear-text logins from any client that can reach port
                 143, so restrict direct access to that port to the BIG-IP LTM. You can
                 change the default setting from either the Exchange Management Console or
                 the Exchange Management Shell.

                 To change the default setting using the Exchange
                 Management Console
                     1. Expand Server Configuration, then Client Access.
                     2. In the list of Client Access servers, select a server to which you will
                        be sending IMAP4 traffic.
                     3. Select the IMAP4 protocol, right-click, and select Properties.
                     4. On the Authentication tab, change the setting to one of the plain text
                        login methods (Basic or Integrated Windows) as appropriate for
                        your environment and clients.
                     5. Click OK.
                     6. Restart the IMAP4 service on that Client Access server.
                     7. Repeat for each of the Client Access servers to which you will be
                        sending IMAP4 connections.


                 To change the default setting using the Exchange
                 Management Shell
                     1. Type one of the following commands, substituting the name of a
                        Client Access server for “servername”:
                         For Basic authentication:
                         Set-ImapSettings -Server "servername" -LoginType PlainTextLogin

                         For Windows Integrated authentication:
                         Set-ImapSettings -Server "servername" -LoginType PlainTextAuthentication

                     2. Restart the IMAP4 service on that Client Access server.
                     3. Repeat for each of the Client Access servers to which you will be
                        sending IMAP4 connections.


Importing the certificate and key
                               The next step in configuring the BIG-IP LTM for IMAP4 is to import a
                               certificate and key for IMAP. To import the certificate and key, follow the
                               procedure Importing keys and certificates, on page 1-14, using the
                               certificate and key for IMAP4.


Creating the IMAP health monitor
                               There are two options for creating an IMAP monitor. For the most accurate
                               monitor, we recommend method 1, in which the BIG-IP LTM logs into the
                               Client Access servers as an IMAP user. If you do not want to have a user
                               and mailbox that is used for this purpose, use method 2, which simply
                               checks for a valid IMAP server banner message.

Method 1
                               For Method 1, we create an IMAP monitor on the BIG-IP LTM. For this
                               monitor, you need an IMAP user account. We recommend creating a new,
                               dedicated account with its own mailbox and no other privileges, used
                               solely for this purpose; its password is stored on the BIG-IP LTM as
                               part of the monitor configuration.

                               To create the IMAP health monitor
                                   1. On the Main tab, expand Local Traffic, click Monitors and then
                                      click the Create button. The New Monitor screen opens.
                                   2. In the Name box, type a name for the Monitor. In our example, we
                                      type exch_imap4.
                                   3. From the Type list, select IMAP.
                                       For advanced configuration options, from the Configuration list,
                                       select Advanced.
                                   4. In the Configuration section, in the Interval and Timeout boxes,
                                      type an Interval and Timeout. We recommend a Timeout of at least
                                      three times the Interval plus one second (a 1:3+1 ratio). In our
                                      example, we use an Interval of 30 and a Timeout of 91.
                                   5. In the User Name box, type the user name of the dedicated IMAP
                                      monitor account described above.
                                   6. In the Password box, type the corresponding password.
                                   7. All other settings are optional, configure as applicable.
                                   8. Click the Finished button.



Method 2
                            If you do not want to create an IMAP user account for health monitoring,
                            you can create the following TCP health monitor for IMAP.

                            To create the TCP health monitor
                                1. On the Main tab, expand Local Traffic, click Monitors, and then
                                   click the Create button. The New Monitor screen opens.
                                2. In the Name box, type a name for the Monitor. In our example, we
                                   type exch_imap_tcp.
                                3. From the Type list, select TCP.
                                4. From the Configuration list, select Advanced.
                                5. In the Configuration section, in the Interval and Timeout boxes,
                                   type an Interval and Timeout. We recommend a Timeout of at least
                                   three times the Interval plus one second (a 1:3+1 ratio). In our
                                   example, we use an Interval of 30 and a Timeout of 91.
                                6. Optional: In the Receive String box, type the default banner
                                   provided by the Client Access IMAP4 service:
                                    The Microsoft Exchange IMAP4 service is ready.

                                    Without a Receive String, the monitor marks a server up as soon
                                    as the TCP connection succeeds, even if the IMAP4 service is not
                                    answering; the Receive String confirms that the service itself
                                    responded. If you have changed the default banner, you must use
                                    the appropriate banner in this field.
                                7. In the Alias Service Port box, type 143.
                                8. All other settings are optional, configure as applicable for your
                                   configuration.
                                9. Click the Finished button.
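The difference between the two methods is easiest to see by running both checks against a server that does and does not accept clear-text logins. The following Python script is an added example; it is not part of F5's guide and does not run on the BIG-IP. It stands up a constructed in-process IMAP4 listener that imitates a Client Access server (the greeting uses the default banner quoted above; the LOGIN and LOGOUT reply texts, the account name svc_imapmon and its password are invented for the example) and runs a Method 2 style check (TCP connect, read the greeting, match the Receive String) and a Method 1 style check (IMAP LOGIN as the monitor user) against it. With the listener in its Exchange default mode, which refuses LOGIN on an unencrypted connection, the banner check still reports the member up while the login check reports it down. This is why the guide recommends Method 1, and why the LoginType change in the previous section must be made on every Client Access server before the pool is built.

```python
"""Compare the two IMAP monitor methods from the guide (added example, not F5 code).

Method 2: TCP monitor with a Receive String; passes as soon as the service greets.
Method 1: IMAP monitor; passes only if the monitor user can actually LOGIN.
Requires Python 3.9+ (imaplib.IMAP4 timeout parameter). Everything runs on 127.0.0.1.
"""
import imaplib
import socket
import threading

# Default banner of the Exchange 2010 Client Access IMAP4 service (the guide's Receive String).
DEFAULT_BANNER = "The Microsoft Exchange IMAP4 service is ready."

# Constructed monitor account; the fake server accepts any name/password pair.
MONITOR_USER = "svc_imapmon"
MONITOR_PASSWORD = "constructed-password"


class FakeImapServer(threading.Thread):
    """Constructed stand-in for a Client Access server's IMAP4 listener.

    accept_plaintext_login=False imitates the Exchange default (SecureLogin): the
    greeting is sent, but LOGIN over an unencrypted connection is refused. The reply
    texts are invented; only the greeting matches the real service.
    """

    def __init__(self, accept_plaintext_login, banner=DEFAULT_BANNER):
        super().__init__(daemon=True)
        self.accept_plaintext_login = accept_plaintext_login
        self.banner = banner
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", 0))  # ephemeral port, exposed as .port
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]

    def run(self):
        conn, _ = self.listener.accept()  # one connection per check
        self.listener.close()
        with conn, conn.makefile("rb") as rfile:
            conn.sendall(f"* OK {self.banner}\r\n".encode("ascii"))
            for raw in rfile:  # loop ends on EOF when the client hangs up
                parts = raw.decode("ascii", "replace").rstrip("\r\n").split(" ", 2)
                if len(parts) < 2:
                    continue
                tag, command = parts[0], parts[1].upper()
                if command == "CAPABILITY":  # imaplib asks for this right after the greeting
                    reply = f"* CAPABILITY IMAP4rev1\r\n{tag} OK CAPABILITY completed.\r\n"
                elif command == "LOGIN":
                    reply = (f"{tag} OK LOGIN completed.\r\n" if self.accept_plaintext_login
                             else f"{tag} NO LOGIN failed.\r\n")
                elif command == "LOGOUT":
                    reply = f"* BYE Signing off.\r\n{tag} OK LOGOUT completed.\r\n"
                else:
                    reply = f"{tag} BAD Command not supported.\r\n"
                conn.sendall(reply.encode("ascii"))
                if command == "LOGOUT":
                    break


def banner_check(host, port, receive_string, timeout=3.0):
    """Method 2: connect, read the greeting line, require the Receive String in it.
    Returns True when the monitor would mark the member up. (Without a Receive String
    a TCP monitor passes on the handshake alone.)"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock, \
                sock.makefile("rb") as rfile:
            greeting = rfile.readline().decode("ascii", "replace")
    except OSError:  # connection refused or timed out
        return False
    return receive_string in greeting


def login_check(host, port, user, password, timeout=3.0):
    """Method 1: connect, LOGIN as the monitor user, LOGOUT. Returns True only when the
    service accepts the credentials on this (unencrypted) connection."""
    try:
        conn = imaplib.IMAP4(host, port, timeout=timeout)
    except (imaplib.IMAP4.error, OSError):
        return False
    try:
        conn.login(user, password)
        return True
    except imaplib.IMAP4.error:  # e.g. "NO LOGIN failed."
        return False
    finally:
        try:
            conn.logout()
        except (imaplib.IMAP4.error, OSError):
            pass


def compare_methods(accept_plaintext_login, receive_string=DEFAULT_BANNER):
    """Run both checks against a fresh fake server; return (method2_up, method1_up)."""
    results = []
    for check in (
        lambda port: banner_check("127.0.0.1", port, receive_string),
        lambda port: login_check("127.0.0.1", port, MONITOR_USER, MONITOR_PASSWORD),
    ):
        server = FakeImapServer(accept_plaintext_login)
        server.start()
        results.append(check(server.port))
        server.join(timeout=5)
    return tuple(results)


if __name__ == "__main__":
    print("LoginType changed (plaintext accepted):", compare_methods(True))   # (True, True)
    print("Exchange default (SecureLogin):        ", compare_methods(False))  # (True, False)
```

Passing a different receive_string to compare_methods shows the other caveat from step 6: a changed banner makes the Method 2 check fail even though the service is healthy and the login check passes.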


Creating the IMAP4 pool
                            To create the IMAP4 pool, follow the procedure Creating the pool, on page
                            1-12, using a unique name for IMAP. In our example, we use
                            exch_imap4_pool. Select the name of the monitor you created in the
                            preceding procedure. Type the appropriate IP addresses, and in the Service
                            Port box, type 143.


Creating the profiles
                            In this section, we create the profiles for IMAP4. Again, we refer back to the
                            OWA section for many of the profiles.

Creating the TCP profiles
                            To create the TCP profiles, follow the procedures found in Creating TCP
                            profiles, on page 1-17. Use unique names for these profiles. In our example,
                            we create both LAN and WAN optimized TCP profiles for IMAP4.








Creating the OneConnect profile
                          To create the OneConnect profile, follow the procedure found in Creating
                          the OneConnect Profile, on page 1-19. Use a unique name.

Creating the Client SSL profile
                          To create the Client SSL profile, follow the procedure found in Creating a
                          Client SSL profile, on page 1-20. Use a unique name, and the certificate and
                          key you imported for IMAP4. For more information on importing
                          certificates, see Importing keys and certificates, on page 1-14.


Creating the virtual server
                          To create the virtual server for IMAP4, follow the procedure found in
                          Creating the HTTPS virtual server, on page 1-23. Use a unique name and
                          appropriate IP address.
                          From the Service Port list, select 993 (the standard SSL IMAP4 port).
                          Select only the configuration objects (pool and profiles) you created for
                          IMAP4 in this section where appropriate.
                          This completes the BIG-IP LTM configuration for IMAP4.




Configuring the BIG-IP system for POP3
                          In this section, we configure the BIG-IP LTM for POP3. By default, the
                          Exchange 2010 POP3 service requires encrypted connections. Since you
                          will be using the BIG-IP LTM to process all secure connections, you must
                          first change the default setting on each Client Access server so that it
                          accepts logins over unencrypted connections. As with IMAP4, the server
                          then accepts clear-text logins from any client that can reach port 110,
                          so restrict direct access to that port to the BIG-IP LTM. You can change
                          the default setting from either the Exchange Management Console or the
                          Exchange Management Shell.

                          To change the default setting using the Exchange
                          Management Console
                              1. Expand Server Configuration, then Client Access.
                              2. In the list of Client Access servers, select a server to which you will
                                 be sending POP3 traffic.
                              3. Select the POP3 protocol, right-click, and select Properties.
                              4. On the Authentication tab, change the setting to one of the plain text
                                 login methods (Basic or Integrated Windows) as appropriate for
                                 your environment and clients.
                              5. Click OK.
                              6. Restart the POP3 service on that Client Access server.
                              7. Repeat for each of the Client Access servers to which you will be
                                 sending POP3 connections.




                       To change the default setting using the Exchange
                       Management Shell
                           1. Type one of the following commands, substituting the name of a
                              Client Access server for “servername”:
                               For Basic authentication:
                               Set-PopSettings -Server "servername" -LoginType PlainTextLogin

                               For Windows Integrated authentication:
                               Set-PopSettings -Server "servername" -LoginType PlainTextAuthentication

                           2. Restart the POP3 service on that Client Access server.
                           3. Repeat for each of the Client Access servers to which you will be
                              sending POP3 connections.


Importing the certificate and key
                       The next step in configuring the BIG-IP LTM for POP3 is to import a
                       certificate and key for POP3. To import the certificate and key, follow the
                       procedure Importing keys and certificates, on page 1-14, using the
                       certificate and key for POP3.


Creating the POP3 health monitor
                       Creating the health monitor for POP3 is very similar to creating the monitor
                       for IMAP4. As with IMAP4, there are two options for creating a POP3
                       monitor. For the most accurate monitor, we recommend method 1, in which
                       the BIG-IP LTM logs into the Client Access servers as a POP3 user. If you
                       do not want to have a user and mailbox that is used for this purpose, use
                       method 2, which simply checks for a valid POP3 server banner message.

Method 1
                       For this monitor, you need a POP3 user account. We recommend creating a
                       new, dedicated POP3 user to be used solely for this purpose. Use the
                       appropriate user name and password for this monitor. All other settings
                       are optional.
                       To create this monitor, follow the procedure in Method 1, on page 1-46, with
                       the following exceptions:
                       • In step 2, use a unique name, such as exch_pop3.
                       • In step 3, select POP3 from the list.
                       • In steps 5 and 6, use the user name and password of the POP3 account.

Method 2
                       For this monitor, follow the procedure Method 2, on page 1-47, with the
                       following exceptions:
                       • In step 2, use a unique name, such as exch_pop3_tcp.
                       • In step 6, the optional Receive String for POP3 is the default banner
                          provided by the Client Access POP3 service:
                          The Microsoft Exchange POP3 service is ready.
                       • In step 7, in the Alias Service Port box, type 110.


Creating the POP3 pool
                            To create the POP3 pool, follow the procedure Creating the pool, on page
                            1-12, using a unique name for POP3. In our example, we use
                            exch_POP3_pool. Select the name of the monitor you created in the
                            preceding procedure. Type the appropriate IP addresses, and in the Service
                            Port box, type 110.


Creating the profiles
                            In this section, we create the profiles for POP3. Again, we refer back to the
                            OWA section for many of the profiles.

Creating the TCP profiles
                            To create the TCP profiles, follow the procedures found in Creating TCP
                            profiles, on page 1-17. Use unique names for these profiles. In our example,
                            we create both LAN and WAN optimized TCP profiles for POP3.

Creating the OneConnect profile
                            To create the OneConnect profile, follow the procedure found in Creating
                            the OneConnect Profile, on page 1-19. Use a unique name.

Creating the Client SSL profile
                            To create the Client SSL profile, follow the procedure found in Creating a
                            Client SSL profile, on page 1-20. Use a unique name, and the certificate and
                            key you imported for POP3. For more information on importing certificates,
                            see Importing keys and certificates, on page 1-14.


Creating the virtual server
                            To create the virtual server for POP3, follow the procedure found in
                            Creating the HTTPS virtual server, on page 1-23. Use a unique name and
                            appropriate IP address.
                            From the Service Port list, select 995 (the standard SSL POP3 port).
                            Select only the configuration objects (pool and profiles) you created for
                            POP3 in this section where appropriate.
                            This completes the BIG-IP LTM configuration for POP3.




Configuring the FirePass controller for Exchange
Server 2010
                   This section of the Deployment Guide shows you how to configure the F5
                   FirePass controller for secure remote access to Microsoft Exchange Server
                   2010.
                   F5’s FirePass® controller is the industry leading SSL VPN solution that
                   enables organizations of any size to provide ubiquitous secure access for
                   employees, partners and customers to applications such as Microsoft
                   Exchange Server 2010, while significantly lowering support costs associated
                   with legacy client-based VPN solutions.
                   For more information on the Microsoft Exchange Server, see
                   http://www.microsoft.com/exchange/default.mspx
                   For more information on the FirePass controller, see
                   http://www.f5.com/products/FirePass/.



Prerequisites and configuration notes
                   The following are prerequisites for this section:
                   ◆   The FirePass controller should be running version 6.0 or later.
                   ◆   All of the configuration procedures in this document are performed on
                       the FirePass controller.
                   ◆   This configuration uses previously defined Active Directory groups to
                       provide authentication and simple user maintenance. For information on
                       how to configure Active Directory groups, consult the proper
                       documentation.
                   ◆   This Deployment Guide is written to the scenario outlined in the
                       following section. It is meant as a template; modify the configuration as
                       necessary for your deployment.



Configuration scenario
                   For the scenario used in this Deployment Guide, the Microsoft Exchange
                   deployment, along with an Active Directory instance, resides behind a
                   BIG-IP system. A group on the FirePass controller is given three access
                   methods for reading Microsoft Exchange/Outlook Web Access email:
                       • Through an Outlook Web Access Portal Favorite on the FirePass
                         device.
                       • Through the Network Access adapter, with a locally installed
                         Microsoft Outlook client.
                       • Through the Mobile Email feature, which provides lightweight, pure
                         HTML access to Exchange mailboxes using IMAP/POP3 and SMTP.






                       This Deployment Guide describes how to configure the FirePass controller
                       to allow secure remote access to the Exchange device(s), using Active
                       Directory for authentication. In our deployment, the FirePass device and the
                       Exchange deployment use a common Active Directory Domain Controller.
                       This guide also contains procedures on configuring some endpoint security
                       features, including antivirus checks.
                       To configure the FirePass controller for allowing secure remote access to the
                       Microsoft Exchange Servers deployment, use the following procedures:
                       • Connecting to the FirePass controller
                       • Creating groups on the FirePass controller
                       • Configuring auto-logon
                       • Configuring Outlook Web Access through the FirePass device
                       • Configuring Mobile Email for HTML-based access to email
                       • Configuring Network Access to the Exchange server
                       • Configuring Endpoint security



Connecting to the FirePass controller
                       To perform the procedures in this Deployment Guide you must have
                       administrative access to the FirePass controller.
                       To access the Administrative console, in a browser, type the URL of the
                       FirePass controller followed by /admin/, and log in with the administrator’s
                       user name and password.
                       Once you are logged on as an administrator, the Device Management screen
                       of the Configuration utility opens. From here, you can configure and
                       monitor the FirePass controller.



Creating groups on the FirePass controller
                       In this configuration, we configure two types of groups on the FirePass
                       controller, Resource and Master groups. Master groups contain user
                       information, including details about authentication methods. Resource
                       groups contain information about applications (resources) that are available
                       to FirePass controller users.


Creating a Resource group
                       Resource groups allow you to preconfigure specific applications and access
                       by group, and assign the group to a master group or an individual user. For
                       this configuration, we create a single resource group for employees.

                         Tip
                       If you already have a resource group configured on the FirePass controller
                       for employees, you can use that group and skip this procedure.


                            To configure a resource group
                                1. From the navigation pane, click Users, expand Groups, and then
                                   click Resource Groups.
                                2. Click the Create new group button.
                                   The Group Management - Create New Group screen opens.
                                3. In the New group name box, type a name for your group and click
                                   the Create button. In our example we type employees_email. The
                                   new group appears in the Resource Groups table.


Creating the Master Group
                            FirePass controller master groups are composed of users, authentication
                            methods, and security and policy information. The next task is to create a
                            Master group that will use the resource group we just created.

                            To create a new Master Group
                                1. From the Administrative Console navigation pane, click Users,
                                   expand Groups, click Master Groups, and then click the Create
                                   new group button.
                                   The Group Management Create New Group screen opens.
                                2. In the New group name box, type the name of your group. In our
                                   example we type exchangeAD.
                                3. In the Users in group box, select External.
                                4. From the Authentication method list, select Active Directory.
                                5. In the Copy settings from list, make sure Do not copy is selected
                                   (see Figure 1.10).
                                6. Click the Create button.
                                   The General tab of the new Master Group displays.




Figure 1.10 Creating a new Master Group


                                7. Click the Resource Groups tab.
                                   The Resource Groups screen opens.







                           8. From the Available box, select the name of the Resource group you
                              created in the Creating a Resource group section. In our example,
                              we select employees_email.
                           9. Click the Add button to move the group to the Selected box, and
                              click the Update button. The Resource group is now associated with
                              the Master group.


Configuring the Master group for Active Directory authentication
                       The next step is to configure the Master group to use Active Directory
                       authentication.

                         Important
                       The FirePass controller has a number of different authentication methods to
                       choose from; use the method applicable to your configuration. However,
                       this guide only contains instructions on configuring Active Directory
                       authentication. See the online help or FirePass documentation for more
                       information on configuring other authentication methods.

                       To configure the FirePass Master group to use Active
                       Directory authentication
                           1. From the navigation pane, click Users, expand Groups, and then
                              click Master Groups.
                           2. Click the name of the Master group you created in the Creating the
                              Master Group section. In our example, we select exchangeAD.
                           3. Click the Authentication tab.
                           4. In the Configure Active Directory Settings section, configure the
                              appropriate settings for your Active Directory deployment. Type the
                              fully qualified domain name in the Domain name box, and IP
                              addresses or DNS names for the Kerberos (Domain Controller) and
                              WINS servers in their respective boxes.
                           5. Click the Save Settings button.




                      6. You can optionally click Test Saved Settings to test the Active
                         Directory authentication.




                  Figure 1.11 Active Directory Authentication settings


                      7. Click Select Domain Group.
                         The Active Directory Authentication screen opens.
                         Important: Be sure you have entered the Domain admin name and
                         password and saved the settings before clicking Select Domain
                         Group.
                      8. From the list, select the Active Directory Domain group the user
                         must belong to in order to authenticate, and click the Select Group
                         button.
                      9. Click the Save Settings button again. You can also click the Test
                         Saved Settings button to test the configuration.



Configuring auto-logon
                  The FirePass controller allows auto-logon (single sign-on) to sites that
                  support Basic or NTLM authentication, using the user's FirePass credentials.
                  In our scenario, we configure this option to allow single sign-on (SSO).
                  Because the FirePass controller replays the user's credentials to every
                  Basic- or NTLM-protected site it proxies for the group, limit group members
                  to the administrator-configured Favorites (step 4 below) so that credentials
                  are not sent to arbitrary sites.

                  To configure SSO/NTLM for auto-login
                      1. From the navigation pane, click Portal Access.
                      2. Under Web Applications, click Master Group Settings.








                           3. From the Master Group list at the top of the page, select the Master
                              Group you created in the Creating the Master Group section. In our
                              example, we select exchangeAD.
                              The configuration settings for the Master group open.
                           4. To ensure members of the group only have access to the
                              administrator-configured Favorites, make sure that the check box
                              under Access limitation is checked.
                           5. In the NTLM and Basic Auth Proxy section, click a check in the
                              Auto-login to Basic and NTLM auth protected sites using
                              FirePass user credentials box.
                              The NTLM and Basic Auth domain boxes display.
                           6. In the NTLM Auth Domain (optional) box, you can type the
                              default Domain to be used in conjunction with the auto-login
                              support.
                           7. In the Basic Auth Domain (optional) box, you can type the default
                              Domain to be used in conjunction with the auto-login support.
                              When specified, this value is prepended to the user name during
                              Basic authentication (for example, MYDOMAIN\username). Basic
                              authentication carries the credentials only base64-encoded, not
                              encrypted, so the connection from the FirePass to the protected
                              site should itself be SSL-protected.
                           8. Click the Update button.




                       Figure 1.12 Configuring NTLM Master Group Settings
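                  The Basic/NTLM auto-login behaviour described in steps 5 through 7, as an
                  added Python example that is not part of this guide or of the FirePass
                  product: given the WWW-Authenticate challenges in a 401 from the protected
                  site, it builds the account name or Authorization header the auto-login
                  would send, prepending the configured NTLM or Basic Auth Domain, and shows
                  that a Basic header is trivially decodable by anyone on the path. The
                  preference for NTLM over Basic, the function names and the constructed 401
                  headers are this example's own assumptions.

```python
import base64


def challenge_schemes(www_authenticate_headers):
    """Return the scheme name of each challenge in the server's 401, lower-cased.

    Each element is one WWW-Authenticate header value, e.g. 'NTLM' or
    'Basic realm="Exchange"'. The scheme is always the first token."""
    return [h.strip().split()[0].lower() for h in www_authenticate_headers if h.strip()]


def basic_authorization(username, password, basic_domain=None):
    """Build the Authorization header auto-login sends for a Basic challenge.

    When a Basic Auth Domain is configured it is prepended as DOMAIN\\username
    before the user:password pair is base64-encoded (RFC 7617 form)."""
    user = f"{basic_domain}\\{username}" if basic_domain else username
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def decode_basic(authorization):
    """Recover user and password from a Basic Authorization header.

    Anyone who can read the hop can do this, which is why the FirePass-to-site
    connection must itself be SSL-protected when Basic is in use."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def ntlm_account(username, ntlm_domain=None):
    """Account name used for the NTLM exchange: DOMAIN\\username when an NTLM
    Auth Domain is configured, otherwise the bare FirePass user name."""
    return f"{ntlm_domain}\\{username}" if ntlm_domain else username


def plan_auto_login(www_authenticate_headers, username, password,
                    ntlm_domain=None, basic_domain=None):
    """Decide how to answer a 401 with the user's FirePass credentials.

    Preference order (this example's own assumption, not a documented
    FirePass rule): NTLM first, because the password itself never crosses
    the wire; Basic only when NTLM is not offered; None when neither is."""
    schemes = challenge_schemes(www_authenticate_headers)
    if "ntlm" in schemes:
        return "ntlm", ntlm_account(username, ntlm_domain)
    if "basic" in schemes:
        return "basic", basic_authorization(username, password, basic_domain)
    return None, None


if __name__ == "__main__":
    # Constructed 401 challenges from an OWA virtual directory offering both schemes.
    headers = ["NTLM", 'Basic realm="webmail.company.com"']
    print(plan_auto_login(headers, "jsmith", "s3cret", ntlm_domain="MYDOMAIN"))
    hdr = basic_authorization("jsmith", "s3cret", basic_domain="MYDOMAIN")
    print(hdr, "->", decode_basic(hdr))
```

                  Running the block prints the NTLM account name chosen for the two-scheme
                  challenge, then a Basic header followed by the user name and password
                  recovered from it; the round trip is the point of the example.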



Configuring Outlook Web Access through the FirePass device
                       For organizations that want an added layer of security for their Outlook
                       Web Access deployment, want to require antivirus or other pre-logon
                       checks, or do not want to make Outlook Web Access directly accessible
                       from the Internet, the FirePass can be configured to render Outlook Web
                       Access inside the FirePass user window.



                  To configure Outlook Web Access through the FirePass
                      1. From the navigation pane, click Users, expand Groups, and then
                         click Resource Groups.
                      2. From the Resource Groups table, find the row with the name of the
                         Resource group you created in the Creating a Resource group
                         section (employee_email in our example). In this row, from the
                         Portal access column, click Edit. The Web Applications section of
                         the Resource Group page opens.
                      3. Under Web Application Favorites, click Add New Favorite. The
                         Favorite options display.
                      4. Type a name for the Favorite. In our example, we type Outlook
                         Web Access. This Favorite link only displays for members of the
                         employee_email group.
                      5. In some versions of the FirePass controller, you see a Web
                         Application Type box. If you see this box, select Microsoft
                         Outlook Web Access from the list.
                      6. In the URL box, type the URL used to access Outlook Web
                         Access. If you are using a BIG-IP system in front of the
                         deployment, this URL should point to the virtual server address,
                         using the scheme that virtual server actually listens on (https://
                         for an SSL virtual server). In our example, we type
                         http://webmail.company.com/.
                      7. Configure the rest of the settings as applicable to your deployment.
                      8. Click the Add New button.
                         The new Favorite is added to the list, and appears in the Portal
                         Access Favorites section when the end user logs on to the FirePass.



Configuring Mobile Email for HTML-based access to email
                  As an alternative to (or in addition to) using Outlook Web Access, you can use
                  the FirePass controller's Mobile Email feature as a lightweight, browser-only
                  way of viewing Microsoft Exchange email without exposing the full Outlook
                  Web Access interface.

                  To configure mobile access
                      1. From the navigation pane, click Portal Access and then click
                         Mobile E-Mail.
                         Make sure the proper Master group is selected from the Master
                         Group list in the top left.
                      2. Under Corporate mail account, click a check in the Enable
                         corporate mail account box.
                      3. In the Account Name box, type a name for this email account. In
                         our example, we type Exchange Server.
                      4. In the Mail Server box, type the name or IP address of the
                         Exchange server. In our example, we type exchange1.
                      5. In the Type box, select IMAP.
                         Note: In Exchange 2010, IMAP4 is provided by the Client Access
                         server role, and the Microsoft Exchange IMAP4 service is not
                         started by default. Enable it on the server you name here before
                         testing this feature.


                           6. In the IMAP Folders box, type the folders that should be displayed.
                              A user can add to this list independently. Listing the folders
                              avoids the common confusion created by Exchange servers that
                              display non-email items such as contacts, calendar, and so on,
                              as empty folders. In our example, we type Inbox,Drafts,Notes,Sent
                              Items. In the Sent Folder box, we type Sent Items. In the Deleted
                              Items box, we type Deleted Items.
                           7. From the Login Information box, choose the setting appropriate for
                              your configuration. In our example, we select User supplies display
                              and login information during the first logon.
                           8. In the Outgoing Mail Server box, type the name or IP address of
                              your outgoing mail server.
                           9. Click the Update button.
                          10. Configure the rest of the options as applicable for your deployment,
                              making sure to click the appropriate Update button if you make
                              changes.



Configuring Network Access to the Exchange server
                       For remote users with an Outlook client on their PC, the FirePass can be
                       configured to grant access to the corporate network to communicate directly
                       with the Exchange server.

                       To configure Network access to the Exchange Server
                           1. From the navigation pane, click Network Access, and then click
                              Global Settings.
                           2. From the Add new IP Address Pool section, in the Name box, type
                              a name for this pool of IP addresses.
                           3. In the IP Address box, type the Network address for this pool. In
                              our example, we type 10.10.101.0.
                               Important: Using Network Access requires you have one internal IP
                               address for each concurrent user, so make sure this Network
                               address can handle all possible concurrent users.

                               Warning: To prevent routing problems, ensure the Network address
                               pool does not contain the FirePass device’s IP address.
                           4. In the Mask box, type the appropriate subnet mask. In our example,
                              we type 255.255.255.0.
                           5. Click the Add button. In our example, this creates enough addresses
                              for 254 users.
                           6. Leave the Use NAPT to Access LAN box checked.
                           7. Click the Apply these rules now button.
                              The IP address pool is now configured.



                        8. From the navigation pane, click Resources.
                           The Network Access Resource screen opens.
                        9. In the Connection Name box, type a name for the connection. This
                           is the name the end user sees in the Favorites list. In our example,
                           we type internal exchange.
                       10. You can optionally configure split tunneling. To configure split
                           tunneling, click a check in the Use split tunneling box. The LAN
                           and DNS address space boxes display. Configure these options as
                           applicable for your deployment.
                       11. Leave the Enable Client for Microsoft Networks checked. The
                           Enable File and Printer Sharing for Microsoft Networks setting
                           is optional.
                       12. If you want the FirePass device to perform GZIP compression, click
                           a check in the Use gzip compression box.
                       13. Click the Update button.
                       14. In the Configure IP Address Assignment section, make sure there is
                           a check in the Assign IP address dynamically using IP address
                           pool (lowest priority: Enabled by default) box.
                       15. From the Select IP Address Pool list, select the pool you created in
                           step 2, and click the Update button.



Configuring Endpoint security
                    One of the strong security features of the FirePass controller is the ability to
                    set endpoint security at an extremely granular level. For this Deployment
                    Guide, we illustrate how to configure a pre-logon sequence for inspections
                    before a user logs on. For more information on endpoint security, see the
                    FirePass documentation or the online help.


Creating a pre-logon sequence
                    The pre-logon sequence allows administrators to create one or more
                    sequences of inspections for items such as installed antivirus programs or
                    OS patch levels. For this Deployment Guide, we configure a Windows
                    Antivirus Checker.

                    To configure a pre-logon sequence
                        1. From the navigation pane, click Users, expand Endpoint Security,
                           and click Pre-Logon Sequence.
                        2. In the New Sequence section at the bottom of the page, type a name
                           for the sequence in the Create New Sequence box. In our example,
                           we type exchangeBasic.
                        3. From the Based on list, select template: Collect information with
                           no pre-logon actions.


                        4. Click the Create button.
                           The new sequence appears in the Select Sequence to Use table.
                        5. In the row of the sequence you just created, click the Edit button.

                           Warning - Do not click the radio button next to the sequence yet. If
                           you click the radio button, the Edit link will be replaced with the
                           View link, and you are not able to edit the sequence.
                           The Pre-Logon Sequence Editor opens.
                        6. Move the cursor between Sequence Start and Logon Allowed
                           Page. An add [+] link appears on the arrow (see the circle marked 1
                           in Figure 1.13). Click the add link.
                           The Change Sequence panel appears on the right.
                        7. Click the Check for Antiviruses option button, and click the Apply
                           Changes button.
                           The Edit Action panel opens.
                           Note: The Check for Antiviruses is an optional feature on the
                           FirePass controller. If your device does not have this license, you
                           will not see this option.
                        8. Under Inspectors, click Windows Antivirus Checker.
                           The Endpoint Inspector Details page opens in a new window.
                        9. Configure these options as applicable for your deployment. For
                           more information, click Help.
                       10. Click the Update button.
                       11. In the Sequence pane, find AV installed, and click the associated
                           Logon Denied Page link (see the circle marked 2 in Figure 1.13).
                           The End Page Properties pane appears on the right.
                       12. From the Type box, select Logon Allowed Page. This allows a user
                           to logon if they have an antivirus checker installed. You can
                           optionally type a message for failed logons.
                       13. Optional: You can click the Logon Allowed Page or Logon Denied
                           Page links for the other options to produce a custom message when
                           a user is denied access. You can also change the actions taken as a
                           result of the virus checker’s findings. For example, you might still
                           want to allow a user to login if there is virus checking software
                           installed, but not currently running.
                           In our example, we click Logon Denied Page next to Virus
                           Detected, and type a message informing the user there is a virus on
                           their computer, and they cannot log in.
                       14. When you are finished, click Back to Console in the upper right
                           corner of the screen (see the circle marked 3 in the following
                           figure).
                           You return to the Pre-Logon Sequence main page.




                               15. From the Select Sequence to Use section, click the option button
                                   next to the sequence you just created. In our example, we click
                                   exchangeBasic.
                               16. Click the Apply button.


                        [Figure 1.13: screenshot of the Pre-Logon Sequence Editor. Callout 1
                        marks the add [+] link between Sequence Start and Logon Allowed Page,
                        callout 2 the Logon Denied Page link next to AV installed, and callout 3
                        the Back to Console link in the upper right corner.]
Figure 1.13 The Pre-Logon Sequence Editor



                            The FirePass controller is now configured to allow secure remote access to
                            Exchange-based email. Remember that the procedures in this Deployment
                            Guide are specific to the scenario described in Configuration scenario, on
                            page 51. Use this guide as a template, and modify the configuration as
                            applicable to your deployment.




2
Deploying F5 and Microsoft Exchange Server 2010
Edge Transport Servers



              • Deploying F5 and Microsoft Exchange Server 2010
                Edge Transport Servers

              • Configuring the BIG-IP LTM system for deployment
                with Exchange 2010 Edge Transport Servers

              • Configuring the Message Security Module with
                Exchange 2010 Edge Transport Servers

              • Configuring the BIG-IP Global Traffic Manager with
                Exchange 2010 Edge Transport Servers
Deploying F5 and Microsoft Exchange Server 2010
Edge Transport Servers
                   This chapter gives you step-by-step procedures for configuring F5 products
                   for deployment with the Edge Transport Server component of Exchange
                   Server 2010.
                   In Exchange 2010, the Edge Transport server role is usually deployed in
                   your organization's perimeter network on stand-alone servers. Designed to
                   minimize the attack surface, the Edge Transport server handles all
                   Internet-facing mail flow, which provides Simple Mail Transfer Protocol
                   (SMTP) relay and smart host services for the Exchange organization. Edge
                   Transport servers also include anti-spam and antivirus features, which
                   provide services to block viruses and spam, or unsolicited commercial
                   e-mail, at the network perimeter.
                   For more information on the Edge Transport Server role, see
                   http://www.microsoft.com/technet/prodtechnol/exchange/2010/edge.mspx?WT.svl=2010resources
                   For more information on Microsoft Exchange Server 2010, see
                   http://www.microsoft.com/exchange/default.mspx.
                   For more information on F5 products and features, see
                   http://www.f5.com/products/.



Prerequisites and configuration notes
                   The following are prerequisites and configuration notes for this deployment:
                   ◆   This guide is written for the Edge Transport Server component of
                       Microsoft Exchange Server 2010.
                   ◆   This chapter contains procedures on configuring multiple F5 products
                       and/or modules. To perform certain procedures, you must own the
                       appropriate product or have licensed the relevant module. These sections
                       are clearly marked.
                   ◆   All of the configuration procedures in this document are performed on F5
                       devices. For information on how to deploy or configure Microsoft
                       Exchange Server 2010, consult the appropriate Microsoft documentation.



Configuration example
                   As Edge Transport Servers are most often located on or near the perimeter
                   of an organization's networks, it is possible to deploy Edge Transport
                   servers in more than one datacenter. Any or all of those Edge Transport
                   servers may be involved in relaying mail.




                                  In the following deployment, the BIG-IP LTM system provides local traffic
                                  management and uses SMTP health monitors to check the availability of the
                                  Edge Transport servers. We also use the Message Security Module (MSM)
                                  to provide the first line of defense against spam. MSM can
                                  eliminate up to 70% of unwanted email before letting the Edge Transport
                                  servers handle the rest.
                                  We also enable the GTM module in two data centers, set up active
                                  monitoring of the status of Local Traffic Manager virtual servers that are in
                                  front of Edge Transport server pools, establish a DNS record for the mail
                                  service, and build policies that direct incoming email appropriately.
                                  [Figure 2.1: external SMTP servers and DNS on the Internet side deliver
                                  to two sites, Exchange Service Delivery Location (SDL) A and SDL B.
                                  Each site has a BIG-IP LTM system with GTM and MSM modules in front
                                  of multiple Edge Transport Servers, which receive the SMTP traffic.]
Figure 2.1 Logical configuration example


                                  The example in Figure 2.1 is a logical representation of this deployment.
                                  Your configuration may be dramatically different from the one shown.
                                  This deployment guide is broken up into the following sections:
                                  ◆     Configuring the BIG-IP LTM system for deployment with Exchange 2010
                                        Edge Transport Servers, on page 2-3
                                  ◆     Configuring the Message Security Module with Exchange 2010 Edge
                                        Transport Servers, on page 2-10
                                  ◆     Configuring the BIG-IP Global Traffic Manager with Exchange 2010
                                        Edge Transport Servers, on page 2-19


Configuring the BIG-IP LTM system for deployment
with Exchange 2010 Edge Transport Servers
                  To configure the BIG-IP and Edge Transport servers for integration, you
                  need to complete the following procedures:
                  • Connecting to the BIG-IP device
                  • Creating the health monitor
                  • Creating the pool
                  • Creating a tcp profile
                  • Creating the virtual server
                  • Synchronizing the BIG-IP configuration if using a redundant system

                    Tip
                  We recommend you save your existing BIG-IP configuration before you
                  begin the procedures in this Deployment Guide. Because the backup and
                  restore process differs between versions, refer to the
                  appropriate BIG-IP LTM manual, available on Ask F5.



Connecting to the BIG-IP device
                  Use the following procedure to access the BIG-IP web-based Configuration
                  utility using a web browser.

                  To connect to the BIG-IP LTM system using the
                  Configuration utility
                      1. In a browser, type the following URL:
                          https://<administrative IP address of the BIG-IP
                          device>
                          A Security Alert dialog box appears, because the BIG-IP ships with a
                          self-signed certificate on its management interface. Verify the
                          certificate (or replace it with one your browsers trust), then click
                          Yes.
                          The authorization dialog box appears.
                      2. Type your user name and password, and click OK.
                         The Welcome screen opens.
                  Once you are logged on to the BIG-IP LTM system, the Welcome screen of
                  the Configuration utility opens. From the Configuration utility, you can
                  configure and monitor the BIG-IP LTM system, as well as access online
                  help, download SNMP MIBs and Plug-ins, and even search for specific
                  objects.




Creating the health monitor
                       The first step is to set up a health monitor for the Edge Transport Servers.
                       This procedure is optional, but very strongly recommended. For this
                       configuration, we create an SMTP health monitor based on the default
                       SMTP monitor.

                       To configure a SMTP health monitor
                           1. On the Main tab, expand Local Traffic, and then click Monitors.
                              The Monitors screen opens.
                           2. Click the Create button.
                              The New Monitor screen opens.
                           3. In the Name box, type a name for the Monitor.
                              In our example, we type exch_et_smtp.
                           4. From the Type list, select SMTP.
                              The SMTP Monitor configuration options appear. You can
                              optionally select Advanced from the Configuration list for more
                              options.
                           5. In the Configuration section, in the Interval and Timeout boxes,
                              type an Interval and Timeout. We recommend a Timeout of at least
                              three times the Interval plus one second (3n+1), so that a member
                              can miss three consecutive probes before it is marked down (for
                              example, the default setting has an interval of 5 and a timeout of
                              16). In our example, we use an Interval of 30 and a Timeout of 91.
                           6. In the Domain box, type the domain name to check. In our example,
                              we type exch.f5.com
                           7. Click the Finished button (see Figure 2.2).
                              The new monitor is added to the Monitor list.




                       Figure 2.2 Creating the SMTP Monitor
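                       What the SMTP monitor does on each probe, and why the Interval/Timeout
                       ratio matters, as an added Python example that is not part of this guide
                       or of BIG-IP itself. The probe performs the banner/HELO/QUIT exchange
                       against a constructed stand-in for an Edge Transport server on loopback,
                       and it assumes the Domain setting is what the monitor sends in HELO.
                       MonitorState is a simplified model of the up/down decision (a member
                       stays up while some probe has succeeded within the last Timeout seconds),
                       not BIG-IP's actual monitoring code; all names and sample replies are
                       this example's own.

```python
import socket
import threading


def recommended_timeout(interval):
    """Timeout the guide recommends: three probe intervals plus one second
    (5 -> 16, 30 -> 91), so a member survives three missed probes."""
    return 3 * interval + 1


def smtp_probe(host, port, domain, timeout=5.0):
    """One SMTP health check in the shape the BIG-IP SMTP monitor uses:
    connect, expect a 220 banner, send HELO <domain> (assumption: the
    monitor's Domain setting), expect 250, then QUIT.
    True only when both replies are good within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s, \
                s.makefile("rwb") as f:
            if not f.readline().startswith(b"220"):
                return False
            f.write(b"HELO " + domain.encode("ascii") + b"\r\n")
            f.flush()
            if not f.readline().startswith(b"250"):
                return False
            f.write(b"QUIT\r\n")
            f.flush()
            return True
    except (OSError, ValueError):
        return False


class MonitorState:
    """Simplified up/down decision from the Interval/Timeout pair: the member
    stays up while a probe has succeeded within the last `timeout` seconds and
    is marked down once that window passes without a success. With
    timeout = 3*interval + 1, probes at t+5, t+10 and t+15 may all fail and
    the member only goes down at the fourth miss."""

    def __init__(self, interval, timeout):
        self.interval, self.timeout = interval, timeout
        self.last_success = None
        self.up = True

    def record(self, now, success):
        if success:
            self.last_success = now
            self.up = True
        elif self.last_success is None or now - self.last_success > self.timeout:
            self.up = False
        return self.up


def start_fake_smtp(banner=b"220 edge1 ESMTP\r\n", helo_reply=b"250 edge1\r\n"):
    """Constructed stand-in for an Edge Transport server on an ephemeral
    loopback port; returns the port. Serves connections in a daemon thread."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            try:
                with conn:
                    conn.sendall(banner)
                    if conn.recv(1024).upper().startswith((b"HELO", b"EHLO")):
                        conn.sendall(helo_reply)
                    conn.recv(1024)  # QUIT, or EOF when the probe gave up early
                    conn.sendall(b"221 bye\r\n")
            except OSError:
                pass  # probe closed first; nothing to clean up

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_smtp()
    print("healthy member:", smtp_probe("127.0.0.1", port, "exch.f5.com"))
    broken = start_fake_smtp(helo_reply=b"554 no service\r\n")
    print("member refusing HELO:", smtp_probe("127.0.0.1", broken, "exch.f5.com"))
    m = MonitorState(5, recommended_timeout(5))
    print([m.record(t, t == 0) for t in (0, 5, 10, 15, 20)])  # three misses tolerated
```

                       A member that answers the banner but rejects HELO (the 554 case) is
                       reported down, which is the difference between this monitor and a plain
                       TCP port check; the simulated timeline shows the member staying up
                       through three missed probes and going down on the fourth.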




Creating the pool
                    The next step in this configuration is to create a pool on the BIG-IP LTM
                    system for the Edge Transport Servers. A BIG-IP pool is a set of devices
                    grouped together to receive traffic according to a load balancing method.

                    To create the pool
                        1. On the Main tab, expand Local Traffic, and then click Pools.
                           The Pool screen opens.
                        2. In the upper right portion of the screen, click the Create button.
                           The New Pool screen opens.

                            Note: For more (optional) pool configuration settings, from the
                            Configuration list, select Advanced. Configure these settings as
                            applicable for your network.
                        3. In the Name box, enter a name for your pool.
                           In our example, we use exch_et_pool.
                        4. In the Health Monitors section, select the name of the monitor you
                           created in the Creating the health monitor section, and click the Add
                           (<<) button. In our example, we select exch_et_smtp.
                        5. From the Load Balancing Method list, choose your preferred load
                           balancing method (different load balancing methods may yield
                           optimal results for a particular network).
                           In our example, we select Least Connections (node).
                        6. For this pool, we leave the Priority Group Activation Disabled.
                        7. In the New Members section, make sure the New Address option
                           button is selected.
                        8. In the Address box, add the first server to the pool. In our example,
                           we type 10.133.20.53
                        9. In the Service Port section, select SMTP from the list, or type 25.
                       10. Click the Add button to add the member to the list.
                       11. Repeat steps 8-10 for each server you want to add to the pool.
                           In our example, we repeat these steps once for the remaining server,
                           10.133.20.54.




                          12. Click the Finished button (see Figure 2.3).




                       Figure 2.3 Creating the Edge Transport Server pool



Creating a tcp profile
                       BIG-IP version 9.0 and later uses profiles. A profile is an object that
                       contains user-configurable settings, with default values, for controlling the
                       behavior of a particular type of network traffic, such as HTTP connections.
                       Using profiles enhances your control over managing network traffic, and
                       makes traffic-management tasks easier and more efficient.
                       Although it is possible to use the default profiles, we strongly recommend
                       you create new profiles based on the default parent profiles. Creating new
                       profiles allows you to easily modify the profile settings specific to this
                       deployment, and ensures you do not accidentally overwrite the default
                       profile.
                       For this configuration, the only profile we create is a TCP profile. In our
                       example, we leave all the options at their default settings. You can configure
                       these options as appropriate for your network.

                       To create a new TCP profile based on the default TCP
                       profile
                           1. On the Main tab, expand Local Traffic.


                       2. Click Profiles.
                          The HTTP Profiles screen opens.
                       3. On the Menu bar, from the Protocol menu, select TCP.
                       4. In the upper right portion of the screen, click the Create button.
                          The New TCP Profile screen opens.
                       5. In the Name box, type a name for this profile. In our example, we
                          type exch_et_tcp.
                       6. Modify any of the settings as applicable for your network. In our
                          example, we leave the settings at their default levels.
                       7. Click the Finished button.
                   For more information on creating or modifying profiles, or applying profiles
                   in general, see the BIG-IP documentation.



Creating the virtual server
                   Next, we configure a virtual server on the BIG-IP LTM system that
                   references the pool and profile you just created.

                   To create a virtual server
                       1. On the Main tab, expand Local Traffic, and then click Virtual
                          Servers.
                          The Virtual Servers screen opens.
                       2. In the upper right portion of the screen, click the Create button.
                          The New Virtual Server screen opens.
                       3. In the Name box, type a name for this virtual server. In our
                          example, we type exch_et_virtual.
                       4. In the Destination section, select the Host option button.
                       5. In the Address box, type the IP address of this virtual server. In our
                          example, we use 10.133.20.200.




                           6. In the Service Port section, select SMTP from the list, or type 25.




                       Figure 2.4 Adding the Edge Transport virtual server


                           7. In the Configuration section, select Advanced from the list.
                              The Advanced configuration options appear.
                           8. From the Protocol Profile (Client) list, select the name of the
                              profile you created in the Creating a TCP profile section. In our
                              example, we select exch_et_tcp (see Figure 2.4).
                           9. In the Resources section, from the Default Pool list, select the pool
                              you created in the Creating the pool section. In our example, we
                              select exch_et_pool (see Figure 2.5).
                         10. Click the Finished button.




                   Figure 2.5 Resources section of the Add Virtual Server screen



Synchronizing the BIG-IP configuration if using a redundant system
                   If you are using a redundant BIG-IP configuration, the final step is to
                   synchronize the configuration to the peer BIG-IP device.

                   To synchronize the configuration using the Configuration
                   utility
                       1. On the Main tab, expand System.
                       2. Click High Availability.
                          The Redundancy screen opens.
                       3. On the Menu bar, click ConfigSync.
                       4. Click the Self --> Peer button.
                          The configuration synchronizes with its peer.




Configuring the Message Security Module with
Exchange 2010 Edge Transport Servers
                       The Message Security Module (MSM) identifies and blocks unwanted
                       emails at the edge of your network. You configure MSM to block known
                       and malicious spam senders, and keep them from filling your network with
                       unwanted email. Blocking unwanted email at the edge of your network
                       minimizes the resource load on your network and associated devices like
                       Exchange Server 2010.
                       MSM includes a real-time subscription to Secure Computing®
                       TrustedSource®, and email filtering capabilities for the BIG-IP system.
                       TrustedSource® is an industry-leading system for evaluating the safety of
                       email sources, and for scoring the reputation of the IP addresses from which
                       email originates.
                       We recommend that you use MSM as a spam volume-control solution in
                       addition to using the existing, content-based, email filtering solutions that
                       are already installed on your network, like those provided with Exchange
                       2010 Edge Transport servers. This combination provides more complete
                       protection for your network than either solution alone.
                       For more information on the Message Security Module, see the
                       documentation available on Ask F5.



Prerequisites and configuration notes
                       The following are prerequisites and configuration notes specific to the
                       Message Security Module:
                       ◆   You must have purchased the Message Security Module. For more
                           information about purchasing the Message Security Module, contact
                           your sales representative.
                       ◆   MSM is available with BIG-IP LTM version 9.4 and later.
                       ◆   We assume you have already installed and licensed the Message Security
                           Module. For more information on installing and licensing MSM, see the
                           MSM documentation available on Ask F5.
                       ◆   You must have command line access to the Root directory of the BIG-IP
                           system. This means that you must be assigned the Administrator role
                           with access to the Root directory of the system.



Accessing the Configuration utility
                       To perform the tasks necessary to configure the BIG-IP Message Security
                       Module, you first access the BIG-IP system web-based Configuration
                       utility.




                  To access the Configuration utility
                      1. In a browser, type the following URL:
                         https://<administrative IP address of the BIG-IP system>
                         A Security Alert dialog box appears.
                      2. Accept the certificate.
                         The authorization dialog box appears.
                      3. Type your user name and password, and then click OK.
                         The Configuration utility opens displaying the Welcome screen.



Configuring MSM to manage traffic to your Edge Transport
Servers
                  The BIG-IP® Message Security Module installation creates a data group
                  named MSM_config, and adds the following three variables and default
                  attributes to the data group:
                  • trusted_pool:good_mail
                  • suspect_pool:maybe_mail
                  • quarantine_pool:quarantine_mail

                  These variables correspond to the IP address reputation scores that
                  TrustedSource® assigns to the sources requesting connection to your
                  network (as shown in Table 1 on page 2-11). The default value for each
                  variable is the name of a pool of mail servers to which MSM directs a
                  specified kind of traffic, as shown in Table 1.

                   Variable in MSM_config    Default value

                   trusted_pool              good_mail (This is the name of the pool of
                                             mail servers to which MSM load balances
                                             mail from trusted sources.)

                   suspect_pool              maybe_mail (This is the name of the pool of
                                             mail servers to which MSM load balances
                                             mail from suspect sources. That is, mail that
                                             you want your existing email filtering
                                             systems to scan.)

                   quarantine_pool           quarantine_mail (This is the name of the
                                             pool of mail servers to which MSM load
                                             balances mail that you want to quarantine on
                                             your network for possible manual analysis.)

                  Table 1 Default values of three variables in MSM_config




Creating the pools
                       You can create the three pools described in Table 1, or you can use existing
                       pools to manage your email traffic. In our example, we create two new pools
                       and change the good_mail reference to the name of the pool we created for
                       the Exchange 2010 Edge Transport servers in Creating the pool, on page 2-5.
                       If you want to use other existing pools, you need to follow the procedure
                       Modifying the names of variables in the MSM_config data group, on
                       page 2-13.
                       The following procedure provides step-by-step instructions for creating the
                       pools that the MSM_config data group references by default. If you decide
                       to create these pools, we recommend that you create at least the
                       maybe_mail and quarantine_mail pools. For example, if you want all
                       email that is sent to your system to be sent to your existing email filtering
                       applications, you do not need to create a pool to which MSM directs trusted
                       email traffic. Instead, you can use the maybe_mail pool as an attribute for
                       both the trusted_pool and suspect_pool variables of the MSM_config data
                       group. For instructions on making this modification, see Modifying the
                       names of variables in the MSM_config data group, on page 2-13.

                       To create load balancing pools
                           1. On the Main tab, expand Local Traffic, and click Pools.
                              The Pool screen opens.
                           2. In the upper right portion of the screen, click the Create button.
                              The New Pool screen opens.
                           3. To display more (optional) pool configuration settings, select
                              Advanced from the Configuration list. You can configure the
                              additional settings as applicable for your network.
                           4. In the Name box, type a name for this pool. In our example, we
                              type maybe_mail, the name of the pool referenced by the
                              suspect_pool variable.
                           5. Select a health monitor appropriate for your configuration.
                           6. From the Load Balancing Method list, select your preferred load
                              balancing method. (It is important to note that different load
                              balancing methods yield optimal results for different network
                              configurations.)
                           7. When you create the pool to which the system sends trusted email,
                              do not change the Priority Group Activation. This pool uses the
                              default, Disabled. When you create the other pools, select the
                              option that is appropriate for your network.
                           8. In the New Members section, make sure the New Address option
                              button is selected.
                           9. In the Address box, type the IP address of the first email server that
                              you want to add to this pool, for example, 10.10.100.151.
                          10. In the Service Port box, type the service port that you want to use
                              for this pool, or select a service port from the list.


                     11. Click the Add button to add the member to the list.
                     12. Repeat steps 8-11 for each email server that you want to add to this
                         pool.
                     13. Click the Finished button.
                     14. Repeat steps 2 - 13 to create a pool for each of the other categories
                         of email that you want the system to filter. You must make sure
                         your pool names match the pool referenced by the variables, or you
                         must modify the name of the variables in the MSM_config data
                         group, as shown in the following section.
                         In our example, we create one additional pool named
                         quarantine_mail.



Modifying the names of variables in the MSM_config data group
                  As described earlier in Configuring MSM to manage traffic to your Edge
                  Transport Servers, on page 2-11, the BIG-IP Message Security Module
                  installation creates a data group named MSM_config, and adds the
                  following three variables and default attributes to the data group:
                  • trusted_pool:good_mail
                  • suspect_pool:maybe_mail
                  • quarantine_pool:quarantine_mail

                  In our example, we want trusted mail to be sent to the Exchange 2010 Edge
                  Transport server pool we already created, so we change the string record for
                  trusted_pool to use exch_et_pool.
                  If the other pools you created have different names than the pool names in
                  these three strings, you must modify the string records in the MSM_config
                  data group. Note that the pool names are the names following the colons in
                  the strings, for example, in the string, suspect_pool:maybe_mail, the pool
                  name is maybe_mail.




                       The following procedure describes how to modify MSM_config. Figure 2.6
                       shows the screen that you use to modify MSM_config.




                       Figure 2.6 Modifying the variable names in the MSM_config data group


                       To modify the MSM_config data group
                           1. On the Main tab, expand Local Traffic, and then click iRules.
                              The iRules screen opens.
                           2. On the menu bar, click Data Group List.
                              The Data Groups screen opens.
                           3. In the Name column, click MSM_config.
                              The MSM_config Properties screen opens.
                           4. In the Records area, modify the string records that represent the load
                              balancing pools that handle the email on your system.
                              a) In the String Records list, select the string that you want to
                                 modify to match the pool you created, and then click the Edit
                                 button.
                                 The string displays in the String box.
                              b) Change good_mail to the name of the pool you created in
                                 Creating the pool, on page 2-5. In our example, we change it to
                                 be trusted_pool:exch_et_pool. Click the Add button (Figure 2.7
                                 shows what our modified data group looks like).
                              c) Repeat steps 4a and 4b for each of the strings that you want to
                                 modify that identifies a pool that you created. Remember that the
                                 following three string records must exactly match the names of
                                 the pools you created:



                   • trusted_pool:<pool_name>
                     This is the name of the pool that you created to which the
                     system load balances trusted email connections. For example:
                     trusted_pool:exch_et_pool

                   • suspect_pool:<pool_name>
                     This is the name of the pool that you created to which the
                     system load balances moderately scored email connections.
                     For example:
                     suspect_pool:maybe_mail

                   • quarantine_pool:<pool_name>
                     This is the name of the pool that you created to which the
                     system load balances poorly scored email connections. For
                     example:
                     quarantine_pool:quarantine_mail




         Figure 2.7 Modified MSM_config data group


            5. Modify the strings that represent the threshold values in the
               MSM_config data group.
                a) In the String Records list, select the string that you want to
                   modify, and then click the Edit button.
                   The string displays in the String box.
                b) Modify the string, and then click the Add button.
                   The modified string displays in the String box.




                                 The four strings that determine which IP address reputation
                                 scores force connections to which load balancing pools on your
                                 system are shown below with the default value for each string.
                                 You can modify any of these strings:
                                 • trusted:-50
                                 • suspect:25
                                 • refuse:80
                                 • quarantine:50


                           6. Click the Finished button.
                           7. After creating or updating the data group, you must force MSM to
                              re-initialize the class data. To do this:
                              a) Open an SSH client and log in to the BIG-IP system as an
                                 administrator.
                              b) Run the following command from the command line:
                                 # MSM_init

                              This loads the MSM data class and initializes the new values.


Configuring MSM to accept all connections
                       By default, the BIG-IP® Message Security Module drops connections from
                       sources that have a TrustedSource® IP address reputation score in the +81
                       through +140 range. However, you can configure MSM to route all
                       connections to your network. With this configuration, MSM continues to
                       collect statistics on connections in the +81 through +140 range. For
                       statistical purposes, MSM classifies these connections as dropped
                       connections. This enables you to evaluate the statistics and determine how
                       you want to customize the MSM configuration for your network. To do this,
                       you modify the no_drop variable in the MSM_config data group.
                       By default, the no_drop variable is set to 0 (zero) which means that the
                       system drops all connections with a TrustedSource® IP address reputation
                       score in the +81 through +140 range. When you set the no_drop variable to
                       1 (one) the system load balances all connections with a TrustedSource® IP
                       address reputation score in the +81 through +140 range to the
                       quarantine_pool.

                       To configure MSM to accept all connections
                           1. On the Main tab, expand Local Traffic, and then click iRules.
                              The iRules screen opens.
                           2. On the menu bar, click Data Group List.
                              The Data Groups screen opens.
                           3. In the Name column, click MSM_config.
                              The MSM_config Properties screen opens.


                       4. Select the no_drop string record, and then click the Edit button.
                          The string displays in the String box.
                       5. Change the attribute to 1 (one), and then click the Add button.
                          The string displays in the String box.
                       6. Click the Finished button.
                          Now MSM collects statistics on all connections without dropping
                          any connections.
                       7. After creating or updating the data group, you must force MSM to
                          re-initialize the class data. To do this:
                           a) Open an SSH client and log in to the BIG-IP system as an
                              administrator.
                           b) Run the following command from the command line:
                             # MSM_init

                           This loads the MSM data class and initializes the new value that you
                           set for the no_drop string record.
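The following Python script is an added example, not part of this guide or of F5's MSM code. It models the MSM_config string records described in this section and the preceding one: it parses the records, checks that the three pool variables reference pools that actually exist (the name mismatch the guide warns about), and shows where a given TrustedSource score lands under no_drop 0 versus 1. The pool names and sample scores are constructed; the guide only documents the behaviour for the +81 through +140 range, so the way the quarantine and suspect thresholds split lower scores, and the -140 bottom of the score scale, are assumptions for illustration.

```python
"""Model of the MSM_config data group (added example, not F5 code).

Taken from the guide: the three pool variables, the four threshold
strings with their defaults, and the no_drop rule (scores +81 through
+140 are dropped when no_drop is 0 and sent to quarantine_pool when it
is 1).  ASSUMED for illustration: how the quarantine and suspect
thresholds split the scores below the refuse threshold, and the -140
lower end of the score scale.
"""

POOL_VARS = ("trusted_pool", "suspect_pool", "quarantine_pool")
THRESHOLD_VARS = ("trusted", "suspect", "quarantine", "refuse")
SCORE_MIN, SCORE_MAX = -140, 140  # +140 is on the page; -140 is assumed

# Constructed sample: MSM_config after the edit the guide walks through
# (trusted_pool changed from good_mail to exch_et_pool).
SAMPLE_RECORDS = [
    "trusted_pool:exch_et_pool",
    "suspect_pool:maybe_mail",
    "quarantine_pool:quarantine_mail",
    "trusted:-50",
    "suspect:25",
    "refuse:80",
    "quarantine:50",
    "no_drop:0",
]

# Constructed sample: the LTM pools that exist on this system.
SAMPLE_LTM_POOLS = {"exch_et_pool", "maybe_mail", "quarantine_mail"}


def parse_records(records):
    """Turn 'name:value' string records into a dict, rejecting malformed ones."""
    config = {}
    for rec in records:
        name, sep, value = rec.partition(":")
        if not sep or not name or not value:
            raise ValueError(f"malformed string record: {rec!r}")
        config[name.strip()] = value.strip()
    return config


def validate_config(config, ltm_pools):
    """List problems MSM_init will not flag: unknown pools, bad thresholds."""
    problems = []
    for var in POOL_VARS:
        pool = config.get(var)
        if pool is None:
            problems.append(f"missing {var} record")
        elif pool not in ltm_pools:
            problems.append(f"{var} references unknown pool {pool!r}")
    for var in THRESHOLD_VARS:
        try:
            score = int(config[var])
        except (KeyError, ValueError):
            problems.append(f"{var} must be an integer reputation score")
            continue
        if not SCORE_MIN <= score <= SCORE_MAX:
            problems.append(f"{var}={score} is outside {SCORE_MIN}..{SCORE_MAX}")
    if config.get("no_drop", "0") not in ("0", "1"):
        problems.append("no_drop must be 0 or 1")
    return problems


def classify_score(config, score):
    """Return the pool a connection with this score is sent to, or 'drop'.

    The refuse/no_drop branch follows the guide.  The order of the
    remaining comparisons (quarantine, then suspect, else trusted) is
    the assumption stated in the module docstring.
    """
    thresholds = {var: int(config[var]) for var in THRESHOLD_VARS}
    if score > thresholds["refuse"]:
        if config.get("no_drop", "0") == "1":
            return config["quarantine_pool"]
        return "drop"
    if score > thresholds["quarantine"]:
        return config["quarantine_pool"]
    if score > thresholds["suspect"]:
        return config["suspect_pool"]
    return config["trusted_pool"]


def tally(config, scores):
    """Count destinations for a batch of scores, as MSM's statistics would."""
    counts = {}
    for score in scores:
        dest = classify_score(config, score)
        counts[dest] = counts.get(dest, 0) + 1
    return counts


if __name__ == "__main__":
    cfg = parse_records(SAMPLE_RECORDS)
    print("problems:", validate_config(cfg, SAMPLE_LTM_POOLS) or "none")
    sample_scores = [-120, -40, 10, 30, 60, 81, 140]  # constructed
    print("no_drop=0:", tally(cfg, sample_scores))
    print("no_drop=1:", tally(dict(cfg, no_drop="1"), sample_scores))
```

Run it against your own exported string records and pool list before MSM_init; a pool name that does not exist on the LTM shows up as a validation problem rather than as mail silently going nowhere.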



Modifying the virtual server
                   The next step is to modify the virtual server you created in Creating the
                   virtual server, on page 2-7 to reference the iRule that the BIG-IP® Message
                   Security Module installation process creates.

                     Important
                   If your system is already configured to handle SMTP traffic, you do not have
                   to create a new virtual server for this purpose, but you must configure your
                   existing SMTP virtual server by performing steps 7 - 10, following.

                   To create an SMTP virtual server
                       1. On the Main tab, expand Local Traffic, and then click Virtual
                          Servers.
                          The Virtual Servers screen opens.
                       2. From the Virtual Server list, click the name of the virtual server you
                          created in Creating the virtual server, on page 2-7. In our example,
                          we select exch_et_virtual.
                       3. From the Configuration list, select Advanced.
                       4. From the Statistics Profile list, select MSM_reputation. (This
                          is the Statistics profile that the MSM installation process created.)
                       5. Click the Update button.
                       6. On the menu bar, click Resources.
                       7. In the iRules section, click the Manage button.




                           8. From the iRules Available list, select MSM_reputation, and click
                              the Add (<<) button to move the iRule to the Enabled list. (This is
                              the iRule that the MSM installation process created.)
                           9. Click the Finished button.


                       The Message Security module configuration is now complete.




Configuring the BIG-IP Global Traffic Manager with
Exchange 2010 Edge Transport Servers
                   The Edge Transport role for Microsoft Exchange 2010 provides inbound
                   and outbound SMTP connectivity between an Exchange organization and
                   other mail services, including all other Internet email users. More
                   information on the Edge Transport server role may be found at
                   http://www.microsoft.com/technet/prodtechnol/exchange/2010/edge.mspx?WT.svl=2010resources
                   Edge Transport servers are most often located on or near the perimeter of
                   an organization's networks, and they can be deployed in more than one datacenter.
                   Any or all of those Edge Transport servers may be involved in relaying mail.
                   Traditional methods of providing high availability to public-facing SMTP
                   mail relays involve using a combination of simple round-robin DNS and
                   multiple MX (mail exchange) DNS records that statically list two or more
                   delivery locations, with fixed priority levels. Those methods do not provide
                   true load balancing, do not permit dynamic redirection based on
                   performance, and make it difficult to perform maintenance or cope with
                   localized outages in predictable and controllable ways.
                   Using F5's Global Traffic Manager (GTM) allows mail administrators to
                   define policies which take into account real-time availability and
                   performance of all Edge Transport servers, plan and easily initiate local
                   maintenance outages without disrupting service, and remain
                   highly-available even in the event of a disaster.



Configuring a self IP address on the BIG-IP LTM
                   The first task in this configuration is to create a unique self IP address on the
                   BIG-IP LTM system for use by the GTM. You need a unique self IP address
                   for each redundant pair of BIG-IP LTM devices in this configuration, so if
                   you have multiple pairs of BIG-IP LTMs you need a unique self IP for each
                   one.
                   The IP address you choose, and the VLAN to which you assign it, must be
                   accessible by any clients that will be performing DNS queries against the
                   GTM. It may be a private IP address if a Network Address Translation
                   (NAT) device, such as a BIG-IP LTM, a firewall, or a router, is providing a
                   public address and forwarding DNS traffic to the listener.

                   To create a self IP address
                       1. On the Main tab, expand Network, and then click Self IPs.
                          The Self IP screen opens.
                       2. Click the Create button.
                          The new Self IP screen opens.




                           3. In the IP Address box, type an IP address in the appropriate VLAN
                              (the VLAN you select in step 5).
                              In our example, we type 10.133.20.70.
                           4. In the Netmask box, type the corresponding subnet mask.
                              In our example, we type 255.255.255.0.
                           5. From the VLAN list, select the appropriate VLAN.
                           6. Click the Finished button.
                              The new self IP address appears in the list.



Creating a Listener on the GTM
                       The next task is to create a listener on the BIG-IP GTM system. A listener
                       instructs the Global Traffic Manager to listen for network traffic destined for
                       a specific IP address. In our case, this specific IP address is the self IP
                       address on the LTM system we just created.

                       To create a listener on the GTM system
                           1. On the Main tab of the navigation pane, expand Global Traffic and
                              then click Listeners. The main listeners screen opens.
                           2. Click the Create button.
                           3. In the Destination box, type the self IP address you created in
                              Configuring a self IP address on the BIG-IP LTM, on page 2-19. In
                              our example, we type 10.133.20.70 (see Figure 2.8).
                           4. Leave the VLAN Traffic list set to All VLANs.
                           5. Click the Finished button.
                           6. Repeat this procedure for any additional self IP addresses you
                              configured in the Configuring a self IP address on the BIG-IP LTM
                              section.




                       Figure 2.8 Creating a new listener




Creating data centers on the GTM system
                 The next step is to create data centers on the GTM system for each
                 real-world location that will host globally load balanced Edge Transport
                 servers. A data center defines the group of Global Traffic Managers, Local
                 Traffic Managers, host systems, and links that share the same subnet on the
                 network. In our example, we created a Seattle data center and a New York
                 data center.

                 To create a new data center on the GTM system
                     1. On the Main tab of the navigation pane, expand Global Traffic and
                        click Data Centers. The main screen for data centers opens.
                     2. Click the Create button.
                        The New Data Center screen opens.
                     3. In the Name box, type a name for this data center. In our example,
                        we type Seattle DC.
                     4. In the Location box, type a location that describes the physical
                        location of the data center. In our example, we type Seattle,
                        Washington.
                     5. In the Contact box, type the name of the person responsible for
                        managing the network at the data center. In our example, we type
                        admin@f5seattledatacenter.com.
                     6. Make sure the State list remains at Enabled (see Figure 2.9).
                     7. Click the Finished button.
                     8. Repeat this procedure for each of your data centers. In our example,
                        we repeat the procedure once for our New York data center.




                 Figure 2.9 Creating a new GTM data center




Creating the monitor
                       The next task is to create a monitor on the GTM system. Monitors verify
                       connections on pools and virtual servers and are designed to check the status
                       of a pool or virtual server on an ongoing basis, at a set interval. If a pool or
                       virtual server being checked does not respond within a specified timeout
                       period, or the status of a pool or virtual server indicates that performance is
                       degraded, then the Global Traffic Manager can redirect the traffic to another
                       resource.
                       In our example, we create an SMTP monitor, which issues standard Simple
                       Mail Transfer Protocol (SMTP) commands to ensure that the BIG-IP LTM
                       virtual server, which contains the Edge Transport server pool, is available.
                       You can configure a monitor most appropriate for your configuration.
                       Although it is possible to use the default monitor, we recommend creating a
                       new monitor based off the default monitor, which enables you to configure
                       specific options.

                       To create a GTM health monitor
                           1. On the Main tab of the navigation pane, expand Global Traffic and
                              then click Monitors.
                           2. Click the Create button. The New Monitor screen opens.
                           3. In the Name box, type a name for the monitor. In our example, we
                              type gtm_smtp.
                           4. From the Type list, select SMTP.
                           5. Configure the options as applicable for your deployment. In our
                              example, we leave the options at their default levels.
                           6. Click the Finished button.
                              The new monitor is added to the list.
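What the SMTP monitor above is checking, as an added illustration rather than F5 code: the probe below performs the same banner/EHLO/QUIT exchange against an SMTP listener and reports it unavailable on any unexpected reply, dropped connection or timeout. The transcripts, host names and the probe's EHLO name are constructed sample values.

```python
import io
import socket
from typing import BinaryIO, List, Tuple

# Constructed sample transcripts (not captured from a real server). Each is what
# the probe would read from the socket; the EHLO/QUIT lines it sends are not here.
HEALTHY_TRANSCRIPT = (
    b"220 edge1.example.com Microsoft ESMTP MAIL Service ready\r\n"
    b"250-edge1.example.com Hello [10.133.20.1]\r\n"   # multi-line EHLO reply
    b"250-SIZE 10485760\r\n"
    b"250 OK\r\n"
    b"221 2.0.0 Service closing transmission channel\r\n"
)
DEGRADED_TRANSCRIPT = b"421 4.3.2 Service not available, closing transmission channel\r\n"
TRUNCATED_TRANSCRIPT = b"220 edge1.example.com ESMTP ready\r\n"  # connection drops after banner


def read_reply(reader: BinaryIO) -> Tuple[int, str]:
    """Read one SMTP reply, joining '250-...' continuation lines (RFC 5321, 4.2.1)."""
    lines: List[str] = []
    while True:
        raw = reader.readline()
        if not raw:
            raise ConnectionError("connection closed before a complete SMTP reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed SMTP reply: {line!r}")
        lines.append(line[4:])
        if len(line) == 3 or line[3] == " ":   # a space (not '-') marks the last line
            return int(line[:3]), "\n".join(lines)


def smtp_probe(reader: BinaryIO, writer: BinaryIO,
               helo_name: str = "gtm-probe.example.com") -> Tuple[bool, str]:
    """Banner -> EHLO -> QUIT over already-open streams. Returns (available, reason).
    The listener counts as available only if the banner is 220 and EHLO is
    answered with 250; anything else, including a dropped connection or a
    timeout, marks it down so traffic can be steered to another resource."""
    try:
        code, text = read_reply(reader)
        if code != 220:
            return False, f"banner code {code}: {text}"
        writer.write(f"EHLO {helo_name}\r\n".encode("ascii"))
        writer.flush()
        code, text = read_reply(reader)
        if code != 250:
            return False, f"EHLO rejected with {code}: {text}"
        writer.write(b"QUIT\r\n")   # close cleanly; the 221 reply is not needed for the verdict
        writer.flush()
        return True, "banner and EHLO accepted"
    except (ValueError, OSError) as exc:   # ConnectionError and socket.timeout are OSErrors
        return False, f"probe failed: {exc}"


def probe_transcript(transcript: bytes) -> Tuple[bool, str, List[bytes]]:
    """Run the probe against a canned transcript; returns the verdict, the reason
    and the exact command lines the probe sent."""
    reader, writer = io.BytesIO(transcript), io.BytesIO()
    available, reason = smtp_probe(reader, writer)
    return available, reason, writer.getvalue().splitlines()


def check_smtp(host: str, port: int = 25, timeout: float = 5.0) -> Tuple[bool, str]:
    """Network wrapper: probe host:port with the given timeout, e.g. check_smtp('10.133.20.200')."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)   # applies to every read and write, not just the connect
            with sock.makefile("rb") as reader, sock.makefile("wb") as writer:
                return smtp_probe(reader, writer)
    except OSError as exc:
        return False, f"connect failed: {exc}"


if __name__ == "__main__":
    for name, transcript in (("healthy", HEALTHY_TRANSCRIPT), ("degraded", DEGRADED_TRANSCRIPT),
                             ("truncated", TRUNCATED_TRANSCRIPT)):
        ok, why, sent = probe_transcript(transcript)
        print(f"{name:9s} available={ok} reason={why!r} sent={sent}")
```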



Creating Servers for the data center
                       The next task is to create a GTM Server for the data centers. A server
                       defines a specific system on the network. In this deployment, the GTM
                       servers are the BIG-IP LTM systems we configured earlier in this guide.

                       To create a GTM server
                           1. On the Main tab of the navigation pane, expand Global Traffic and
                              click Servers.
                              The main screen for servers opens.
                           2. Click the Create button. The New Server screen opens.
                           3. In the Name box, type a name that identifies the Local Traffic
                              Manager. In our example, we type Seattle_BIG-IP.




          4. From the Product list, select either BIG-IP System (Single) or
             BIG-IP System (Redundant) depending on your configuration. In
             our example, we select BIG-IP System (Redundant).
          5. From the Address List section, in the Address box, type the self IP
             address of the BIG-IP LTM device, and then click the Add button.
             In our example, we type 10.133.20.227.
          6. If you selected BIG-IP System (Redundant) in Step 4, from the Peer
             Address List section, in the Address box, type the self IP address of
             the redundant BIG-IP LTM device, and then click the Add button.

             Note: Do not use a floating IP address of the redundant pair. Do not
             use the administrative interface of either member of a redundant
             pair.
          7. From the Data Center list, select the name of the data center you
             created in the Creating data centers on the GTM system section. In
             our example, we select Seattle DC.
          8. In the Health Monitors section, from the Available list, select the
             name of the monitor you created in the Creating the monitor
             section, and click the Add (<<) button. In our example, we select
             gtm_smtp.
          9. In the Resources section, from the Virtual Server Discovery list,
             choose an option. We recommend Enabled (No Delete). With this
             option, the GTM will discover all the virtual servers you have
             configured on the LTM(s) via iControl, and will update, but not
             delete them.
         10. Click the Finished button (see Figure 2.10).








                       Figure 2.10 Creating a GTM server



Creating a GTM pool
                       The next task is to create a pool on the GTM device that contains the BIG-IP
                       LTM virtual server.

                       To create a pool on the GTM
                           1. On the Main tab of the navigation pane, expand Global Traffic and
                              click Pools (located under Wide IPs).
                           2. Click the Create button. The New Pool screen opens.


            3. In the Name box, type a name for the pool. In our example, we type
               Seattle_pool.
            4. In the Health Monitors section, from the Available list, select the
               name of the monitor you created in the Creating the monitor
               section, and click the Add (<<) button. In our example, we select
               gtm_smtp.
            5. In the Load Balancing Method section, choose the load balancing
               methods from the lists appropriate for your configuration. In our
               example, we select Global Availability, Round Robin, and Return
               to DNS, in that order.
            6. In our example, we leave the Fallback IP box blank.
            7. In the Member List section, from the Virtual Server list, select the
               virtual server you created in Creating the virtual server, on page
               2-7, and click the Add button. Note that you must select the virtual
               server by IP Address and port number combination. In our example,
               we select 10.133.20.200:25.
               If you have additional virtual servers for the Edge Transport servers
               configured on the BIG-IP LTM system, repeat this step.
            8. Click the Finished button.




         Figure 2.11 Creating a pool on the GTM





Creating a wide IP on the GTM
                       The next task is to create a wide IP on the GTM system. A wide IP is a
                       mapping of a fully-qualified domain name (FQDN) to a set of virtual servers
                       that host the domain’s content.

                       To create a wide IP on the GTM system
                           1. On the Main tab of the navigation pane, expand Global Traffic and
                              click Wide IPs.
                           2. Click the Create button. The New Wide IP screen opens.
                           3. In the Name box, type a name for the Wide IP. In our example, we
                              type mail.example.com.
                           4. In our example, we are not using any iRules, so we skip the iRule
                              section. Configure as appropriate for your deployment.
                           5. In the Pools section, from the Load Balancing Method list, select a
                              load balancing method. In our example, we select Global
                              Availability. Global Availability instructs the GTM to select the
                              first pool in the wide IP until it becomes unavailable, at which point
                              it selects the next pool until the first pool becomes available again.

                               In our example, the GTM sends all incoming email to the first-listed
                               pool, Seattle_pool. If that pool is unavailable, all incoming email is
                               sent to the next-listed pool, NewYork_pool. If you wish to
                               distribute incoming email among multiple pools, select another
                               method, such as Ratio. Consult the online documentation or the
                               product manual for more details about load balancing methods.
                           6. From the Pool List section, from the Pool list, select the name of the
                              pool you created in the Creating a GTM pool section, and then click
                              the Add button. In our example, we select Seattle_pool.
                              Repeat this step for any additional pools. In our example, we repeat
                              one time for the NewYork_pool.
                           7. All other settings are optional; configure them as appropriate for
                              your deployment.
                           8. Click the Finished button (see Figure 2.12).




                 Figure 2.12 Creating a new Wide IP on the GTM system


                 The next task is to add the newly-created Wide IP as an MX record in your
                 DNS system. If using the GTM as your primary DNS system, this is done
                 through the ZoneRunner utility.



Configuring the Wide IP as an MX record using ZoneRunner
                 The final task in this configuration is to configure the Wide IP as an MX
                 record in a DNS system. In our example, we are using the GTM system as
                 our primary DNS, and use ZoneRunner to add the Wide IP as an MX record.
                 The ZoneRunner utility is an advanced feature of the Global Traffic
                 Manager. We highly recommend that you become familiar with the various
                 aspects of BIND and DNS before you use this feature. For in-depth
                 information, we recommend the following resources:
                 • DNS and BIND, 4th edition, Paul Albitz and Cricket Liu
                 • The IETF DNS documents, RFC 1034 and RFC 1035







                       • The Internet Systems Consortium web site,
                         http://www.isc.org/index.pl?/sw/bind/

                       For information on adding the required MX record to other DNS servers, for
                       instance BIND or Microsoft Windows 2010 DNS Service, consult the
                       appropriate product documentation.

                       To add the Wide IP as an MX record using ZoneRunner
                           1. On the Main tab of the navigation pane, expand Global Traffic and
                              click ZoneRunner.
                           2. Click the Create button. The New Resource Record screen opens.
                           3. From the View list, select a view. In our example, we select
                              external.
                           4. From the Zone list, select the appropriate zone. In our example, we
                              select example.com.
                           5. In the Name box, type a name for the Resource Record. Make sure
                              the domain for which you are creating an MX record is shown, and
                              note that it must end with a period.
                           6. In the TTL box, type a number of seconds. In our example, we type
                              500 (which is the default TTL for our zone).
                           7. From the Type list, select MX.
                           8. In the Preference box, type 10. Preference is a numeric value for
                              the preference of this mail exchange host relative to all other mail
                              exchange hosts for the domain. Lower numbers indicate a higher
                              preference, or priority.
                              In a traditional DNS configuration, you would create multiple MX
                              records with different priorities; however, since you're using GTM
                              to provide true wide-area load balancing, it is only necessary to
                              create a single record in this case.
                           9. In the Mail Server box, type the name of the Wide IP that you created
                              in Creating a wide IP on the GTM. Make sure that this name also
                              ends with a period. In our example, we type mail.example.com.
                          10. Click the Finished button (see Figure 2.13).
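Added example, not F5 or ZoneRunner code: it reproduces the zone-file rule behind the trailing-period reminders in steps 5 and 9 (a name without a trailing period is relative to the zone origin, so mail.example.com in zone example.com. becomes mail.example.com.example.com.) and lints the resulting record before it is saved. The zone, names and TTL are the ones used in the procedure.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class MXRecord:
    owner: str        # domain receiving mail, absolute (ends with a period)
    ttl: int          # seconds the record may be cached
    preference: int   # lower value = higher priority among the domain's MX hosts
    exchange: str     # mail exchange host, absolute (ends with a period)


def qualify(name: str, origin: str) -> str:
    """Zone-file origin rule: a name ending in a period is absolute and kept as is,
    '@' means the origin, and any other name gets the origin appended."""
    if not origin.endswith("."):
        raise ValueError("zone origin must be absolute, e.g. 'example.com.'")
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def build_mx(zone: str, name: str, ttl: int, preference: int, mail_server: str) -> MXRecord:
    """Assemble the record exactly as the zone would interpret the form fields."""
    if ttl < 0:
        raise ValueError("TTL must be a non-negative number of seconds")
    if not 0 <= preference <= 65535:
        raise ValueError("MX preference is a 16-bit unsigned value")
    return MXRecord(qualify(name, zone), ttl, preference, qualify(mail_server, zone))


def to_zone_line(record: MXRecord) -> str:
    """Render the record in the standard master-file form."""
    return f"{record.owner} {record.ttl} IN MX {record.preference} {record.exchange}"


_MX_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+MX\s+(\d+)\s+(\S+)\s*$")


def parse_zone_line(line: str, zone: str) -> MXRecord:
    """Parse 'owner ttl IN MX preference exchange', resolving relative names."""
    match = _MX_LINE.match(line)
    if not match:
        raise ValueError(f"not an MX record line: {line!r}")
    owner, ttl, preference, exchange = match.groups()
    return build_mx(zone, owner, int(ttl), int(preference), exchange)


def lint(records: List[MXRecord], zone: str) -> List[str]:
    """Warnings an operator wants before saving: a doubled origin suffix (the
    classic missing-period symptom) and an MX host given as an IP literal."""
    warnings: List[str] = []
    origin_labels = zone.rstrip(".").split(".")
    doubled = origin_labels + origin_labels
    for record in records:
        labels = record.exchange.rstrip(".").split(".")
        if len(labels) >= len(doubled) and labels[-len(doubled):] == doubled:
            warnings.append(f"{record.exchange}: origin appended twice; the mail "
                            f"server name probably lacked its trailing period")
        if re.fullmatch(r"[\d.]+", record.exchange):
            warnings.append(f"{record.exchange}: MX data must be a host name, not an address")
    return warnings


def delivery_order(records: List[MXRecord]) -> List[str]:
    """Exchange hosts in the order a sending MTA tries them (lowest preference first)."""
    return [r.exchange for r in sorted(records, key=lambda r: r.preference)]


if __name__ == "__main__":
    good = build_mx("example.com.", "@", 500, 10, "mail.example.com.")
    bad = build_mx("example.com.", "example.com.", 500, 10, "mail.example.com")
    for record in (good, bad):
        print(to_zone_line(record), lint([record], "example.com."))
```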




         Figure 2.13 Creating a new Resource Record using ZoneRunner


         This concludes the BIG-IP GTM configuration. For more information on the
         BIG-IP GTM, see the GTM documentation.




3 Deploying BIG-IP WOM with Database Availability Groups

Deploying the BIG-IP WOM and Mailbox Database Availability Groups
                   This chapter gives you step-by-step configuration procedures for
                   configuring the BIG-IP WAN Optimization Module for deployment with
                   the Mailbox Server Database Availability Group (DAG) feature of
                   Exchange Server 2010.
                   Each DAG can have up to sixteen members and can host mailbox databases
                   from any other member. DAG members can be on the same subnet or on
                   different subnets, including being located across a WAN in an alternate
                   datacenter. Although DAG replication supports network encryption and
                   compression, those features are enabled by default only between members
                   on the same subnet, and each Mailbox server would incur CPU and memory
                   overhead if performing those functions locally.
                   F5 optimization technology speeds up mailbox database replication between
                   DAG members while simultaneously reducing the total amount of data
                   transferred over the WAN connection. Optionally, F5 can encrypt the
                   optimized tunnel, securing the replication even when traversing untrusted or
                   public networks.
                   More information about DAGs, including requirements and Exchange
                   Server configuration, can be found at
                   technet.microsoft.com/en-us/library/dd979799%28EXCHG.140%29.aspx
                   For more information on the WAN Optimization Module, see
                   http://www.f5.com/products/big-ip/product-modules/wan-optimization-module.html




Prerequisites and configuration notes
                   The following are prerequisites and configuration notes for this deployment:
                   ◆   Because compression and encryption are handled by the BIG-IP devices,
                       you should ensure network compression and encryption are disabled for
                       DAG members on different subnets. See
                       http://technet.microsoft.com/en-us/library/dd297985.aspx for
                       instructions on disabling these features.
                   ◆   DAG members on different subnets may have more than one IP address
                       used by the host servers. You must deploy your BIG-IP devices within
                       your network to optimize traffic between IP addresses assigned to the
                       DAG for database replication.
                   ◆   All of the configuration procedures in this document are performed on
                       the F5 devices. For information on how to deploy or configure Microsoft
                       Exchange Server 2010, consult the appropriate Microsoft documentation.








Configuring the WAN optimization module
                       First, we configure the WAN optimization module (WOM). The WAN
                       optimization module allows you to encrypt and accelerate data between
                       BIG-IP devices, accelerate applications across the WAN, and much more.
                       One of the options for initially configuring the WAN optimization module is
                       Dynamic Discovery. The benefit of dynamic discovery is that it reduces
                       configuration complexity. However, when dynamic discovery is used, the
                       BIG-IP currently disables iSession routing in order to prevent inadvertent
                       routing loops. In our environment, dynamic discovery is allowed, but care
                       was taken to ensure iSession routing was enabled.
                       In this section, we assume you have already configured basic settings such
                       as VLANs and Self-IP address on your BIG-IP systems. If you have not, see
                       Performing the initial configuration tasks, on page 1-6.

                          Note

                       The following procedure is only necessary when initially configuring the
                       BIG-IP WOM. If you have already performed the initial configuration,
                       continue with Creating the iSession profile, on page 3-4.

                       To configure the WOM module
                           1. On the Main tab of the local BIG-IP system, expand WAN
                              Optimization, and then click Configuration. The Local Endpoint
                              Configuration screen opens.
                           2. In the IP Address box, type the BIG-IP self IP address you
                              provisioned for the iSession endpoint in the data center.
                           3. Make sure the Create iSession Virtual Server list is set to Yes.
                           4. Click the Save button.
                           5. In the Advertised Routes Configuration section, click the Create
                              button. The Advertised Route is the local subnet that the local
                              endpoint advertises to all configured remote endpoints to which it is
                              connected.
                           6. In the Alias box, type an alias for this route. This is optional. In our
                              example, we type exchange2010-DAG.
                           7. In the Subnet Address box, type the appropriate subnet address. In
                              our example, we type 10.133.20.0.
                           8. In the Netmask box, type the associated netmask. In our example,
                              we type 255.255.255.0.
                           9. Make sure the Enabled box is checked.
                          10. Click the Finished button.
                          11. In the Dynamic Discovery section, we leave the default settings.




          12. Repeat this entire procedure on the remote endpoint BIG-IP system,
              using the appropriate BIG-IP self IP address in step 2, and the
              appropriate Advertised Route information.




      Figure 3.1 The WAN optimization configuration


      After performing this procedure on both BIG-IP systems, you connect your
      two BIG-IP systems together via an iSession tunnel by identifying each
      remote endpoint. If dynamic discovery was left on (as in step 11), you only
      perform the following procedure on one of the BIG-IP systems. If you did
      not, you must repeat this procedure on the remote BIG-IP system.

      To configure the remote endpoints
           1. On the Main tab of the local BIG-IP system, expand WAN
              Optimization, and then click Configuration.
           2. On the Menu bar, click Remote Endpoints.
           3. Click the Create button.
           4. From the Remote Endpoint list, select Advanced.
           5. In the IP Address box, type the IP address you provisioned for the
              remote iSession endpoint.
           6. Important: From the Routing list, select Enabled.
           7. Click Finished.








                           8. If you disabled dynamic discovery in the previous procedure, you
                              must repeat this procedure on the remote BIG-IP system.




                       Figure 3.2 Configuring the remote endpoint


Ensuring that iSession routing is enabled
                       As mentioned previously, if Dynamic Discovery is enabled, the BIG-IP
                       system automatically sets remote endpoint routing to disabled. We want to
                       ensure remote endpoint routing is enabled (as in step 6 above).

                         Important
                       We recommend that you check that routing is enabled any time the BIG-IP
                       system reboots or after a hotfix or upgrade is installed, as routing may
                       revert to Disabled to avoid any routing loops.

                       To ensure that iSession routing is enabled
                           1. On the Main tab of the local BIG-IP system, expand WAN
                              Optimization, and then click Configuration.
                           2. On the Menu bar, click Remote Endpoints.
                           3. Click the IP address of the appropriate endpoint.
                           4. From the Routing list, make sure that Enabled is selected. If it is
                              not, select Enabled from the list.
                           5. Click the Update button.
                           6. Repeat this procedure on the remote BIG-IP system.



Creating the iSession profile
                       In this procedure, we create an iSession profile. The iSession profile tells the
                       system how to optimize traffic.




                 To create the iSession profile
                     1. On the Main tab, expand Local Traffic, and then click Profiles.
                     2. On the Menu bar, from the Services menu, select iSession.
                     3. Click the Create button.
                     4. In the Name box, type a name for this profile. In our example, we
                        type exchange-DAG-isession.
                     5. In our example, we leave all settings at the default levels, which
                        results in data transfers that are optimized using both adaptive
                        compression and deduplication.
                     6. Click the Finished button.
                     7. Repeat this on the Remote BIG-IP WAN Optimization module.



Creating the WAN Optimization policy
                 The next task is to create the WAN optimization policy. For this
                 configuration, we create a new optimization policy for the DAGs.

                 To create a new WAN Optimization policy
                     1. On the Main tab, expand WAN Optimization, and then click
                        Configuration.
                     2. On the Menu bar, click Optimization Policies.
                     3. Click the Create button. The Common Application Optimization
                        Policies page opens.
                     4. Click the Create Custom Policy button. The New Optimization
                        Policy wizard opens.
                     5. Type a name for this virtual server. In our example, we type
                        exchange-DAG-local.
                     6. Select No for the question asking if this is an iSession endpoint
                        tunnel terminating virtual server.
                     7. In the IP address/netmask section, select Network. Type the IP
                        Address and Netmask for the remote network where the DAG
                        member servers are located.
                     8. In the What kind of application would you like to optimize? box,
                        type 64327, the default port for Database Availability Group
                        mailbox replication. If you have changed from the default port, type
                        that port here.
                        http://technet.microsoft.com/en-us/library/dd297985.aspx contains
                        instructions on changing the DAG replication port.
                     9. From the Will clients be connecting to this virtual server over a LAN
                        list, select Yes.








                          10. Encrypting the tunneled data is optional. In our example, we select
                              Yes.
                          11. In the VLAN section, from the Available list, select the appropriate
                              VLANs and click the Add (<<) button.
                          12. In the Profile Settings section, from the iSession Profile list, select
                              the profile you created in Creating the iSession profile, on page 3-4.
                          13. Click the Finished button.
                          14. Repeat this on the remote BIG-IP WOM, but in Step 7, use the IP
                              address and Netmask for the local network where the DAG member
                              servers are located.


                       Your DAG replication traffic in either direction is now optimized and
                       encrypted.
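Added planning check for the two mirrored optimization policies (step 7 on the local WOM, step 14 on the remote one); this is illustration code, not part of the guide or of F5's products. It confirms that every DAG member's replication address falls inside exactly one endpoint's advertised route before deriving each endpoint's policy target. The Seattle subnet and replication port are the ones from the procedure; the New York subnet, the endpoint names and the member addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Union

DAG_REPLICATION_PORT = 64327   # Exchange 2010 default (step 8); change it if you changed the port
Addr = Union[str, IPv4Address]


@dataclass(frozen=True)
class Endpoint:
    name: str
    isession_ip: IPv4Address   # self IP used as the local iSession endpoint (step 2)
    advertised: IPv4Network    # Advertised Route: subnet address + netmask (steps 7 and 8)


@dataclass(frozen=True)
class Policy:
    endpoint: str              # BIG-IP WOM the policy is created on
    target: IPv4Network        # Network entered in step 7: the other site's DAG network
    port: int
    encrypt: bool              # step 10


# Constructed sample values. Seattle's subnet is the one used in the procedure;
# the New York subnet and all member addresses are made up for this example.
SEATTLE = Endpoint("Seattle_WOM", ip_address("10.133.20.227"), ip_network("10.133.20.0/24"))
NEWYORK = Endpoint("NewYork_WOM", ip_address("10.133.30.227"), ip_network("10.133.30.0/24"))
DAG_MEMBERS = ["10.133.20.101", "10.133.20.102", "10.133.30.101"]


def covering_endpoint(addr: Addr, endpoints: List[Endpoint]) -> Endpoint:
    """The endpoint whose advertised route contains addr; exactly one must."""
    ip = ip_address(str(addr))
    hits = [e for e in endpoints if ip in e.advertised]
    if not hits:
        raise ValueError(f"{ip} is not inside any advertised route; its replication "
                         f"traffic would bypass the WOM")
    if len(hits) > 1:
        raise ValueError(f"{ip} is inside overlapping advertised routes: "
                         + ", ".join(e.name for e in hits))
    return hits[0]


def plan_policies(endpoints: List[Endpoint], members: List[Addr],
                  port: int = DAG_REPLICATION_PORT, encrypt: bool = True) -> List[Policy]:
    """Mirror the two-site procedure: each endpoint's policy targets the remote
    DAG network (step 7 locally, step 14 remotely) on the replication port."""
    if len(endpoints) != 2:
        raise ValueError("this example plans the two-site deployment described in the guide")
    local, remote = endpoints
    if local.advertised.overlaps(remote.advertised):
        raise ValueError("advertised routes overlap; iSession routing would be ambiguous")
    per_site = {e.name: 0 for e in endpoints}
    for member in members:
        per_site[covering_endpoint(member, endpoints).name] += 1
    for name, count in per_site.items():
        if count == 0:
            raise ValueError(f"no DAG member behind {name}; nothing to optimize there")
    return [Policy(local.name, remote.advertised, port, encrypt),
            Policy(remote.name, local.advertised, port, encrypt)]


def is_optimized(src: Addr, dst: Addr, port: int,
                 endpoints: List[Endpoint], policies: List[Policy]) -> bool:
    """True when a replication flow src->dst:port is picked up by the policy on
    the endpoint that advertises src. Same-subnet replication never crosses the
    WAN, so it is correctly left alone (Exchange compresses it itself by default)."""
    src_ip, dst_ip = ip_address(str(src)), ip_address(str(dst))
    try:
        local = covering_endpoint(src_ip, endpoints)
    except ValueError:
        return False
    return any(p.endpoint == local.name and dst_ip in p.target and p.port == port
               for p in policies)


if __name__ == "__main__":
    for policy in plan_policies([SEATTLE, NEWYORK], DAG_MEMBERS):
        print(f"{policy.endpoint}: optimize {policy.target} port {policy.port}, "
              f"encrypt={policy.encrypt}")
```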




4 Deploying BIG-IP WOM with Hub Transport Servers

Deploying F5 and Microsoft Exchange Server 2010 Hub Transport Servers
                   This chapter gives you step-by-step configuration procedures for
                   configuring the BIG-IP WAN Optimization Module for deployment with
                   the Hub Transport Server component of Exchange Server 2010.
                   The Hub Transport role of Microsoft Exchange Server 2010 is responsible
                   for handling all mail flow within an organization: it applies transport rules,
                   applies journaling policies, and delivers messages to a recipient's mailbox.
                   Servers with the Hub Transport role installed are responsible for routing
                   email between two or more Exchange sites in an organization. These
                   messages can form a large part of the traffic on an organization's WAN. By
                   using BIG-IP WOM to optimize the WAN traffic, messages are routed more
                   reliably and with less impact on your organization's WAN links.
                   More information about the Hub Transport Server role can be found at
                   http://technet.microsoft.com/en-us/library/aa998616.aspx
                   For more information on Microsoft Exchange Server 2010, see
                   http://www.microsoft.com/exchange/default.mspx.
                   For more information on F5 products and features, see
                   http://www.f5.com/products/.



Prerequisites and configuration notes
                   The following are prerequisites and configuration notes for this deployment:
                   ◆   This chapter is written for the Hub Transport server component of
                       Microsoft Exchange Server 2010.
                   ◆   All of the configuration procedures in this document are performed on
                       the F5 devices. For information on how to deploy or configure Microsoft
                       Exchange Server 2010, consult the appropriate Microsoft documentation.

                       Important
                   You must perform all of the following procedures on both BIG-IP devices.








Configuring the WAN optimization module
                               First, we configure the WAN optimization module (WOM). The WAN
                               optimization module allows you to encrypt and accelerate data between
                               BIG-IP devices, accelerate applications across the WAN, and much more.
                               One of the options for initially configuring the WAN optimization module is
                               Dynamic Discovery. The benefit of dynamic discovery is that it reduces
                               configuration complexity. However, when dynamic discovery is used, the
                               BIG-IP currently disables iSession routing in order to prevent inadvertent
                               routing loops. In our environment, dynamic discovery is allowed, but care
                               was taken to ensure iSession routing was enabled.
                               In this section, we assume you have already configured basic settings such
                               as VLANs and Self-IP address on your BIG-IP systems. If you have not, see
                               Performing the initial configuration tasks, on page 1-6.

                                  Note

                               The following procedure is only necessary when initially configuring the
                               BIG-IP WOM. If you have already performed the initial configuration,
                               continue with Creating the iSession profile, on page 4-4.

                               To configure the WOM module
                                   1. On the Main tab of the local BIG-IP system, expand WAN
                                      Optimization, and then click Configuration. The Local Endpoint
                                      Configuration screen opens.
                                   2. In the IP Address box, type the BIG-IP self IP address you
                                      provisioned for the iSession endpoint in the data center.
                                   3. Make sure the Create iSession Virtual Server list is set to Yes.
                                   4. Click the Save button.
                                   5. In the Advertised Routes Configuration section, click the Create
                                      button. The Advertised Route is the local subnet that the local
                                      endpoint advertises to all configured remote endpoints to which it is
                                      connected.
                                   6. In the Alias box, type an alias for this route. This is optional. In our
                                      example, we type exchange2010-hub.
                                   7. In the Subnet Address box, type the appropriate subnet address. In
                                      our example, we type 10.133.20.0.
                                   8. In the Netmask box, type the associated netmask. In our example,
                                      we type 255.255.255.0.
                                   9. Make sure the Enabled box is checked.
                                  10. Click the Finished button.
                                  11. In the Dynamic Discovery section, we leave the default settings.




                         12. Repeat this entire procedure on the remote endpoint BIG-IP system,
                             using the appropriate BIG-IP self IP address in step 2, and the
                             appropriate Advertised Route information.
                      After performing this procedure on both BIG-IP systems, you connect your
                      two BIG-IP systems together via an iSession tunnel by identifying each
                      remote endpoint. If dynamic discovery was left on (as in step 11), you only
                      perform the following procedure on one of the BIG-IP systems. If you did
                      not, you must repeat this procedure on the remote BIG-IP system.

                      To configure the remote endpoints
                          1. On the Main tab of the local BIG-IP system, expand WAN
                             Optimization, and then click Configuration.
                          2. On the Menu bar, click Remote Endpoints.
                          3. Click the Create button.
                          4. From the Remote Endpoint list, select Advanced.
                          5. In the IP Address box, type the IP address you provisioned for the
                             remote iSession endpoint.
                          6. Important: From the Routing list, select Enabled.
                          7. Click Finished.
                          8. If you disabled dynamic discovery in the previous procedure, you
                             must repeat this procedure on the remote BIG-IP system.


Ensuring that iSession routing is enabled
                      As mentioned previously, if Dynamic Discovery is enabled, the BIG-IP
                      system automatically sets remote endpoint routing to disabled. We want to
                      ensure remote endpoint routing is enabled (as in step 6 above).

                        Important
                      We recommend that you check that routing is still enabled any time the
                      BIG-IP system reboots, and after any hotfix or upgrade installation, as
                      routing may revert to Disabled to avoid routing loops.

                      To ensure that iSession routing is enabled
                          1. On the Main tab of the local BIG-IP system, expand WAN
                             Optimization, and then click Configuration.
                          2. On the Menu bar, click Remote Endpoints.
                          3. Click the IP address of the appropriate endpoint.
                          4. From the Routing list, make sure that Enabled is selected. If it is
                             not, select Enabled from the list.
                          5. Click the Update button.
                          6. Repeat this procedure on the remote BIG-IP system.



Creating the iSession profile
                               In this procedure, we create an iSession profile. The iSession profile tells the
                               system how to optimize traffic.

                               To create the iSession profile
                                   1. On the Main tab, expand Local Traffic, and then click Profiles.
                                   2. On the Menu bar, from the Services menu, select iSession.
                                   3. Click the Create button.
                                   4. In the Name box, type a name for this profile. In our example, we
                                      type exchange-hub-isession.
                                   5. From the Deduplication row, click the Custom box, and from the
                                      list, select Disabled.
                                   6. In our example, we leave the rest of the settings at their default values.
                                   7. Click the Finished button.
                                   8. Repeat this on the Remote BIG-IP WAN Optimization module.



Creating the WAN Optimization policy
                               The next task is to create the WAN optimization policy.

                               To create a new WAN Optimization policy
                                   1. On the Main tab, expand WAN Optimization, and then click
                                      Configuration.
                                   2. On the Menu bar, click Optimization Policies.
                                   3. Click the Create button. The Common Application Optimization
                                      Policies page opens.
                                   4. Click the Create Custom Policy button. The New Optimization
                                      Policy wizard opens.
                                   5. Type a name for this virtual server. In our example, we type
                                      exchange-hub-local.
                                   6. Select No for the question asking if this is an iSession endpoint
                                      tunnel terminating virtual server.
                                   7. In the IP address/netmask section, select Network. Type the IP
                                      Address and Netmask for the remote network where the DAG
                                      member servers are located.
                                   8. In the What kind of application would you like to optimize? box,
                                      type 25.
                                   9. From the Will clients be connecting to this virtual server over a LAN
                                      list, select Yes.




        10. Encrypting the tunneled data is optional. In our example, we select
            Yes.
        11. In the VLAN section, from the Available list, select the appropriate
            VLANs and click the Add (<<) button.
        12. In the Profile Settings section, from the iSession Profile box, select
            the profile you created in Creating the iSession profile, on page 4.
        13. Click the Finished button.
        14. Repeat this on the remote BIG-IP WOM, but in Step 7, use the IP
            address and Netmask for the local network where the DAG member
            servers are located.


      This completes the BIG-IP WOM configuration.




5  Deploying the F5 Management Pack with Microsoft Exchange Server 2010



              • Integrating the F5 Management Pack with Exchange
                Server 2010

              • Downloading and installing the Management pack

              • Creating a Distributed Application Health Model

              • Discovering the Exchange CAS servers

              • Creating a distributed application
Deploying the F5 Management Pack with Microsoft
Exchange Server 2010
                  The F5 Management Pack is a software plug-in for System Center
                  Operations Manager (SCOM) that provides a comprehensive range of F5
                  device (BIG-IP) health data as well as virtual server, pool, and pool member
                  data. The information produced and aggregated by the F5 Management Pack
                  can be used for trending and analysis, maintenance, diagnostics and
                  recovery actions, all at the application delivery architecture level, in order to
                  optimize resource utilization and effectively manage infrastructure growth.



Prerequisites and system requirements
                  The F5 Management Pack requires a Microsoft® System Center Operations
                  Manager 2007 system that meets certain minimum requirements.
                  Platform requirements
                  The server running System Center Operations Manager should meet the
                  following recommended requirements:
                  • CPU: 2 x Quad Core Xeon
                  • RAM: 8GB
                  • Disk: 100GB 15K RPM
                  • NIC: 1000BASE-T
                  • Other: CD-ROM or DVD-ROM

                  Software Requirements
                  The following software components are required:
                  • Microsoft Windows Server® 2003 Enterprise Edition Service Pack 2.
                    (Both AMD64 and x86 environments are supported.)
                  • Internet Information Server (IIS)
                  • Microsoft .Net Framework 2.0
                  • Microsoft .Net Framework 3.0
                  • Microsoft SQL Server® 2005 Enterprise or Standard w/Reporting
                    Services enabled (with Service Pack 2 or Service Pack 3)
                  • Microsoft System Center Operations Manager 2007 with Service Pack 1
                  • Microsoft System Center Operations Manager 2007 Reporting Server
                  • All Windows Updates provided by Microsoft for Windows Server 2003
                    SP2
                  Reporting Services must be installed for both Operations Manager and SQL
                  Server to exercise the functions available in the Management Pack.
                  Supported browsers
                  The F5 Management Pack™ for System Center Operations Manager™ Web
                  Console requires Microsoft® Internet Explorer™, version 6.0 or later.




                       Supported F5 devices
                       This release supports all platforms running BIG-IP Local Traffic Manager
                       version 9.3.1 and later, and BIG-IP Global Traffic Manager version 9.3.1
                       and later.
                       User Accounts
                       You will want to make sure you have access to the following two accounts.
                       ◆    Installation Account
                            This is the account you will use to install the F5 Management Pack. This
                            account should have local system administrator privileges, SQL
                            administrator privileges, and Operations Manager Administrator
                            privileges.
                       ◆    Service Account
                            This is the account you will specify to run the F5 Monitoring Service.
                            This account must be in a group that is specified in the Operations
                            Manager Administrators in the Operations Manager Console under
                            Administration->Security->User Roles->Operations Manager
                            Administrators. It is recommended that you create a separate Active
                            Directory group for this purpose if you have not done so already. This
                            user is also required to be a local system administrator and a SQL
                            administrator.



Integrating the F5 Management Pack with Exchange Server 2010
                       The F5 Management Pack provides an advanced health model that greatly
                       reduces the number of objects to monitor and the administrative time and
                       resources required. The node related features (such as add/remove and
                       enable/disable) offer a powerful mechanism for administrators to outsource
                       time-consuming tasks to be handled in a more cost-effective manner.
                       Combined with a dedicated application service level health monitoring, tied
                       into the System Center Operations Manager, the F5 Management Pack
                       makes a strong addition to the overall data center management and health
                       monitoring platform for any distributed application server environment.
                       For Exchange Server 2010 integration the F5 Management Pack can be
                       combined with the Exchange Server 2010 Management Pack, to build up an
                       aggregated (roll-up) health model for managing the health of the Exchange
                       Server 2010 distributed application environment. A typical use-case
                       scenario for implementing this aggregated health model would be to map a
                       group relationship between the Client Access Servers (on the Exchange
                       Server 2010 side) and the corresponding LTM Pool Members (for the F5
                       device), using a distributed application health model in System Center
                       Operations Manager (SCOM 2007 R2), see Figure 1.




Figure 5.1 Distributed Application View with CAS and LTM Pool Members


                            There could be other, more complex distributed application scenarios for
                            an Exchange Server 2010 deployment with F5 devices, but for simplicity we
                            provide the step-by-step procedure for setting up a typical distributed
                            application health model involving the Exchange Client Access Servers
                            and the F5 LTM Pool Members.
                            The following sections assume a good understanding of the System Center
                            Operations Manager (SCOM 2007 R2) administration console and its
                            operating concepts.



Downloading and installing the Management pack
                            The first task is to download and install the F5 Management pack. The
                            management pack resides on F5’s developer community site, DevCentral
                            (http://devcentral.f5.com), which requires a free registration.
                            For detailed documentation on the F5 Management pack, see
                            http://devcentral.f5.com/wiki/Default.aspx/MgmtPack.HomePage.




                       There is also an instructional tutorial available at:
                       http://devcentral.f5.com/weblogs/dctv/archive/2009/04/28/tutorial---mana
                       gement-pack-installation.aspx

                         Important
                       In order to deploy the software across multiple management servers, you
                       must first install the F5 Networks Management Pack onto the Root
                       Management Server. From that point, you can install the suite in any order
                       onto any or all of the existing management servers.

                       To download and install the management pack
                           1. Download the F5 Management Pack from DevCentral at the
                              following location:
                              http://devcentral.f5.com/Default.aspx?tabid=217
                           2. Extract the file, and then double-click the
                              F5Networks.ManagementPack.Setup.exe file.
                              The Welcome screen of the installer opens.
                           3. Click the Next button. The SQL Configuration page opens.
                           4. In the SQL server box, type the SQL server where your Operations
                              Manager Database resides.
                           5. Click the button for which type of credentials you want to use to
                              access the SQL instance, Microsoft Windows user credentials or
                              SQL credentials.
                              In most cases, your network is set up with a specific SQL read/write
                              account in your Active Directory. For this installation, the accounts
                              need both read and write access to the SQL server as well as the
                              ability to create new databases.
                           6. In the User name and Password boxes, type the appropriate user
                              name and password.
                           7. Make sure the Enable Autogrow for Microsoft Operations
                              Manager database option is checked if you want the F5 Networks
                              Management Pack Setup to automatically enable the autogrow for
                              your Operations Manager databases.




             Note: The Enable Autogrow option is enabled by default. This
             setting allows the Operations Manager databases to automatically
             increase in size when nearing capacity. We recommend that you
             enable this option unless you plan to manually configure the
             autogrow feature.




      Figure 5.2 Configuring the Management Pack SQL options


          8. Click the Next button.
             The Configure Service Account screen opens.
          9. In the User name and Password boxes, type the user name and
             password for an Active Directory account which has the right to log
             on as a service.
        10. From the Domain list, select the appropriate domain.




      Figure 5.3 Configuring the Service Account


                          11. Click the Next button. The account information is validated against
                              the domain or Active Directory specified.
                              The F5 Management Pack is Ready to Install screen opens.
                          12. Review the settings, and then click Install to complete the
                              installation of the F5 Management Pack. Once installation is
                              complete, a prompt informs you that the installation was successful.
                          13. At the prompt, click OK to accept the installation.
                               If the installation was not successful, the system prompts you to
                               check for errors in the installation log: setup.log, which is located in
                               the C:/Program Files/F5 Networks/Management Pack/logs
                               directory.
                          14. Once the F5 Management Pack is properly installed, follow the
                              procedure of discovering F5 devices found on DevCentral
                              (http://devcentral.f5.com/wiki/default.aspx/MgmtPack/Discoverin
                              gF5NetworksDevices.html).
                              The following sections assume that the F5 devices are correctly
                              discovered and the System Center Operations Manager workflows
                              related to the health state of the discovered F5 devices run correctly.
                              For more information on the F5 DevCentral Management Solutions
                              see http://devcentral.f5.com/Default.aspx?tabid=213.



Creating a Distributed Application Health Model
                       Use the following procedures to create a Distributed Application view
                       related to Exchange Client Access Servers (CAS) and F5 LTM Pool
                       Members (using SCOM 2007 R2).

                       To import the Exchange 2010 Management pack
                           1. Download the Microsoft Exchange Server 2010 Management pack
                              from the Microsoft site. At the time of this writing, only the Release
                              Candidate of the Exchange Server 2010 Management Pack was
                              available for download: 64-bit version
                              (http://www.microsoft.com/downloads/details.aspx?displaylang=en
                              &FamilyID=a0d4e1f0-e2ba-4391-a118-9da83e827623),
                              or 32-bit version
                              (http://www.microsoft.com/downloads/details.aspx?FamilyID=a004
                              7276-553c-4054-afc9-ec3b4ececf3c&displaylang=en).
                           2. Log on to the computer with an account that is a member of the
                              Operations Manager Administrators role for the Operations
                              Manager 2007 management group.
                           3. In the Operations console, click Administration.
                           4. Right-click the Management Packs node, and then click Import
                              Management Packs. The Import Management Packs wizard opens.
                           5. Click Add, and then click Add from disk.




                     6. The Select Management Packs to import dialog box appears. If
                        necessary, change to the directory that holds the Exchange 2010
                        management pack file you downloaded in step 1. Click the
                        Exchange 2010 management pack, and then click Open.
                     7. On the Select Management Packs page, the management packs
                        that you selected for import are listed. An icon next to each
                        management pack in the list indicates the status of the selection, as
                        follows:
                         • A green check mark indicates that the management pack can be
                           imported. When all management packs in the list display this
                           icon, click Import.
                         • A red error icon indicates that the management pack is dependent
                           on one or more management packs that are not in the Import list
                           and are not available in the catalog. To view the missing
                           management packs, click Error in the Status column. To remove
                           the management pack with the error from the Import list,
                           right-click the management pack, and then click Remove.
                         Note: When you click Import, any management packs in the Import
                         list that display the Error icon are not imported.
                     8. The Import Management Packs page appears and shows the
                        progress for each management pack. Each management pack is
                        downloaded to a temporary directory, imported to Operations
                        Manager, and then deleted from the temporary directory. If there is
                        a problem at any stage of the import process, select the management
                        pack in the list to view the status details. Click Close.



Discovering the Exchange CAS servers
                 The next task is to discover the Client Access servers through System
                 Center Operations Manager.

                 To discover the CAS servers
                     1. In the Operations console, click the Administration button.
                     2. At the bottom of the navigation pane, click Discovery Wizard.
                     3. On the Introduction page, click Next.
                        The Introduction page does not appear if the Computer and Device
                        Management Wizard has been run before and Do not show this page
                        again was selected.
                     4. On the Auto or Advanced? page, select Advanced discovery. In the
                        Computer and Device Classes list, select Server Only.
                     5. In the Management Server list, click the management server or
                        gateway server to discover the computers. When multiple
                        management servers are in a management group, the agents are
                        automatically configured to use secondary management servers if
                        their root management server is unavailable.


                           6. On the Discovery Method page, select Browse for, or type-in
                              computer names, click Browse, specify the names of the
                              computers you want to manage, and then click OK. In the Browse
                              for, or type-in computer names box, type the computer names,
                              separated by a semicolon, a comma, or a new line [ENTER]. You can
                              use NetBIOS computer names or Fully Qualified Domain Names
                              (FQDNs).
                           7. Click Next, and on the Administrator Account page, select Use
                              selected Management Server Action Account if it is not already
                              selected.
                           8. Click Discover to display the Discovery Progress page. The time it
                              takes discovery to complete depends on many factors, such as the
                              criteria specified and the configuration of the IT environment.
                           9. On the Select Objects to Manage page, do the following:
                               a) Select the computers you want to agent-manage.
                               b) In the Management Mode list, click Agent and then click Next.
                          10. On the Summary page, do the following:
                               a) Leave the Agent installation directory set to the default
                                  of %ProgramFiles%\System Center Operations Manager
                                  2007, or type an installation path.
                               b) Leave Agent Action Account set to the default, Local System,
                                  or select Other and type the User name, Password, and
                                  Domain. The Agent Action Account is the default account the
                                  agent will use to perform actions.
                               c) Click Finish.
                          11. In the Agent Management Task Status dialog box, the Status for
                              each selected computer changes from Queued to Success; the
                              computers are ready to be managed.
                          12. Click Close.



Creating a distributed application
                       The next task is to create a distributed application.
                           1. Go to the Authoring section in the SCOM 2007 R2 Management
                              Console, select Distributed Applications, and then right click and
                              select Create a new distributed application.
                           2. Type a name (F5 and Exchange Server 2010, for example), an
                              optional description, choose the Blank (Advanced) template and
                              target a new (override) management pack for authoring the view
                              into. Name this override management pack
                              F5.E2K10.ManagementPack, for example.




                                3. Create the diagram shown in Figure 5.4. The view contains three
                                   CAS Server groups: EX-CAS-00, EX-CAS-01, EX-CAS-02
                                   (corresponding to the Exchange Server 2010 CAS servers CA00,
                                   CA01 and CA02) and the three related F5 LTM Pool Member
                                   groups: LTM-CAS-00, LTM-CAS-01, LTM-CAS-02
                                   (corresponding to the F5 LTM Pool Members). Between each CAS
                                   Server and the related F5 LTM Pool Member there is a “uses”
                                   relationship, which describes a “dependency” of the Exchange
                                   Server 2010 CAS Server on the F5 LTM Pool Member. See the
                                   following section on how to create these groups.




Figure 5.4 The F5 Management Pack and Exchange Server 2010 Distributed Application design view


                            To create the Client Access Role groups (EX-CAS-xx):
                                1. In the Objects section of the Distributed Application Designer
                                   select Advanced Search.
                                2. In the Search for: dropdown list-view select Client Access and
                                   click Search.
                                3. From the Available items list-view select the CAS servers and click
                                   the Add button to add them in the Selected objects list-view. Click
                                   OK to conclude the selection.




                          4. In the Advanced Search Results list-view on the left, select a CAS
                             server, right click > select New Component Group…, name the
                             component group to something like EX-CAS-xx and make sure the
                             object type selected in the Objects of the following type(s)
                             list-view is Client Access. Repeat this step for all of the CAS
                             servers.

                       To create the LTM Pool Member groups (LTM-CAS-xx):
                          1. In the Objects section of the Distributed Application Designer
                             select Advanced Search.
                          2. In the Search for: dropdown list-view select F5 LTM Pool
                             Member and click Search.
                          3. From the Available items list-view select the LTM Pool Members
                             and click the Add button to add them in the Selected objects
                             list-view. Click OK to conclude the selection.
                          4. In the Advanced Search Results list-view on the left, select one or
                             more LTM Pool Members (usually grouped by the same IP
                             address), right click > select New Component Group…, name the
                             component group to something like LTM-CAS-xx and make sure
                             the object type selected in the Objects of the following type(s)
                             list-view is F5 LTM Pool Member. Repeat this step for all of the
                             LTM Pool Members (grouped by IP address).
                          5. A detailed snapshot of the Distributed Application diagram view
                             corresponding to the example presented above is shown in Figure 3.
                             The diagram can be viewed by right clicking on the F5 and
                             Exchange Server 2010 (or the name given during the design
                             process) Distributed Application object in the Authoring view and
                             selecting View Diagram…




Figure 5.5 Detailed diagram view of the Distributed Application with CAS and LTM Pool Members


                             This diagram view shows a roll-up health model of the Exchange Server
                             2010 and F5 objects monitored and will allow access on each object's Health
                             Explorer, related server tasks (for the F5 LTM Pool Members), Maintenance
                             Mode tasks, etc.



Conclusion
                             Integrating the F5 Management Pack with the Exchange Server 2010 health
                             model described by the Exchange Server 2010 Management Pack leads to a
                             powerful solution of monitoring the overall health state for the distributed
                             application environment built around the Exchange Server 2010 platform
                             and F5 devices, providing a solid starting point for data-center orchestration
                             and management provisioning.



