28 C
Dubai
Monday, November 25, 2024

Configure f5 LTM with Exchange Server 2016

Had to deploy Exchange server 2016 with F5 Local Traffic manager (LTM) and F5 Application Security Manger (ASM) . Lets see how to configure it

Points to Consider –

  • F5 Local Traffic Manager (LTM) should be the gateway for the exchange server. (Highly recommended to reduce complexity and retain SMTP source IP)

Load balancing SMTP traffic and to retain the source ip in the exchange logs you need to disable SNAT/Auto map. so make sure f5 is your gateway when you deploying exchange with f5.  I have stretched my Exchange server VLAN and added as a Self IP in F5 and self ip will be my gateway for the exchange servers in the same VLAN.

As a first step your f5 should act as a router .Create a forwarding virtual servers and set source address translation snat/automap to none. So that now all my Exchange server outbound traffic goes out to the gateway and but it won’t know the route to come back to exchange server

  • Create a Forwarding IP virtual Server
  • Source address 0.0.0.0/0
  • Destination address 0.0.0.0/0
  • Service Port All Ports
  • State Enabled

image

  • Choose All Protocols so that ICMP will work
  • Choose protocol client Profile as fastL4
  • Choose Enable on Exchange server VLAN only
  • Source address translation set to none

image

Now Exchange servers gateway is f5 on the same VLAN and VLAN is forwarding all traffic from the f5 to its default gateway .

Now whatever is your default gateway Cisco Router or Firewall . Create a static route to route back the traffic to f5 floating ip. So you are making sure all the traffic via exchange servers goes to f5 and comes via f5.

get the ssl ready on exchange servers  Configuring 3rd Party SSL Exchange Certificate in Exchange 2016

we need to export the file as .pfx or use mmc to export the cert as .pfx with the private key.

image

Configuring SSL Profiles in F5 –

  • Import the Exchange Certificate (.pfx with private key)  to the f5 device

image

System – File management – SSL Certificates list –

  • Import type  – PKCS 12 (IIS)
  • Create new – Exch_Cert
  • choose file – Choose .pfx file
  • Enter the password
  • Key security – Normal

Choose Import

image

also import the root chain. get it from your certificate authority. in my case its digicert

image

image

Creating Client SSL Profile.

image

Choose the SSL Client Profile Name

Choose Parent Profile

Choose Custom

Add the Certificate you imported.

image

  • Choose Certificate
  • Choose Certificate for key ( As we imported with private key)
  • Choose Chain
  • Leave the passphrase empty
  • OCSP Stapling – none
  • Click add

image

  • Choose Finished now SSL Client is ready.

Create Server SSL Profile . Redo the same process of choosing the same cert.

image

Now you have a client ssl and server ssl profile.

  • Now we are on the same VLAN
  • Have the SSL profiles ready.

lets go the iApp templates

We need iApp Templates to configure the internal LTM . As you have a f5 account. login to https://downloads.f5.com and download iApp Templates

image

Download iapps .zip and extract it

image

Extract the zip file.

C:\iapps-1.0.0.500.0\Microsoft\Exchange_2016\f5.microsoft_exchange_2016.v1.0.2.tmpl

image

Login to F5 Local Traffic Manager (LTM)

iApps – Templates – Templates + – Choose Import

image

Choose the f5.microsoft_exchange_2016.v1.0.2.tmpl and Click on Upload

image

Click on Application Services – Create

image

Choose Name and Template

  • Exchange-2016_.
  • f5.microsoft_exchange_2016.v1.0.2

image

Choose – Yes , Show all inline help

image

Choose – Local Big-IP load balances and optimizes traffic

image

  • Choose incoming traffic as Encrypted
  • Choose Re-encrypt (SSL Bridging) – You have to choose this as Exchange can’t run on HTTP
  • Choose Client SSL Profile you created
  • Choose Server SSL Profile you created
  • Choose Optimize Connections for WAN clients. (As majority of my users are connecting via WAN)
  • Choose Same Subnet for BIG ip virtual servers and mailbox servers ( In most the network designs you can always stretch the VLAN and use in on F5 .It will be a clean design)

image

  • Choose the maximum number of concurrent users fewer than 6000 . 64,000 concurrent connections is more than sufficient for a 3000+ mailbox environment in this specific case.
  • Choose Use a single IP address for all connections
  • Choose All services will be handled by the same set of mailbox servers (In my case – have 4 nodes with same configuration in parallel )
  • All Services will be handled by the same set of mailbox servers

image

  • Choose – Server pool settings – Use settings recommended by f5
  • choose the Virtual ip will be used
  • Choose yes for deploying ECP ( Disable Admin ECP at Server level if required)
  • Choose Deploy EWS and OAB ( most common)
  • Choose MAPI over HTTP and RPC over HTTP  (Only Exchange 2016 mailboxes use MAPI over HTTP by default)

image

  • Choose Yes of Active sync
  • Yes for Autodiscover
  • Choose yes , if imap and pop3 needs to be enabled
  • Enter the mailbox server ips

image

Choose FQDN for OWA/MAPI/Outlook anywhere/EWS/Active sync/autodiscover

image

Choose finish. Now iApp with Exchange HTTPS traffic is Configured.

Now lets see how to retain the source ip for http/https traffic and Source address translation is enabled by default on the HTTPS pool Configured by the template. I want to keep the design and configuration minimal so that when you import or replace or upgrade templates. no much additional configuration is needed. Also note that X-Forward-For is enabled by default on the http profile which will remain untouched.

image

Now Open Exchange server IIS . Choose logging

image

Select Fields

image

  • Field Name – Source-IP
  • Source Type – Request Header
  • Source – X-FORWARDED-FOR

image

Add the Custom Field

Do iis reset

C:\inetpub\logs\LogFiles\W3SVC1 Check the latest log. you can see the correct source ip and not the F5 floating / non floating ips

Lets configure the SMTP Load balancing now .

As seen above , now choose the SMTP template , Import it.

image

Basic – Use F5’s recommended settings

image

  • Choose BIG IP virtual Server IP and SMTP servers are on the same subnet
  • Choose fewer than 64,000 Concurrent connections per user

image

Choose Encryption – Do nothing (No Encrypted SMTP Traffic)

Choose the same VIP as HTTPs to simplify the setup.

Choose create new pool and add the mailbox servers

image

Choose the fqdn for smtp and choose no authentication required and no message submitted as Exchange will handle the rest.

image

Choose the defaut frontend receive connector

image

  • Uncheck anonymous users to stop using this connector to receive internet email .  ( Recommended )

image

and create anonymous relay connectors for Applications which need to send out to the internet.

Anonymous Application relay connectors in Exchange 2016

and create a dedicated internet connector To receive email from internet or anti-spam appliances

Make sure connector log set to verbose

image

Check connector logs in below location to check your valid source ip of SMTP Traffic

C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive

Hope it will help many . As I wasted too much time on this. F5 deployment guides are huge.  I will be sharing the F5 asm configurations on my next blog

Satheshwaran Manoharan
Satheshwaran Manoharanhttps://www.azure365pro.com
Award-winning Technology Leader with a wealth of experience running large teams and diversified industry exposure in cloud computing. From shipping lines to rolling stocks.In-depth expertise in driving cloud adoption strategies and modernizing systems to cloud native. Specialized in Microsoft Cloud, DevOps, and Microsoft 365 Stack and conducted numerous successful projects worldwide. Also, Acting as a Technical Advisor for various start-ups.

Related Articles

2 COMMENTS

  1. Hello Satheshwaran,

    Thanks for your nice document. Quote from your blog

    If there is SNAT and exchange servers need to see the actual source how to achieve that ?

  2. Hi Satheshwaran!

    Awesome blog. Handy for F5 admins to properly configure the load balancing for Exchange 2016 with all the bells and whistles. I am in a situaton where I saw to Reject during Action on Service Down for MAPI pool. So, LTM reaps all active connections when monitor marks a pool member down. Client is not happy about it. They prefer “None” and gracefully timeout the active connection. Will there be any prolem with such implementation.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

× How can I help you?