I had to deploy Exchange Server 2016 behind an F5 Local Traffic Manager (LTM) and F5 Application Security Manager (ASM). Let's see how to configure it.
Points to Consider –
- The F5 Local Traffic Manager (LTM) should be the default gateway for the Exchange servers. This is highly recommended: it keeps the design simple and lets you retain the SMTP source IP.
To load balance SMTP and still see the real source IP in the Exchange logs, you need to disable SNAT/automap on the SMTP virtual server. Without SNAT the mailbox servers reply directly to the client's address, so the return path must also pass through the F5, which means the F5 has to be their gateway. I stretched the Exchange server VLAN to the F5, added a self IP on it, and use the floating self IP as the gateway for the Exchange servers on that VLAN.
As a first step the F5 has to act as a router. Create a forwarding virtual server with Source Address Translation set to None, so that all outbound traffic from the Exchange servers leaves through the F5 to its default gateway. At this point the upstream device still does not know the route back to the Exchange servers; that is fixed with a static route below.
- Create a Forwarding (IP) virtual server:
- Source Address – 0.0.0.0/0
- Destination Address – 0.0.0.0/0
- Service Port – * All Ports
- State – Enabled
- Protocol – * All Protocols (so that ICMP also works)
- Protocol Profile (Client) – fastL4
- VLAN and Tunnel Traffic – Enabled on the Exchange server VLAN only
- Source Address Translation – None
The Exchange servers' gateway is now the F5 floating self IP on their VLAN, and the forwarding virtual server passes everything the F5 receives on that VLAN on to its own default gateway.
On that default gateway, whether it is a Cisco router or a firewall, create a static route for the Exchange server subnet pointing at the F5 floating self IP. That makes the path symmetric: traffic from the Exchange servers leaves through the F5 and traffic to them comes back through the F5, which is what running without SNAT requires.
Next, get SSL ready on the Exchange servers (see: Configuring 3rd Party SSL Exchange Certificate in Exchange 2016).
Export the certificate as a .pfx including the private key, either from the Exchange Admin Center or from the Certificates MMC snap-in.
Configuring SSL Profiles in F5 –
- Import the Exchange certificate (.pfx with private key) into the F5 device:
System – File Management – SSL Certificate List – Import
- Import Type – PKCS 12 (IIS)
- Create New – Exch_Cert
- Certificate Source – choose the .pfx file
- Enter the .pfx password
- Key Security – Normal
Click Import.
Also import the certificate chain (root and intermediate CA certificates). Get it from your certificate authority; in my case that is DigiCert.
Creating the Client SSL profile (Local Traffic – Profiles – SSL – Client – Create):
- Enter a name for the Client SSL profile
- Parent Profile – clientssl (the default)
- Tick Custom
Add the certificate you imported:
- Certificate – Exch_Cert
- Key – Exch_Cert (the key was imported together with the certificate)
- Chain – the CA chain you imported
- Leave the passphrase empty
- OCSP Stapling – none
- Click Add
- Click Finished. The Client SSL profile is ready.
Create a Server SSL profile (parent serverssl) the same way, choosing the same certificate. Note that by default the Server SSL profile does not verify the mailbox server's certificate (Server Certificate is set to ignore), so re-encryption protects the traffic on the wire but does not by itself authenticate the mailbox server; set Server Certificate to require and add the issuing CA under Trusted Certificate Authorities if you need that.
Now you have a Client SSL and a Server SSL profile.
- The F5 and the Exchange servers are now on the same VLAN.
- The SSL profiles are ready.
Now let's go to the iApp templates.
We need the iApp templates to configure the internal LTM. With your F5 account, log in to https://downloads.f5.com and download the iApp templates package.
Download the iApps .zip file, extract it, and locate the Exchange 2016 template:
C:\iapps-1.0.0.500.0\Microsoft\Exchange_2016\f5.microsoft_exchange_2016.v1.0.2.tmpl
Log in to the F5 Local Traffic Manager (LTM).
iApps – Templates – Import
Choose f5.microsoft_exchange_2016.v1.0.2.tmpl and click Upload.
Click Application Services – Create.
Choose a name and the template:
- Name – Exchange-2016_
- Template – f5.microsoft_exchange_2016.v1.0.2
Choose Yes, show all inline help.
Choose Local BIG-IP load balances and optimizes traffic.
- Choose incoming traffic as Encrypted.
- Choose Re-encrypt (SSL Bridging). Exchange 2016 listens on HTTPS out of the box, so the BIG-IP has to re-encrypt towards the mailbox servers unless you have explicitly configured SSL offloading on them.
- Choose the Client SSL profile you created.
- Choose the Server SSL profile you created.
- Choose Optimize connections for WAN clients (the majority of my users connect over the WAN).
- Choose Same subnet for the BIG-IP virtual servers and the mailbox servers. In most network designs you can stretch the VLAN to the F5 and use it there; it makes for a clean design.
- Choose fewer than 64,000 concurrent users. The threshold is about SNAT port exhaustion: above roughly 64,000 concurrent connections per self IP the template needs a SNAT pool instead of automap. 64,000 is more than sufficient for this 3000+ mailbox environment.
- Choose Use a single IP address for all connections.
- Choose All services will be handled by the same set of mailbox servers (in my case four identically configured nodes in parallel).
- Server pool settings – Use settings recommended by F5.
- Enter the virtual IP address that will be used.
- Choose Yes to deploy ECP. ECP also serves the Exchange admin center, so disable the admin part on the internet-facing servers if required (Set-EcpVirtualDirectory -AdminEnabled $false).
- Choose to deploy EWS and OAB (most common).
- Choose MAPI over HTTP and RPC over HTTP (Outlook Anywhere). Only Exchange 2016 mailboxes use MAPI over HTTP by default.
- Choose Yes for ActiveSync.
- Choose Yes for Autodiscover.
- Choose Yes for IMAP and POP3 if they need to be enabled.
- Enter the mailbox server IPs.
Enter the FQDNs for OWA, MAPI, Outlook Anywhere, EWS, ActiveSync and Autodiscover.
Click Finished. The iApp for Exchange HTTPS traffic is now configured.
Now let's see how to retain the source IP for HTTP/HTTPS traffic. Source address translation (SNAT automap) is enabled by default on the HTTPS virtual server the template creates, and I want to keep the iApp configuration minimal so that importing, replacing or upgrading the template needs little additional work. So rather than disabling SNAT for HTTPS, I rely on the X-Forwarded-For header: the template's HTTP profile has Insert X-Forwarded-For enabled by default, and I leave that untouched.
Now open IIS Manager on each Exchange server, select the server (or the Default Web Site), and open Logging.
Click Select Fields, then Add Field:
- Field Name – Source-IP
- Source Type – Request Header
- Source – X-FORWARDED-FOR
Add the custom field and apply the logging settings.
Run iisreset.
Check the latest log under C:\inetpub\logs\LogFiles\W3SVC1. The custom field is added as the last column of each record (and to the #Fields line), and you should now see the real client IP there instead of the F5 floating or non-floating self IP that appears in c-ip. Two caveats: a client can send its own X-Forwarded-For header, so treat only the entry the BIG-IP adds (the last one) as the client address; and the header only means something if every path to IIS goes through the BIG-IP.
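To check the logs without reading them by eye, here is a small parser for the W3C log with the custom field, added for this post (it is not the author's code and not part of the F5 or Microsoft tooling). It assumes the custom field is named Source-IP and filled from X-Forwarded-For as configured above, and that you know the BIG-IP self IPs on the Exchange VLAN; the log excerpt and every address in it are constructed for the example from RFC 5737 documentation ranges. It reports requests per real client and flags any request whose TCP peer is not a BIG-IP self IP, i.e. something that reached IIS without passing through the load balancer.

```python
"""Confirm that IIS on a mailbox server logs the real client IP behind the BIG-IP.

Added example, not from the original post. It assumes the custom IIS logging
field is named Source-IP and is filled from the X-Forwarded-For request header
(as configured above), and that the BIG-IP self IPs on the Exchange VLAN are
known. The log excerpt and all addresses below are constructed for this example
(RFC 5737 documentation ranges), not taken from a real server.
"""
import ipaddress
from collections import Counter

# Constructed: floating and non-floating self IPs of the BIG-IP pair.
# With SNAT automap on the HTTPS virtual servers, c-ip is always one of these.
BIGIP_SELF_IPS = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}

# Constructed W3C log excerpt; the custom Source-IP field is the last column.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2017-03-01 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken Source-IP
2017-03-01 09:00:01 192.0.2.21 POST /mapi/emsmdb/ - 443 EXAMPLE\\alice 192.0.2.10 Outlook/16.0 200 15 203.0.113.5
2017-03-01 09:00:02 192.0.2.21 GET /owa/ - 443 - 192.0.2.11 Mozilla/5.0 200 30 198.51.100.7
2017-03-01 09:00:03 192.0.2.21 POST /autodiscover/autodiscover.xml - 443 - 192.0.2.10 Outlook/16.0 200 12 203.0.113.9,203.0.113.5
2017-03-01 09:00:04 192.0.2.21 GET /ecp/ - 443 EXAMPLE\\admin 198.51.100.50 Mozilla/5.0 200 40 -
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the column names in the #Fields line."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other W3C directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("log record appears before a #Fields directive")
        values = line.split(" ")  # IIS encodes spaces inside values as '+'
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch in record: {line!r}")
        yield dict(zip(fields, values))


def client_ip(record, xff_field="Source-IP"):
    """Return (ip, origin) for one request.

    origin is "x-forwarded-for" when the custom field was populated, else "c-ip".
    A client can send its own X-Forwarded-For header before the BIG-IP adds its
    entry, so only the last address in the value is used; this assumes the BIG-IP
    is the final hop in front of IIS.
    """
    xff = record.get(xff_field, "-")
    if xff != "-":
        last = xff.split(",")[-1].strip()
        ipaddress.ip_address(last)  # raises ValueError on a malformed header
        return last, "x-forwarded-for"
    return record["c-ip"], "c-ip"


def audit(text, self_ips=BIGIP_SELF_IPS, xff_field="Source-IP"):
    """Count requests per real client and flag any that did not come via the BIG-IP.

    Returns (clients, bypassed). A request whose TCP peer (c-ip) is not a BIG-IP
    self IP reached IIS directly; its X-Forwarded-For value, if any, cannot be
    trusted, and the path that allowed it should be closed.
    """
    clients = Counter()
    bypassed = []
    for rec in parse_w3c(text):
        ip, _ = client_ip(rec, xff_field)
        clients[ip] += 1
        if rec["c-ip"] not in self_ips:
            bypassed.append(rec)
    return clients, bypassed


if __name__ == "__main__":
    clients, bypassed = audit(SAMPLE_LOG)
    for ip, n in clients.most_common():
        print(f"{ip:<16} {n} request(s)")
    for rec in bypassed:
        print("BYPASSED BIG-IP:", rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"])
```

Point `SAMPLE_LOG` at the contents of the newest u_ex*.log file and replace `BIGIP_SELF_IPS` with your own self IPs. In the constructed sample the fourth record is the interesting one: it has no X-Forwarded-For value and its c-ip is not a BIG-IP address, which is exactly what a connection that bypassed the load balancer looks like.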
Let's configure the SMTP load balancing now.
As above, import the SMTP iApp template and create an application service from it.
Basic – Use F5's recommended settings
- Choose BIG-IP virtual server IP and SMTP servers are on the same subnet
- Choose fewer than 64,000 concurrent connections
Choose Encryption – Do nothing (no encrypted SMTP traffic). The BIG-IP then passes the SMTP session through untouched, so STARTTLS negotiated between the sending host and the Exchange front end still works end to end; it simply is not terminated on the BIG-IP.
Use the same VIP as for HTTPS (port 25 instead of 443) to simplify the setup.
Choose Create new pool and add the mailbox servers.
For the health monitor, enter the FQDN it should present in EHLO, and choose no authentication and no test message; Exchange handles the rest.
Also confirm that the SMTP virtual server has Source Address Translation set to None, as explained at the start; if it is still on, the receive connector logs below will only ever show the BIG-IP self IP.
On the Exchange side, open the Default Frontend receive connector:
- Uncheck Anonymous users so that this connector no longer accepts internet mail (recommended).
Create anonymous relay connectors for applications that need to send out to the internet (see: Anonymous Application Relay Connectors in Exchange 2016), and create a dedicated internet connector to receive mail from the internet or from anti-spam appliances.
Exchange selects the receive connector by the connecting host's source IP (the connector's RemoteIPRanges, most specific match wins), so this scheme only works because SNAT is off on the SMTP virtual server: with SNAT every session would arrive from a BIG-IP self IP, and a relay connector that matched that address would relay for anyone able to reach the VIP.
Make sure the connector's protocol logging level is set to Verbose.
Check the front-end receive protocol logs in the location below to confirm you see the real source IP of the SMTP traffic and not a BIG-IP self IP:
C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive
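As an added example (again not the author's code, and not an Exchange or F5 tool), here is a parser for that SmtpReceive log that does the two checks above for you: it lists the peer addresses seen per receive connector, flags sessions whose peer is a BIG-IP self IP (the real source was lost to SNAT), and flags sessions on the anonymous relay connector that come from outside the ranges the connector is scoped to. The connector names, self IPs, RemoteIPRanges and the log excerpt are all constructed for the example; replace them with your own.

```python
"""Check SMTP source IPs in the Exchange front-end receive protocol log.

Added example, not from the original post. It parses the SmtpReceive log format
(CSV with a #Fields directive) and checks two things: that sessions are logged
with their real source address rather than a BIG-IP self IP (which is what you
see when SNAT/automap is still on for the SMTP virtual server), and that
sessions on the anonymous relay connector come only from the address ranges
that connector is scoped to. Connector names, self IPs, RemoteIPRanges and the
log excerpt are all constructed for this example (RFC 5737 ranges).
"""
import csv
import ipaddress
from collections import defaultdict

# Constructed: BIG-IP self IPs on the Exchange VLAN.
BIGIP_SELF_IPS = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}

# Constructed: RemoteIPRanges of the anonymous application relay connector.
RELAY_ALLOWED = {
    "EXCH01\\App Relay": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed SmtpReceive excerpt: one internet session on the default
# front-end connector, one legitimate relay session, and one relay session
# whose peer is a BIG-IP self IP (what you get with SNAT still enabled).
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: SMTP Receive Protocol Log
#Date: 2017-03-01T09:00:00.000Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2017-03-01T09:00:01.000Z,EXCH01\\Default Frontend EXCH01,08D4A1,0,192.0.2.21:25,203.0.113.40:51234,+,,
2017-03-01T09:00:01.010Z,EXCH01\\Default Frontend EXCH01,08D4A1,1,192.0.2.21:25,203.0.113.40:51234,>,"220 exch01.example.net Microsoft ESMTP MAIL Service ready",
2017-03-01T09:00:01.020Z,EXCH01\\Default Frontend EXCH01,08D4A1,2,192.0.2.21:25,203.0.113.40:51234,<,EHLO mx.example.org,
2017-03-01T09:00:02.000Z,EXCH01\\App Relay,08D4A2,0,192.0.2.21:25,198.51.100.30:40001,+,,
2017-03-01T09:00:02.010Z,EXCH01\\App Relay,08D4A2,1,192.0.2.21:25,198.51.100.30:40001,<,MAIL FROM:<alerts@example.net>,
2017-03-01T09:00:03.000Z,EXCH01\\App Relay,08D4A3,0,192.0.2.21:25,192.0.2.10:40002,+,,
2017-03-01T09:00:03.010Z,EXCH01\\App Relay,08D4A3,1,192.0.2.21:25,192.0.2.10:40002,<,MAIL FROM:<anyone@example.com>,
"""


def parse_smtp_receive(text):
    """Yield one dict per log record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Log-type, #Date
        if fields is None:
            raise ValueError("log record appears before a #Fields directive")
        values = next(csv.reader([line]))  # data/context may be quoted and contain commas
        yield dict(zip(fields, values))


def endpoint_ip(endpoint):
    """Strip the port from 'ip:port' or '[ipv6]:port' as written in the log."""
    host = endpoint.rsplit(":", 1)[0]
    return host.strip("[]")


def sessions(text):
    """Group records by session-id -> {"connector", "remote_ip", "records"}."""
    out = {}
    for rec in parse_smtp_receive(text):
        entry = out.setdefault(rec["session-id"], {
            "connector": rec["connector-id"],
            "remote_ip": endpoint_ip(rec["remote-endpoint"]),
            "records": [],
        })
        entry["records"].append(rec)
    return out


def audit(text, self_ips=BIGIP_SELF_IPS, relay_allowed=RELAY_ALLOWED):
    """Return (peers_by_connector, snat_hidden, relay_violations).

    snat_hidden: session ids whose peer is a BIG-IP self IP, meaning the real
    source was lost to SNAT. relay_violations: session ids on a relay connector
    whose peer is outside that connector's allowed ranges.
    """
    peers = defaultdict(set)
    snat_hidden, relay_violations = [], []
    for sid, s in sessions(text).items():
        peers[s["connector"]].add(s["remote_ip"])
        if s["remote_ip"] in self_ips:
            snat_hidden.append(sid)
        allowed = relay_allowed.get(s["connector"])
        if allowed is not None:
            addr = ipaddress.ip_address(s["remote_ip"])
            if not any(addr in net for net in allowed):
                relay_violations.append(sid)
    return dict(peers), snat_hidden, relay_violations


if __name__ == "__main__":
    peers, hidden, violations = audit(SAMPLE_LOG)
    for connector, ips in peers.items():
        print(f"{connector}: {sorted(ips)}")
    print("sessions hiding behind SNAT:", hidden)
    print("relay sessions from outside RemoteIPRanges:", violations)
```

In the constructed sample the third session is the one to worry about: it landed on the relay connector but its peer is a BIG-IP self IP, so neither you nor Exchange can tell which host actually submitted the mail. If you see that pattern in a real log, SNAT is still on for the SMTP virtual server and the relay connector's RemoteIPRanges must not include the self IPs until it is fixed.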
I hope this helps many people, as I wasted a lot of time on this; the F5 deployment guides are huge. I will be sharing the F5 ASM configuration in my next post.
Hello Satheshwaran,
Thanks for your nice document. Quote from your blog
If there is SNAT and the Exchange servers need to see the actual source, how can that be achieved?
Hi Satheshwaran!
Awesome blog. Handy for F5 admins to properly configure the load balancing for Exchange 2016 with all the bells and whistles. I am in a situation where I set Reject as the Action on Service Down for the MAPI pool. So, LTM reaps all active connections when the monitor marks a pool member down. The client is not happy about it. They prefer "None" and gracefully timing out the active connections. Will there be any problem with such an implementation?