DEPLOYMENT GUIDE Version 1.2. Deploying F5 with Microsoft Exchange Server 2007




Table of Contents

Deploying F5 devices with Microsoft Exchange Server 2007 Client Access Servers
  Prerequisites and configuration notes ... 1-2
  Product versions and revision history ... 1-2
  Configuration example ... 1-2
  Configuring the BIG-IP LTM for the OWA component of Client Access ... 1-4
    Connecting to the BIG-IP device ... 1-5
    Importing keys and certificates ... 1-5
    Creating the HTTP health monitor ... 1-6
    Creating the pool ... 1-7
    Creating profiles ... 1-9
    Creating the iRules ... 1-14
    Creating the virtual servers ... 1-16
    Optional: Using X-Forwarded-For to log the client IP address in IIS 7.0 and 7.5 ... 1-20
      Adding the X-Forwarded-For log field to IIS ... 1-20
  Configuring the WebAccelerator with Exchange 2007 OWA ... 1-22
    Prerequisites and configuration notes ... 1-22
    Configuring the WebAccelerator module for Outlook Web Access ... 1-22
    Connecting to the BIG-IP device ... 1-23
    Creating an HTTP Class profile ... 1-23
    Modifying the Virtual Server to use the Class profile ... 1-24
    Downloading and importing the WebAccelerator policy ... 1-25
    Creating an Application ... 1-26
  Configuring the BIG-IP LTM for Outlook Anywhere ... 1-28
    Importing keys and certificates ... 1-28
    Creating the HTTP health monitor ... 1-29
    Creating the pool ... 1-29
    Creating the iRule ... 1-30
    Creating profiles ... 1-31
    Creating the virtual server ... 1-34
  Configuring the BIG-IP LTM for ActiveSync ... 1-36
    Importing keys and certificates ... 1-36
    Creating the HTTP health monitor ... 1-36
    Creating the pool ... 1-37
    Creating profiles ... 1-38
    Creating the virtual server ... 1-40
  Configuring the BIG-IP LTM to support Outlook Web Access, Outlook Anywhere, and Active Sync using a single virtual server ... 1-42
    Using one pool for all three services with no WebAccelerator ... 1-43
    Using different pools for each service and using the WebAccelerator ... 1-45
  Configuring the BIG-IP LTM for POP3 and IMAP4 ... 1-49
    Configuring the BIG-IP system for IMAP4 ... 1-49
      Creating the virtual server ... 1-52
    Configuring the BIG-IP system for POP3 ... 1-52
      Creating the virtual server ... 1-55
  Synchronizing the BIG-IP configuration if using a redundant system ... 1-56
  Configuring the FirePass controller for Exchange Server 2007 ... 1-57
    Prerequisites and configuration notes ... 1-57
    Configuration scenario ... 1-57
    Connecting to the FirePass controller ... 1-58
    Creating groups on the FirePass controller ... 1-58
    Configuring auto-logon ... 1-62
    Configuring Outlook Web Access through the FirePass device ... 1-63
    Configuring Mobile Email for HTML-based access to email ... 1-65
    Configuring Network Access to the Exchange server ... 1-66
    Configuring Endpoint security ... 1-67
  Conclusion ... 1-69
  Appendix A: Backing up and restoring the BIG-IP LTM system configuration ... 1-70
    Saving and restoring the BIG-IP configuration ... 1-70

Deploying F5 and Microsoft Exchange Server 2007 Edge Transport Servers
  Prerequisites and configuration notes ... 2-1
  Configuration example ... 2-1
  Configuring the BIG-IP LTM with Edge Transport Servers ... 2-3
    Connecting to the BIG-IP device ... 2-3
    Creating the health monitor ... 2-4
    Creating the pool ... 2-5
    Creating a TCP profile ... 2-6
    Creating the virtual server ... 2-7
    Synchronizing the BIG-IP configuration if using a redundant system ... 2-9
  Configuring the Message Security Module with Edge Transport Servers ... 2-10
    Prerequisites and configuration notes ... 2-10
    Accessing the Configuration utility ... 2-10
    Configuring MSM to manage traffic to your Edge Transport Servers ... 2-11
    Creating the pools ... 2-12
    Modifying the names of variables in the MSM_config data group ... 2-13
    Modifying the virtual server ... 2-17
  Configuring the BIG-IP GTM with Edge Transport Servers ... 2-19
    Configuring a self IP address on the BIG-IP LTM ... 2-19
    Creating a Listener on the GTM ... 2-20
    Creating data centers on the GTM system ... 2-21
    Creating the monitor ... 2-22
    Creating Servers for the data center ... 2-22
    Creating a GTM pool ... 2-24
    Creating a wide IP on the GTM ... 2-26
    Configuring the Wide IP as an MX record using ZoneRunner ... 2-27
  Appendix A: Backing up and restoring the BIG-IP LTM system configuration ... 2-30
    Saving and restoring the BIG-IP configuration ... 2-30

Deploying F5 and Microsoft Exchange Server 2007 Mailbox Servers with CCR
  Prerequisites and configuration notes ... 3-1
  Configuring the WAN optimization module ... 3-2
    Creating the iSession profile ... 3-4
    Creating the WAN Optimization policy ... 3-5

Deploying F5 and Microsoft Exchange Server 2007 Hub Transport Servers
  Prerequisites and configuration notes ... 4-1
  Configuring the WAN optimization module with Hub Transport Servers ... 4-2
    Creating the iSession profile ... 4-4
    Creating the WAN Optimization policy ... 4-4

1 Deploying F5 Devices with Microsoft Exchange Server 2007 Client Access Servers

- Configuring the BIG-IP LTM system for the Outlook Web Access component of Client Access
- Configuring the F5 WebAccelerator module with Exchange 2007 Outlook Web Access
- Configuring the BIG-IP LTM system for the Outlook Anywhere component of Client Access
- Configuring the BIG-IP LTM system for the ActiveSync component of Client Access
- Configuring the BIG-IP LTM to support Outlook Web Access, Outlook Anywhere, and Active Sync using a single virtual server
- Configuring the BIG-IP LTM system for the POP3 and IMAP4 components of Client Access
- Configuring the FirePass controller for Exchange Server 2007

Deploying F5 devices with Microsoft Exchange Server 2007 Client Access Servers

Welcome to the F5 Deployment Guide for Microsoft Exchange Server 2007. This chapter covers the Exchange 2007 Client Access Server role, and gives you step-by-step procedures for configuring F5 products for deployment with the Client Access Server component of Microsoft Exchange Server 2007, including Microsoft Outlook Web Access.

The Client Access server role supports the Microsoft Office Outlook Web Access and Microsoft Exchange ActiveSync client applications, the Post Office Protocol version 3 (POP3) and Internet Message Access Protocol version 4rev1 (IMAP4) protocols, and the new Outlook Anywhere feature. For more information on planning for the Client Access Server role, see http://technet.microsoft.com/en-us/library/bb232184%28exchg.80%29.aspx.

For more information on the F5 devices included in this guide, see http://www.f5.com/products/. You can also visit the Microsoft page of F5's online developer community, DevCentral, for Microsoft forums, solutions, blogs and more: http://devcentral.f5.com/default.aspx?tabid=89.

This chapter of the Exchange 2007 Deployment Guide contains procedures for configuring the BIG-IP LTM system, the WebAccelerator module, and the FirePass controller. While we recommend using all of these products together with Exchange Server 2007 Client Access Servers, it is not required. Simply use the sections for the products you have.

This guide is broken up into the following sections:
- Configuring the BIG-IP LTM system for the Outlook Web Access component of Client Access, on page 4
- Configuring the F5 WebAccelerator module with Exchange 2007 Outlook Web Access, on page 22
- Configuring the BIG-IP LTM system for the Outlook Anywhere component of Client Access, on page 28
- Configuring the BIG-IP LTM system for the ActiveSync component of Client Access, on page 36
- Configuring the BIG-IP LTM to support Outlook Web Access, Outlook Anywhere, and Active Sync using a single virtual server, on page 1-42
- Configuring the BIG-IP LTM system for the POP3 and IMAP4 components of Client Access, on page 49
- Configuring the FirePass controller for Exchange Server 2007, on page 57
1-1

Prerequisites and configuration notes

The following are general prerequisites for this deployment; each section contains specific prerequisites:
- This guide is written for the Client Access Server component of Microsoft Exchange Server 2007, which includes Outlook Web Access.
- All of the configuration procedures in this document are performed on F5 devices. For information on how to deploy or configure Microsoft Exchange Server 2007, consult the appropriate Microsoft documentation.

Note: This document is written with the assumption that you are familiar with both the BIG-IP LTM system and Microsoft Exchange and Outlook Web Access. For more information on configuring these products, consult the appropriate documentation.

Product versions and revision history

Product and versions tested for this deployment guide:

  Product Tested               Version Tested
  BIG-IP LTM                   v9.4, v10.0.1, v10.1 (applies to v9.4 and later)
  Microsoft Exchange Server    2007

Revision history:

  Document Version   Description
  1.0                New deployment guide
  1.1                Added support for BIG-IP v10.1. Replaced previous guidance with BIG-IP WOM configuration for CCR and Hub Transport.
  1.2                Added optional procedure for enabling X-Forwarded-For on the BIG-IP LTM, and the section Optional: Using X-Forwarded-For to log the client IP address in IIS 7.0 and 7.5, on page 1-20, for instructions on configuring IIS to log the client IP address.

Configuration example

In the following diagram, we show connectivity options for several types of clients to the same Exchange Server 2007 Client Access servers. Users may connect via a FirePass SSL VPN device to access the internal networks, and from there to an F5 BIG-IP LTM system that load-balances the Client Access servers. Alternatively, users who are not using the FirePass VPN may connect directly to the LTM systems via secure connections (HTTPS, POP3S, or IMAPS, depending on choice of web browser or email client). In all cases, the LTM offloads all SSL processing from the Exchange Client Access servers.
F5 Deployment Guide 1-2

Figure 1.1 BIG-IP Client Access Server configuration example

The example in Figure 1.1 is a logical representation of this deployment. Your configuration may be dramatically different from the one shown.

Configuring the BIG-IP LTM system for the Outlook Web Access component of Client Access

First, we configure the BIG-IP LTM system for directing traffic to the Outlook Web Access component of the Client Access server. This includes using the BIG-IP LTM system to offload SSL traffic from the servers.

Outlook Web Access allows authorized users to securely access their Exchange mailboxes through a web browser. By using BIG-IP LTM in front of an Outlook Web Access server, you gain the following benefits:
- Terminating HTTPS connections at the BIG-IP LTM reduces CPU and memory load on Outlook Web Access servers.
- Terminating HTTPS connections at the BIG-IP LTM simplifies TLS/SSL certificate management.
- The BIG-IP LTM can balance load and ensure high availability across multiple Outlook Web Access servers using a variety of load-balancing methods and priority rules.
- The BIG-IP LTM's TCP Express feature set ensures optimal network performance for all clients and servers, regardless of operating system and version.
- The BIG-IP LTM provides content compression features which improve client performance.

To configure the Outlook Web Access servers to support SSL offloading, you must first follow Microsoft's instructions at http://technet.microsoft.com/en-us/library/bb885060.aspx. Once you have completed the steps outlined in that document on each Outlook Web Access server, you must complete the following procedures on the BIG-IP LTM:
- Connecting to the BIG-IP device
- Importing keys and certificates
- Creating the HTTP health monitor
- Creating the pool
- Creating profiles
- Creating the iRules
- Creating the virtual servers
- Synchronizing the BIG-IP configuration if using a redundant system

Tip: We recommend you save your existing BIG-IP LTM configuration before you begin. To save your BIG-IP configuration, see Appendix A: Backing up and restoring the BIG-IP LTM system configuration, on page 70.

Connecting to the BIG-IP device

Use the following procedure to access the BIG-IP web-based Configuration utility using a web browser.

To connect to the BIG-IP LTM system using the Configuration utility
1. In a browser, type the following URL: https://<administrative IP address of the BIG-IP device>
   A Security Alert dialog box appears; click Yes.
2. Type your user name and password, and click OK. The Welcome screen opens.

Once you are logged onto the BIG-IP LTM system, the Welcome screen of the new Configuration utility opens. From the Configuration utility, you can configure and monitor the BIG-IP LTM system, as well as access online help, download SNMP MIBs and plug-ins, and even search for specific objects.

Importing keys and certificates

Before you can enable the BIG-IP LTM system to offload SSL traffic from Outlook Web Access, you must install an SSL certificate and key on the BIG-IP LTM system. For this Deployment Guide, we assume that you have already obtained an SSL certificate, but it is not yet installed on the BIG-IP LTM system. For information on generating certificates, or using the BIG-IP LTM system to generate a request for a new certificate and key from a certificate authority, see the Managing SSL Traffic chapter in the Configuration Guide for Local Traffic Management.

Once you have obtained a certificate, you can import this certificate into the BIG-IP LTM system using the Configuration utility. You can use the Import SSL Certificates and Keys screen only when the certificate you are importing is in Privacy Enhanced Mail (PEM) format.

To import a key or certificate
1. On the Main tab, expand Local Traffic.
2. Click SSL Certificates. This displays the list of existing certificates.
3. In the upper right corner of the screen, click Import.
4. From the Import Type list, select the type of import (Certificate or Key).
5. In the Certificate (or Key) Name box, type a unique name for the certificate or key.
6. In the Certificate (or Key) Source box, choose to either upload the file or paste the text.
7. Click Import.

If you imported the certificate, repeat this procedure for the key.

Creating the HTTP health monitor

The next task is to create a health monitor for the Microsoft Outlook Web Access devices. This procedure is optional, but very strongly recommended. For this configuration, we use an HTTP monitor, which checks nodes (IP address and port combinations), and can be configured to use send and recv statements in an attempt to retrieve explicit content from nodes, to verify not only that the server is up, but also that it is serving the proper content.

To configure a health monitor
1. On the Main tab, expand Local Traffic, and then click Monitors. The Monitors screen opens.
2. Click the Create button. The New Monitor screen opens.
3. In the Name box, type a name for the Monitor. In our example, we type exch_owa_http.
4. From the Type list, select http. The HTTP Monitor configuration options appear.
5. In the Configuration section, in the Interval and Timeout boxes, type an Interval and Timeout. We recommend at least a 1:3+1 ratio between the interval and the timeout (that is, a timeout of three times the interval plus one second). In our example, we use an Interval of 30 and a Timeout of 91 (see Figure 1.2).
6. Optional: In the Send String and Receive Rule sections, you can add a Send String and Receive Rule specific to the device being checked. In our example, we are using the default IIS configuration, so we use a Send String of iisstart.htm, and expect the Under Construction page to be returned. If you have modified the IIS configuration on the OWA servers, type a Send String and Receive Rule appropriate for your configuration. If the page you are requesting in the Send String requires authentication, type a user name and password in the appropriate boxes.

7. Click the Finished button. The new monitor is added to the Monitor list.

Figure 1.2 Creating the HTTP monitor

Creating the pool

The next step in this configuration is to create a pool on the BIG-IP LTM system for the Outlook Web Access service. A BIG-IP pool is a set of devices grouped together to receive traffic according to a load balancing method.

To create the OWA pool
1. On the Main tab, expand Local Traffic, and then click Pools.
2. Click the Create button. The New Pool screen opens.
   Note: For more (optional) pool configuration settings, from the Configuration list, select Advanced. Configure these settings as applicable for your network.
3. In the Name box, enter a name for your pool. In our example, we use exch_owa_pool.
4. In the Health Monitors section, select the name of the monitor you created in the Creating the HTTP health monitor section, and click the Add (<<) button. In our example, we select exch_owa_http.

5. From the Load Balancing Method list, choose your preferred load balancing method (different load balancing methods may yield optimal results for a particular network). In our example, we select Least Connections (node).
6. For this pool, we leave the Priority Group Activation Disabled.
7. In the New Members section, make sure the New Address option button is selected.
8. In the Address box, add the first server to the pool. In our example, we type 10.133.20.55.
9. In the Service Port box, type the service number you want to use for this device, or specify a service by choosing a service name from the list. In our example, we type 80.
10. Click the Add button to add the member to the list.
11. Repeat steps 8-10 for each server you want to add to the pool. In our example, we repeat these steps once for the remaining server, 10.133.20.56.
12. Click the Finished button (see Figure 1.3).

Figure 1.3 Creating the OWA pool

Creating profiles

BIG-IP version 9.0 and later uses profiles. A profile is an object that contains user-configurable settings, with default values, for controlling the behavior of a particular type of network traffic, such as HTTP connections. Using profiles enhances your control over managing network traffic, and makes traffic-management tasks easier and more efficient.

Although it is possible to use the default profiles, we strongly recommend you create new profiles based on the default parent profiles. Creating new profiles allows you to easily modify the profile settings specific to this deployment, and ensures you do not accidentally overwrite the default profile. For more information on creating or modifying profiles, or applying profiles in general, see the BIG-IP LTM system documentation.

Creating a cookie persistence profile

The first profile we create is a persistence profile. For this configuration, we create a new cookie persistence profile, based on the default cookie persistence profile. We use cookie persistence because users must maintain a connection to the same Outlook Web Access device.

To create a new cookie persistence profile
1. On the Main tab, expand Local Traffic, and then click Profiles. The HTTP Profiles screen opens.
2. On the Menu bar, click Persistence.
3. Click the Create button.
4. In the Name box, type a name for this profile. In our example, we type exch_owa_cookie.
5. From the Persistence Type list, select Cookie. The configuration options for Cookie persistence appear.
6. Modify any of the settings as applicable for your network. See the online help for more information on the configuration options.
7. Click the Finished button.

Figure 1.4 Configuring Cookie persistence

Creating an HTTP profile

The next profile we create is an HTTP profile. In the following example, we base our HTTP profile on a new profile included with BIG-IP LTM version 9.4, called http-wan-optimized-compression-caching, with a few additional modifications. This profile includes some default optimization settings that increase the performance of Outlook Web Access over the WAN.

There are a couple of caveats for using this profile:
- You must have Compression and RAM Cache licensed on your BIG-IP LTM system. Contact your Sales Representative for more information.
- This profile is only available in BIG-IP LTM version 9.4 and later.
- If you plan on using the WebAccelerator module for Outlook Web Access (as shown later in this Deployment Guide), you should not use the http-wan-optimized-compression-caching HTTP profile, as the WebAccelerator module performs the compression and caching duties in addition to its other optimizations. If you are using the WebAccelerator module, we recommend you configure an HTTP profile based on the default HTTP profile, and only change the Redirect Rewrite option to Match. Any other settings in this case are optional.

To create a new HTTP profile
1. On the Main tab, expand Local Traffic.
2. Click Profiles. The HTTP Profiles screen opens.
3. Click the Create button.
4. In the Name box, type a name for this profile. In our example, we type exch_owa_http_opt.
5. From the Parent Profile list, select http-wan-optimized-compression-caching.

6. In the Settings section, check the Custom box for Redirect Rewrite, and from the Redirect Rewrite list, select Match (see Figure 1.5). With SSL offloaded, this setting rewrites HTTP redirects issued by the OWA servers so that clients are sent back to the HTTPS virtual server rather than to an unencrypted URL.

Figure 1.5 The General settings section of the HTTP profile

7. Optional: If you want to enable the X-Forwarded-For header for accurate logging, check the Custom box for Insert X-Forwarded-For, and from the list, select Enabled. See Optional: Using X-Forwarded-For to log the client IP address in IIS 7.0 and 7.5, on page 1-11, for detailed information, including modifications to IIS to accurately log the client IP address.
8. In the Compression section, check the Custom box for Compression, and from the Compression list, select Enabled.
9. Check the Custom box for Content Compression, and leave Content List selected.
10. In the Content List section, add the following entries to the Content Type box one at a time, each followed by clicking the Include button:
    application/pdf
    application/vnd.ms-powerpoint
    application/vnd.ms-excel
    application/msword
    application/vnd.ms-publisher

11. Check the Custom box for Keep Accept Encoding, and check the box to enable Keep Accept Encoding (see Figure 1.6).

Figure 1.6 Configuring the compression settings in the HTTP profile

12. Modify any of the other options as applicable for your configuration. See the online help for more information on the configuration options.

13. Click the Finished button.

Note: Some browsers and operating systems may have difficulty downloading or displaying certain compressed files. F5 suggests testing compression of each of these object types against the full range of web browsers and client operating systems in use at your organization to ensure full compatibility.

Creating the TCP profile

Next, we create a TCP profile. In our example, we base the TCP profile on the default TCP profile, and leave all the options at their default settings. You can configure these options as appropriate for your network.

Tip: If your configuration uses various WAN links and your user base is widely distributed, you may want to experiment with using tcp-wan-optimized as the Parent Profile. This profile (available only in BIG-IP LTM version 9.4 and later) contains preconfigured WAN optimization settings.

To create a new TCP profile
1. On the Main tab, expand Local Traffic.
2. Click Profiles. The HTTP Profiles screen opens.
3. On the Menu bar, from the Protocol menu, select TCP.
4. In the upper right portion of the screen, click the Create button. The New TCP Profile screen opens.
5. In the Name box, type a name for this profile. In our example, we type exch_owa_tcp.
6. Modify any of the settings as applicable for your network. See the online help for more information on the configuration options. In our example, we leave the settings at their default levels.
7. Click the Finished button.

Creating a Client SSL profile

The next step in this configuration is to create an SSL profile. This profile contains the SSL certificate and key information for offloading the SSL traffic.

To create a new Client SSL profile
1. On the Main tab, expand Local Traffic.
2. Click Profiles. The HTTP Profiles screen opens.

3. On the Menu bar, from the SSL menu, select Client. The Client SSL Profiles screen opens.
4. In the upper right portion of the screen, click the Create button. The New Client SSL Profile screen opens.
5. In the Name box, type a name for this profile. In our example, we type exch_owa_https.
6. In the Configuration section, check the Certificate and Key Custom boxes.
7. From the Certificate list, select the name of the certificate you imported in the Importing keys and certificates section.
8. From the Key list, select the key you imported in the Importing keys and certificates section.
9. Click the Finished button.

Creating the iRules

In the following procedures, we create two iRules on the BIG-IP LTM system. These iRules are designed to transparently assist users in accessing Outlook Web Access if they do not type the correct URI. While these iRules are optional, we recommend using them as they can greatly improve the end user experience.

Note: The following iRules may not be appropriate for all installations. Both iRules assume that only Exchange Server 2007 (and not previous versions) is accessible through the configured virtual server. Exchange Server 2007 Client Access Role servers can provide front-end services to both Exchange 2007 Mailbox servers and existing Exchange Server 2003 or Exchange Server 2000 back-end servers. In that case, the URIs will differ; for instance, the URI https://<hostname>/owa/ will provide Exchange Server 2007 services, and https://<hostname2>/exchange/ might provide services for those users still on Exchange Server 2003. For this reason, F5 recommends using a unique virtual server for each Exchange Server version being supported, in order to be able to customize each to take into account differences in the product versions. Consult the Microsoft product documentation at http://technet.microsoft.com/en-us/library/aa998849.aspx for more information about configuring Outlook Web Access to accommodate multiple versions of Exchange Server. For more information on advanced iRules, see http://devcentral.f5.com/

Creating the Redirect iRule

The Redirect iRule takes incoming HTTP requests (non-secure) and redirects them to the correct HTTPS (secure) virtual server, without user interaction. For example, this allows end users to simply type

webmail.domain.com or http://webmail.domain.com without having to remember that they are going to an HTTPS URI. The rule also appends the required /owa/ to the host portion of the URI. To create the Redirect irule 1. On the Main tab, expand Local Traffic, and then click irules. The irule screen opens. 2. In the upper right portion of the screen, click the Create button. The New irule screen opens. 3. In the Name box, enter a name for your irule. In our example, we use exch_owa_httptohttps. 4. In the Definition section, copy and paste the following irule: when HTTP_REQUEST { HTTP::redirect https://[http::host]/owa/ } 5. Click the Finished button. Figure 1.7 Creating the irule Creating the appending irule This irule, which will be applied to the HTTPS virtual server, is another precautionary measure to cover the case where a user types the URI for OWA (i.e. https://webmail.domain.com), but forgets to add the required /owa/ at the end. If the user did not include /owa/, they would likely get an Under Construction page, or another page other than their mailbox login. This irule takes the original URI, checks to see if it has the /owa/ portion. If it does not, the irule adds /owa/ automatically, transparently sending users to the correct page. 1-15
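The two iRules of this section (the Redirect iRule above and the appending iRule of the next procedure) modelled in Python, as an added example that is not part of the guide and not F5 code; it reproduces each rule's decision so it can be checked offline and flags edge cases the rules do not cover. The allowed-host list and the stricter append variant are this example's own additions.

```python
"""Model of the two Outlook Web Access iRules in this section.

Added example, not from the guide and not F5 code: it reproduces, in
Python, the decision each iRule makes on a request so the behaviour can
be checked offline, and flags edge cases the original rules do not
cover. The list of expected host names is an assumption of this example.
"""
from typing import Iterable, Optional


def redirect_location(host: Optional[str],
                      allowed_hosts: Optional[Iterable[str]] = None) -> Optional[str]:
    """Location the HTTP (port 80) virtual server redirects to.

    Mirrors HTTP::redirect "https://[HTTP::host]/owa/": the target is
    built from the client-supplied Host header. Returns None when no
    usable redirect exists: no Host header (an HTTP/1.0 client), a Host
    carrying a port other than 80 (the HTTPS virtual server listens on
    443), or, when allowed_hosts is given, a Host that is not one of the
    names users are expected to use. IPv6 literal hosts are not handled.
    """
    if not host:
        return None
    hostname, _, port = host.partition(":")
    if port and port != "80":
        return None
    if allowed_hosts is not None:
        if hostname.lower() not in {h.lower() for h in allowed_hosts}:
            return None
    return f"https://{hostname}/owa/"


def append_owa(uri: str) -> str:
    """URI the HTTPS virtual server sends to the pool, as the guide's rule does.

    Mirrors:
      if { not ([HTTP::uri] starts_with "/owa") } { HTTP::uri "/owa[HTTP::uri]" }
    Two properties worth knowing: starts_with is case-sensitive, so a user
    typing /OWA/ is sent to /owa/OWA/, and any URI beginning with "/owa"
    (for example /owaXYZ) is passed through unchanged. A request for
    /exchange/ becomes /owa/exchange/, which is why the Note above says
    the rule assumes only Exchange 2007 sits behind this virtual server.
    """
    if uri.startswith("/owa"):
        return uri
    return "/owa" + uri


def append_owa_strict(uri: str) -> str:
    """Tightened variant (this example's suggestion, not the guide's rule).

    Matches the /owa segment case-insensitively and only as a whole path
    segment, so /OWA/... is left alone and /owaXYZ still gets the prefix.
    The query string is ignored for the comparison but kept in the result.
    """
    path = uri.split("?", 1)[0].lower()
    if path == "/owa" or path.startswith("/owa/"):
        return uri
    return "/owa" + uri
```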

To create the appending iRule

1. On the Main tab, expand Local Traffic, and then click iRules. The iRule screen opens.
2. In the upper right portion of the screen, click the Create button. The New iRule screen opens.
3. In the Name box, enter a name for your iRule. In our example, we use exch_owa_append.
4. In the Definition section, copy and paste the following iRule (iRule commands are case-sensitive, so the URI is read with HTTP::uri):

   when HTTP_REQUEST {
      if { not ([HTTP::uri] starts_with "/owa") } {
         HTTP::uri "/owa[HTTP::uri]"
      }
   }

5. Click the Finished button.

Creating the virtual servers

Next, we configure two virtual servers on the BIG-IP LTM system. The first virtual server is solely to intercept incoming HTTP traffic and redirect it to HTTPS using the iRule you just created. The second virtual server terminates the SSL (HTTPS) connections and sends traffic via HTTP to the pool of OWA servers.

To create the HTTP virtual server

1. On the Main tab, expand Local Traffic, and then click Virtual Servers. The Virtual Servers screen opens.
2. In the upper right portion of the screen, click the Create button. The New Virtual Server screen opens.
3. In the Name box, type a name for this virtual server. In our example, we type exch_owa_virtual_http.
4. In the Destination section, select the Host option button.
5. In the Address box, type the IP address of this virtual server. In our example, we use 10.133.20.200.
6. In the Service Port box, type 80, or select HTTP from the list.

Figure 1.8 Adding the Outlook Web Access virtual server

7. In the Configuration section, select Advanced from the list. The Advanced configuration options appear.
8. From the Protocol Profile (Client) list, select the name of the profile you created in the Creating the TCP profile section. In our example, we select exch_owa_tcp.
9. From the HTTP Profile list, select the name of the profile you created in the Creating an HTTP profile section. In our example, we select exch_owa_http_opt.
10. In the Resources section, from the iRules Available list, select the iRule you created for redirection in the Creating the iRules section. In our example, we select exch_owa_httptohttps.
11. From the Default Persistence Profile list, select the persistence profile you created in the Creating a cookie persistence profile section. In our example, we select exch_owa_cookie.
12. Click the Finished button.

Figure 1.9 Resources section of the Add Virtual Server page

Now we create the virtual server for HTTPS.

To create the HTTPS virtual server

1. On the Main tab, expand Local Traffic, and then click Virtual Servers. The Virtual Servers screen opens.
2. In the upper right portion of the screen, click the Create button. The New Virtual Server screen opens.
3. In the Name box, type a name for this virtual server. In our example, we type exch_owa_virtual_https.
4. In the Destination section, select the Host option button.
5. In the Address box, type the IP address of this virtual server. In our example, we use 10.133.20.200.
6. In the Service Port box, type 443, or select HTTPS from the list.
7. From the Configuration list, select Advanced. The Advanced configuration options appear.
8. In the Configuration section, from the HTTP Profile list, select the profile you created in the Creating an HTTP profile section. In our example, we select exch_owa_http_opt.

9. From the SSL Profile (Client) list, select the SSL profile you created in the Creating a Client SSL profile section. In our example, we select exch_owa_https.
10. In the Resources section, from the iRules Available list, select the iRule you created for appending /owa/ to the URI in the Creating the iRules section. In our example, we select exch_owa_append.
11. From the Default Pool list, select the pool you created in the Creating the pool section. In our example, we select exch_owa_pool.
12. From the Default Persistence Profile list, select the persistence profile you created in the Creating a cookie persistence profile section. In our example, we select exch_owa_cookie.
13. Click the Finished button.

Optional: Using X-Forwarded-For to log the client IP address in IIS 7.0 and 7.5

When you configure BIG-IP LTM to use SNAT, the BIG-IP system replaces the source IP address of an incoming connection with its local self IP address (in the case of SNAT Automap), or an address you have configured in a SNAT pool. As a result, Microsoft IIS logs each connection with its assigned SNAT address, rather than the address of the client. By configuring an HTTP profile on the BIG-IP to insert an X-Forwarded-For header, the original client IP address is sent as well; however, in the default IIS configuration, this information is not logged.

Beginning with IIS 7, Microsoft provides an optional Advanced Logging Feature for IIS that allows you to define custom log definitions that can capture additional information such as the client IP address included in the X-Forwarded-For header. You must first enable X-Forwarded-For in the BIG-IP HTTP profile (as described in the optional step in that procedure), and then add the log field to IIS.

Adding the X-Forwarded-For log field to IIS

Before beginning the following procedure, you must have installed IIS Advanced Logging. For installation instructions, see http://www.iis.net/community/files/media/advancedlogging_readme.htm

Note: If you are using IIS version 6, F5 has a downloadable ISAPI filter that performs a similar function to the Advanced Logging Feature discussed here. For information on that solution, see the DevCentral post at http://devcentral.f5.com/weblogs/joe/archive/2009/08/19/x_forwarded_for_log_filter_for_windows_servers.aspx

To add the X-Forwarded-For log field to IIS

1. From your Windows Server 2008 or Windows Server 2008 R2 device, open the Internet Information Services (IIS) Manager.
2. From the Connections navigation pane, click the appropriate server, web site, or directory on which you are configuring Advanced Logging. The Home page appears in the main panel.
3. From the Home page, under IIS, double-click Advanced Logging.
4. From the Actions pane on the right, click Edit Logging Fields.
5. From the Edit Logging Fields dialog box, click the Add Field button, and then complete the following:
   a) In the Field ID box, type X-Forwarded-For.
   b) From the Category list, select Default.
   c) From the Source Type list, select Request Header.
   d) In the Source Name box, type X-Forwarded-For.
   e) Click the OK button.

Figure 1.10 Adding the X-Forwarded-For logging field

6. On the Connections navigation pane, return to the Computer level.
7. From the Home page, under IIS, double-click Advanced Logging.
8. In the Actions panel, click Disable Advanced Logging.
9. Click Enable Advanced Logging.

Now, when you look at the logs, the client IP address is included.
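Reading the client address back out of the logs once the field is in place, as an added example that is not part of the guide: the log lines, the SNAT address and the space-delimited #Fields layout are constructed for illustration, and the example assumes the entry the BIG-IP adds is logged after anything the client itself sent. The check it adds is the one a defender needs: the header is trusted only on connections that arrived from the BIG-IP, and then only its last entry.

```python
"""Recover the real client address from IIS log lines that carry the
X-Forwarded-For field added in the procedure above.

Added example, not from the guide. The log lines and the SNAT address
are constructed; the field layout (space-delimited, with a #Fields:
header line) is assumed for illustration.
"""
import ipaddress
from typing import Dict, List, Optional

# Addresses the BIG-IP uses as SNAT source (constructed for this example).
TRUSTED_PROXIES = {ipaddress.ip_address("10.133.20.201")}

# Constructed sample log. c-ip is the SNAT address the guide describes,
# X-Forwarded-For carries the client address. Line 2 shows a client that
# sent its own X-Forwarded-For value ahead of the one the BIG-IP added;
# line 3 did not come through the BIG-IP at all; line 4 has no header.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status X-Forwarded-For
2010-03-01 08:00:01 10.133.20.201 GET /owa/ 200 192.0.2.10
2010-03-01 08:00:02 10.133.20.201 GET /owa/ 200 203.0.113.5,192.0.2.11
2010-03-01 08:00:03 198.51.100.7 GET /owa/ 200 192.0.2.12
2010-03-01 08:00:04 10.133.20.201 GET /owa/ 200 -
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn a W3C-style log into a list of field dicts, using #Fields:."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows


def client_ip(row: Dict[str, str]) -> Optional[str]:
    """Client address to attribute the request to, or None if unknown.

    Only the connection peer (c-ip) is established by the TCP handshake.
    The header is consulted only when that peer is one of our SNAT
    addresses, and then only its last entry, which is the one the BIG-IP
    appended; anything a client put in front of it is unverified and is
    ignored. A request that did not arrive via the BIG-IP is attributed
    to its peer address regardless of any header it carried.
    """
    peer = ipaddress.ip_address(row["c-ip"])
    if peer not in TRUSTED_PROXIES:
        return str(peer)
    xff = row.get("X-Forwarded-For", "-")
    if xff == "-":
        return None            # proxied, but no header: client unknown
    last = xff.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(last))
    except ValueError:
        return None            # malformed value: do not record it as an IP


def attribute_all(text: str) -> List[Optional[str]]:
    """Client address for every request line in the log, in order."""
    return [client_ip(row) for row in parse_log(text)]
```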

Configuring the F5 WebAccelerator module with Exchange 2007 Outlook Web Access

In this section, we configure the WebAccelerator module for Exchange 2007 Outlook Web Access to increase performance for end users. The F5 WebAccelerator is an advanced web application delivery solution that provides a series of intelligent technologies designed to overcome problems with browsers, web application platforms and WAN latency issues which impact user performance. For more information on the F5 WebAccelerator, see http://www.f5.com/products/webaccelerator/.

Important: If you have not purchased the WebAccelerator module, you cannot complete this section of the Deployment Guide. Continue with Configuring the BIG-IP LTM system for the Outlook Anywhere component of Client Access, on page 1-28. Contact your F5 Sales Representative for more information about purchasing this module.

Prerequisites and configuration notes

The following are prerequisites for this section:

- We assume that you have already configured the BIG-IP LTM system for directing traffic to the Outlook Web Access portion of Client Access, as described in this Deployment Guide.
- If you are using the WebAccelerator module, we recommend you do not configure the BIG-IP LTM system for compression or caching.
- You must have purchased and licensed the WebAccelerator module on the BIG-IP LTM system, version 9.4 or later.
- For BIG-IP version 9.4.0, you need to follow the simple procedure to download and import the policy for Outlook Web Access 2007. Later versions will include this policy.

Configuring the WebAccelerator module for Outlook Web Access

Configuring the WebAccelerator module requires creating an HTTP class profile, creating an Application, and modifying the virtual server you created for Outlook Web Access. The WebAccelerator device has a large number of other features and options for fine tuning performance gains; see the WebAccelerator Administrator Guide for more information.

Connecting to the BIG-IP device

Use the following procedure to access the BIG-IP system's web-based Configuration utility using a web browser.

To connect to the BIG-IP system using the Configuration utility

1. In a browser, type the following URL: https://<administrative IP address of the BIG-IP device>
   A Security Alert dialog box appears; click Yes. The authorization dialog box appears.
2. Type your user name and password, and click OK. The Welcome screen opens.

Creating an HTTP Class profile

The first procedure is to create an HTTP class profile. When incoming HTTP traffic matches the criteria you specify in the WebAccelerator class, the system diverts the traffic through this class. In the following example, we create a new HTTP class profile, based on the default profile.

To create a new HTTP class profile

1. On the Main tab, expand WebAccelerator, and then click Classes. The HTTP Class Profiles screen opens.
2. In the upper right portion of the screen, click the Create button. The New HTTP Class Profile screen opens.
3. In the Name box, type a name for this Class. In our example, we type exch07_class.
4. From the Parent Profile list, make sure httpclass is selected.
5. In the Configuration section, from the WebAccelerator row, make sure Enabled is selected.
6. In the Hosts row, from the list select Match Only. The Host List options appear.
   a) In the Host box, type the host name that your end users use to access Outlook Web Access. In our example, we type owa.f5.com (see Figure 1.11).
   b) Leave the Entry Type at Pattern String.
   c) Click the Add button.
   d) Repeat these sub-steps for any other host names users might use to access Outlook Web Access.
7. The rest of the settings are optional; configure them as applicable for your deployment.
8. Click the Finished button. The new HTTP class is added to the list.

Figure 1.11 Creating a new HTTP Class profile

Modifying the Virtual Server to use the Class profile

The next step is to modify the HTTPS virtual server you created in Creating the virtual servers, on page 16, to use the HTTP Class profile you just created. The HTTP profile associated with this virtual server should not have compression or RAM cache enabled, as the WebAccelerator module performs these tasks in addition to its other optimizations.

To modify the Virtual Server to use the Class profile

1. On the Main tab, expand Local Traffic, and then click Virtual Servers. The Virtual Servers screen opens.
2. From the Virtual Server list, click the name of the virtual server you created for your Outlook Web Access devices. In our example, we click exch_owa_virtual_https. The General Properties screen for the Virtual Server opens.

3. On the Menu bar, click Resources. The Resources screen for the Virtual Server opens.
4. In the HTTP Class Profiles section, click the Manage button.
5. From the Available list, select the name of the HTTP Class Profile you created in the preceding procedure, and click the Add (<<) button to move it to the Enabled box. In our example, we select exch07_class (see Figure 1.12).
6. Click the Finished button. The HTTP Class Profile is now associated with the Virtual Server.

Figure 1.12 Adding the HTTP Class Profile to the Virtual Server

Downloading and importing the WebAccelerator policy

For the WebAccelerator module version 9.4.0, you need to download and import the custom policy for Exchange 2007 Outlook Web Access. Later versions of the module will include this policy by default. Downloading and importing the policy is a simple two-part procedure.

Note: You must be a member of DevCentral (requires a free registration) in order to download the policy.

To download and import the WebAccelerator policy

1. Open a web browser, and copy and paste the following URL: http://devcentral.f5.com/policies/exchange.xml
2. Save the Exchange.xml file in a place that is accessible from the WebAccelerator.
3. Return to the BIG-IP LTM system (see Connecting to the BIG-IP device, on page 23 for instructions). On the Main tab, expand WebAccelerator, and then click Policies. The Policy list opens.
4. At the bottom of the page, click Import Policies.
5. Click the Browse button, and navigate to the location where you saved the Exchange.xml file.
6. Click the Import button. The Policy is added to the list. You choose the new policy in the next procedure.

Creating an Application

The next procedure is to create a WebAccelerator Application. The Application provides key information to the WebAccelerator so that it can handle requests to your application appropriately.

To create a new Application

1. On the Main tab, expand WebAccelerator, and then click Applications. The Application screen of the WebAccelerator UI opens in a new window.
2. Click the New Application button.
3. In the Application Name box, type a name for your application. In our example, we type OWA 2007.
4. In the Description box, you can optionally type a description.
5. From the Local Policies list, select Microsoft Outlook Web Access (OWA) 2007. This is a pre-defined policy created specifically for Outlook Web Access 2007.
6. In the Requested Host box, type the host name that your end users use to access Outlook Web Access. This should be the same host name you used in Step 6a in the preceding procedure. In our example, we type owa.f5.com. If you have additional host names, click the Add Host button and enter the host name(s).
7. Click the Save button (see Figure 1.13).

Figure 1.13 Configuring an Application on the WebAccelerator

The rest of the configuration options on the WebAccelerator are optional; configure these as applicable for your network. With this base configuration, your end users will notice a marked improvement in performance after their first visit.

Configuring the BIG-IP LTM system for the Outlook Anywhere component of Client Access

Outlook Anywhere for Exchange 2007 allows you to use Outlook 2007 and Outlook 2003 clients to connect to your Exchange server over the Internet, using HTTPS to encapsulate RPC traffic. By using BIG-IP LTM in front of an Outlook Anywhere-enabled Client Access Server, you can offload TLS/SSL processing from the servers to reduce their CPU and memory load and simplify certificate management. You can also select from a number of intelligent load balancing methods to distribute traffic to the servers.

In Exchange 2007, simply use the Outlook Anywhere setup wizard on an Exchange 2007 computer with the Client Access server role installed. All users with mailboxes on Exchange 2007 are automatically enabled for Outlook Anywhere access. For more information on Outlook Anywhere, see the Microsoft documentation at http://technet.microsoft.com/en-us/library/bb123741.aspx

To configure the BIG-IP LTM system for Outlook Anywhere, you need to complete the following tasks:

- Importing keys and certificates
- Creating the HTTP health monitor
- Creating the pool
- Creating the iRule
- Creating profiles
- Creating the virtual server

Importing keys and certificates

The first step is to import a certificate and key for Outlook Anywhere. To import the certificate and key, follow the procedure Importing keys and certificates, on page 5, using the certificate and key for Outlook Anywhere.

Important: Note about Certificates for Outlook Anywhere: To enable and require SSL for all communications between the Client Access server and the Outlook clients, you must obtain and publish a certificate at the default Web site level. We recommend that you purchase your certificate from a third-party certification authority whose certificates are trusted by a wide variety of Web browsers. By default, applications and Web browsers do not trust your root certification authority when you install your own certification authority, such as a BIG-IP self-signed certificate. When a user tries to connect in Microsoft Office Outlook 2007 or Outlook 2003 by using Outlook Anywhere, that user loses the connection to Microsoft Exchange without any notification. For more information on this topic, see the following Microsoft TechNet article: http://technet.microsoft.com/en-us/library/aa997703.aspx

Creating the HTTP health monitor

The next task is to create a health monitor for the devices running Outlook Anywhere.

To configure a health monitor

1. On the Main tab, expand Local Traffic, and then click Monitors. The Monitors screen opens.
2. Click the Create button. The New Monitor screen opens.
3. In the Name box, type a name for the Monitor. In our example, we type exch_oa_http.
4. From the Type list, select http. The HTTP Monitor configuration options appear.
5. In the Configuration section, in the Interval and Timeout boxes, type an Interval and Timeout. We recommend at least a 1:3 +1 ratio between the interval and the timeout. In our example, we use an Interval of 30 and a Timeout of 91. The rest of the configuration settings are optional.
6. Click the Finished button. The new monitor is added to the Monitor list.

Creating the pool

The next step in this configuration is to create a pool on the BIG-IP LTM system for the devices running Outlook Anywhere.

To create the Outlook Anywhere pool

1. On the Main tab, expand Local Traffic, and then click Pools. The Pool screen opens.
2. In the upper right portion of the screen, click the Create button. The New Pool screen opens.
3. In the Name box, enter a name for your pool. In our example, we use exch_oa_pool.
4. In the Health Monitors section, select the name of the monitor you created in the Creating the HTTP health monitor section, and click the Add (<<) button. In our example, we select exch_oa_http.
5. From the Load Balancing Method list, choose your preferred load balancing method (different load balancing methods may yield optimal results for a particular network). In our example, we select Least Connections (node).
6. In the New Members section, make sure the New Address option button is selected.
7. In the Address box, add the first server to the pool. In our example, we type 10.133.20.55.
8. In the Service Port box, type the service number you want to use for this device, or specify a service by choosing a service name from the list. In our example, we type 80.
9. Click the Add button to add the member to the list.
10. Repeat steps 8-10 for each server you want to add to the pool. In our example, we repeat these steps twice for the remaining servers, 10.133.20.56 and 10.133.20.59.
11. Click the Finished button.

Creating the iRule

The next object we configure is an iRule that is used for persistence. This iRule is necessary because the Microsoft Outlook client does not support HTTP cookies, so the BIG-IP LTM persists based on this rule. In some cases you may be able to use other persistence methods such as Source Address Affinity, which bases persistence on the IP address of the client. However, because proxy servers or NAT (network address translation) devices may aggregate clients behind a single IP address, such methods are not always effective. To ensure reliable persistence, we recommend using the following iRule and associated persistence profile.

To create the iRule

1. On the Main tab, expand Local Traffic, and then click iRules. The iRule screen opens.
2. In the upper right portion of the screen, click the Create button. The New iRule screen opens.
3. In the Name box, type a name for this iRule. In our example, we type OutlookAnywherePersistRule.
4. In the Definition box, copy and paste the following iRule:

   when HTTP_REQUEST {
      if { [HTTP::header "User-Agent"] contains "MSRPC" } {
         persist uie [HTTP::header "Authorization"] 3600
      }
   }

5. Click the Finished button.
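A model of the persistence decision the iRule above makes, as an added example that is not F5 code: a small universal (UIE) persistence table keyed on the Authorization header of MSRPC requests for 3600 seconds. The pool members are the ones from this guide's example, the requests are constructed, round-robin stands in for the configured load balancing method, and storing a digest of the Authorization header instead of the raw header is this example's own addition, not part of the guide's iRule.

```python
"""Model of the Outlook Anywhere persistence iRule above.

Added example, not F5 code. It keys MSRPC requests on the Authorization
header for 3600 s, as the iRule does, and shows why that key works with
Basic authentication where cookies and source-address affinity do not.
Pool members are the guide's example addresses; requests are constructed.
Hashing the key before storing it is this example's own addition.
"""
import hashlib
import itertools
from typing import Dict, List, Optional, Tuple

PERSIST_TIMEOUT = 3600  # seconds, as in "persist uie ... 3600"


class Persister:
    """Universal persistence table in front of a pool of members."""

    def __init__(self, members: List[str], timeout: int = PERSIST_TIMEOUT):
        self.members = members
        self.timeout = timeout
        self.table: Dict[str, Tuple[str, float]] = {}  # key -> (member, expires_at)
        self._rr = itertools.cycle(members)  # stand-in for the LB method

    @staticmethod
    def persist_key(headers: Dict[str, str]) -> Optional[str]:
        """Key the iRule would pass to 'persist uie', or None to skip.

        Mirrors:
          if { [HTTP::header "User-Agent"] contains "MSRPC" } {
              persist uie [HTTP::header "Authorization"] 3600 }
        With Basic authentication the Authorization header is identical on
        every request of a session, so it identifies the client even when
        many clients share one source IP behind NAT or a proxy. The raw
        header holds the user's credentials (base64), so this example
        stores a SHA-256 digest of it rather than the header itself. With
        NTLM the header changes during the handshake, so it would not be
        a stable key; that matches the guide's note that NTLM needs
        different handling.
        """
        if "MSRPC" not in headers.get("User-Agent", ""):
            return None
        auth = headers.get("Authorization")
        if not auth:
            return None
        return hashlib.sha256(auth.encode()).hexdigest()

    def select(self, headers: Dict[str, str], now: float) -> str:
        """Pool member for this request at time 'now' (seconds).

        A matching, unexpired entry wins and has its timeout renewed;
        otherwise the load balancing method picks a member and, if the
        request produced a key, the choice is recorded for 'timeout' s.
        Requests that produce no key are load balanced every time.
        """
        key = self.persist_key(headers)
        if key is not None:
            entry = self.table.get(key)
            if entry is not None and entry[1] > now:
                self.table[key] = (entry[0], now + self.timeout)
                return entry[0]
        member = next(self._rr)
        if key is not None:
            self.table[key] = (member, now + self.timeout)
        return member
```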

Creating profiles

For Outlook Anywhere, we create five profiles: persistence, HTTP, TCP, SSL, and an optional OneConnect profile. As previously mentioned, you can use the default profiles if you are not changing any of the settings; however, we strongly recommend creating new profiles.

Outlook Anywhere uses Basic Authentication by default. If you use Basic Authentication, you are able to take advantage of the OneConnect profile, which provides additional performance enhancements. Specifically, OneConnect dramatically reduces the overhead of maintaining TCP connections between the BIG-IP LTM and the Client Access servers. Although the BIG-IP LTM system can accommodate NTLM authentication, if you choose NTLM as the authentication type, the OneConnect profile cannot be used.

Creating the persistence profile

The first profile we create is a persistence profile that uses the iRule you created.

To create a new universal persistence profile

1. On the Main tab, expand Local Traffic, and then click Profiles. The HTTP Profiles screen opens.
2. On the Menu bar, click Persistence. The Persistence Profiles screen opens.
3. In the upper right portion of the screen, click the Create button. The New Persistence Profile screen opens.
4. In the Name box, type a name for this profile. In our example, we type exch_oa_persist.
5. From the Persistence Type list, select Universal. The configuration options for universal persistence appear.
6. Click the Custom boxes for iRule and Timeout.
7. From the iRule list, select the name of the iRule you created in Creating the iRule, on page 1-30. In our example, we select OutlookAnywherePersistRule.
8. In the Timeout box, type 3600 seconds (one hour).
9. Click the Finished button (see Figure 1.14).

Figure 1.14 Creating the persistence profile

Creating the HTTP profile

Next, we create an HTTP profile. In our example, we leave all the options at their default settings. You can configure these options as appropriate for your network. Unlike Outlook Web Access, Outlook Anywhere does not benefit from configuring compression and caching on the BIG-IP LTM system, so we recommend you leave these settings disabled on this profile.

To create a new HTTP profile

1. On the Main tab, expand Local Traffic.
2. Click Profiles. The HTTP Profiles screen opens.
3. In the upper right portion of the screen, click the Create button. The New HTTP Profile screen opens.
4. In the Name box, type a name for this profile. In our example, we type exch_oa_http.
5. Optional: If you want to enable the X-Forwarded-For header for accurate logging, check the Custom box for Insert X-Forwarded-For, and from the list, select Enabled. See Optional: Using X-Forwarded-For to log the client IP address in IIS 7.0 and 7.5, on page 1-11 for detailed information, including modifications to IIS to accurately log the client IP address.
6. Modify any of the settings as applicable for your network. We recommend you do not configure compression or RAM Cache for this profile.
7. Click the Finished button.

Creating the TCP profile

Next, we create a TCP profile. In our example, we leave all the options at their default settings. You can configure these options as appropriate for your network.

To create a new TCP profile

1. On the Main tab, expand Local Traffic.
2. Click Profiles. The HTTP Profiles screen opens.
3. On the Menu bar, from the Protocol menu, select TCP.
4. In the upper right portion of the screen, click the Create button. The New TCP Profile screen opens.
5. In the Name box, type a name for this profile. In our example, we type exch_oa_tcp.
6. Modify any of the settings as applicable for your network. See the online help for more information on the configuration options. In our example, we leave the settings at their default levels.
7. Click the Finished button.

Creating the Client SSL profile

The next step is to create an SSL profile. This profile contains the SSL certificate and Key information for offloading the SSL traffic.

To create a new Client SSL profile

1. On the Main tab, expand Local Traffic.
2. Click Profiles. The HTTP Profiles screen opens.
3. On the Menu bar, from the SSL menu, select Client. The Client SSL Profiles screen opens.
4. In the upper right portion of the screen, click the Create button. The New Client SSL Profile screen opens.
5. In the Name box, type a name for this profile. In our example, we type exch_oa_clientssl.
6. In the Configuration section, click a check in the Certificate and Key Custom boxes.
7. From the Certificate list, select the name of the Certificate you imported in the Importing keys and certificates section.
8. From the Key list, select the key you imported in the Importing keys and certificates section.

9. Click the Finished button.

Creating the OneConnect profile

Next, we create a OneConnect profile. It is important that you only use a OneConnect profile if you are using Basic Authentication. If you are using NTLM authentication, do not configure a OneConnect profile, and continue to the next procedure.

To create a new OneConnect profile

1. On the Main tab, expand Local Traffic.
2. Click Profiles. The HTTP Profiles screen opens.
3. On the Menu bar, from the Other menu, select OneConnect.
4. In the upper right portion of the screen, click the Create button. The New OneConnect Profile screen opens.
5. In the Name box, type a name for this profile. In our example, we type exch_oa_oneconnect.
6. Modify any of the settings as applicable for your network. See the online help for more information on the configuration options. In our example, we leave the settings at their default levels.
7. Click the Finished button.

Creating the virtual server

The final task is to create a virtual server for Outlook Anywhere.

To create the virtual server

1. On the Main tab, expand Local Traffic, and then click Virtual Servers. The Virtual Servers screen opens.
2. In the upper right portion of the screen, click the Create button. The New Virtual Server screen opens.
3. In the Name box, type a name for this virtual server. In our example, we type exch_oa_virtual.
4. In the Destination section, select the Host option button.
5. In the Address box, type the IP address of this virtual server. In our example, we use 10.133.20.203.
6. In the Service Port box, type 443, or select HTTPS from the list.
7. From the Configuration list, select Advanced. The Advanced configuration options appear.
8. In the Configuration section, from the Protocol Profile list, select the profile you created in the Creating the TCP profile section. In our example, we select exch_oa_tcp.
9. If you are using Basic Authentication and created a OneConnect profile, from the OneConnect Profile list, select the profile you created in the Creating the OneConnect profile section. In our example, we select exch_oa_oneconnect.
10. From the HTTP Profile list, select the HTTP profile you created in the Creating the HTTP profile section. In our example, we select exch_oa_http.
11. From the SSL Profile (Client) list, select the SSL profile you created in the Creating the Client SSL profile section. In our example, we select exch_oa_clientssl.
12. In the Resources section, from the Default Pool list, select the pool you created in the Creating the pool section. In our example, we select exch_oa_pool.
13. From the Default Persistence Profile list, select the persistence profile you created in the Creating the persistence profile section. In our example, we select exch_oa_persist.
14. Click the Finished button.

This completes the BIG-IP LTM configuration for Outlook Anywhere.

Deploying F5 Devices with Microsoft Exchange Server 2007 Client Access Servers Configuring the BIG-IP LTM system for the ActiveSync component of Client Access Exchange ActiveSync is a synchronization protocol based on HTTP and XML that is designed to work over a cellular or wireless Internet connection. Exchange ActiveSync can synchronize e-mail messages, contacts, calendar, and task data. By deploying BIG-IP LTM in front of ActiveSync-enabled servers, you gain the advantages of intelligent load distribution, SSL/TLS offloading, and ease of certificate management. For more information on ActiveSync, see the Microsoft documentation at http://technet.microsoft.com/en-us/library/aa998357(exchg.80).aspx. To configure the BIG-IP LTM system for ActiveSync, you need to complete the following tasks: Importing keys and certificates Creating the HTTP health monitor Creating the pool Creating profiles Creating the virtual server Importing keys and certificates The first step is to import a certificate and key for Outlook Anywhere. To import the certificate and key, follow the procedure Importing keys and certificates, on page 5, using the certificate and key for ActiveSync. Creating the HTTP health monitor The next task is to create a health monitor for the devices running Outlook Anywhere. To configure a health monitor 1. On the Main tab, expand Local Traffic, and then click Monitors. The Monitors screen opens. 2. Click the Create button. The New Monitor screen opens. 3. In the Name box, type a name for the Monitor. In our example, we type exch_activesync_http. 4. From the Type list, select http The HTTP Monitor configuration options appear. F5 Deployment Guide 1-36

5. In the Configuration section, in the Interval and Timeout boxes, type an Interval and Timeout. We recommend at least a 1:3 +1 ratio between the interval and the timeout. In our example, we use an Interval of 30 and a Timeout of 91. The rest of the configuration settings are optional.
6. Click the Finished button. The new monitor is added to the Monitor list.

Creating the pool

The next step in this configuration is to create a pool on the BIG-IP LTM system for the devices running ActiveSync.

To create the ActiveSync pool
1. On the Main tab, expand Local Traffic, and then click Pools. The Pool screen opens.
2. In the upper right portion of the screen, click the Create button. The New Pool screen opens.
3. In the Name box, enter a name for your pool. In our example, we use exch_activesync_pool.
4. In the Health Monitors section, select the name of the monitor you created in the Creating the HTTP health monitor section, and click the Add (<<) button. In our example, we select exch_activesync_http.
5. From the Load Balancing Method list, choose your preferred load balancing method (different load balancing methods may yield optimal results for a particular network). In our example, we select Least Connections (node).
6. In the New Members section, make sure the New Address option button is selected.
7. In the Address box, add the first server to the pool. In our example, we type 10.133.20.55.
8. In the Service Port box, type the service number you want to use for this device, or specify a service by choosing a service name from the list. In our example, we type 80.
9. Click the Add button to add the member to the list.
10. Repeat steps 8-10 for each server you want to add to the pool. In our example, we repeat these steps once for the remaining server, 10.133.20.56.
11. Click the Finished button.

Creating profiles

The next task is to create the profiles for ActiveSync. In our example, we create four new profiles.

Creating the persistence profile

The first profile we create is a persistence profile. You can choose the persistence method that best suits your configuration. In our example, we use cookie persistence.

To create a new cookie persistence profile
1. On the Main tab, expand Local Traffic, and then click Profiles. The HTTP Profiles screen opens.
2. On the Menu bar, click Persistence. The Persistence Profiles screen opens.
3. In the upper right portion of the screen, click the Create button. The New Persistence Profile screen opens.
4. In the Name box, type a name for this profile. In our example, we type exch_activesync_cookie.
5. From the Persistence Type list, select cookie. The configuration options for cookie persistence appear.
6. Modify any of the settings as applicable for your network. See the online help for more information on the configuration options.
7. Click the Finished button.

Creating the HTTP profile

Next, we create an HTTP profile. The HTTP profile for ActiveSync is the same as the HTTP profile you created for Outlook Web Access (including the Redirect Rewrite setting). While you can use the same HTTP profile, we recommend you create a new one. If you did not configure an HTTP profile for Outlook Web Access, follow the Creating an HTTP profile procedure on page 10, using a unique name for ActiveSync.

To create a new HTTP profile for ActiveSync
1. On the Main tab, expand Local Traffic.
2. Click Profiles. The HTTP Profiles screen opens.
3. In the upper right portion of the screen, click the Create button. The New HTTP Profile screen opens.
4. In the Name box, type a name for this profile. In our example, we type exch_activesync_http.

5. From the Parent Profile list, select the name of the profile you created in Creating an HTTP profile, on page 10. In our example, we select exch_owa_http.
6. Optional: If you want to enable the X-Forwarded-For header for accurate logging, check the Custom box for Insert X-Forwarded-For, and from the list, select Enabled. See Optional: Using X-Forwarded-For to log the client IP address in IIS 7.0 and 7.5, on page 1-11 for detailed information, including modifications to IIS to accurately log the client IP address.
7. Modify any of the settings as applicable for your network.
8. Click the Finished button.

Creating the TCP profile

Next, we create a TCP profile. In our example, we leave all the options at their default settings. You can configure these options as appropriate for your network.

To create a new TCP profile
1. On the Main tab, expand Local Traffic.
2. Click Profiles. The HTTP Profiles screen opens.
3. On the Menu bar, from the Protocol menu, select TCP.
4. In the upper right portion of the screen, click the Create button. The New TCP Profile screen opens.
5. In the Name box, type a name for this profile. In our example, we type exch_activesync_tcp.
6. Modify any of the settings as applicable for your network. See the online help for more information on the configuration options. In our example, we leave the settings at their default levels.
7. Click the Finished button.

Creating the Client SSL profile

The next step is to create an SSL profile. This profile contains the SSL certificate and Key information for offloading the SSL traffic.

To create a new Client SSL profile
1. On the Main tab, expand Local Traffic.
2. Click Profiles. The HTTP Profiles screen opens.
3. On the Menu bar, from the SSL menu, select Client. The Client SSL Profiles screen opens.

4. In the upper right portion of the screen, click the Create button. The New Client SSL Profile screen opens.
5. In the Name box, type a name for this profile. In our example, we type exch_activesync_clientssl.
6. In the Configuration section, click a check in the Certificate and Key Custom boxes.
7. From the Certificate list, select the name of the Certificate you imported in the Importing keys and certificates section.
8. From the Key list, select the key you imported in the Importing keys and certificates section.
9. Click the Finished button.

Creating the virtual server

The final task is to create a virtual server for ActiveSync.

To create the virtual server
1. On the Main tab, expand Local Traffic, and then click Virtual Servers. The Virtual Servers screen opens.
2. In the upper right portion of the screen, click the Create button. The New Virtual Server screen opens.
3. In the Name box, type a name for this virtual server. In our example, we type exch_activesync_virtual.
4. In the Destination section, select the Host option button.
5. In the Address box, type the IP address of this virtual server. In our example, we use 10.133.20.204.
6. In the Service Port box, type 443, or select HTTPS from the list.
7. From the Configuration list, select Advanced.
8. In the Configuration section, from the Protocol Profile list, select the profile you created in the Creating the TCP profile section. In our example, we select exch_activesync_tcp.
9. From the HTTP Profile list, select the HTTP profile you created in the Creating the HTTP profile section. In our example, we select exch_activesync_http.
10. From the SSL Profile (Client) list, select the SSL profile you created in the Creating the Client SSL profile section. In our example, we select exch_activesync_clientssl.
11. In the Resources section, from the Default Pool list, select the pool you created in the Creating the pool section. In our example, we select exch_activesync_pool.

12. From the Default Persistence Profile list, select the persistence profile you created in the Creating the persistence profile section. In our example, we select exch_activesync_cookie.
13. Click the Finished button.

This completes the BIG-IP LTM configuration for ActiveSync.

Configuring the BIG-IP LTM to support Outlook Web Access, Outlook Anywhere, and ActiveSync using a single virtual server

For most deployments, F5 recommends creating a separate virtual server for Outlook Web Access, Outlook Anywhere (RPC-over-HTTP), and ActiveSync on Client Access Servers. By maintaining a separate virtual server for each component, you can manage each service largely independently of the others. For instance, you may wish to have different pool membership, load balancing methods, or custom monitors for Outlook Web Access and Outlook Anywhere. If those services are each associated with a different virtual server, granular management becomes easier.

In some cases, however, you may find it desirable or necessary to combine multiple functions on the same virtual server; for instance, you may wish to have a single fully-qualified domain name (FQDN) and associated SSL certificate for all client access methods.

Note: You may use the same FQDN and SSL certificate for IMAP4 and POP3 access, even though they are on different virtual servers, because neither of those services shares the TCP port (443) used by Outlook Web Access, Outlook Anywhere, and ActiveSync.

In the following procedures, we demonstrate methods for combining functionality on a single virtual server, using an iRule to identify and treat each traffic type individually. The examples shown only provide the basic functionality required for each service. If you would like to customize the iRule to provide additional services, such as customized event logging, please refer to the iRules documentation, forums, and CodeShare examples on DevCentral.

Because most tasks in this section are identical to those in previous sections, we detail only those that are unique when using a single virtual server. There are two options, each described in the following sections.
See each section for more specific details:

Using one pool for all three services with no WebAccelerator, on page 1-43
Follow the procedures in this section if you want to use a single FQDN for all three services, a single pool, and are not using the WebAccelerator.

Using different pools for each service and using the WebAccelerator, on page 1-45
Follow the procedures in this section if you want to use a single FQDN for all three services, multiple pools, and are using the WebAccelerator.

Using one pool for all three services with no WebAccelerator

You should use this example if the following conditions are true:
1. You want to use a single FQDN for Outlook Web Access, Outlook Anywhere, and ActiveSync.
2. You want to use the same BIG-IP LTM pool of Client Access Servers for all three services.
3. You do not have a Web Accelerator module licensed and configured on your BIG-IP LTM, or you do not wish to use a Web Accelerator policy for Outlook Web Access.

In the following sections, we refer to the procedures from Configuring the BIG-IP LTM system for the Outlook Web Access component of Client Access, on page 1-4, calling out the places where the configuration differs.

Configuring Outlook Web Access servers to support SSL offloading

You must complete this step on each Client Access server that will be a member of your pool. You must also configure every Client Access server in the pool to support Outlook Anywhere as described at http://technet.microsoft.com/en-us/library/bb123741.aspx, and ActiveSync as described at http://technet.microsoft.com/en-us/library/bb124234.aspx. In all cases, the External URL configured for each service must use an identical FQDN.

Configuring the BIG-IP LTM system

The following notes apply to the configuration of the BIG-IP LTM.

Importing certificates and keys

To import certificates and keys, follow the procedure Importing keys and certificates, on page 1-5. Make sure that the key and certificate you import correspond to the FQDN that you configured for the three HTTP-based Exchange services.

Creating the HTTP monitor

To create the HTTP monitor, follow the procedure Creating the HTTP health monitor, on page 1-6. You may wish to assign a name to the monitor that indicates it is not just for a single service on the Client Access servers, but for all HTTP-enabled services. In our example, we name the monitor exch_cas_http.

Creating the pool

To create the pool, follow the procedure Creating the pool, on page 1-7. Note that the pool must contain members that have Outlook Web Access, Outlook Anywhere, and ActiveSync all enabled and configured correctly. You may wish to name the pool to indicate its use; in our example, we use exch_http_pool.

Creating profiles

First, you should not create a cookie persistence profile for this configuration. To create HTTP, TCP and Client SSL profiles, use the following procedures:
- HTTP: Creating an HTTP profile, on page 1-10
- TCP: Creating the TCP profile, on page 1-13
- Client SSL: Creating a Client SSL profile, on page 1-13
You may wish to name them appropriately. In our example, we use exch_http_opt, exch_tcp_opt, and exch_https_client, respectively.

Creating the iRules

If you are using the functionality found in the Redirect and Appending iRules, follow the procedures found in Creating the iRules, on page 1-14. Explanations of each iRule precede each procedure.

For this configuration, you must create an additional iRule which changes persistence methods based on the service being accessed. When using a single virtual server for Outlook Web Access, Outlook Anywhere, and ActiveSync, you need to use an iRule to separate out the traffic that supports cookie persistence (Outlook Web Access and ActiveSync) from that which does not (Outlook Anywhere) and assign appropriate persistence methods. The following example creates a persistence iRule that uses correct persistence methods for each access type. This iRule assumes the use of a single pool for all three services, and no Web Accelerator HTTP class policy.

To create the persistence iRule
1. On the Main tab, expand Local Traffic, and then click iRules.
2. In the upper right portion of the screen, click the Create button.
3. In the Name box, enter a name for your iRule. In our example, we use exch_owa_persist.
4. In the Definition section, copy and paste the following iRule:

    when HTTP_REQUEST {
        if { [HTTP::header "User-Agent"] contains "MSRPC" } {
            persist uie [HTTP::header "Authorization"] 3600
        } else {
            persist cookie
        }
    }

5. Click the Finished button.

Creating the virtual servers

For this configuration, you create two virtual servers:

HTTP: To create the HTTP virtual server that redirects to HTTPS, follow the procedure To create the HTTP virtual server, on page 1-16 exactly as directed, except that you may wish to name the virtual server in a manner similar to the other objects you have created (in our example exch_virtual_http), and select the appropriate objects you created in this section.

HTTPS: To create the HTTPS virtual server, follow the procedure To create the HTTPS virtual server, on page 1-18. Give the virtual server a unique name. In Step 10, in addition to adding the appending iRule, also select the persistence iRule you just created in the preceding procedure. The persistence iRule should be placed below the appending iRule in the Enabled box. In Step 12, rather than selecting a custom persistence profile, select cookie.

This concludes this section. If you are using a redundant BIG-IP LTM configuration, see Synchronizing the BIG-IP configuration if using a redundant system, on page 1-56.

Using different pools for each service and using the WebAccelerator

You should use this example if the following conditions are true:
1. You want to use a single FQDN for Outlook Web Access, Outlook Anywhere, and ActiveSync.
2. You want to use a different BIG-IP LTM pool of Client Access Servers for each of the three services.
3. You have a Web Accelerator module licensed and configured on your BIG-IP LTM, and you wish to use a Web Accelerator policy to accelerate Outlook Web Access.

In the following sections, we refer to the procedures from Configuring the BIG-IP LTM system for the Outlook Web Access component of Client Access, on page 1-4, calling out the places where the configuration differs.

Configuring Client Access servers to support SSL offloading

To configure the Client Access servers that will be providing Outlook Web Access to support SSL offloading, you must first follow Microsoft's instructions at technet.microsoft.com/en-us/library/bb885060.aspx. You must also configure these servers to use an external URL containing your desired FQDN. You must also enable Outlook Anywhere on any Client Access servers that will be providing that service, and set the external URL to include the same FQDN as Outlook Web Access. Lastly, configure ActiveSync on any Client Access servers that will be providing that functionality, and set the external URL to include the same FQDN as Outlook Web Access and Outlook Anywhere.

Configuring the BIG-IP LTM system

The following notes apply to the configuration of the BIG-IP LTM.

Importing certificates and keys

To import certificates and keys, follow the procedure Importing keys and certificates, on page 1-5. Make sure that the key and certificate you import correspond to the FQDN that you configured for the three HTTP-based Exchange services.

Creating the HTTP monitors

In this case, we recommend you create three HTTP monitors, one for each service, using the following procedures:
- Outlook Web Access: Creating the HTTP health monitor, on page 1-6
- Outlook Anywhere: Creating the HTTP health monitor, on page 1-29
- ActiveSync: Creating the HTTP health monitor, on page 1-36

Creating the pools

Create three pools, one for each service, using the following procedures:
- Outlook Web Access: Creating the pool, on page 1-7
- Outlook Anywhere: Creating the pool, on page 1-29
- ActiveSync: Creating the pool, on page 1-37

Creating profiles

First, you should not create a cookie persistence profile for this configuration. To create HTTP, TCP and Client SSL profiles, use the following procedures:
- HTTP: Creating an HTTP profile, on page 1-10
- TCP: Creating the TCP profile, on page 1-13
- Client SSL: Creating a Client SSL profile, on page 1-13
You may wish to name them appropriately.

Creating the HTTP Class profile

To create the HTTP Class profile, follow the procedure Creating an HTTP Class profile, on page 1-23.

Creating the iRules

If you are using the functionality found in the Redirect and Appending iRules, follow the procedures found in Creating the iRules, on page 1-14. Explanations of each iRule precede each procedure.

For this configuration, you must create an additional iRule which changes persistence methods based on the service being accessed. When using a single virtual server for OWA, Outlook Anywhere, and ActiveSync, you will need to use an iRule to separate out the traffic that supports cookie persistence (Outlook Web Access and ActiveSync) from that which does not (Outlook Anywhere) and assign appropriate persistence methods. This example creates a persistence iRule that uses correct persistence methods for each access type. This iRule assumes the use of three pools for the three services, and the Web Accelerator HTTP class policy.

To create the persistence iRule
1. On the Main tab, expand Local Traffic, and then click iRules.
2. In the upper right portion of the screen, click the Create button.
3. In the Name box, enter a name for your iRule. In our example, we use exch_owa_persistence.
4. In the Definition section, copy and paste the following iRule:

    when HTTP_REQUEST {
        if { [HTTP::header "User-Agent"] contains "MSRPC" } {
            persist uie [HTTP::header "Authorization"] 3600
            pool exch_oa_pool
        } elseif { [HTTP::uri] contains "Microsoft-Server-ActiveSync" } {
            persist cookie
            pool exch_activesync_pool
        } else {
            persist cookie
            pool exch_owa_pool
            HTTP::class select exch07-class
        }
    }

5. Click the Finished button.
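The two persistence iRules in this part of the guide (the single-pool rule on page 1-44 and the three-pool rule above) make the same classification: a User-Agent containing MSRPC is Outlook Anywhere and gets universal (UIE) persistence keyed on the Authorization header, a URI containing Microsoft-Server-ActiveSync is ActiveSync, and everything else is Outlook Web Access. The Python model below is an added example written for this page; it is not F5 code and does not run on the BIG-IP. It reproduces the decision for both pool layouts over constructed requests and adds a small UIE table so the 3600-second record can be seen being reused and then lapsing. Hashing the persistence key, skipping persistence when no Authorization header is present, and the round-robin member choice are the example's own assumptions, not behaviour of the guide's iRules.

```python
"""Added example: a Python model of the persistence iRules in the
single-virtual-server sections. Not F5 code; it runs offline on constructed requests."""
import hashlib
import itertools
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Pool names from the guide. The single-pool variant sends every service to one pool.
SINGLE_POOL = {"owa": "exch_http_pool", "activesync": "exch_http_pool", "oa": "exch_http_pool"}
MULTI_POOL = {"owa": "exch_owa_pool", "activesync": "exch_activesync_pool", "oa": "exch_oa_pool"}
UIE_TIMEOUT = 3600          # seconds; matches "persist uie ... 3600" in the guide
OWA_CLASS = "exch07-class"  # WebAccelerator HTTP class named in the guide


@dataclass(frozen=True)
class Decision:
    service: str
    pool: str
    persistence: str            # "cookie" or "uie"
    persist_key: Optional[str]  # UIE key (hashed in this model); None for cookie
    http_class: Optional[str]   # WebAccelerator class to select, else None


def classify(headers: Dict[str, str], uri: str) -> str:
    """Same tests, in the same order, as the guide's iRule."""
    if "MSRPC" in headers.get("User-Agent", ""):
        return "oa"          # Outlook Anywhere (RPC over HTTP): no cookie support
    if "Microsoft-Server-ActiveSync" in uri:
        return "activesync"
    return "owa"


def route(headers: Dict[str, str], uri: str, pools: Dict[str, str],
          http_class: Optional[str] = None) -> Decision:
    service = classify(headers, uri)
    if service == "oa":
        auth = headers.get("Authorization", "")
        # The guide's iRule keys UIE persistence on the raw Authorization header.
        # This model (an assumption, not the guide's behaviour) hashes it first so
        # the table below never stores a credential, and skips persistence when
        # the header is absent.
        key = hashlib.sha256(auth.encode()).hexdigest() if auth else None
        return Decision(service, pools["oa"], "uie", key, None)
    if service == "activesync":
        return Decision(service, pools["activesync"], "cookie", None, None)
    return Decision(service, pools["owa"], "cookie", None, http_class)


class PersistenceTable:
    """Minimal universal (UIE) persistence table: key -> (member, expiry)."""

    def __init__(self, members, timeout: int = UIE_TIMEOUT):
        self._pick = itertools.cycle(members)  # round-robin stand-in for the LB choice
        self._timeout = timeout
        self._table: Dict[str, Tuple[str, float]] = {}

    def select(self, key: Optional[str], now: float) -> str:
        if key is not None:
            entry = self._table.get(key)
            if entry is not None and entry[1] > now:
                return entry[0]                 # sticky: reuse the recorded member
        member = next(self._pick)
        if key is not None:
            self._table[key] = (member, now + self._timeout)
        return member


def demo():
    """Walk one Outlook Anywhere client through the table across the 3600 s window."""
    table = PersistenceTable(["10.133.20.55", "10.133.20.56"])
    # Constructed request, not captured traffic; the credential is a placeholder.
    oa = {"User-Agent": "MSRPC", "Authorization": "Basic <placeholder>"}
    d = route(oa, "/", MULTI_POOL, OWA_CLASS)
    first = table.select(d.persist_key, now=0)
    repeat = table.select(d.persist_key, now=1800)              # inside the window
    expired = table.select(d.persist_key, now=UIE_TIMEOUT + 1)  # record has lapsed
    return d.pool, first, repeat, expired


if __name__ == "__main__":
    print(demo())
```

Cookie persistence is not an option for the MSRPC branch because, as the guide says, the Outlook Anywhere client does not support it, which is why the rule keys on the Authorization header instead. One consequence to keep in mind when checking your own deployment: the persistence key is derived from a per-request credential header, so a client whose Authorization value changes between requests starts a new record and may land on a different member.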

Creating the virtual servers

For this configuration, you create two virtual servers:

HTTP: To create the HTTP virtual server that redirects to HTTPS, follow the procedure To create the HTTP virtual server, on page 1-16 exactly as directed, except that you may wish to name the virtual server in a manner similar to the other objects you have created (in our example exch_virtual_http), and select the appropriate objects you created in this section.

HTTPS: To create the HTTPS virtual server, follow the procedure To create the HTTPS virtual server, on page 1-18. Give the virtual server a unique name. In Step 10, in addition to adding the appending iRule, also select the persistence iRule you just created in the preceding procedure. The persistence iRule should be placed below the appending iRule in the Enabled box. In Step 12, rather than selecting a custom persistence profile, select cookie.

This concludes this section. If you are using a redundant BIG-IP LTM configuration, see Synchronizing the BIG-IP configuration if using a redundant system, on page 1-56.

Configuring the BIG-IP LTM system for the POP3 and IMAP4 components of Client Access

POP3 and IMAP4 enable a variety of clients to connect to the Exchange server. These include Outlook, Outlook Express, and third-party clients such as Eudora. F5's BIG-IP LTM can be configured to serve secure versions of these protocols, known as POP3S and IMAPS respectively, with no required changes to the Exchange Server configuration and with all SSL processing performed on the LTM device. For more information about how to manage POP3 and IMAP4 in Exchange 2007, see Managing POP3 and IMAP4 on Microsoft TechNet.

Configuring the BIG-IP system for IMAP4

This section includes procedures for configuring the BIG-IP LTM system for the IMAP4 service.

Importing keys and certificates

The first step is to import a certificate and key for IMAP4. To import the certificate and key, follow the procedure Importing keys and certificates, on page 5, using the certificate and key for IMAP4.

Creating the TCP health monitor

The next step is to set up a health monitor for the IMAP4 service. This procedure is optional, but very strongly recommended. For this configuration, we create a simple TCP health monitor, based off the default TCP monitor. Although the monitor in the following example is quite simple, you can configure optional settings such as Send and Receive Strings to make the monitor much more specific.

To configure a TCP health monitor
1. On the Main tab, expand Local Traffic, and then click Monitors. The Monitors screen opens.
2. Click the Create button. The New Monitor screen opens.
3. In the Name box, type a name for the Monitor. In our example, we type exch_imap4.
4. From the Type list, select TCP. The TCP Monitor configuration options appear.

5. In the Configuration section, in the Interval and Timeout boxes, type an Interval and Timeout. We recommend at least a 1:3 +1 ratio between the interval and the timeout (for example, the default setting has an interval of 5 and a timeout of 16). In our example, we use an Interval of 30 and a Timeout of 91.
6. In the Send String and Receive Rule sections, you can add an optional Send String and Receive Rule specific to the device being checked.
7. Click the Finished button. The new monitor is added to the Monitor list.

Creating the pool

The next step in this configuration is to create a pool on the BIG-IP LTM system for the IMAP4 service. A BIG-IP pool is a set of devices grouped together to receive traffic according to a load balancing method.

To create the pool
1. On the Main tab, expand Local Traffic, and then click Pools. The Pool screen opens.
2. In the upper right portion of the screen, click the Create button. The New Pool screen opens.
Note: For more (optional) pool configuration settings, from the Configuration list, select Advanced. Configure these settings as applicable for your network.
3. In the Name box, enter a name for your pool. In our example, we use exch_imap4.
4. In the Health Monitors section, select the name of the monitor you created in the Creating the TCP health monitor section, and click the Add (<<) button. In our example, we select exch_imap4.
5. From the Load Balancing Method list, choose your preferred load balancing method (different load balancing methods may yield optimal results for a particular network). In our example, we select Least Connections (node).
6. For this pool, we leave the Priority Group Activation Disabled.
7. In the New Members section, make sure the New Address option button is selected.
8. In the Address box, add the first server to the pool. In our example, we type 10.133.20.55.
9. In the Service Port section, type 143.
10. Click the Add button to add the member to the list.
11. Repeat steps 8-10 for each server you want to add to the pool. In our example, we repeat these steps once for the remaining server, 10.133.20.56.

12. Click the Finished button.

Creating profiles

For this configuration, we create a TCP and an SSL profile.

To create a new TCP profile based on the default TCP profile
1. On the Main tab, expand Local Traffic.
2. Click Profiles. The HTTP Profiles screen opens.
3. On the Menu bar, from the Protocol menu, select TCP.
4. In the upper right portion of the screen, click the Create button. The New TCP Profile screen opens.
5. In the Name box, type a name for this profile. In our example, we type exch_tcp.
6. Modify any of the settings as applicable for your network. In our example, we leave the settings at their default levels. See the online help for more information on the configuration options.
7. Click the Finished button.

The next step in this configuration is to create an SSL profile. This profile contains the SSL certificate and Key information for offloading the SSL traffic.

To create a new Client SSL profile
1. On the Main tab, expand Local Traffic.
2. Click Profiles. The HTTP Profiles screen opens.
3. On the Menu bar, from the SSL menu, select Client. The Client SSL Profiles screen opens.
4. In the upper right portion of the screen, click the Create button. The New Client SSL Profile screen opens.
5. In the Name box, type a name for this profile. In our example, we type imap4_clientssl.
6. In the Configuration section, click a check in the Certificate and Key Custom boxes.
7. From the Certificate list, select the name of the Certificate you imported in the Importing keys and certificates section.
8. From the Key list, select the key you imported in the Importing keys and certificates section.
9. Click the Finished button.

For more information on SSL certificates, or creating or modifying profiles, see the BIG-IP documentation.

Creating the virtual server

Next, we configure a virtual server on the BIG-IP LTM system that references the pool and profiles you just created.

To create a virtual server for SSL-enabled IMAP4
1. On the Main tab, expand Local Traffic, and then click Virtual Servers. The Virtual Servers screen opens.
2. In the upper right portion of the screen, click the Create button. The New Virtual Server screen opens.
3. In the Name box, type a name for this virtual server. In our example, we type exch_imap4.
4. In the Destination section, select the Host option button.
5. In the Address box, type the IP address of this virtual server. In our example, we use 10.133.20.200.
6. In the Service Port section, type 993 (the standard SSL IMAP4 port).
7. In the Configuration section, from the TCP Profile (Client) list, select the name of the profile you created in the Creating profiles section. In our example, we select exch_tcp.
8. From the SSL Profile (Client) list, select the SSL profile you created in the To create a new Client SSL profile section. In our example, we select imap4_clientssl.
9. In the Resources section, from the Default Pool list, select the pool you created in the Creating the pool section. In our example, we select exch_imap4.
10. Click the Finished button.

Configuring the BIG-IP system for POP3

This section includes procedures for configuring the BIG-IP LTM system for the POP3 service.

Importing keys and certificates

The first step is to import a certificate and key for POP3. To import the certificate and key, follow the procedure Importing keys and certificates, on page 5, using the certificate and key for POP3.
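The IMAP4 monitor above and the POP3 monitor in the next section are both plain TCP monitors, and both procedures mention the optional Send String and Receive Rule. The script below is an added example written for this page, not F5 code: it implements the monitor's logic as a loopback probe so the difference between a bare TCP check and one with a Receive Rule is visible. The listeners it talks to are constructed stand-ins that serve a single greeting; the prefix match on the reply is a simplification of the BIG-IP Receive Rule, which is a regular expression; the timeout follows the guide's 1:3 +1 rule and example values (interval 30, timeout 91). The probe targets the members' plaintext ports (143 and 110 in the guide's pools), since SSL is terminated on the LTM.

```python
"""Added example: what a TCP monitor with a Send String / Receive Rule does for the
IMAP4 and POP3 pools. Not F5 code; the listeners below are constructed stand-ins."""
import socket
import threading


def monitor_timeout(interval: int) -> int:
    """Timeout implied by the guide's 1:3 +1 rule (interval 5 -> 16, 30 -> 91)."""
    return interval * 3 + 1


def probe_banner(host: str, port: int, expected_prefix: str, timeout: float,
                 send: str = "") -> bool:
    """One monitor pass: connect to the member's plaintext port, optionally send a
    string, and require the first reply to start with expected_prefix.  Any socket
    error or timeout marks the member down, as a real monitor would."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if send:
                sock.sendall(send.encode())
            reply = sock.recv(512)
    except OSError:
        return False
    return reply.startswith(expected_prefix.encode())


def fake_listener(banner: bytes) -> int:
    """Constructed loopback listener that serves one greeting, then closes.
    Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def check_pool_members():
    """Probe three constructed members: a healthy IMAP4, a healthy POP3, and a POP3
    listener that accepts the TCP connection but answers with an error.  A bare TCP
    monitor would mark the third one up; the Receive Rule catches it."""
    timeout = monitor_timeout(30)   # the guide's example: interval 30, timeout 91
    imap_port = fake_listener(b"* OK IMAP4rev1 service ready\r\n")
    pop_port = fake_listener(b"+OK POP3 service ready\r\n")
    bad_port = fake_listener(b"-ERR service unavailable\r\n")
    return {
        "imap4": probe_banner("127.0.0.1", imap_port, "* OK", timeout),
        "pop3": probe_banner("127.0.0.1", pop_port, "+OK", timeout),
        "pop3_degraded": probe_banner("127.0.0.1", bad_port, "+OK", timeout),
    }


if __name__ == "__main__":
    print(check_pool_members())
```

The third case is the reason the guide calls the Receive Rule "very strongly recommended": a member whose service process is up but refusing to serve still completes the TCP handshake, so only a check on the protocol greeting takes it out of rotation.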

Creating the TCP health monitor

The first step is to set up a health monitor for the POP3 service. This procedure is optional, but very strongly recommended. For this configuration, we create a simple TCP health monitor, based off the default TCP monitor.

To configure a TCP health monitor
1. On the Main tab, expand Local Traffic, and then click Monitors. The Monitors screen opens.
2. Click the Create button. The New Monitor screen opens.
3. In the Name box, type a name for the Monitor. In our example, we type exch_pop3.
4. From the Type list, select TCP. The TCP Monitor configuration options appear.
5. In the Configuration section, in the Interval and Timeout boxes, type an Interval and Timeout. We recommend at least a 1:3 +1 ratio between the interval and the timeout (for example, the default setting has an interval of 5 and a timeout of 16). In our example, we use an Interval of 30 and a Timeout of 91.
6. In the Send String and Receive Rule sections, you can add an optional Send String and Receive Rule specific to the device being checked.
7. Click the Finished button. The new monitor is added to the Monitor list.

Creating the pool

The next step in this configuration is to create a pool on the BIG-IP LTM system for the POP3 service. A BIG-IP pool is a set of devices grouped together to receive traffic according to a load balancing method.

To create the pool
1. On the Main tab, expand Local Traffic, and then click Pools. The Pool screen opens.
2. In the upper right portion of the screen, click the Create button. The New Pool screen opens.
Note: For more (optional) pool configuration settings, from the Configuration list, select Advanced. Configure these settings as applicable for your network.
3. In the Name box, enter a name for your pool. In our example, we use exch_pop3.

4. In the Health Monitors section, select the name of the monitor you created in the Creating the TCP health monitor section, and click the Add (<<) button. In our example, we select exch_pop3.
5. From the Load Balancing Method list, choose your preferred load balancing method (different load balancing methods may yield optimal results for a particular network). In our example, we select Least Connections (node).
6. For this pool, we leave the Priority Group Activation Disabled.
7. In the New Members section, make sure the New Address option button is selected.
8. In the Address box, add the first server to the pool. In our example, we type 10.133.20.55.
9. In the Service Port section, type 110.
10. Click the Add button to add the member to the list.
11. Repeat steps 8-10 for each server you want to add to the pool. In our example, we repeat these steps once for the remaining server, 10.133.20.56.
12. Click the Finished button.

Creating profiles

For this configuration, we create a TCP and an SSL profile.

To create a new TCP profile based on the default TCP profile
1. On the Main tab, expand Local Traffic.
2. Click Profiles. The HTTP Profiles screen opens.
3. On the Menu bar, from the Protocol menu, select TCP.
4. In the upper right portion of the screen, click the Create button. The New TCP Profile screen opens.
5. In the Name box, type a name for this profile. In our example, we type exch_tcp.
6. Modify any of the settings as applicable for your network. See the online help for more information on the configuration options. In our example, we leave the settings at their default levels.
7. Click the Finished button.

For more information on creating or modifying profiles, or applying profiles in general, see the BIG-IP documentation.

The next step in this configuration is to create an SSL profile. This profile contains the SSL certificate and Key information for offloading the SSL traffic.
F5 Deployment Guide 1-54

To create a new Client SSL profile
1. On the Main tab, expand Local Traffic.
2. Click Profiles. The HTTP Profiles screen opens.
3. On the Menu bar, from the SSL menu, select Client. The Client SSL Profiles screen opens.
4. In the upper right portion of the screen, click the Create button. The New Client SSL Profile screen opens.
5. In the Name box, type a name for this profile. In our example, we type pop3s_clientssl.
6. In the Configuration section, click a check in the Certificate and Key Custom boxes.
7. From the Certificate list, select the name of the certificate you imported in the Importing keys and certificates section.
8. From the Key list, select the key you imported in the Importing keys and certificates section.
9. Click the Finished button.
For more information on SSL certificates, or creating or modifying profiles, see the BIG-IP documentation.

Creating the virtual server
Next, we configure a virtual server on the BIG-IP LTM system that references the pool and profiles you just created. The virtual server accepts POP3 over SSL (port 995) from clients, and the Client SSL profile decrypts the traffic before it is sent to the pool members on port 110. Because the connection between the BIG-IP LTM system and the Client Access servers is then plain POP3, make sure that network segment is trusted, or add a Server SSL profile to re-encrypt the traffic.

To create a virtual server for POP3
1. On the Main tab, expand Local Traffic, and then click Virtual Servers. The Virtual Servers screen opens.
2. In the upper right portion of the screen, click the Create button. The New Virtual Server screen opens.
3. In the Name box, type a name for this virtual server. In our example, we type exch_pop3.
4. In the Destination section, select the Host option button.
5. In the Address box, type the IP address of this virtual server. In our example, we use 10.133.20.200.
6. In the Service Port section, type 995.
7. In the Configuration section, from the TCP Profile (Client) list, select the name of the profile you created in the Creating profiles section. In our example, we select exch_tcp.

8. From the SSL Profile (Client) list, select the SSL profile you created in the To create a new Client SSL profile section. In our example, we select pop3s_clientssl.
9. In the Resources section, from the Default Pool list, select the pool you created in the Creating the pool section. In our example, we select exch_pop3.
10. Click the Finished button.

Synchronizing the BIG-IP configuration if using a redundant system
If you are using a redundant BIG-IP configuration, the final step is to synchronize the configuration to the peer BIG-IP device.

To synchronize the configuration using the Configuration utility
1. On the Main tab, expand System.
2. Click High Availability. The Redundancy screen opens.
3. On the Menu bar, click ConfigSync.
4. Click the Self --> Peer button. The configuration synchronizes with its peer.

Configuring the FirePass controller for Exchange Server 2007
This section of the Deployment Guide shows you how to configure the F5 FirePass controller for secure remote access to Microsoft Exchange Server 2007, including Outlook Web Access (OWA). F5's FirePass controller is an SSL VPN solution that enables organizations of any size to provide secure access for employees, partners and customers to applications such as Microsoft Exchange Server 2007, while lowering the support costs associated with legacy client-based VPN solutions.
For more information on the Microsoft Exchange Server, see http://www.microsoft.com/exchange/default.mspx
For more information on the FirePass controller, see http://www.f5.com/products/firepass/.

Prerequisites and configuration notes
The following are prerequisites for this section:
- The FirePass controller should be running version 6.0 or later.
- This deployment was tested using Microsoft Exchange Server 2007, load balanced by a BIG-IP LTM system.
- All of the configuration procedures in this section are performed on the FirePass controller.
- This configuration uses previously defined Active Directory groups to provide authentication and simple user maintenance. For information on how to configure Active Directory groups, consult the proper documentation.
- This Deployment Guide is written to the scenario outlined in the following section. It is meant as a template; modify the configuration as necessary for your deployment.

Configuration scenario
For the scenario used in this Deployment Guide, the Microsoft Exchange deployment, along with an Active Directory instance, resides behind a BIG-IP system. A group on the FirePass controller is given three access methods for reading Microsoft Exchange/Outlook Web Access email:
- Through an Outlook Web Access Portal Favorite on the FirePass device.
- Through the Network Access adapter, with a locally installed Microsoft Outlook client.

- Through the Mobile Email feature, which provides lightweight, pure HTML access to Exchange mailboxes using IMAP/POP3 and SMTP.
This Deployment Guide describes how to configure the FirePass controller to allow secure remote access to the Exchange device(s), using Active Directory for authentication. In our deployment, the FirePass device and the Exchange deployment use a common Active Directory Domain Controller. This guide also contains procedures on configuring some endpoint security features, including antivirus checks.
To configure the FirePass controller for allowing secure remote access to the Microsoft Exchange Server deployment, use the following procedures:
- Connecting to the FirePass controller
- Creating groups on the FirePass controller
- Configuring auto-logon
- Configuring Outlook Web Access through the FirePass device
- Configuring Mobile Email for HTML-based access to email
- Configuring Network Access to the Exchange server
- Configuring Endpoint security

Connecting to the FirePass controller
To perform the procedures in this Deployment Guide you must have administrative access to the FirePass controller. To access the Administrative console, in a browser, type the URL of the FirePass controller followed by /admin/, and log in with the administrator's user name and password. Once you are logged on as an administrator, the Device Management screen of the Configuration utility opens. From here, you can configure and monitor the FirePass controller.

Creating groups on the FirePass controller
In this configuration, we configure two types of groups on the FirePass controller, Resource and Master groups. Master groups contain user information, including details about authentication methods. Resource groups contain information about applications (resources) that are available to FirePass controller users.

Creating a Resource group
Resource groups allow you to preconfigure specific applications and access by group, and assign the group to a master group or an individual user. For this configuration, we create a single resource group for employees.
Tip: If you already have a resource group configured on the FirePass controller for employees, you can use that group and skip this procedure.

To configure a resource group
1. From the navigation pane, click Users, expand Groups, and then click Resource Groups.
2. Click the Create new group button. The Group Management - Create New Group screen opens.
3. In the New group name box, type a name for your group and click the Create button. In our example we type employees_email. The new group appears in the Resource Groups table.

Creating the Master Group
FirePass controller master groups are composed of users, authentication methods, and security and policy information. The next task is to create a Master group that will use the resource group we just created.

To create a new Master Group
1. From the Administrative Console navigation pane, click Users, expand Groups, click Master Groups, and then click the Create new group button. The Group Management - Create New Group screen opens.
2. In the New group name box, type the name of your group. In our example we type exchangead.
3. In the Users in group box, select External.
4. From the Authentication method list, select Active Directory.
5. In the Copy settings from list, make sure Do not copy is selected (see Figure 1.15).

6. Click the Create button. The General tab of the new Master Group displays.
Figure 1.15 Creating a new Master Group
7. Click the Resource Groups tab. The Resource Groups screen opens.
8. From the Available box, select the name of the Resource group you created in the Creating a Resource group section. In our example, we select employees_email.
9. Click the Add button to move the group to the Selected box, and click the Update button. The Resource group is now associated with the Master group.

Configuring the Master group for Active Directory authentication
The next step is to configure the Master group to use Active Directory authentication.
Important: The FirePass controller has a number of different authentication methods to choose from; use the method applicable to your configuration. However, this guide only contains instructions on configuring Active Directory authentication. See the online help or FirePass documentation for more information on configuring other authentication methods.

To configure the FirePass Master group to use Active Directory authentication
1. From the navigation pane, click Users, expand Groups, and then click Master Groups.
2. Click the name of the Master group you created in the Creating the Master Group section. In our example, we select exchangead.

3. Click the Authentication tab.
4. In the Configure Active Directory Settings section, configure the appropriate settings for your Active Directory deployment. Type the fully qualified domain name in the Domain name box, and IP addresses or DNS names for the Kerberos (Domain Controller) and WINS servers in their respective boxes (see Figure 1.16).
5. Click the Save Settings button.
6. You can optionally click Test Saved Settings to test the Active Directory authentication.
Figure 1.16 Active Directory Authentication settings
7. Click Select Domain Group. The Active Directory Authentication screen opens.
Important: Be sure you have entered the Domain admin name and password and saved the settings before clicking Select Domain Group. Because these credentials are saved on the FirePass controller and used to enumerate domain groups, use a dedicated account that has only the rights needed to read group membership rather than a member of Domain Admins.
8. From the list, select the Active Directory Domain group the user must belong to in order to authenticate, and click the Select Group button (see Figure 1.17).
9. Click the Save Settings button again. You can also click the Test Saved Settings button to test the configuration.

Figure 1.17 Selecting the Active Directory Domain Group

Configuring auto-logon
The FirePass controller allows auto-logon (single sign-on) to sites that support Basic or NTLM authentication, using the user's FirePass credentials. In our scenario, we configure this option to allow single sign-on (SSO). Because the controller forwards the user's credentials to any site that challenges for Basic or NTLM authentication, combine this setting with the access limitation in step 4 so that users can reach only administrator-configured Favorites.

To configure SSO/NTLM for auto-login
1. From the navigation pane, click Portal Access.
2. Under Web Applications, click Master Group Settings.
3. From the Master Group list at the top of the page, select the Master Group you created in the Creating the Master Group section. In our example, we select exchangead. The configuration settings for the Master group open.
4. To ensure members of the group only have access to the administrator-configured Favorites, make sure that the check box under Access limitation is checked.
5. In the NTLM and Basic Auth Proxy section, click a check in the Auto-login to Basic and NTLM auth protected sites using FirePass user credentials box. The NTLM and Basic Auth domain boxes display.
6. In the NTLM Auth Domain (optional) box, you can type the default domain to be used with the auto-login support.
7. In the Basic Auth Domain (optional) box, you can type the default domain to be used with the auto-login support. When specified, this value is prepended to the user name during Basic authentication (for example, MYDOMAIN\username).

8. Click the Update button.
Figure 1.18 Configuring NTLM Master Group Settings

Configuring Outlook Web Access through the FirePass device
For organizations that want an added layer of security for their Outlook Web Access deployment, want to require antivirus or other pre-logon checks, or do not want to make Outlook Web Access directly accessible from the Internet, the FirePass controller can be configured to render Outlook Web Access inside the FirePass user window.

To configure Outlook Web Access through the FirePass controller
1. From the navigation pane, click Users, expand Groups, and then click Resource Groups.
2. From the Resource Groups table, find the row with the name of the Resource group you created in the Creating a Resource group section (employees_email in our example). In this row, from the Portal access column, click Edit (see Figure 1.19). The Web Applications section of the Resource Group page opens.

Figure 1.19 The Resource groups table
3. Under Web Application Favorites, click Add New Favorite. The Favorite options display.
4. Type a name for the Favorite. In our example, we type Outlook Web Access. This Favorite link only displays for members of the employees_email group.
5. From the Web Application Type box, select Microsoft Outlook Web Access.
6. In the URL box, type the URL used to access Outlook Web Access. If you are using a BIG-IP system in front of the deployment, this URL should point to the virtual server address. In our example, we type http://webmail.company.com/.
7. Configure the rest of the settings as applicable to your deployment (see Figure 1.20).
8. Click the Add New button. The new Favorite is added to the list, and appears in the Portal Access Favorites section when the end user logs on to the FirePass device.

Figure 1.20 Adding a Web Application Favorite to the Resource group

Configuring Mobile Email for HTML-based access to email
As an alternative (or in addition) to using Outlook Web Access, you can use the FirePass controller's Mobile Email feature as a lightweight, pure HTML way of viewing Microsoft Exchange email that requires no client software on the endpoint.

To configure mobile access
1. From the navigation pane, click Portal Access and then click Mobile E-Mail.
2. Under Corporate mail account, click a check in the Enable corporate mail account box.
3. In the Account Name box, type a name for this email account. In our example, we type Exchange Server.
4. In the Mail Server box, type the name or IP address of the Exchange server. In our example, we type exchange1.
5. In the Type box, select IMAP.
6. In the IMAP Folders box, type the folders that should be displayed. A user can add to this list independently. Specifying the folders avoids the common confusion created by Exchange servers that display non-email items such as contacts and calendar as empty folders. In our example, we type Inbox,Drafts,Notes,Sent Items. In the Sent Folder box, we type Sent Items. In the Deleted Items box, we type Deleted Items.
7. From the Login Information box, choose the setting appropriate for your configuration. In our example, we select User supplies display and login information during the first logon.
8. In the Outgoing Mail Server box, type the name or IP address of your outgoing mail server.
9. Click the Update button.
10. Configure the rest of the options as applicable for your deployment, making sure to click the appropriate Update button if you make changes.

Configuring Network Access to the Exchange server
For remote users with an Outlook client on their PC, the FirePass controller can be configured to grant access to the corporate network so that the client communicates directly with the Exchange server.

To configure Network Access to the Exchange Server
1. From the navigation pane, click Network Access, and then click Global Settings.
2. In the Add new IP Address Pool section, in the Name box, type a name for this pool of IP addresses.
3. In the IP Address box, type the network address for this pool. In our example, we type 10.10.101.0.
Important: Using Network Access requires one internal IP address for each concurrent user, so make sure this network address can handle all possible concurrent users.
Warning: To prevent routing problems, ensure the network address pool does not contain the FirePass device's IP address.
4. In the Mask box, type the appropriate subnet mask. In our example, we type 255.255.255.0.
5. Click the Add button. In our example, this creates enough addresses for 254 users.
6. Leave the Use NAPT to Access LAN box checked.
7. Click the Apply these rules now button. The IP address pool is now configured.
8. From the navigation pane, click Resources. The Network Access Resource screen opens.

9. In the Connection Name box, type a name for the connection. This is the name the end user sees in the Favorites list. In our example, we type internal exchange.
10. You can optionally configure split tunneling. To configure split tunneling, click a check in the Use split tunneling box. The LAN and DNS address space boxes display. Configure these options as applicable for your deployment. With split tunneling, only traffic for the listed LAN address space goes through the tunnel and the client keeps its direct Internet connection; if your policy requires all client traffic to pass through the FirePass controller, leave it disabled.
11. Leave the Enable Client for Microsoft Networks box checked. The Enable File and Printer Sharing for Microsoft Networks setting is optional.
12. If you want the FirePass device to perform GZIP compression, click a check in the Use gzip compression box.
13. Click the Update button.
14. In the Configure IP Address Assignment section, make sure there is a check in the Assign IP address dynamically using IP address pool (lowest priority: Enabled by default) box.
15. From the Select IP Address Pool list, select the pool you created in step 2, and click the Update button.

Configuring Endpoint security
Creating a pre-logon sequence
One of the strong security features of the FirePass controller is the ability to set endpoint security at a very granular level. For this Deployment Guide, we illustrate how to configure a pre-logon sequence for inspections before a user logs on. For more information on endpoint security, see the FirePass documentation or the online help.
The pre-logon sequence allows administrators to create one or more sequences of inspections for items such as installed antivirus programs or OS patch levels. For this Deployment Guide, we configure a Windows Antivirus Checker.

To configure a pre-logon sequence
1. From the navigation pane, click Users, expand Endpoint Security, and click Pre-Logon Sequence.
2. In the New Sequence section at the bottom of the page, type a name for the sequence in the Create New Sequence box. In our example, we type exchangebasic.
3. From the Based on list, select template: Collect information with no pre-logon actions.
4. Click the Create button. The new sequence appears in the Select Sequence to Use table.

5. In the row of the sequence you just created, click the Edit button. The Pre-Logon Sequence Editor opens.
Warning: Do not click the radio button next to the sequence yet. If you click the radio button, the Edit link is replaced with the View link, and you are not able to edit the sequence.
6. Move the cursor between Sequence Start and Logon Allowed Page. An add [+] link appears on the arrow (see the circle marked 1 in Figure 1.21). Click the add link. The Change Sequence panel appears on the right.
7. Click the Check for Antiviruses option button, and click the Apply Changes button. The Edit Action panel opens.
Note: Check for Antiviruses is an optional feature on the FirePass controller. If your device does not have this license, you will not see this option.
8. Under Inspectors, click Windows Antivirus Checker. The Endpoint Inspector Details page opens in a new window.
9. Configure these options as applicable for your deployment. For more information, click Help.
10. Click the Update button.
11. In the Sequence pane, find AV installed, and click the associated Logon Denied Page link (see the circle marked 2 in Figure 1.21). The End Page Properties pane appears on the right.
12. From the Type box, select Logon Allowed Page. This allows a user to log on if they have an antivirus checker installed. You can optionally type a message for failed logons.
13. Optional: You can click the Logon Allowed Page or Logon Denied Page links for the other outcomes to produce a custom message when a user is denied access. You can also change the actions taken as a result of the virus checker's findings. For example, you might still want to allow a user to log in if there is virus checking software installed, but not currently running. In our example, we click Logon Denied Page next to Virus Detected, and type a message informing the user there is a virus on their computer, and they cannot log in.
14. When you are finished, click Back to Console in the upper right corner of the screen (see the circle marked 3 in Figure 1.21). You return to the Pre-Logon Sequence main page.
15. From the Select Sequence to Use section, click the option button next to the sequence you just created. In our example, we click exchangebasic.
16. Click the Apply button.
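The address pool rules in Configuring Network Access to the Exchange server (one internal address per concurrent user, and no overlap with the FirePass controller's own address) are easy to verify before you click Add. The following Python script is an added example, not FirePass code or part of the F5 guide. It applies those two rules and a third, assumed one that the guide does not state: the pool must not overlap the LAN address space you list for split tunneling, because the tunnel routes for that space would capture traffic to the pool addresses. PoolReport, the function names and the sample address 10.10.100.2 are made up for the example.

```python
"""Pre-flight checks for a FirePass Network Access IP address pool.

Added example (not part of the F5 guide). The split-tunnel overlap check is
an assumption about routing; the other two rules come from the guide.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PoolReport:
    pool: ipaddress.IPv4Network
    usable_addresses: int
    findings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def is_network_address(address: str, mask: str) -> bool:
    """True if address/mask has no host bits set, which is what the IP Address
    box expects (10.10.101.0 is a network address, 10.10.101.5 is not)."""
    try:
        ipaddress.IPv4Network(f"{address}/{mask}", strict=True)
        return True
    except ValueError:
        return False


def check_address_pool(network: str, mask: str, concurrent_users: int,
                       firepass_addresses=(), split_tunnel_lans=()) -> PoolReport:
    """Validate a pool before adding it. The report's findings list is empty
    when the pool satisfies every rule."""
    pool = ipaddress.IPv4Network(f"{network}/{mask}", strict=True)
    # The network and broadcast addresses are never handed to a client,
    # so a /24 such as 10.10.101.0/255.255.255.0 serves 254 users.
    usable = pool.num_addresses - 2 if pool.prefixlen <= 30 else pool.num_addresses
    report = PoolReport(pool, usable)

    # Rule from the guide's Important note: one address per concurrent user.
    if concurrent_users > usable:
        report.findings.append(
            f"{pool} offers {usable} addresses but {concurrent_users} "
            f"concurrent users are expected")

    # Rule from the guide's Warning: the FirePass address must not be in the pool.
    for addr in firepass_addresses:
        if ipaddress.IPv4Address(addr) in pool:
            report.findings.append(
                f"FirePass address {addr} lies inside {pool}; a client could be assigned it")

    # Assumed rule: split-tunnel LAN space must not overlap the pool.
    for lan in split_tunnel_lans:
        lan_net = ipaddress.IPv4Network(lan, strict=False)
        if pool.overlaps(lan_net):
            report.findings.append(
                f"{pool} overlaps split-tunnel LAN {lan_net}; tunnel routes would "
                f"capture traffic to pool addresses")
    return report
```

Call check_address_pool with the values you intend to type into the IP Address and Mask boxes, the controller's interface addresses, your peak concurrent session count and, if you use split tunneling, the LAN address space from step 10; fix every finding before applying the rules on the controller.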

Figure 1.21 The Pre-Logon Sequence Editor

Conclusion
The FirePass controller is now configured to allow secure remote access to Exchange-based email. Remember that the procedures in this Deployment Guide are specific to the scenario described in Configuration scenario, on page 57. Use this guide as a template, and modify the configuration as applicable to your deployment.

Appendix A: Backing up and restoring the BIG-IP LTM system configuration
We recommend saving your BIG-IP configuration before you begin this configuration. When you save the BIG-IP configuration, it collects the following critical data and compresses it into a single User Configuration Set (UCS) file:
- BIG-IP configuration files
- BIG-IP license and passwords
- SSL certificates
- SSH keys
Because the UCS file contains the private keys and credentials of the system, store it with the same protection you give the BIG-IP system itself and restrict who can read it.

Saving and restoring the BIG-IP configuration
The Configuration Management screen allows you to save and restore all configuration files that you may edit to configure a BIG-IP LTM system. These configuration files are called a User Configuration Set (UCS). The Configuration Management screen contains sections for saving and restoring a configuration. The list boxes in these sections display only files in the /usr/local/ucs directory. If you want to save or restore files from another directory, you must type the full path in the box.

To save the BIG-IP configuration using the Configuration utility
1. In the navigation pane, click System Admin. The User Administration screen displays.
2. Click the Configuration Management tab. The Configuration Management screen displays.
3. In the Save Current Configuration section, type the path where you want your configuration file saved or choose a path from the list box. If no path is specified, the BIG-IP saves files to /usr/local/ucs. The BIG-IP appends the extension .ucs to file names without it.
4. Click the Save button to save the configuration file.

To restore a BIG-IP configuration
1. In the navigation pane, click System Admin. The User Administration screen displays.
2. Click the Configuration Management tab. The Configuration Management screen displays.
3. In the Restore a Configuration section, choose the configuration file you want to restore from the list box, or type the path where your configuration files were saved.

4. Click the Restore button. To check the status of the restoration, click the View Log button. You should wait a few moments for the log file to start generating before you click View Log. Repeated clicking of this button will update your screen with the most current log file information until the restoration is complete.

2 Deploying F5 and Microsoft Exchange Server 2007 Edge Transport Servers
- Configuring the BIG-IP LTM system for deployment with Exchange 2007 Edge Transport Servers
- Configuring the Message Security Module with Exchange 2007 Edge Transport Servers
- Configuring the BIG-IP Global Traffic Manager with Exchange 2007 Edge Transport Servers

Deploying F5 and Microsoft Exchange Server 2007 Edge Transport Servers
This chapter gives you step-by-step procedures for configuring F5 products for deployment with the Edge Transport Server component of Exchange Server 2007.
In Exchange 2007, the Edge Transport server role is usually deployed in your organization's perimeter network on stand-alone servers. Designed to minimize the attack surface, the Edge Transport server handles all Internet-facing mail flow, which provides Simple Mail Transfer Protocol (SMTP) relay and smart host services for the Exchange organization. Edge Transport servers also include anti-spam and antivirus features, which block viruses and spam, or unsolicited commercial e-mail, at the network perimeter.
For more information on the Edge Transport Server role, see http://www.microsoft.com/technet/prodtechnol/exchange/2007/edge.mspx?wt.svl=2007resources
For more information on Microsoft Exchange Server 2007, see http://www.microsoft.com/exchange/default.mspx.
For more information on F5 products and features, see http://www.f5.com/products/.

Prerequisites and configuration notes
The following are prerequisites and configuration notes for this deployment:
- This guide is written for the Edge Transport Server component of Microsoft Exchange Server 2007.
- This chapter contains procedures on configuring multiple F5 products and/or modules. To perform certain procedures, you must own the appropriate product or have licensed the relevant module. These sections are clearly marked.
- All of the configuration procedures in this document are performed on F5 devices. For information on how to deploy or configure Microsoft Exchange Server 2007, consult the appropriate Microsoft documentation.

Configuration example
As Edge Transport Servers are most often located on or near the perimeter of an organization's networks, it is possible to deploy Edge Transport servers in more than one datacenter. Any or all of those Edge Transport servers may be involved in relaying mail.

In the following deployment, the BIG-IP LTM system provides local traffic management and uses SMTP health monitors to check the availability of the Edge Transport servers. We also use the Message Security Module (MSM) to provide the first line of defense against spam. MSM can eliminate up to 70% of unwanted email before letting the Edge Transport servers handle the rest. We also enable the GTM module in two data centers, set up active monitoring of the status of Local Traffic Manager virtual servers that are in front of Edge Transport server pools, establish a DNS record for the mail service, and build policies which direct incoming email appropriately.
Figure 2.1 Logical configuration example
The example in Figure 2.1 is a logical representation of this deployment. Your configuration may be dramatically different than the one shown.
This deployment guide is broken up into the following sections:
- Configuring the BIG-IP LTM system for deployment with Exchange 2007 Edge Transport Servers, on page 2-3
- Configuring the Message Security Module with Exchange 2007 Edge Transport Servers, on page 2-10
- Configuring the BIG-IP Global Traffic Manager with Exchange 2007 Edge Transport Servers, on page 2-19
F5 Deployment Guide for Microsoft Exchange Server 2007 2-2

Configuring the BIG-IP LTM system for deployment with Exchange 2007 Edge Transport Servers
To configure the BIG-IP and Edge Transport servers for integration, you need to complete the following procedures:
- Connecting to the BIG-IP device
- Creating the health monitor
- Creating the pool
- Creating a tcp profile
- Creating the virtual server
- Synchronizing the BIG-IP configuration if using a redundant system
Tip: We recommend you save your existing BIG-IP configuration before you begin the procedures in this Deployment Guide. To save your BIG-IP configuration, see Appendix A: Backing up and restoring the BIG-IP LTM system configuration, on page 2-30.
The BIG-IP LTM system offers both web-based and command line configuration tools, so that users can work in the environment that they are most comfortable with. This Deployment Guide contains procedures to configure the BIG-IP LTM system using the BIG-IP web-based Configuration utility only. If you are familiar with using the bigpipe command line interface you can use the command line to configure the BIG-IP device; however, we recommend using the Configuration utility.

Connecting to the BIG-IP device
Use the following procedure to access the BIG-IP web-based Configuration utility using a web browser.

To connect to the BIG-IP LTM system using the Configuration utility
1. In a browser, type the following URL: https://<administrative IP address of the BIG-IP device>
A Security Alert dialog box appears because the management interface uses a self-signed certificate by default; verify the certificate fingerprint against the device before you click Yes. The authorization dialog box appears.
2. Type your user name and password, and click OK. The Welcome screen opens.

Once you are logged on to the BIG-IP LTM system, the Welcome screen of the Configuration utility opens. From the Configuration utility, you can configure and monitor the BIG-IP LTM system, as well as access online help, download SNMP MIBs and plug-ins, and even search for specific objects.

Creating the health monitor
The first step is to set up a health monitor for the Edge Transport Servers. This procedure is optional, but very strongly recommended. For this configuration, we create an SMTP health monitor, based on the default SMTP monitor.

To configure an SMTP health monitor
1. On the Main tab, expand Local Traffic, and then click Monitors. The Monitors screen opens.
2. Click the Create button. The New Monitor screen opens.
3. In the Name box, type a name for the Monitor. In our example, we type exch_et_smtp.
4. From the Type list, select SMTP. The SMTP Monitor configuration options appear. You can optionally select Advanced from the Configuration list for more options.
5. In the Configuration section, in the Interval and Timeout boxes, type an Interval and Timeout. We recommend a timeout of at least three times the interval plus one second (for example, the default setting has an interval of 5 and a timeout of 16). In our example, we use an Interval of 30 and a Timeout of 91.
6. In the Domain box, type the domain name to check. In our example, we type exch.f5.com
7. Click the Finished button (see Figure 2.2). The new monitor is added to the Monitor list.
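When a monitor marks a member down it is useful to reproduce, from another host, the exchange the BIG-IP LTM system performs. The following Python script is an added example and is not part of the F5 guide or the BIG-IP code. It implements an SMTP check that matches the monitor above (read the 220 banner, send HELO with the Domain value, expect 250, then QUIT), a POP3 greeting check for the port 110 pool members of the Client Access chapter (pass an ssl.SSLContext to check the port 995 virtual server instead), and the interval-to-timeout rule from step 5. The assumption that the BIG-IP SMTP monitor greets with HELO is ours; the host name edge1.exch.f5.com and the fake SMTP and POP3 responders are constructed test doubles so the script runs offline.

```python
"""Active SMTP and POP3 health checks modelled on the BIG-IP monitors.

Added example (not part of the F5 guide). start_fake_server() and the
edge1.exch.f5.com banner are constructed test doubles for offline use.
"""
import socket
import ssl
import threading


def monitor_timeout(interval: int) -> int:
    """Timeout from the guide's rule of three times the interval plus one
    second: interval 5 -> 16, interval 30 -> 91."""
    return 3 * interval + 1


def _read_reply(f) -> list:
    """Read one SMTP reply. Continuation lines look like '250-...'; the
    final line has a space as its fourth character ('250 ...')."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            return lines
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return lines


def smtp_check(host: str, port: int, domain: str, timeout: float) -> bool:
    """True if the server greets with 220 and answers HELO <domain> with 250
    (assumed to be the exchange the BIG-IP SMTP monitor makes)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock, \
                sock.makefile("rwb") as f:
            banner = _read_reply(f)
            if not banner or not banner[-1].startswith("220"):
                return False
            f.write(f"HELO {domain}\r\n".encode("ascii"))
            f.flush()
            reply = _read_reply(f)
            f.write(b"QUIT\r\n")
            f.flush()
            return bool(reply) and reply[-1].startswith("250")
    except OSError:  # refused, reset, timed out, or TLS failure
        return False


def pop3_check(host: str, port: int, timeout: float,
               tls_context: ssl.SSLContext = None) -> bool:
    """True if the server sends a '+OK' greeting. Give a TLS context to test
    the virtual server on 995; omit it for a plain pool member on 110."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        if tls_context is not None:
            sock = tls_context.wrap_socket(sock, server_hostname=host)
        with sock, sock.makefile("rwb") as f:
            greeting = f.readline().decode("ascii", "replace")
            f.write(b"QUIT\r\n")
            f.flush()
            return greeting.startswith("+OK")
    except OSError:
        return False


def start_fake_server(kind: str):
    """Constructed test double: a minimal SMTP or POP3 responder on 127.0.0.1.
    Returns (port, stop); stop() closes the listening socket."""
    banner = b"220 edge1.exch.f5.com ESMTP\r\n" if kind == "smtp" else b"+OK POP3 ready\r\n"
    answer = (b"250-edge1.exch.f5.com\r\n250 SIZE 10485760\r\n" if kind == "smtp"
              else b"-ERR unsupported\r\n")
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def handle(conn):
        try:
            with conn, conn.makefile("rwb") as f:
                f.write(banner)
                f.flush()
                while True:
                    line = f.readline()
                    if not line or line.upper().startswith(b"QUIT"):
                        break
                    f.write(answer)  # same multi-line reply to every command
                    f.flush()
        except OSError:
            pass

    def serve():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:  # listener closed by stop()
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1], listener.close


def unused_port() -> int:
    """A port nothing listens on, for exercising the failure path."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port
```

Run smtp_check against each Edge Transport server on port 25 with the same Domain value and timeout you gave the monitor; a False result from the script for a member the BIG-IP reports up, or the reverse, points at a network path difference between the monitoring host and the BIG-IP rather than at the server.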

Figure 2.2 Creating the SMTP Monitor

Creating the pool
The next step in this configuration is to create a pool on the BIG-IP LTM system for the Edge Transport Servers. A BIG-IP pool is a set of devices grouped together to receive traffic according to a load balancing method.

To create the pool
1. On the Main tab, expand Local Traffic, and then click Pools. The Pool screen opens.
2. In the upper right portion of the screen, click the Create button. The New Pool screen opens.
Note: For more (optional) pool configuration settings, from the Configuration list, select Advanced. Configure these settings as applicable for your network.
3. In the Name box, enter a name for your pool. In our example, we use exch_et_pool.
4. In the Health Monitors section, select the name of the monitor you created in the Creating the health monitor section, and click the Add (<<) button. In our example, we select exch_et_smtp.
5. From the Load Balancing Method list, choose your preferred load balancing method (different load balancing methods may yield optimal results for a particular network). In our example, we select Least Connections (node).
6. For this pool, we leave the Priority Group Activation Disabled.
7. In the New Members section, make sure the New Address option button is selected.

8. In the Address box, add the first server to the pool. In our example, we type 10.133.20.53.
9. In the Service Port section, select SMTP from the list, or type 25.
10. Click the Add button to add the member to the list.
11. Repeat steps 8-10 for each server you want to add to the pool. In our example, we repeat these steps once for the remaining server, 10.133.20.54.
12. Click the Finished button (see Figure 2.3).

Figure 2.3 Creating the Edge Transport Server pool

Creating a TCP profile

BIG-IP version 9.0 and later uses profiles. A profile is an object that contains user-configurable settings, with default values, for controlling the behavior of a particular type of network traffic, such as HTTP connections. Using profiles enhances your control over managing network traffic, and makes traffic-management tasks easier and more efficient.

Although it is possible to use the default profiles, we strongly recommend you create new profiles based on the default parent profiles. Creating new profiles allows you to easily modify the profile settings specific to this deployment, and ensures you do not accidentally overwrite the default profile.

For this configuration, the only profile we create is a TCP profile. In our example, we leave all the options at their default settings. You can configure these options as appropriate for your network.

To create a new TCP profile based on the default TCP profile
1. On the Main tab, expand Local Traffic.
2. Click Profiles. The HTTP Profiles screen opens.
3. On the Menu bar, from the Protocol menu, select TCP.
4. In the upper right portion of the screen, click the Create button. The New TCP Profile screen opens.
5. In the Name box, type a name for this profile. In our example, we type exch_et_tcp.
6. Modify any of the settings as applicable for your network. In our example, we leave the settings at their default levels.
7. Click the Finished button.

For more information on creating or modifying profiles, or applying profiles in general, see the BIG-IP documentation.

Creating the virtual server

Next, we configure a virtual server on the BIG-IP LTM system that references the pool and profile you just created.

To create a virtual server
1. On the Main tab, expand Local Traffic, and then click Virtual Servers. The Virtual Servers screen opens.
2. In the upper right portion of the screen, click the Create button. The New Virtual Server screen opens.
3. In the Name box, type a name for this virtual server. In our example, we type exch_et_virtual.
4. In the Destination section, select the Host option button.
5. In the Address box, type the IP address of this virtual server. In our example, we use 10.133.20.200.

6. In the Service Port section, select SMTP from the list, or type 25.

Figure 2.4 Adding the Edge Transport virtual server

7. In the Configuration section, select Advanced from the list. The Advanced configuration options appear.
8. From the Protocol Profile (Client) list, select the name of the profile you created in the Creating a TCP profile section. In our example, we select exch_et_tcp (see Figure 2.4).
9. In the Resources section, from the Default Pool list, select the pool you created in the Creating the pool section. In our example, we select exch_et_pool (see Figure 2.5).
10. Click the Finished button.

Figure 2.5 Resources section of the Add Virtual Server screen

Synchronizing the BIG-IP configuration if using a redundant system

If you are using a redundant BIG-IP configuration, the final step is to synchronize the configuration to the peer BIG-IP device.

To synchronize the configuration using the Configuration utility
1. On the Main tab, expand System.
2. Click High Availability. The Redundancy screen opens.
3. On the Menu bar, click ConfigSync.
4. Click the Self --> Peer button. The configuration synchronizes with its peer.

Configuring the Message Security Module with Exchange 2007 Edge Transport Servers

The Message Security Module (MSM) identifies and blocks unwanted email at the edge of your network. You configure MSM to block known and malicious spam senders, and keep them from filling your network with unwanted email. Blocking unwanted email at the edge of your network minimizes the resource load on your network and associated devices like Exchange Server 2007.

MSM includes a real-time subscription to Secure Computing TrustedSource, and email filtering capabilities for the BIG-IP system. TrustedSource is an industry-leading system for evaluating the safety of email sources, and for scoring the reputation of the IP addresses from which email originates.

We recommend that you use MSM as a spam volume-control solution in addition to the existing, content-based email filtering solutions that are already installed on your network, like those provided with Exchange 2007 Edge Transport servers. This combination provides more complete protection for your network than either solution alone.

For more information on the Message Security Module, see the documentation available on Ask F5.

Prerequisites and configuration notes

The following are prerequisites and configuration notes specific to the Message Security Module:
- You must have purchased the Message Security Module. For more information about purchasing the Message Security Module, contact your sales representative.
- MSM is available with BIG-IP LTM version 9.4 and later.
- We assume you have already installed and licensed the Message Security Module. For more information on installing and licensing MSM, see the MSM documentation available on Ask F5.
- You must have command line access to the root directory of the BIG-IP system. This means that you must be assigned the Administrator role with access to the root directory of the system.
Accessing the Configuration utility

To perform the tasks necessary to configure the BIG-IP Message Security Module, you first access the BIG-IP system web-based Configuration utility.

To access the Configuration utility
1. In a browser, type the following URL: https://<administrative IP address of the BIG-IP system>
A Security Alert dialog box appears.
2. Accept the certificate. The authorization dialog box appears.
3. Type your user name and password, and then click OK. The Configuration utility opens, displaying the Welcome screen.

Configuring MSM to manage traffic to your Edge Transport Servers

The BIG-IP Message Security Module installation creates a data group named MSM_config, and adds the following three variables and default attributes to the data group:

trusted_pool:good_mail
suspect_pool:maybe_mail
quarantine_pool:quarantine_mail

These variables correspond to the IP address reputation scores that TrustedSource assigns to the sources requesting connection to your network (as shown in Table 1 on page 2-11). The default value for each variable is the name of a pool of mail servers to which MSM directs a specified kind of traffic, as shown in Table 1.

Table 1 Default values of three variables in MSM_config

Variable in MSM_config   Default value
trusted_pool             good_mail (This is the name of the pool of mail servers to which MSM load balances mail from trusted sources.)
suspect_pool             maybe_mail (This is the name of the pool of mail servers to which MSM load balances mail from suspect sources. That is, mail that you want your existing email filtering systems to scan.)
quarantine_pool          quarantine_mail (This is the name of the pool of mail servers to which MSM load balances mail that you want to quarantine on your network for possible manual analysis.)

Creating the pools

You can create the three pools described in Table 1, or you can use existing pools to manage your email traffic. In our example, we create two new pools, and we change the good_mail pool name to the name of the pool we created for the Exchange 2007 Edge Transport servers in Creating the pool, on page 2-5. If you want to use other existing pools, you need to follow the procedure Modifying the names of variables in the MSM_config data group, on page 2-13.

The following procedure provides step-by-step instructions for creating the pools that the MSM_config data group references by default. If you decide to create these pools, we recommend that you create at least the maybe_mail and quarantine_mail pools. For example, if you want all email that is sent to your system to be sent to your existing email filtering applications, you do not need to create a pool to which MSM directs trusted email traffic. Instead, you can use the maybe_mail pool as an attribute for both the trusted_pool and suspect_pool variables of the MSM_config data group. For instructions on making this modification, see Modifying the names of variables in the MSM_config data group, on page 2-13.

To create load balancing pools
1. On the Main tab, expand Local Traffic, and click Pools. The Pool screen opens.
2. In the upper right portion of the screen, click the Create button. The New Pool screen opens.
3. To display more (optional) pool configuration settings, select Advanced from the Configuration list. You can configure the additional settings as applicable for your network.
4. In the Name box, type a name for this pool. In our example, we type maybe_mail, the name of the pool referenced by the suspect_pool variable.
5. Select a health monitor appropriate for your configuration.
6. From the Load Balancing Method list, select your preferred load balancing method. (It is important to note that different load balancing methods yield optimal results for different network configurations.)
7. When you create the pool to which the system sends trusted email, do not change the Priority Group Activation. This pool uses the default, Disabled. When you create the other pools, select the option that is appropriate for your network.
8. In the New Members section, make sure the New Address option button is selected.
9. In the Address box, type the IP address of the first email server that you want to add to this pool, for example, 10.10.100.151.
10. In the Service Port box, type the service port that you want to use for this pool, or select a service port from the list.

11. Click the Add button to add the member to the list.
12. Repeat steps 8-11 for each email server that you want to add to this pool.
13. Click the Finished button.
14. Repeat steps 2-13 to create a pool for each of the other categories of email that you want the system to filter. You must make sure your pool names match the pools referenced by the variables, or you must modify the names of the variables in the MSM_config data group, as shown in the following section. In our example, we create one additional pool named quarantine_mail.

Modifying the names of variables in the MSM_config data group

As described earlier in Configuring MSM to manage traffic to your Edge Transport Servers, on page 2-11, the BIG-IP Message Security Module installation creates a data group named MSM_config, and adds the following three variables and default attributes to the data group:

trusted_pool:good_mail
suspect_pool:maybe_mail
quarantine_pool:quarantine_mail

In our example, we want trusted mail to be sent to the Exchange 2007 Edge Transport server pool we already created, so we change the string record for trusted_pool to use exch_et_pool. If the other pools you created have different names than the pool names in these three strings, you must modify the string records in the MSM_config data group. Note that the pool names are the names following the colons in the strings; for example, in the string suspect_pool:maybe_mail, the pool name is maybe_mail.

The following procedure describes how to modify MSM_config. Figure 2.6 shows the screen that you use to modify MSM_config.

Figure 2.6 Modifying the variable names in the MSM_config data group

To modify the MSM_config data group
1. On the Main tab, expand Local Traffic, and then click iRules. The iRules screen opens.
2. On the menu bar, click Data Group List. The Data Groups screen opens.
3. In the Name column, click MSM_config. The MSM_config Properties screen opens.
4. In the Records area, modify the string records that represent the load balancing pools that handle the email on your system.
a) In the String Records list, select the string that you want to modify to match the pool you created, and then click the Edit button. The string displays in the String box.
b) Change good_mail to the name of the pool you created in Creating the pool, on page 2-5. In our example, we change it to trusted_pool:exch_et_pool. Click the Add button (Figure 2.7 shows what our modified data group looks like).
c) Repeat steps 4a and 4b for each of the strings that you want to modify that identifies a pool that you created. Remember that the following three string records must exactly match the names of the pools you created:

trusted_pool:<pool_name>
This is the name of the pool that you created to which the system load balances trusted email connections. For example: trusted_pool:exch_et_pool

suspect_pool:<pool_name>
This is the name of the pool that you created to which the system load balances moderately scored email connections. For example: suspect_pool:maybe_mail

quarantine_pool:<pool_name>
This is the name of the pool that you created to which the system load balances poorly scored email connections. For example: quarantine_pool:quarantine_mail

Figure 2.7 Modified MSM_config data group

5. Modify the strings that represent the threshold values in the MSM_config data group.
a) In the String Records list, select the string that you want to modify, and then click the Edit button. The string displays in the String box.
b) Modify the string, and then click the Add button. The modified string displays in the String box.

The four strings that determine which IP address reputation scores force connections to which load balancing pools on your system are shown below with the default value for each string. You can modify any of these strings:

trusted:-50
suspect:25
refuse:80
quarantine:50

6. Click the Finished button.
7. After creating or updating the data group, you must force MSM to re-initialize the class data. To do this:
a) Open an SSH client and log in to the BIG-IP system as an administrator.
b) Run the following command from the command line:
# MSM_init
This loads the MSM data class and initializes the new values.

Configuring MSM to accept all connections

By default, the BIG-IP Message Security Module drops connections from sources that have a TrustedSource IP address reputation score in the +81 through +140 range. However, you can configure MSM to route all connections to your network. With this configuration, MSM continues to collect statistics on connections in the +81 through +140 range. For statistical purposes, MSM classifies these connections as dropped connections. This enables you to evaluate the statistics and determine how you want to customize the MSM configuration for your network.

To do this, you modify the no_drop variable in the MSM_config data group. By default, the no_drop variable is set to 0 (zero), which means that the system drops all connections with a TrustedSource IP address reputation score in the +81 through +140 range. When you set the no_drop variable to 1 (one), the system load balances all connections with a TrustedSource IP address reputation score in the +81 through +140 range to the quarantine_pool.

To configure MSM to accept all connections
1. On the Main tab, expand Local Traffic, and then click iRules. The iRules screen opens.
2. On the menu bar, click Data Group List. The Data Groups screen opens.
3. In the Name column, click MSM_config. The MSM_config Properties screen opens.

4. Select the no_drop string record, and then click the Edit button. The string displays in the String box.
5. Change the attribute to 1 (one), and then click the Add button. The string displays in the String box.
6. Click the Finished button. Now MSM collects statistics on all connections without dropping any connections.
7. After creating or updating the data group, you must force MSM to re-initialize the class data. To do this:
a) Open an SSH client and log in to the BIG-IP system as an administrator.
b) Run the following command from the command line:
# MSM_init
This loads the MSM data class and initializes the new value that you set for the no_drop string record.

Modifying the virtual server

The next step is to modify the virtual server you created in Creating the virtual server, on page 2-7, to reference the iRule that the BIG-IP Message Security Module installation process creates.

Important: If your system is already configured to handle SMTP traffic, you do not have to create a new virtual server for this purpose, but you must configure your existing SMTP virtual server by performing steps 7-10, following.

To create an SMTP virtual server
1. On the Main tab, expand Local Traffic, and then click Virtual Servers. The Virtual Servers screen opens.
2. From the Virtual Server list, click the name of the virtual server you created in Creating the virtual server, on page 2-7. In our example, we select exch_et_virtual.
3. From the Configuration list, select Advanced.
4. From the Statistics Profile list, select MSM_reputation. (This is the Statistics profile that the MSM installation process created.)
5. Click the Update button.
6. On the menu bar, click Resources.
7. In the iRules section, click the Manage button.

8. From the iRules Available list, select MSM_reputation, and click the Add (<<) button to move the iRule to the Enabled list. (This is the iRule that the MSM installation process created.)
9. Click the Finished button.

The Message Security Module configuration is now complete.
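The following Python is an added example, not F5 code, that models the MSM_config string records this section walks through: it parses the key:value records, checks that every *_pool record names a pool that actually exists on the system (the mismatch the pool procedure warns about), and shows where a given TrustedSource score lands with no_drop at 0 and at 1. The record names and default values are the ones from this guide; the pool list is constructed, and the exact score band boundaries are an assumption, since the guide only states the +81 through +140 drop range.

```python
"""Model of MSM_config routing (added example; boundaries are assumptions)."""

# Constructed sample of the MSM_config string records after the trusted_pool
# record has been changed to the Edge Transport pool, as in this guide.
SAMPLE_RECORDS = [
    "trusted_pool:exch_et_pool",
    "suspect_pool:maybe_mail",
    "quarantine_pool:quarantine_mail",
    "trusted:-50",
    "suspect:25",
    "quarantine:50",
    "refuse:80",
    "no_drop:0",
]

# Constructed list of LTM pool names that exist on the system.
SAMPLE_POOLS = {"exch_et_pool", "maybe_mail", "quarantine_mail"}

POOL_KEYS = ("trusted_pool", "suspect_pool", "quarantine_pool")
THRESHOLD_KEYS = ("trusted", "suspect", "quarantine", "refuse")


def parse_records(records):
    """Split 'key:value' string records into a dict.

    The pool name is whatever follows the first colon, exactly as the guide
    describes for records such as suspect_pool:maybe_mail.
    """
    cfg = {}
    for rec in records:
        key, sep, value = rec.partition(":")
        if not sep or not key.strip():
            raise ValueError(f"malformed MSM_config record: {rec!r}")
        cfg[key.strip()] = value.strip()
    return cfg


def validate(cfg, existing_pools):
    """Return a list of problems that would make MSM misroute mail."""
    problems = []
    for key in POOL_KEYS:
        pool = cfg.get(key)
        if pool is None:
            problems.append(f"missing record {key}")
        elif pool not in existing_pools:
            problems.append(f"{key} references pool {pool!r}, which does not exist")
    try:
        t = {k: int(cfg[k]) for k in THRESHOLD_KEYS}
    except (KeyError, ValueError) as exc:
        problems.append(f"bad or missing threshold record: {exc}")
        return problems
    # Assumption: thresholds carve disjoint score bands, so they must increase
    # (the defaults -50 < 25 < 50 < 80 do).
    if not (t["trusted"] < t["suspect"] < t["quarantine"] < t["refuse"]):
        problems.append("thresholds must satisfy trusted < suspect < quarantine < refuse")
    if cfg.get("no_drop", "0") not in ("0", "1"):
        problems.append("no_drop must be 0 or 1")
    return problems


def route(cfg, score):
    """Classify a TrustedSource score; returns (band, target pool or None).

    Assumed boundaries (the guide states only that +81..+140 is dropped):
      score > refuse              -> dropped, or quarantine_pool when no_drop is 1
      quarantine < score <= refuse -> quarantine_pool
      suspect < score <= quarantine -> suspect_pool
      trusted < score <= suspect  -> 'neutral', also sent to suspect_pool
      score <= trusted            -> trusted_pool
    """
    t = {k: int(cfg[k]) for k in THRESHOLD_KEYS}
    if score > t["refuse"]:
        if cfg.get("no_drop", "0") == "1":
            return "refuse", cfg["quarantine_pool"]
        return "refuse", None
    if score > t["quarantine"]:
        return "quarantine", cfg["quarantine_pool"]
    if score > t["suspect"]:
        return "suspect", cfg["suspect_pool"]
    if score > t["trusted"]:
        return "neutral", cfg["suspect_pool"]
    return "trusted", cfg["trusted_pool"]


if __name__ == "__main__":
    cfg = parse_records(SAMPLE_RECORDS)
    print("problems:", validate(cfg, SAMPLE_POOLS) or "none")
    for s in (-100, 0, 30, 60, 81, 140):
        print(f"score {s:>4}: no_drop=0 -> {route(cfg, s)}  "
              f"no_drop=1 -> {route(dict(cfg, no_drop='1'), s)}")
```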

Configuring the BIG-IP Global Traffic Manager with Exchange 2007 Edge Transport Servers

The Edge Transport role for Microsoft Exchange 2007 provides inbound and outbound SMTP connectivity between an Exchange organization and other mail services, including all other Internet email users. More information on the Edge Transport server role may be found at http://www.microsoft.com/technet/prodtechnol/exchange/2007/edge.mspx?wt.svl=2007resources

Most often located on or near the perimeter of an organization's networks, Edge Transport servers can be deployed in more than one datacenter. Any or all of those Edge Transport servers may be involved in relaying mail.

Traditional methods of providing high availability to public-facing SMTP mail relays involve using a combination of simple round-robin DNS and multiple MX (mail exchange) DNS records that statically list two or more delivery locations, with fixed priority levels. Those methods do not provide true load balancing, do not permit dynamic redirection based on performance, and make it difficult to perform maintenance or cope with localized outages in predictable and controllable ways.

Using F5's Global Traffic Manager (GTM) allows mail administrators to define policies which take into account real-time availability and performance of all Edge Transport servers, plan and easily initiate local maintenance outages without disrupting service, and remain highly available even in the event of a disaster.

Configuring a self IP address on the BIG-IP LTM

The first task in this configuration is to create a unique self IP address on the BIG-IP LTM system for use by the GTM. You need a unique self IP address for each redundant pair of BIG-IP LTM devices in this configuration, so if you have multiple pairs of BIG-IP LTMs you need a unique self IP for each one. The IP address you choose, and the VLAN to which you assign it, must be accessible by any clients that will be performing DNS queries against the GTM. It may be a private IP address if a Network Address Translation (NAT) device, such as a BIG-IP LTM, a firewall, or a router, is providing a public address and forwarding DNS traffic to the listener.

To create a self IP address
1. On the Main tab, expand Network, and then click Self IPs. The Self IP screen opens.
2. Click the Create button. The new Self IP screen opens.

3. In the IP Address box, type an IP address in the appropriate VLAN (the VLAN you choose in step 5). In our example, we type 10.133.20.70.
4. In the Netmask box, type the corresponding subnet mask. In our example, we type 255.255.255.0.
5. From the VLAN list, select the appropriate VLAN.
6. Click the Finished button. The new self IP address appears in the list.

Creating a Listener on the GTM

The next task is to create a listener on the BIG-IP GTM system. A listener instructs the Global Traffic Manager to listen for network traffic destined for a specific IP address. In our case, this specific IP address is the self IP address on the LTM system we just created.

To create a listener on the GTM system
1. On the Main tab of the navigation pane, expand Global Traffic and then click Listeners. The main listeners screen opens.
2. Click the Create button.
3. In the Destination box, type the self IP address you created in Configuring a self IP address on the BIG-IP LTM, on page 2-19. In our example, we type 10.133.20.70 (see Figure 2.8).
4. Leave the VLAN Traffic list set to All VLANs.
5. Click the Finished button.
6. Repeat this procedure for any additional self IP addresses you configured in the Configuring a self IP address on the BIG-IP LTM section.

Figure 2.8 Creating a new listener

Creating data centers on the GTM system

The next step is to create data centers on the GTM system for each real-world location that will host globally load balanced Edge Transport servers. A data center defines the group of Global Traffic Managers, Local Traffic Managers, host systems, and links that share the same subnet on the network. In our example, we created a Seattle data center and a New York data center.

To create a new Datacenter on the GTM system
1. On the Main tab of the navigation pane, expand Global Traffic and click Data Centers. The main screen for data centers opens.
2. Click the Create button. The New Data Center screen opens.
3. In the Name box, type a name for this datacenter. In our example, we type Seattle DC.
4. In the Location box, type a location that describes the physical location of the data center. In our example, we type Seattle, Washington.
5. In the Contact box, type the name of the person responsible for managing the network at the data center. In our example, we type admin@f5seattledatacenter.com.
6. Make sure the State list remains at Enabled (see Figure 2.9).
7. Click the Finished button.
8. Repeat this procedure for each of your data centers. In our example, we repeat the procedure once for our New York data center.

Figure 2.9 Creating a new GTM data center

Creating the monitor

The next task is to create a monitor on the GTM system. Monitors verify connections on pools and virtual servers and are designed to check the status of a pool or virtual server on an ongoing basis, at a set interval. If a pool or virtual server being checked does not respond within a specified timeout period, or the status of a pool or virtual server indicates that performance is degraded, then the Global Traffic Manager can redirect the traffic to another resource.

In our example, we create an SMTP monitor, which issues standard Simple Mail Transfer Protocol (SMTP) commands to ensure that the BIG-IP LTM virtual server, which contains the Edge Transport server pool, is available. You can configure a monitor most appropriate for your configuration. Although it is possible to use the default monitor, we recommend creating a new monitor based on the default monitor, which enables you to configure specific options.

To create a BIG-IP health monitor
1. On the Main tab of the navigation pane, expand Global Traffic and then click Monitors.
2. Click the Create button. The New Monitor screen opens.
3. In the Name box, type a name for the monitor. In our example, we type gtm_smtp.
4. From the Type list, select SMTP.
5. Configure the options as applicable for your deployment. In our example, we leave the options at their default levels.
6. Click the Finished button. The new monitor is added to the list.

Creating Servers for the data center

The next task is to create a GTM Server for the data centers. A server defines a specific system on the network. In this deployment, the GTM servers are the BIG-IP LTM systems we configured earlier in this guide.

To create a GTM server
1. On the Main tab of the navigation pane, expand Global Traffic and click Servers. The main screen for servers opens.
2. Click the Create button. The New Server screen opens.
3. In the Name box, type a name that identifies the Local Traffic Manager. In our example, we type Seattle_BIG-IP.

4. From the Product list, select either BIG-IP System (Single) or BIG-IP System (Redundant) depending on your configuration. In our example, we select BIG-IP System (Redundant).
5. From the Address List section, in the Address box, type the self IP address of the BIG-IP LTM device, and then click the Add button. In our example, we type 10.133.20.227.
6. If you selected BIG-IP System (Redundant) in Step 4, from the Peer Address List section, in the Address box, type the self IP address of the redundant BIG-IP LTM device, and then click the Add button.
Note: Do not use a floating IP address of the redundant pair. Do not use the administrative interface of either member of a redundant pair.
7. From the Data Center list, select the name of the data center you created in the Creating data centers on the GTM system section. In our example, we select Seattle DC.
8. In the Health Monitors section, from the Available list, select the name of the monitor you created in the Creating the monitor section, and click the Add (<<) button. In our example, we select gtm_smtp.
9. In the Resources section, from the Virtual Server Discovery list, choose an option. We recommend Enabled (No Delete). With this option, the GTM discovers all the virtual servers you have configured on the LTM(s) via iControl, and updates, but does not delete, them.
10. Click the Finished button (see Figure 2.10).

Figure 2.10 Creating a GTM server

Creating a GTM pool

The next task is to create a pool on the GTM device that contains the BIG-IP LTM virtual server.

To create a pool on the GTM
1. On the Main tab of the navigation pane, expand Global Traffic and click Pools (located under Wide IPs).
2. Click the Create button. The New Pool screen opens.

3. In the Name box, type a name for the pool. In our example, we type Seattle_pool.
4. In the Health Monitors section, from the Available list, select the name of the monitor you created in the Creating the monitor section, and click the Add (<<) button. In our example, we select gtm_smtp.
5. In the Load Balancing Method section, choose the load balancing methods from the lists appropriate for your configuration. In our example, we select Global Availability, Round Robin, and Return to DNS, in that order.
6. In our example, we leave the Fallback IP box blank.
7. In the Member List section, from the Virtual Server list, select the virtual server you created in Creating the virtual server, on page 2-7, and click the Add button. Note that you must select the virtual server by IP Address and port number combination. In our example, we select 10.133.20.200:25. If you have additional virtual servers for the Edge Transport servers configured on the BIG-IP LTM system, repeat this step.
8. Click the Finished button.

Figure 2.11 Creating a pool on the GTM

Creating a wide IP on the GTM

The next task is to create a wide IP on the GTM system. A wide IP is a mapping of a fully-qualified domain name (FQDN) to a set of virtual servers that host the domain's content.

To create a wide IP on the GTM system
1. On the Main tab of the navigation pane, expand Global Traffic and click Wide IPs.
2. Click the Create button. The New Wide IP screen opens.
3. In the Name box, type a name for the Wide IP. In our example, we type mail.example.com.
4. In our example, we are not using any iRules, so we skip the iRule section. Configure as appropriate for your deployment.
5. In the Pools section, from the Load Balancing Method list, select a load balancing method. In our example, we select Global Availability. Global Availability instructs the GTM to select the first pool in the wide IP until it becomes unavailable, at which point it selects the next pool until the first pool becomes available again. In our example, the GTM sends all incoming email to the first-listed pool, Seattle_pool. If that pool is unavailable, all incoming email is sent to the next-listed pool, NewYork_pool. If you wish to distribute incoming email among multiple pools, select another method, such as Ratio. Consult the online documentation or the product manual for more details about load balancing methods.
6. From the Pool List section, from the Pool list, select the name of the pool you created in the Creating a GTM pool section, and then click the Add button. In our example, we select Seattle_pool. Repeat this step for any additional pools. In our example, we repeat one time for the NewYork_pool.
7. All other settings are optional; configure them as appropriate for your deployment.
8. Click the Finished button (see Figure 2.12).

Figure 2.12 Creating a new Wide IP on the GTM system

The next task is to add the newly-created Wide IP as an MX record in your DNS system. If using the GTM as your primary DNS system, this is done through the ZoneRunner utility.

Configuring the Wide IP as an MX record using ZoneRunner

The final task in this configuration is to configure the Wide IP as an MX record in a DNS system. In our example, we are using the GTM system as our primary DNS, and use ZoneRunner to add the Wide IP as an MX record.

The ZoneRunner utility is an advanced feature of the Global Traffic Manager. We highly recommend that you become familiar with the various aspects of BIND and DNS before you use this feature. For in-depth information, we recommend the following resources:
- DNS and BIND, 4th edition, Paul Albitz and Cricket Liu
- The IETF DNS documents, RFC 1034 and RFC 1035

- The Internet Systems Consortium web site, http://www.isc.org/index.pl?/sw/bind/

For information on adding the required MX record to other DNS servers, for instance BIND or Microsoft Windows 2007 DNS Service, consult the appropriate product documentation.

To add the Wide IP as an MX record using ZoneRunner
1. On the Main tab of the navigation pane, expand Global Traffic and click ZoneRunner.
2. Click the Create button. The New Resource Record screen opens.
3. From the View list, select a view. In our example, we select external.
4. From the Zone list, select the appropriate zone. In our example, we select example.com.
5. In the Name box, type a name for the Resource Record. Make sure the domain for which you are creating an MX record is shown, and note that it must end with a period.
6. In the TTL box, type a number of seconds. In our example, we type 500 (which is the default TTL for our zone).
7. From the Type list, select MX.
8. In the Preference box, type 10. Preference is a numeric value for the preference of this mail exchange host relative to all other mail exchange hosts for the domain. Lower numbers indicate a higher preference, or priority. In a traditional DNS configuration, you would create multiple MX records with different priorities; however, since you're using GTM to provide true wide-area load balancing, it is only necessary to create a single record in this case.
9. In the Mail Server box, enter the name of the Wide IP that you created in Creating a wide IP on the GTM. Make sure that this name also ends with a period. In our example, we type mail.example.com.
10. Click the Finished button (see Figure 2.13).

Figure 2.13 Creating a new Resource Record using ZoneRunner

This concludes the BIG-IP GTM configuration. For more information on the BIG-IP GTM, see the GTM documentation.

Appendix A: Backing up and restoring the BIG-IP LTM system configuration

We recommend saving your BIG-IP configuration before you begin this configuration. When you save the BIG-IP configuration, the system collects the following critical data and compresses it into a single User Configuration Set (UCS) file:

BIG-IP configuration files
BIG-IP license and passwords
SSL certificates
SSH keys

Because the UCS file contains private keys and password data, treat it with the same care as the keys themselves: restrict who can read it and store it only in a protected location.

Saving and restoring the BIG-IP configuration

The Configuration Management screen allows you to save and restore all configuration files that you may edit to configure a BIG-IP LTM system. These configuration files are called a User Configuration Set (UCS). The Configuration Management screen contains sections for saving and restoring a configuration. The list boxes in these sections display only files in the /usr/local/ucs directory. If you want to save or restore files from another directory, you must type the full path in the box.

To save the BIG-IP configuration using the Configuration utility

1. In the navigation pane, click System Admin. The User Administration screen displays.
2. Click the Configuration Management tab. The Configuration Management screen displays.
3. In the Save Current Configuration section, type the path where you want your configuration file saved or choose a path from the list box. If no path is specified, the BIG-IP saves files to /usr/local/ucs. The BIG-IP appends the extension .ucs to file names without it.
4. Click the Save button to save the configuration file.

To restore a BIG-IP configuration

1. In the navigation pane, click System Admin. The User Administration screen displays.
2. Click the Configuration Management tab. The Configuration Management screen displays.
3. In the Restore a Configuration section, choose the configuration file you want to restore from the list box, or type the path where your configuration files were saved.

4. Click the Restore button. To check the status of the restoration, click the View Log button. Wait a few moments for the log file to start generating before you click View Log. Clicking the button again updates your screen with the most current log file information; repeat until the restoration is complete.
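The following is an added example, not part of the F5 guide, showing the checks a practitioner would run on a saved UCS file before storing it or restoring it. Appendix A notes that the archive carries the license, passwords, SSL certificates and SSH keys, so the script records an integrity hash to keep out of band, verifies that the file is not group- or world-readable, lists the members that hold secrets, and flags absolute or parent-relative member paths that would indicate tampering. A UCS is a gzipped tar archive; the member paths used to build the constructed sample archive (config/bigip.conf, config/bigip.license, config/ssl/ssl.key/, config/ssh/) are assumptions for this demo, so adapt the prefixes to what a listing of your own UCS shows.

```python
"""
Added example (not from the F5 deployment guide): audit a UCS archive
before storing or restoring it. The archive built here is constructed for
the demo; its member paths are assumptions, not an authoritative UCS layout.
"""
import hashlib
import io
import os
import stat
import tarfile
import tempfile

# Member prefixes that mean the archive holds secrets (assumed paths).
SENSITIVE_PREFIXES = (
    "config/ssl/ssl.key/",     # SSL private keys
    "config/ssh/",             # SSH host keys
    "config/bigip.license",    # license
    "config/bigip_user.conf",  # local user accounts / password hashes
)


def make_sample_ucs(path: str) -> None:
    """Write a constructed, UCS-shaped tar.gz for demonstration only."""
    members = {
        "config/bigip.conf": b"ltm virtual exchange_https { destination 10.133.20.50:443 }\n",
        "config/bigip.license": b"Registration Key : XXXXX-XXXXX-XXXXX\n",
        "config/ssl/ssl.key/default.key": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
        "config/ssh/ssh_host_rsa_key": b"-----BEGIN OPENSSH PRIVATE KEY-----\nb3Bl...\n",
    }
    with tarfile.open(path, "w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def sha256_file(path: str) -> str:
    """Integrity hash to record out of band at save time and compare before restore."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_ucs(path: str) -> dict:
    """Return findings: secret-bearing members, unsafe member paths, file-mode check."""
    findings = {"sensitive": [], "unsafe_paths": [], "mode_ok": True}
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Anything readable by group or others is too permissive for a file holding private keys.
    findings["mode_ok"] = (mode & 0o077) == 0
    with tarfile.open(path, "r:gz") as tar:
        for m in tar.getmembers():
            # Absolute or parent-relative paths in a backup are a sign of tampering.
            if m.name.startswith("/") or ".." in m.name.split("/"):
                findings["unsafe_paths"].append(m.name)
            if m.name.startswith(SENSITIVE_PREFIXES):
                findings["sensitive"].append(m.name)
    return findings


def demo() -> dict:
    """Build the sample archive in a temp dir, lock its mode down, and audit it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "exchange2007.ucs")
        make_sample_ucs(path)
        os.chmod(path, 0o600)
        result = audit_ucs(path)
        result["sha256"] = sha256_file(path)
        return result


if __name__ == "__main__":
    r = demo()
    print("sha256:", r["sha256"])
    print("mode restrictive:", r["mode_ok"])
    print("secret-bearing members:", r["sensitive"])
    print("unsafe paths:", r["unsafe_paths"])
```

Point audit_ucs and sha256_file at a real file under /usr/local/ucs to use them outside the demo; a hash mismatch or a non-empty unsafe_paths list is a reason not to click Restore.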

3 Deploying F5 and Microsoft Exchange Server 2007 Mailbox Servers with CCR

This chapter gives you step-by-step configuration procedures for configuring F5 products for deployment with the Mailbox server Cluster Continuous Replication (CCR) component of Exchange Server 2007.

With Exchange Server 2007, Microsoft has introduced a feature known as Cluster Continuous Replication (CCR) to provide higher availability to Mailbox role servers. An extension of Microsoft's Cluster Services, CCR enables the continuous and asynchronous updating of a second copy of a mailbox server database. CCR can be configured in either one- or two-datacenter topologies. The two-datacenter scenario, where a primary datacenter and a disaster recovery datacenter are geographically separated, provides the highest level of availability.

More information about CCR, including requirements and Exchange Server configuration, can be found at http://technet.microsoft.com/en-us/library/bb124521.aspx

For more information on Microsoft Exchange Server 2007, see http://www.microsoft.com/exchange/default.mspx.

For more information on F5 products and features, see http://www.f5.com/products/.

Prerequisites and configuration notes

The following are prerequisites and configuration notes for this deployment:

This chapter is written for the Mailbox Server with CCR component of Microsoft Exchange Server 2007.
Each node in the CCR Mailbox cluster will share public and private IP subnets.
You must deploy your BIG-IP devices within your network to optimize traffic.
All of the configuration procedures in this document are performed on the F5 devices. For information on how to deploy or configure Microsoft Exchange Server 2007, consult the appropriate Microsoft documentation.

Configuring the WAN optimization module

First, we configure the BIG-IP WAN optimization module (WOM). The WAN optimization module allows you to encrypt and accelerate data between BIG-IP devices, accelerate applications across the WAN, and much more.

One of the options for initially configuring the WAN optimization module is Dynamic Discovery. The benefit of dynamic discovery is that it reduces configuration complexity. However, when dynamic discovery is used, the BIG-IP currently disables iSession routing in order to prevent inadvertent routing loops. In our environment, dynamic discovery is allowed, but care was taken to ensure iSession routing was enabled.

In this section, we assume you have already configured basic settings such as VLANs and self IP addresses on your BIG-IP systems. If you have not, see the BIG-IP documentation for specific instructions.

Note: The following procedure is only necessary when initially configuring the BIG-IP WOM. If you have already performed the initial configuration, continue with Creating the iSession profile, on page 4.

To configure the WOM module

1. On the Main tab of the local BIG-IP system, expand WAN Optimization, and then click Configuration. The Local Endpoint Configuration screen opens.
2. In the IP Address box, type the BIG-IP self IP address you provisioned for the iSession endpoint in the data center.
3. Make sure the Create iSession Virtual Server list is set to Yes.
4. Click the Save button.
5. In the Advertised Routes Configuration section, click the Create button. The Advertised Route is the local subnet that the local endpoint advertises to all configured remote endpoints to which it is connected.
6. In the Alias box, type an alias for this route. This is optional. In our example, we type exchange2007-ccr.
7. In the Subnet Address box, type the appropriate subnet address. In our example, we type 10.133.21.0.
8. In the Netmask box, type the associated netmask. In our example, we type 255.255.255.0.
9. Make sure the Enabled box is checked.
10. Click the Finished button.
11. In the Dynamic Discovery section, we leave the default settings.

12. Repeat this entire procedure on the remote endpoint BIG-IP system, using the appropriate BIG-IP self IP address in step 2, and the appropriate Advertised Route information.

Figure 3.1 The WAN optimization configuration

After performing this procedure on both BIG-IP systems, you connect your two BIG-IP systems together via an iSession tunnel by identifying each remote endpoint. If dynamic discovery was left on (as in step 11), you only perform the following procedure on one of the BIG-IP systems. If you did not, you must repeat this procedure on the remote BIG-IP system.

To configure the remote endpoints

1. On the Main tab of the local BIG-IP system, expand WAN Optimization, and then click Configuration.
2. On the Menu bar, click Remote Endpoints.
3. Click the Create button.
4. From the Remote Endpoint list, select Advanced.
5. In the IP Address box, type the IP address you provisioned for the remote iSession endpoint.
6. Important: From the Routing list, select Enabled.
7. Click Finished.

8. If you disabled dynamic discovery in the previous procedure, you must repeat this procedure on the remote BIG-IP system.

Figure 4 Configuring the remote endpoint

Ensuring that iSession routing is enabled

As mentioned previously, if Dynamic Discovery is enabled, the BIG-IP system automatically sets remote endpoint routing to Disabled. We want to ensure remote endpoint routing is enabled (as in step 6 above).

Important: We recommend you check that routing is enabled after any reboot of the BIG-IP system and after any hotfix or upgrade installation, because routing may revert to Disabled to avoid routing loops. While routing is disabled, CCR replication traffic between the two data centers is not carried through the iSession tunnel, so it is neither optimized nor encrypted by the WOM.

To ensure that iSession routing is enabled

1. On the Main tab of the local BIG-IP system, expand WAN Optimization, and then click Configuration.
2. On the Menu bar, click Remote Endpoints.
3. Click the IP address of the appropriate endpoint.
4. From the Routing list, make sure that Enabled is selected. If it is not, select Enabled from the list.
5. Click the Update button.
6. Repeat this procedure on the remote BIG-IP system.

Creating the iSession profile

In this procedure, we create an iSession profile. The iSession profile tells the system how to optimize traffic.

To create the iSession profile

1. On the Main tab, expand Local Traffic, and then click Profiles.
2. On the Menu bar, from the Services menu, select iSession.
3. Click the Create button.
4. In the Name box, type a name for this profile. In our example, we type exchange-ccr-isession.
5. In our example, we leave all settings at the default levels, which results in data transfers that are optimized using both adaptive compression and deduplication.
6. Click the Finished button.
7. Repeat this on the remote BIG-IP WAN Optimization module.

Creating the WAN Optimization policy

The next task is to create the WAN optimization policy. For this configuration, we create a new optimization policy for the CCR replication traffic.

To create a new WAN Optimization policy

1. On the Main tab, expand WAN Optimization, and then click Configuration.
2. On the Menu bar, click Optimization Policies.
3. Click the Create button. The Common Application Optimization Policies page opens.
4. Click the Create Custom Policy button. The New Optimization Policy wizard opens.
5. Type a name for this virtual server. In our example, we type exchange-ccr-local.
6. Select No for the question asking if this is an iSession endpoint tunnel terminating virtual server.
7. In the IP address/netmask section, select Network. Type the IP Address and Netmask for the remote network where the CCR member servers are located.
8. From the What kind of application would you like to optimize? list, select CIFS.
9. From the Will clients be connecting to this virtual server over a LAN list, select Yes.
10. Encrypting the tunneled data is optional. In our example, we select Yes. Because CCR log shipping is a CIFS file copy between the data centers, we recommend selecting Yes unless the WAN link is already encrypted by other means.
11. In the VLAN section, from the Available list, select the appropriate VLANs and click the Add (<<) button.

12. In the Profile Settings section, from the iSession Profile box, select the profile you created in Creating the iSession profile, on page 4.
13. Click the Finished button.
14. Repeat this on the remote BIG-IP WOM, but in Step 7, use the IP address and Netmask for the local network where the CCR devices are located.

Your CCR replication traffic in either direction is now optimized and encrypted.


4 Deploying F5 and Microsoft Exchange Server 2007 Hub Transport Servers

This chapter gives you step-by-step configuration procedures for configuring F5 products for deployment with the Hub Transport Server component of Exchange Server 2007.

The Hub Transport role of Microsoft Exchange Server 2007 handles all mail flow within an organization, applies transport rules and journaling policies, and delivers messages to recipients' mailboxes. More information about the Hub Transport Server role can be found at http://technet.microsoft.com/en-us/library/aa998616.aspx

For more information on Microsoft Exchange Server 2007, see http://www.microsoft.com/exchange/default.mspx.

For more information on F5 products and features, see http://www.f5.com/products/.

Prerequisites and configuration notes

The following are prerequisites and configuration notes for this deployment:

This chapter is written for the Hub Transport server component of Microsoft Exchange Server 2007.
All of the configuration procedures in this document are performed on the F5 devices. For information on how to deploy or configure Microsoft Exchange Server 2007, consult the appropriate Microsoft documentation.

Configuring the WAN optimization module with Hub Transport Servers

First, we configure the WAN optimization module (WOM). The WAN optimization module allows you to encrypt and accelerate data between BIG-IP devices, accelerate applications across the WAN, and much more.

One of the options for initially configuring the WAN optimization module is Dynamic Discovery. The benefit of dynamic discovery is that it reduces configuration complexity. However, when dynamic discovery is used, the BIG-IP currently disables iSession routing in order to prevent inadvertent routing loops. In our environment, dynamic discovery is allowed, but care was taken to ensure iSession routing was enabled.

In this section, we assume you have already configured basic settings such as VLANs and self IP addresses on your BIG-IP systems. If you have not, see the BIG-IP documentation.

Note: The following procedure is only necessary when initially configuring the BIG-IP WOM. If you have already performed the initial configuration, continue with Creating the iSession profile, on page 4-4.

To configure the WOM module

1. On the Main tab of the local BIG-IP system, expand WAN Optimization, and then click Configuration. The Local Endpoint Configuration screen opens.
2. In the IP Address box, type the BIG-IP self IP address you provisioned for the iSession endpoint in the data center.
3. Make sure the Create iSession Virtual Server list is set to Yes.
4. Click the Save button.
5. In the Advertised Routes Configuration section, click the Create button. The Advertised Route is the local subnet that the local endpoint advertises to all configured remote endpoints to which it is connected.
6. In the Alias box, type an alias for this route. This is optional. In our example, we type exchange2007-hub.
7. In the Subnet Address box, type the appropriate subnet address. In our example, we type 10.133.20.0.
8. In the Netmask box, type the associated netmask. In our example, we type 255.255.255.0.
9. Make sure the Enabled box is checked.
10. Click the Finished button.
11. In the Dynamic Discovery section, we leave the default settings.

12. Repeat this entire procedure on the remote endpoint BIG-IP system, using the appropriate BIG-IP self IP address in step 2, and the appropriate Advertised Route information.

After performing this procedure on both BIG-IP systems, you connect your two BIG-IP systems together via an iSession tunnel by identifying each remote endpoint. If dynamic discovery was left on (as in step 11), you only perform the following procedure on one of the BIG-IP systems. If you did not, you must repeat this procedure on the remote BIG-IP system.

To configure the remote endpoints

1. On the Main tab of the local BIG-IP system, expand WAN Optimization, and then click Configuration.
2. On the Menu bar, click Remote Endpoints.
3. Click the Create button.
4. From the Remote Endpoint list, select Advanced.
5. In the IP Address box, type the IP address you provisioned for the remote iSession endpoint.
6. Important: From the Routing list, select Enabled.
7. Click Finished.
8. If you disabled dynamic discovery in the previous procedure, you must repeat this procedure on the remote BIG-IP system.

Ensuring that iSession routing is enabled

As mentioned previously, if Dynamic Discovery is enabled, the BIG-IP system automatically sets remote endpoint routing to Disabled. We want to ensure remote endpoint routing is enabled (as in step 6 above).

Important: We recommend you check that routing is enabled after any reboot of the BIG-IP system and after any hotfix or upgrade installation, because routing may revert to Disabled to avoid routing loops. While routing is disabled, Hub Transport traffic between the data centers bypasses the iSession tunnel and is neither optimized nor encrypted by the WOM.

To ensure that iSession routing is enabled

1. On the Main tab of the local BIG-IP system, expand WAN Optimization, and then click Configuration.
2. On the Menu bar, click Remote Endpoints.
3. Click the IP address of the appropriate endpoint.
4. From the Routing list, make sure that Enabled is selected. If it is not, select Enabled from the list.
5. Click the Update button.
6. Repeat this procedure on the remote BIG-IP system.
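Both the CCR chapter and this Hub Transport chapter tell you to re-check the Routing setting of every remote endpoint by hand after a reboot or upgrade. The following is an added example, not part of the F5 guide, that turns that manual check and the loop condition behind it into a script you can run against a saved configuration dump: it flags any remote endpoint whose routing is not enabled, and it flags any remote advertised route that overlaps a subnet the local endpoint advertises, which is the routing-loop situation the Disabled default exists to prevent. The input format (a tmsh-style brace-block dump), the object names wom local-endpoint and wom remote-endpoint, and the attribute names routing, advertised-routes and subnet are assumptions constructed for the demo; adapt the parser to the output your BIG-IP version actually produces. The subnets are the ones used in the two chapters' examples plus a constructed overlapping one.

```python
"""
Added example (not from the F5 deployment guide): check a WOM configuration
dump for remote endpoints with routing disabled and for overlapping
advertised routes. The dump format and object/attribute names below are
ASSUMPTIONS for the demo, not verified tmsh syntax.
"""
import ipaddress
import re

# Constructed sample dump: one local endpoint, two remote endpoints.
SAMPLE_DUMP = """\
wom local-endpoint {
    ip-address 10.133.1.10
    advertised-routes {
        exchange2007-hub { subnet 10.133.20.0/24 }
        exchange2007-ccr { subnet 10.133.21.0/24 }
    }
}
wom remote-endpoint 10.133.2.10 {
    routing disabled
    advertised-routes {
        dr-hub { subnet 10.134.20.0/24 }
    }
}
wom remote-endpoint 10.133.3.10 {
    routing enabled
    advertised-routes {
        dr-ccr { subnet 10.133.21.128/25 }
    }
}
"""

_INLINE_BLOCK = re.compile(r"(\S+)\s*\{\s*(.*?)\s*\}")


def parse_tmsh(text: str) -> dict:
    """Parse a brace-block dump into nested dicts.

    Handles 'name {' ... '}' blocks, 'key value' lines, and one-line
    'name { key value }' blocks. Returns the root dict.
    """
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child: dict = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            m = _INLINE_BLOCK.fullmatch(line)
            if m:
                key, value = m.group(2).split(None, 1)
                stack[-1][m.group(1)] = {key: value}
            else:
                parts = line.split(None, 1)
                stack[-1][parts[0]] = parts[1] if len(parts) > 1 else True
    return root


def check_wom(config: dict) -> list[str]:
    """Return human-readable findings; an empty list means the WOM state is as the guide expects."""
    findings: list[str] = []
    local = config.get("wom local-endpoint", {})
    local_nets = [ipaddress.ip_network(r["subnet"]) for r in local.get("advertised-routes", {}).values()]
    for name, body in config.items():
        if not name.startswith("wom remote-endpoint "):
            continue
        endpoint = name.split()[-1]
        # Check 1: routing must be enabled, or traffic bypasses the tunnel.
        if body.get("routing") != "enabled":
            findings.append(f"{endpoint}: routing is {body.get('routing', 'unset')}; expected enabled")
        # Check 2: a remote route overlapping a local route is a loop risk.
        for alias, route in body.get("advertised-routes", {}).items():
            rnet = ipaddress.ip_network(route["subnet"])
            for lnet in local_nets:
                if rnet.overlaps(lnet):
                    findings.append(f"{endpoint}: remote route {alias} {rnet} overlaps local route {lnet} (loop risk)")
    return findings


if __name__ == "__main__":
    for finding in check_wom(parse_tmsh(SAMPLE_DUMP)) or ["OK: routing enabled, no overlapping routes"]:
        print(finding)
```

Run it after each reboot or hotfix on both BIG-IP systems; any line of output is a reason to open WAN Optimization > Configuration > Remote Endpoints and correct the setting before trusting the tunnel.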

Creating the iSession profile

In this procedure, we create an iSession profile. The iSession profile tells the system how to optimize traffic.

To create the iSession profile

1. On the Main tab, expand Local Traffic, and then click Profiles.
2. On the Menu bar, from the Services menu, select iSession.
3. Click the Create button.
4. In the Name box, type a name for this profile. In our example, we type exchange-hub-isession.
5. In the Deduplication row, check the Custom box, and from the list, select Disabled. Exchange Server 2007 encrypts SMTP sessions between Hub Transport servers with TLS by default, and deduplication finds no repeated data in encrypted traffic, so it would only add overhead here.
6. In our example, we leave the rest of the settings at the default levels.
7. Click the Finished button.
8. Repeat this on the remote BIG-IP WAN Optimization module.

Creating the WAN Optimization policy

The next task is to create the WAN optimization policy.

To create a new WAN Optimization policy

1. On the Main tab, expand WAN Optimization, and then click Configuration.
2. On the Menu bar, click Optimization Policies.
3. Click the Create button. The Common Application Optimization Policies page opens.
4. Click the Create Custom Policy button. The New Optimization Policy wizard opens.
5. Type a name for this virtual server. In our example, we type exchange-hub-local.
6. Select No for the question asking if this is an iSession endpoint tunnel terminating virtual server.
7. In the IP address/netmask section, select Network. Type the IP Address and Netmask for the remote network where the Hub Transport servers are located.
8. In the What kind of application would you like to optimize? box, type 25 (the SMTP port used between Hub Transport servers).
9. From the Will clients be connecting to this virtual server over a LAN list, select Yes.

10. Encrypting the tunneled data is optional. In our example, we select Yes.
11. In the VLAN section, from the Available list, select the appropriate VLANs and click the Add (<<) button.
12. In the Profile Settings section, from the iSession Profile box, select the profile you created in Creating the iSession profile, on page 4-4.
13. Click the Finished button.
14. Repeat this on the remote BIG-IP WOM, but in Step 7, use the IP address and Netmask for the local network where the Hub Transport servers are located.

This completes the BIG-IP WOM configuration.