Microsoft Exchange Server 2016 (BIG-IP v11 - v13: LTM, APM, AFM)

Welcome to the F5 and Microsoft Exchange 2016 deployment guide. Use this document for guidance on configuring the BIG-IP system version 11 and later to provide additional security, performance, and availability for Exchange Server 2016 Mailbox servers.

When configured according to the instructions in this guide, whether using an iApp template or manually, the BIG-IP system performs as a reverse proxy for Exchange Mailbox servers, and also performs functions such as load balancing, compression, encryption, caching, and pre-authentication.

Why F5?

F5 offers a complete suite of application delivery technologies designed to provide a highly scalable, secure, and responsive Exchange deployment.

• The BIG-IP LTM can balance load and ensure high-availability across multiple Mailbox servers using a variety of load balancing methods and priority rules.

• Terminating HTTPS connections at the BIG-IP LTM reduces CPU and memory load on Mailbox Servers, and simplifies TLS/SSL certificate management for Exchange 2016.

• The BIG-IP Access Policy Manager (APM), F5's high-performance access and security solution, can provide pre-authentication, single sign-on, and secure remote access to Exchange HTTP-based client access services.

• The BIG-IP Advanced Firewall Manager (AFM), F5's high-performance, stateful, full-proxy network firewall designed to guard data centers against incoming threats that enter the network can help secure and protect your Exchange deployment.

• The BIG-IP LTM TCP Express feature set ensures optimal network performance for all clients and servers, regardless of operating system and version.

• The LTM provides content compression features which improve client performance.

Products and versions

Important: Make sure you are using the most recent version of this deployment guide, available at http://f5.com/pdf/deployment-guides/microsoft-exchange-2016-dg.pdf For previous versions of this and other guides, see the Deployment guide Archive tab on f5.com: https://f5.com/solutions/deployment-guides/archive-608

Introduction

This document provides guidance for using the updated, downloadable BIG-IP iApp Template to configure the Mailbox server role of Microsoft Exchange Server, as well as instructions on how to configure the BIG-IP system manually. This iApp template was developed for use with Exchange Server 2016.

You can configure the BIG-IP system to support any combination of the following services supported by Mailbox servers: Outlook Web App (which includes the HTTP resources for Exchange Control Panel), Exchange Web Services, Outlook Anywhere (RPC over HTTP, including the Offline Address Book), ActiveSync, Autodiscover, POP3, IMAP4, and MAPI over HTTP.

For more information on the Exchange 2016 see:.https://technet.microsoft.com/en-us/library/jj150491(v=exchg.160).aspx

For more information on the F5 devices in this guide, see http://f5.com/products/big-ip/.

You can also see the BIG-IP deployment guide for SMTP services at: http://f5.com/pdf/deployment-guides/f5-smtp-dg.pdf.

You can also visit the Microsoft page of F5’s online developer community, DevCentral, for Microsoft forums, solutions, blogs and more: http://devcentral.f5.com/Microsoft/.

To provide feedback on this deployment guide or other F5 solution documents, contact us at solutionsfeedback@f5.com.

What is F5 iApp?

F5 iApp is a powerful set of features in the BIG-IP system that provides a new way to architect application delivery in the data center. iApp includes a holistic, application-centric view of how applications are managed and delivered inside, outside, and beyond the data center. The iApp template for Microsoft Exchange Server acts as the single-point interface for building, managing, and monitoring the Exchange 2016 client access role.

For more information on iApp, see the White Paper F5 iApp: Moving Application Delivery Beyond the Network: http://f5.com/pdf/white-papers/f5-iapp-wp.pdf.

Skip ahead

If you are already familiar with the Exchange iApp, you can skip directly to the relevant section after reading the prerequisites:

• Configuring the BIG-IP system for Microsoft Exchange using the iApp template if using the iApp template, or

• Appendix C: Manual configuration tables if configuring the BIG-IP system manually.

Prerequisites and configuration notes

Use this section for important items you need to know about and plan for before you begin this deployment. Not all items will apply in all implementations, but we strongly recommend you read all of these items carefully.

General BIG-IP system prerequisites

• For this deployment guide, the BIG-IP system must be running version 11.4.1 or later. If you are using a previous version of the BIG-IP system, see the Deployment Guide index on F5.com. This guide does not apply to previous versions.

• Most of the configuration guidance in this document is performed on F5 devices. We provide a summary of Exchange configuration steps for reference only; for complete information on how to deploy or configure the components of Microsoft Exchange Server, consult the appropriate Microsoft documentation. F5 cannot provide support for Microsoft products.

• If deploying BIG-IP APM features, you must fully license and provision APM before starting the iApp template.

• This document provides guidance on using the Exchange iApp template. Additionally, for users familiar with the BIG-IP system, there are manual configuration tables at the end of this guide. Because of the complexity of this configuration, we strongly recommend using the iApp to configure the BIG-IP system.

iApp template prerequisites and notes

• This document provides guidance on using the F5 supplied Warning To run the Microsoft Exchange iApp template, you must be logged into the BIG-IP system as a user that is assigned the admin role. For more information on roles on the BIG-IP system, see the BIG-IP User Accounts chapter of the BIG-IP TMOS: Concepts guide.

• BIG-IP APM v12.0 and later now supports the MAPI over HTTP transport protocol (introduced in Exchange 2013 SP1 and included in 2016 http://technet.microsoft.com/en-us/library/dn635177(v=exchg.150).aspx). If you are using BIG-IP APM v11.x, the iApp template does not support this new protocol. See Manually configuring MAPI over HTTP in Exchange for manual instructions on configuring the BIG-IP system for MAPI over HTTP for the 11.x versions.

• If you have existing, manually created Node objects on the BIG-IP system and given these nodes a name, you cannot use the IP addresses for those nodes when configuring the iApp. You must first manually delete those nodes and re-add them without a name, or delete the nodes and let the iApp automatically create them.

• For some configuration objects, such as profiles, the iApp allows you to import custom objects you created outside the template. This enables greater customization and flexibility. If you have already started the iApp template configuration and then decide to you want to create a custom profile, you can complete the rest of the template as appropriate and then re-enter the template at a later time to select the custom object. Otherwise you can exit the iApp immediately, create the profile, and then restart the iApp template from the beginning.

• Be sure to see Troubleshooting for troubleshooting tips and important configuration changes for specific situations.

SSL certificate and key prerequisites and notes

• If you are using the BIG-IP system to offload SSL or for SSL Bridging, we assume you have already obtained an SSL certificate and key, and it is installed on the BIG-IP LTM system. To configure your Mailbox servers to support SSL offloading, you must first follow the most recent Microsoft documentation.

• We generally recommend that you do not re-encrypt traffic between your BIG-IP APM and BIG-IP LTM because both BIG-IP systems must process the SSL transactions. However, if you choose to re-encrypt, we strongly recommend you use a valid certificate (usually SAN-enabled) rather than the default, self-signed certificate for the Client SSL profile on your BIG-IP LTM system. If not re-encrypting traffic, you do not need a certificate on your BIG-IP LTM.

• This template currently only supports the use of a single DNS name and corresponding certificate and key for all services, or multiple DNS names using a SAN-enabled certificate and key.

• If using a single virtual server for all HTTP-based client access services as recommended, you must obtain the Subject Alternative Name (SAN) certificate (or wildcard certificate, see the next paragraph) and key from a 3rd party certificate authority that supports SAN certificates, and then import it onto the BIG-IP system. While the BIG-IP system supports using a wildcard certificate to secure Exchange deployments using multiple FQDNs, for increased security, F5 recommends using SAN certificate(s) where possible. Additionally, some older mobile devices are incompatible with wildcard certificates. Consult your issuing Certificate Authority for compatibility information. Note: For more information on SAN certificates, see Subject Alternative Name (SAN) SSL Certificates.

BIG-IP Access Policy Manager prerequisites and notes

• If you are deploying BIG-IP APM, make sure to see Exchange Hybrid Autodiscover, free/busy lookups, and remote mailbox moves/migrations fail when APM is deployed for an important iRule you must add to the configuration.

• If you want to display the computer type (public/shared vs private) and light version (Use the light version of Outlook Web App) options for OWA on the APM logon page via the BIG-IP APM, you must run the following PowerShell command on one of your Mailbox Servers (only one): Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -LogonPageLightSelectionEnabled $true -LogonPagePublicPrivateSelectionEnabled $true

• If you are deploying the iApp template for APM and smart card authentication for Outlook Web App, you must be using Kerberos authentication. This only applies to Outlook Web App (OWA).

• If you are using BIG-IP APM, the following table shows the Exchange Server (Mailbox Server) settings:

1 Exchange Server 2010 and 2013 SP1 and later only. See the following link for more information on default authentication methods for Exchange Server 2010:http://technet.microsoft.com/en-us/library/bb331973.aspx

2 You must change the default Forms logon format from Domain\username to just username. More information is available later in this guide.

3 Outlook Anywhere is disabled by default in Exchange 2010; you must enable it before you can use it. You can optionally configure BIG-IP APM v11.3 and later for NTLM authentication for Outlook Anywhere. See page 50.

4 MAPI-over-HTTP requires BIG-IP v12.0 or later for APM

When deploying APM, server authentication settings for the OWA and Outlook protocols are determined by client-side authentication selections made in the iApp. For example, selecting Basic client authentication for Outlook clients causes NTLM SSO to be applied to server-side requests, while selecting NTLM client authentication results in Kerberos single sign-on.

Important: The values in the following table are only examples, use the values appropriate for your configuration.

In our example, we use the following conventions.

For more information, see:

• Summary of SRV records on Wikipedia: http://en.wikipedia.org/wiki/SRV_record

• Specification for SRV records (RFC2782): http://tools.ietf.org/html/rfc2782

• Microsoft KB article on SRV records and the Autodiscover service: http://support.microsoft.com/kb/940881

• Understanding the Autodiscover Service (including SCP information): http://technet.microsoft.com/en-us/library/bb124251.aspx

Configuring the iApp for Exchange Hybrid deployments

This solution supports using BIG-IP APM for secure access to hybrid deployment of Exchange 2016. A hybrid deployment means an environment that has deployed Exchange on-premise and Office 365, and those two components have been configured to communicate with each other (as described in https://technet.microsoft.com/en-us/library/jj200581(v=exchg.150).aspx).

In a hybrid scenario, the BIG-IP is located between the Exchange Web Services and the Office 365 infrastructure, and F5 provides seamless access to the on-premise Exchange components in a secure fashion without causing failures for the hybrid-related traffic. The iApp template (v1.0.2 and later) now includes the question Would you like to bypass APM for hybrid services? on page 18. Select Yes for hybrid deployments. This will prevent failures in federated requests for Autodiscover and free/busy information, as well as remote moves and migrations between your Exchange organization and Exchange Online.

iApp Deployment Scenarios

The iApp greatly simplifies configuring the BIG-IP system for Microsoft Exchange 2016 client access roles. Before beginning the Application template, you must make a decision about the scenario in which you are using BIG-IP system for this deployment. The iApp presents the following three deployment options. You choose one of these options when you begin configuring the iApp.

• Local BIG-IP system load balances and optimizes traffic

• Local LTM receives HTTP-based traffic forwarded by a remote APM

• Local APM secures and forwards traffic to a remote LTM

Local BIG-IP system load balances and optimizes traffic

You can select this scenario to manage, secure, and optimize client-generated mailbox traffic using the BIG-IP system. This is the traditional role of the BIG-IP LTM and should be used in scenarios where you are not deploying BIG-IP Access Policy Manager (APM) on a separate BIG-IP system. In this scenario, you can optionally the BIG-IP APM to secure HTTP-based virtual servers on this system.

You would not select this option if you intend to deploy a separate APM that provides secure remote access to HTTP-based services.

The traffic flow for this scenario is:

1. All Exchange Mailbox traffic goes to the BIG-IP system.

2. You can use the following optional modules if they are licensed and provisioned on you BIG-IP system:

   • BIG-IP Access Policy Manager (APM) The BIG-IP APM module provides secure access and proxied authentication (pre-authentication) for HTTP-based Mailbox services: Outlook Web App, Outlook Anywhere, ActiveSync, and Autodiscover). The BIG-IP APM presents a login page to end users that takes the place of the forms-based login page normally presented by Outlook Web App. Users provide credentials through the BIG-IP APM form; the BIG-IP APM then authenticates the user to Active Directory.

   • BIG-IP Advanced Firewall Manager (AFM) The BIG-IP Advanced Firewall Manager (AFM) is a high-performance, stateful, full-proxy network firewall designed to guard data centers against incoming threats that enter the network on the most widely deployed protocols.

    

3. The BIG-IP LTM load balances and optimizes the Exchange client traffic to the Mailbox servers, including the services which are not HTTP-based: POP3, and IMAP4.

Local LTM receives HTTP-based traffic forwarded by a remote APM

You can select this scenario to configure BIG-IP LTM with a single virtual server that receives Exchange HTTP-based traffic that has been forwarded by a separate BIG-IP APM. The virtual server can also accommodate direct Exchange client traffic, e.g. internal clients that do not use the BIG-IP APM, and non-HTTP traffic that is not handled by BIG-IP APM such as POP3 and IMAP4.

This scenario would be used together with the following scenario, in which you configure a separate BIG-IP APM to send traffic to this BIG-IP LTM device.

1. Traffic comes in from the BIG-IP APM as described in the next scenario.

2. The BIG-IP LTM receives HTTP-based Exchange client traffic from a separate BIG-IP APM, or directly received the non HTTP-based traffic.

3. If you have internal Exchange clients, all Mailbox traffic from the internal clients goes directly to the BIG-IP LTM.

4. The BIG-IP LTM load balances and optimizes the traffic to the Mailbox servers, including the services which are not HTTP-based: POP3, and IMAP4.

Note: While this scenario can accommodate internal clients, we do not recommend using this virtual server in that way. We strongly recommend creating a second instance of the iApp on this BIG-IP LTM for the direct traffic/internal users. You must use a unique virtual server IP address; all of the other settings can be identical. Once both iApps have been created, you would configure Split DNS (use the same domain name, but different zones and IP addresses for internal and external clients). For more information about Split DNS, refer to your DNS documentation.

Local APM secures and forwards traffic to a remote LTM

You can select this scenario to configure the BIG-IP system as a BIG-IP APM that will use a single virtual server to provide proxy authentication (pre-authentication) and secure remote access to Exchange 2016 HTTP-based services without requiring the use of an F5 Edge Client. When you select this deployment scenario, the BIG-IP APM presents a login page to end users that takes the place of the forms-based login page normally presented by Outlook Web App. Users provide credentials through the BIG-IP APM form; the BIG-IP APM then authenticates the user to Active Directory. The BIG-IP system will only forward connections after a user has authenticated successfully. The traffic is then sent to another BIG-IP running LTM which provides advanced load balancing, monitoring and optimizations for HTTP-based client access services.

This scenario would be used together with the previous scenario, in which you configure a separate BIG-IP LTM to receive traffic from this BIG-IP APM device.

Note: While this scenario can accommodate internal clients, we do not recommend using this virtual server in that way. We strongly recommend creating a second instance of the iApp on this BIG-IP LTM for the direct traffic/internal users. You must use a unique virtual server IP address; all of the other settings can be identical. Once both iApps have been created, you would configure Split DNS (use the same domain name, but different zones and IP addresses for internal and external clients). For more information about Split DNS, refer to your DNS documentation.

1. HTTP-based Mailbox traffic goes to the BIG-IP APM, which provides proxy authentication and secure remote access.
2. After authentication, the BIG-IP APM sends the traffic to a separate BIG-IP LTM for intelligent traffic management.

Guidance specific to each deployment scenario is contained later in this document.

Preparation worksheets

For each section of the iApp Template, you need to gather some information, such as Mailbox server IP addresses and domain information. The worksheets do not contain every question in the template, but rather include the information that is helpful to have in advance. Use the worksheet(s) applicable to your configuration. More information on specific template questions can be found on the individual pages. You might find it useful to print these tables and then enter the information.

Configuring the BIG-IP system for Microsoft Exchange using the iApp template

Use this section for guidance on configuring the BIG-IP system using the iApp template. If you plan to configure the system manually, see Appendix C: Manual configuration tables.

Downloading and importing the new iApp

The first task is to download and import the new Exchange Server 2016 iApp template.

1. To download and import the iApp
2. Open a web browser and go to https://support.f5.com/kb/en-us/solutions/public/k/11/sol11100442.html.
3. Follow the instructions to download the Microsoft Exchange iApp to a location accessible from your BIG-IP system.
4. Extract (unzip) the f5.microsoft_exchange_2016.tmpl file. The latest version is in the Release Candidate directory.
5. Log on to the BIG-IP system web-based Configuration utility.
6. On the Main tab, expand iApp, and then click Templates.
7. Click the Import button on the right side of the screen.
8. Click a check in the Overwrite Existing Templates box.
9. Click the Browse button, and then browse to the location you saved the iApp file.
10. Click the Upload button. The iApp is now available for use.

Upgrading an Application Service from previous version of the iApp template

If you configured your BIG-IP using a previous version of the Microsoft Exchange 2016 iApp template, we strongly recommend you upgrade the iApp template to the most recent version. Check https://support.f5.com/kb/en-us/solutions/public/k/11/sol11100442.html.

When you upgrade to the current template version, the iApp retains all of your settings for use in the new template. In some new versions, you may notice additional questions, or existing questions asked in different ways, but your initial settings are always saved.

1. To upgrade an Application Service to the current version of the template
2. From the Main tab of the BIG-IP Configuration utility, expand iApp and then click Application Services.
3. Click the name of your existing f5.microsoft_exchange_2016 application service from the list.
4. On the Menu bar, click Reconfigure.
5. At the top of the page, in the Template row, click the Change button to the right of the list.
6. From the Template list, select f5.microsoft_exchange_2016..
7. Review the questions in the new template, making any necessary modifications. Use the iApp walkthrough section of this guide for information on specific questions.
8. Click Finished.

Getting started with the Exchange iApp template

To begin the Exchange iApp Template, use the following procedure.

1. To start the iApp template
2. Log on to the BIG-IP system.
3. On the Main tab, expand iApp, and then click Application Services.
4. Click Create. The Template Selection page opens.
5. In the Name box, type a name. In our example, we use Exchange-2016_.
6. From the Template list, select f5.microsoft_exchange_2016.. The new Microsoft Exchange template opens.

Advanced options

If you select Advanced from the Template Selection list at the very top of the template, you see Device and Traffic Group options for the application. This feature is a part of the Device Management configuration. This functionality extends the existing High Availability infrastructure and allows for clustering, granular control of configuration synchronization and granular control of failover. To use the Device and Traffic Group features, you must have already configured Device and Traffic Groups before running the iApp. For more information on Device Management, see the product documentation.

1. Device Group
   To select a Device Group, clear the Device Group check box and then select the appropriate Device Group from the list.
2. Traffic Group
   To select a Traffic Group, clear the Traffic Group check box and then select the appropriate Traffic Group from the list.

Inline help

At the bottom of the Welcome section, the iApp template asks about inline help text.

1. Do you want to see inline help?
   Select whether you want to see informational and help messages inline throughout the template, or if you would rather hide this inline help. If you are unsure, we recommend having the iApp display all inline help. Important and critical notes are always shown, no matter which selection you make.

   • Yes, show inline help text
     Select this option to see all available inline help text.

   • No, do not show inline help
     If you are familiar with this template, or with the BIG-IP system in general, select this option to hide the inline help text.

Deployment Scenarios

Choose the option that best describes how you plan to use the BIG-IP system you are currently configuring. The scenario you select determines the questions that appear in the iApp. The scenarios were described in iApp Deployment Scenarios.

1. Which scenario describes how you will use the BIG-IP system?
   Choose the scenario that best describes the way you plan to use this BIG-IP system. Guidance for each scenario is contained in a separate section of this document. Click the link to go to the relevant section of the guide for the scenario you plan to deploy.

   • Local BIG-IP system load balances and optimizes traffic
     Select this scenario to manage, secure, and optimize client-generated Exchange Mailbox traffic using the BIG-IP system. This is the traditional role of the LTM and should be used when you are not deploying APM on a separate BIG-IP system. In this scenario, if you have fully licensed and provisioned BIG-IP APM you have the option of using it to provide proxy authentication for HTTP-based services on this system. Do not select this option if you intend to deploy a separate BIG-IP APM that will provide secure remote access to Exchange HTTP-based services. For this role, go to Configuring the BIG-IP LTM to load balance and optimize Mailbox traffic.

   • Local LTM receives HTTP-based traffic forwarded by remote BIG-IP APM
     Select this scenario to configure BIG-IP LTM with a single virtual server that receives Exchange HTTP-based traffic that has been forwarded by an BIG-IP APM. The virtual server can also accommodate direct traffic, for example internal clients that do not use the BIG-IP APM, and non-HTTP traffic that is not handled by BIG-IP APM such as POP3 and IMAP4. For this role, go to Configuring the local LTM to receive HTTP-based traffic forwarded by a remote APM.

   • Local APM secures and forwards traffic to a remote LTM
     Select this role to configure the BIG-IP system as a BIG-IP APM that will use a single HTTPS (port 443) virtual server to provide proxy authentication and secure remote access to Exchange HTTP-based services without requiring the use of an F5 Edge Client. The traffic will be forwarded to another BIG-IP running LTM which provides advanced load balancing, monitoring and optimizations for those services. For this role, go to Configuring a local APM to secure and forward traffic to a remote LTM.

Configuring the BIG-IP LTM to load balance and optimize Mailbox traffic

If you chose the first scenario, Local BIG-IP system load balances and optimizes traffic, use this section for guidance on configuring the iApp. Again, do not chose this option if you will deploy a separate BIG-IP APM to provide secure remote access to HTTP-based services.

Analytics

This section of the template asks questions about Analytics. The Application Visibility Reporting (AVR) module allows you to view statistics specific to your Microsoft Exchange implementation. AVR is available on all BIG-IP systems v11 and later, however you must have the AVR provisioned for this option to appear. Note that this is only for application visibility reporting, you can view object-level statistics from the BIG-IP without provisioning AVR.

Important: Enabling Analytics may adversely affect overall system performance. If you choose to enable Analytics, we recommend gathering statistics for a set time period, such as one week, and then re-entering this template and disabling Analytics while you process the data.

If you plan on using AVR for analytics, we recommend creating a custom Analytics profile. To create a new profile, from the Main tab, select Profiles and then click Analytics. Click New and then configure the profile as applicable for your configuration. See the online help or product documentation for specific instructions. To select the new profile, you need to restart or reconfigure the iApp template.

1. Do you want to enable Analytics for application statistics?
   Select whether you want to enable AVR for Analytics for HTTP-based services. Note that Analytics does not always properly report the HTTP methods of Outlook Anywhere.

   • No, do not enable Analytics
     Select this option if you do not want to use Analytics, and then continue with BIG-IP Access Policy Manager.

   • Yes, enable Analytics using AVR
     If you choose to enable Analytics, select Yes from the list, and then answer the following questions.

     1. Use the default Analytics profile or select a custom profile?
        If you decide to use AVR, you must decide whether to use the default Analytics profile, or create a new one. As mentioned previously, we recommend creating a new profile to get the most flexibility and functionality out of AVR. If you have already started the iApp template configuration and then decide to create a new Analytics profile, you must exit the iApp, create the profile, and then restart the iApp template.

        • Select a custom Analytics profile
          Select this option if you have already created a custom Analytics profile for Exchange Server.

          1. Which Analytics profile do you want to use?
             From the list, select the appropriate Analytics profile.

             • Use default profile
               Select this option if you have not yet created a custom Analytics profile for Microsoft Exchange. We do not recommend using the default profile.

BIG-IP Access Policy Manager

This section in this scenario asks about BIG-IP APM. To use APM, it must be fully licensed and provisioned before starting the template. If you are not deploying BIG-IP APM, continue with the next section. As mentioned in the prerequisites, if you are deploying APM, you must have configured the BIG-IP system for DNS and NTP; see Configuring DNS and NTP settings for instructions.

1. Provide secure authentication to HTTP-based client access services with BIG-IP APM?
   Specify whether you want to deploy BIG-IP APM to provide proxy authentication and secure remote access for HTTP-based client Access services.

   • No, do not provide secure authentication using BIG-IP APM
     Select this option if you do not want to use the BIG-IP APM at this time. You can always reconfigure the iApp template at a later date should you decide to add BIG-IP APM functionality.

   • Yes, provide secure authentication using BIG-IP APM
     Select this option if you want to use the BIG-IP APM to provide proxy authentication and secure remote access for your Exchange deployment.

     1. Would you like to create a new Access Profile, or use an existing Access Profile?
        Choose whether you want the system to create a new BIG-IP APM Access Profile, or if you have already created a custom Access Profile outside the template. If you are unsure, select Create a new Access Profile.

        • Select the Access profile you created from the list
          If you have previously created an Access profile for your Exchange implementation, select the existing profile you created from the list. Continue with the next section.

        • Create a new Access profile
          Select this option if you have not created a custom Access profile, and want the system to create one.

          1. Would you like to create a new AAA server, or use an existing AAA server?
             Choose whether you want the system to create a new BIG-IP APM AAA Server object, or if you have already created a custom AAA Server outside the template. The AAA server contains information about your Active Directory implementation. If you are unsure, select Create a new AAA Server.

             • Select the AAA Server you created from the list
               If you have previously created an AAA Server for your Exchange implementation, select the existing object you created from the list. Because additional information about the AAA Server is used elsewhere in this template, only AAA Servers configured to use a pool of Domain Controllers appear in the list.

               1. What is the FQDN of your Active Directory domain for your Exchange users?
                  Specify the FQDN of the Active Directory deployment for your Exchange users. This is the FQDN for your entire domain, such as example.com, rather than the FQDN for any specific host. Continue with the What text should appear in the user access logon prompt question on the following page.

             • Create a new AAA Server
               Select this option if you have not created a custom AAA Server, and want the system to create one.

               1. What is the FQDN of your Active Directory domain for your Exchange users?
                  Specify the FQDN of the Active Directory deployment for your Exchange users. This is the FQDN for your entire domain, such as example.com, rather than the FQDN for any specific host.

               2. Which Active Directory servers in your domain can this BIG-IP system contact?
                  Specify both the FQDN and IP address of each Active Directory server you want the BIG-IP APM to use for servicing authentication requests. Click Add to include additional servers.

               3. Does your Active Directory domain allow anonymous binding?
                  Select whether anonymous binding is allowed in your Active Directory environment.

                  • Yes, anonymous binding is allowed
                    Select this option if anonymous binding is allowed. No further information is required. For details, on allowing anonymous binding, see https://technet.microsoft.com/en-us/library/cc816788(v=ws.10).aspx.

                  • No, credentials are required for binding
                    If credentials are required for binding, you must specify an Active Directory user name and password for use in the AAA Server.

                    1. Which Active Directory user with administrative permissions do you want to use?
                       Type a user name with administrative permissions.

                    2. What is the password associated with that account?
                       Type the associated password.

               4. How do you want to handle health monitoring for this pool?
                  Specify whether you want the template to create a new LDAP monitor or a new ICMP monitor, or if you select an existing monitor. For more accurate monitoring, we recommend using an LDAP monitor.

                  • Select an existing monitor for the Active Directory pool
                    Select this option if you have already created a health monitor (only monitors with a Type of LDAP or External can be used) for the Active Directory pool that will be created by the template. If you want to create a health monitor, but have not already done so, you must exit the template and create the object before it becomes available from the list. The iApp allows you to select monitors that are a part of another iApp Application Service. If you select a monitor that is a part of another Application Service, be aware that any changes you make to the monitor in the other Application Service will apply to this Application Service as well.

                    1. Which monitor do you want to use?
                       From the list, select the LDAP or External monitor you created to perform health checks for the Active Directory pool created by the template. Only monitors that have a Type value of LDAP or External appear in this list. Continue with the "What text should appear in the user access logon prompt" question on this page.

                  • Use a simple ICMP monitor for the Active Directory pool
                    Select this option if you only want a simple ICMP monitor for the Active Directory pool. This monitor sends a ping to the servers and marks the server UP if the ping is successful. Continue with the "What text should appear in the user access logon prompt" question on this page.

                  • Create a new LDAP monitor for the Active Directory pool
                    Select this option if you want the template to create a new LDAP monitor for the Active Directory pool. You must answer the following questions:

                    1. What is the Common Name of a user account that can search Active Directory?
                       Specify the Common Name of an Active Directory user name for the monitor to use when attempting to log on as a part of the health check. This should be a user account created specifically for this health monitor, and must be set to never expire. ADSI editor, an administration tool for Active Directory LDAP administration, is useful for determining the correct Common Name (cn). You can also use the Get-ADUser command in PowerShell to display the properties of the user account. Do not include cn= in this field.

                    2. What is the associated password?
                       Specify the password associated with the Active Directory user name.

                    3. What is the LDAP tree for this user account?
                       Specify the LDAP tree for the user account. As noted in the inline help, ADSI editor, an tool for Active Directory LDAP administration, is useful for determining the correct LDAP tree value. For example, if the user name is ‘user1’ which is in the organizational unit ‘Exchange Users’ and is in the domain ‘exchange.example.com’, the LDAP tree would be: ou=Exchange Users, dc=Exchange, dc=example, dc=com.

                    4. Does your Active Directory domain require a secure protocol for communication?
                       Specify whether your Active Directory implementation requires SSL or TLS for communication, or does not require a secure protocol. This determines the port the health monitor uses.

                       • No, a secure protocol is not required
                         Select this option if your Active Directory domain does not require a secure protocol.

                       • Yes, SSL communication is required
                         Select this option if your Active Directory domain requires SSL communication. The health check uses port 636 as the Alias Service Port.

                       • Yes, TLS communication is required
                         Select this option if your Active Directory domain requires TLS communication. The health check uses port 389 as the Alias Service Port.

                        

                    5. How many seconds between Active Directory health checks?
                       Specify how many seconds the system should use as the health check Interval for the Active Directory servers. We recommend the default of 10 seconds.

          2. What text should appear in the user access logon prompt?
             Type the text you want users to see above the user name and password prompts when logging on to the BIG-IP APM. By default, this includes the HTML tag to insert a line break between 'Secure Logon' and 'for F5 Networks'. Warning If the text you want to appear includes the characters &, ", or ', you must use proper encoding: & for &, "e; for ", and ' for '.

          3. Would you like to bypass APM for hybrid services?
             Choose whether you want to bypass BIG-IP APM for hybrid services. Select Yes if your Exchange environment is federated with Exchange Online, and you have deployed BIG-IP APM in front of your on-premise Exchange servers. This will prevent failures in federated requests for Autodiscover and free/busy information, as well as remote moves and migrations between your Exchange organization and Exchange Online.
             • No, do not bypass APM for Hybrid services
               Select this option if you do not need to bypass APM for hybrid services. Continue with the next question.
             • Yes, bypass APM for Hybrid services
               Select this option to bypass APM for hybrid services. This prevents federated requests for Autodiscover and free/busy information, and remote moves and migrations between Exchange and Exchange online from failing.

          4. Which APM logging profile do you want to use?
             This question only appears if you are using BIG-IP version 12.0 or later
             BIG-IP version 12.0 allows you to attach a logging profile to your BIG-IP APM configuration. If you created an APM logging profile for this configuration, you can select it from the list. The default profile is named default-log-setting. For more information on APM logging, see the APM documentation for v12.0 and later.

Application Firewall Manager (BIG-IP AFM)

This entire section only appears if you have licensed and provisioned BIG-IP AFM

This section gathers information about BIG-IP Advanced Firewall Manager, if you want to use it to protect the Exchange deployment. For more information on BIG-IP AFM, see http://support.f5.com/kb/en-us/products/big-ip-afm.html, and then select your version.

1. Do you want to use AFM network firewall and IP Intelligence to protect your application?
   Choose whether you want to use BIG-IP AFM, F5's network firewall with IP intelligence, to secure this Exchange deployment. If you choose to use BIG-IP AFM, you can restrict access to the Exchange virtual server(s) to a specific network or IP address. See the BIG-IP AFM documentation for specific details on configuring AFM.

   • No, do not use network firewall and IP Intelligence
     Select this option if you do not want to enable BIG-IP AFM at this time. You can always re-enter the template at a later date to enable BIG-IP AFM. Continue with the next section.

   • Select an existing AFM policy from the list
     If you already created a BIG-IP AFM policy for this implementation, select it from the list. Continue with c.
     

   • Yes, use network firewall and IP Intelligence
     Select this option if you want to enable BIG-IP AFM using F5's recommended configuration.

     1. Do you want to forbid access to your application from specific networks or IP addresses?
        Choose whether you want to restrict access to the Exchange implementation via the BIG-IP virtual server.

        • No, do not forbid client addresses (allow all) By default, the iApp configures the AFM to accept traffic destined for the Exchange virtual server(s) from all sources. If you do not have a need to restrict access to the virtual server, leave this option selected and then continue with b.
          

        • Yes, forbid specific client addresses
          Select this option if you want to restrict access to the Exchange virtual server(s) by IP address or network address.

          1. What IP or network addresses should be allowed to access your application?
             Specify the IP address or network access that should be allowed access to the Exchange virtual server(s). You can specify a single IP address, a list of IP addresses separated by spaces (not commas or other punctuation), a range of IP addresses separated by a dash (for example 192.0.2.10-192.0.2.100), or a single network address, such as 192.0.2.200/24.

   • How should the system control connections from networks suspected of malicious activity?
     The BIG-IP AFM uses an IP intelligence database to categorize IP addresses coming into the system. Choose what you want the system to do for sources that are attempting to access the Exchange virtual server(s) with a low reputation score. For more information, see the BIG-IP AFM documentation. Important: You must have an active IP Intelligence license for this feature to function. See https://f5.com/products/modules/ip-intelligence-services for information.

     • Accept all connections and log nothing
       Select this option to allow all sources, without taking into consideration the reputation score or logging anything.

     • Reject connections from IP addresses with poor reputations
       Select this option to reject access to the Exchange virtual server(s) from any source with a low reputation score.

     • Accept all connections but log those from suspicious networks
       Select this option to allow access to the Exchange virtual server(s) from sources with a low reputation score, but add an entry for it in the logs. By default, IP Intelligence events are logged to Security > Event Logs > Network > IP Intelligence. We recommend creating a remote logging profile for IP Intelligence events.

   • Would you like to stage a policy for testing purposes?
     Choose whether you want to stage a firewall policy for testing purposes. A staged policy allows you to evaluate the effect a policy has on traffic by analyzing the system logs, without actually modifying traffic based on the firewall rules. You must already have a policy on the system in order to select it.

     • Do not apply a staging policy
       Select this option if you do not want to apply a logging profile at this time. You can always re-enter the template at a later date to add a logging profile. Continue with the next question.

     • Select an existing policy from the list
       If you have already created a firewall policy for this implementation, select it from the list. Only policies that already exist on the system appear in the list. To create a new policy, on the Main tab, click Security > Network Firewall > Policies. Specific instructions for creating a firewall policy is outside the scope of this iApp and deployment guide.

   • Which logging profile would you like to use?
     Choose whether you or not you want to use a logging profile for this AFM implementation. You can configure the BIG-IP system to log detailed information about BIG-IP system Network Firewall events and store those logs on the BIG-IP system or a remote logging server (supports servers like syslog and Splunk). If you want to use a logging profile, we recommend creating one outside this template. The list only contains profiles with Network Firewall enabled.

     • Do not use a logging profile
       Select this option if you do not want to use a logging profile at this time. You can always re-enter the template at a later date to add a logging profile. Continue with the next question.

     • Select an existing logging profile from the list
       If you have already created a logging profile for this implementation, select it from the list. You must create a profile before it is available in the list. To create a logging profile, on the Main tab, click Security > Event Logs > Logging Profiles. Specific instructions for creating a logging profile is outside the scope of this iApp and deployment guide. See the online help or the About Local Logging with the Network Firewall chapter of the BIG-IP Network Firewall: Policies and Implementations guide for more information.

Tell us about your deployment

In this section, the iApp gathers general information about your Mailbox Server deployment. Remember, you must import an SSL certificate and key that correspond to all fully-qualified DNS names that you are using for OWA, Outlook Anywhere, Autodiscover, ActiveSync, POP3, or IMAP4 traffic. Any certificate that you obtain with multiple names must be in SAN (Subject Alternative Name) or wildcard format, not SNI (Server Name Indication) format.

1. Will incoming traffic arrive at this BIG-IP system encrypted or unencrypted?
   This question does not appear if you chose to deploy APM in the previous section. If you selected to deploy APM, continue with the re-encrypt question (a) under Encrypted.
   Select whether any of the HTTP-based, POP3 and IMAP4 traffic will be encrypted or not when it arrives on this system. In nearly all cases for this deployment scenario, it will be encrypted (it would not be encrypted, for example, if you selected one of the other scenarios/roles for this iApp, and elected to offload SSL/TLS traffic at a separate BIG-IP APM). Note that the BIG-IP system does not offload the encryption used for RPC; the answer to this question should be based on the other client access protocols you intend to deploy.

   • Encrypted
     If you chose Encrypted in the previous question, additional questions appear.

     1. Do you want to re-encrypt this traffic to your Mailbox Servers?
        If want the BIG-IP system to offload SSL processing from the Mailbox servers, select Do not re-encrypt (SSL Offload) from the list. Offloading SSL on the BIG-IP system can extend Exchange Server server capacity.

        • Do not re-encrypt (SSL Offload)
          Select this option if you want to offload SSL processing onto the BIG-IP system. If you choose SSL Offload, you must have followed the instructions from Microsoft for configuring the Mailbox servers for offload.

          1. Which Client SSL profile do you want to use?
             The iApp can create a new Client SSL profile, or if you have created a Client SSL profile which contains the appropriate SSL certificate and key for your Exchange implementation, you can select it from the list.

             • Select the Client SSL profile you created from the list
               If you manually created a Client SSL profile, select it from the list, and then continue with #2.

             • Create a new Client SSL profile
               Select this option if you want the iApp to create a new Client SSL profile.

               1. Which SSL certificate do you want to use?
                  Select the SSL certificate you imported onto the BIG-IP system for decrypting client connections. If you have not yet imported a certificate, you can leave the default selections and reconfigure this iApp after obtaining the certificates. The deployment will not function correctly until you have selected the correct certificates here. Note: Any certificate that you obtain with multiple names must be in SAN (Subject Alternative Name) format, not SNI (Server Name Indication) format. For more information on SAN certificates, see Subject Alternative Name (SAN) SSL Certificates.

               2. Which SSL key do you want to use?
                  Select the associated key from the list.

        • Re-encrypt (SSL Bridging)
          Select this option if your implementation requires encrypted traffic to the Mailbox servers. The BIG-IP system unencrypts, then re-encrypts the traffic headed for the Mailbox servers.

          1. Which Client SSL profile do you want to use?
             The iApp can create a new Client SSL profile, or if you have created a Client SSL profile which contains the appropriate SSL certificate and key for your Exchange implementation, you can select it from the list.

             • Select the Client SSL profile you created from the list
               If you manually created a Client SSL profile, select it from the list, and then continue with #2. Note: Any certificate that you obtain with multiple names must be in SAN (Subject Alternative Name) format, not SNI (Server Name Indication) format. For more information on SAN certificates, see Subject Alternative Name (SAN) SSL Certificates.

             • Create a new Client SSL Profile
               Select this option if you want the iApp to create a new Client SSL profile.

               1. Which SSL certificate do you want to use?
                  Select the SSL certificate you imported onto the BIG-IP system for decrypting client connections. If you have not yet imported a certificate, you can leave the default selections and reconfigure this iApp after obtaining the certificates. The deployment will not function correctly until you have selected the correct certificates here.

               2. Which SSL key do you want to use?
                  Select the associated key from the list.

          2. Which Server SSL profile do you want to use?
             Select whether you want the iApp to create an F5 recommended Server SSL profile, or if you want to choose a Server SSL profile you already created. Important: If you are configuring SSL Bridging and using BIG-IP version 11.4.x, you must see When using SSL Bridging and BIG-IP version 11.4.x, pool members may be marked down or you may experience connection resets and TLS errors logged to the Mailbox servers.

             • Select the Server SSL profile you created from the list If you have previously created a Server SSL profile for your Exchange implementation, from the list, select the existing Server SSL profile you created.

             • Create a new Server SSL profile
               Select this option if you want the iApp to create a new Server SSL profile. The F5 recommended Server SSL profile uses the serversslparent profile. For information about the ciphers used in the Server SSL profile, see http://support.f5.com/kb/en-us/solutions/public/8000/800/sol8802.html. Continue with #2 on the next page.

   • Unencrypted
     Select this option if Mailbox traffic is arriving at this BIG-IP system unencrypted (typically because you configured to offload SSL/TLS traffic at the BIG-IP APM that is sending traffic to this device).

     1. Do you want to encrypt the traffic to your Mailbox Servers?
        If you want the BIG-IP system to offload SSL processing from the Mailbox servers, select Do not encrypt (SSL Offload) from the list. Offloading SSL on the BIG-IP system can extend Exchange Server server capacity.

        • Do not encrypt (SSL Offload) 
          Select this option if you do not want the BIG-IP system to encrypt the traffic destined for the Mailbox servers. The BIG-IP system does not modify the traffic, and you can continue with the next question.

        • Encrypt (SSL Bridging)
          Select this option if your implementation requires encrypted traffic to the Mailbox servers. If you choose this option, the BIG-IP system encrypts the traffic headed for the Mailbox servers.

          1. Which Server SSL profile do you want to use?
             Select whether you want the iApp to create an F5 recommended Server SSL profile, or if you want to choose a Server SSL profile you already created. Important: If you are configuring SSL Bridging and using BIG-IP version 11.4.x, you must see When using SSL Bridging and BIG-IP version 11.4.x, pool members may be marked down or you may experience connection resets and TLS errors logged to the Mailbox servers.

             • Select the Server SSL profile you created from the list If you have previously created a Server SSL profile for your Exchange implementation, select the existing Server SSL profile you created from the list.

             • Create a new Server SSL profile
               Select this option if you want the iApp to create a new Server SSL profile. The default, F5 recommended Server SSL profile uses the serverssl parent profile. For information about the ciphers used in the Server SSL profile, see http://support.f5.com/kb/en-us/solutions/public/8000/800/sol8802.html.

2. Which intermediate certificate do you want to use?
   Choose whether or not you want to use an intermediate certificate (also called intermediate certificate chains or chain certificates) in this deployment. These certificates are used to help systems which depend on SSL certificates for peer identification. These certificates are intended to create a chain of trust between the CA that signed the certificate and the CA that is already trusted by the recipient of the certificate. This allows the recipient to verify the validity of the certificates presented, even when the signing CA is unknown. In order to use an intermediate certificate in this deployment, you must have manually imported it onto the BIG-IP system.

   • Do not use an intermediate certificate
     Select this option if you do not want to use an intermediate certificate in this deployment, or have not yet imported the certificate onto the system but want to exit the template to import it and then restart the template.

   • Select the intermediate certificate you imported from the list If you imported an intermediate certificate for this Exchange implementation, select the certificate you imported from the list.

3. How should the system optimize client-side TCP connections to the BIG-IP LTM?
   Select how the system should optimize client-side TCP connections. The iApp uses your selection to configure the proper TCP optimization settings on the TCP profile.

   • Optimize TCP connections for WAN clients
     Select this option if most Exchange server clients are coming into your Exchange environment over a Wide Area Network.

   • Optimize TCP connections for LAN clients
     Select this option if most Exchange server clients are coming into your Exchange environment over a Local Area Network.

4. Where will your BIG-IP virtual servers be in relation to your Mailbox Servers?
   Select whether your BIG-IP virtual servers are on the same subnet as your Mailbox servers, or on different subnets. This setting is used to determine the SNAT (secure NAT) and routing configuration.

   • Same subnet for BIG-IP virtual servers
     Select this option if the BIG-IP virtual servers and the Mailbox servers are on the same subnet. In this case SNAT is configured on the BIG-IP virtual server and you must specify the number of concurrent connections.

     1. What is the maximum number of concurrent users you expect per Mailbox Server?
        Select whether you expect more or fewer than 6,000 concurrent users to each Mailbox server. This answer is used to determine what type of SNAT (secure network address translation) that system uses. A SNAT is an object that maps the source client IP address in a request to a translation address defined on the BIG-IP device. Note: For specific information on SNAT Pools, including why we chose 6,000 concurrent users per server, see Maximum number of concurrent users: SNAT Pool guidance.

        • Fewer than 6000
          Select this option if you expect fewer than 6,000 concurrent users per Mailbox server. With this option, the system applies SNAT Auto Map, which doesn’t require any additional IP addresses, as the system uses an existing self IP address for translation.

        • More than 6000
          Select this option if you expect more than 6,000 users at one time to each server. With this option, the iApp creates a SNAT Pool (or you can choose one you created), for which you need one IP address for each 6,000 users you expect.

          1. Create a new SNAT pool or use an existing one?
             Select whether you want the system to create a new SNAT Pool, or if you have already created a SNAT pool for this implementation.

             • Select the SNAT pool you created from the list
               If you have previously created a SNAT Pool for your Exchange implementation, select it from the list.

             • Create a new SNAT Pool
               If you have not created a custom SNAT pool, select this option for the iApp to create a new one.

               1. Which IP addresses do you want to use for the SNAT Pool?
                  Specify one otherwise unused IP address for every 6,000 concurrent connections, or fraction thereof. Click Add for more rows. Important: : If you choose more than 6,000 users, but do not specify enough SNAT pool addresses, after the maximum connection limit of 6,000 concurrent users per server is reached, new requests fail.

   • Different subnet for BIG-IP virtual servers and Mailbox Servers
     If the BIG-IP virtual servers and Web Interface servers are on different subnets, the following question appears asking how routing is configured.

     1. How have you configured routing on your Mailbox Servers?
        Select whether the Mailbox servers use this BIG-IP system’s Self IP address as their default gateway.

        • Mailbox Servers do NOT use BIG-IP as their default gateway
          Select this option if the Mailbox servers do not use the BIG-IP system as their default gateway. If the servers do not usethe BIG-IP as their default gateway, SNAT is configured on the BIG-IP virtual server and you must select the expected number of concurrent users in the next question.

          1. What is the maximum number of concurrent users you expect per Mailbox Server?
             Select whether you expect more or fewer than 6,000 concurrent users to each Mailbox server. This answer is used to determine what type of SNAT (secure network address translation) that system uses. A SNAT is an object that maps the source client IP address in a request to a translation address defined on the BIG-IP device. Note: For specific information on SNAT Pools, including why we chose 6,000 concurrent users per server, see Maximum number of concurrent users: SNAT Pool guidance.

             • Fewer than 6000
               Select this option if you expect fewer than 6,000 concurrent users per Mailbox server. With this option, the system applies SNAT Auto Map, which doesn’t require any additional IP addresses, as the system uses an existing self IP address for translation.

             • More than 6000
               Select this option if you expect more than 6,000 users at one time to each server. With this option, the iApp creates a SNAT Pool (or you can choose one you created), for which you need one IP address for each 6,000 users you expect.

               1. Create a new SNAT pool or use an existing one?
                  Select whether you want the system to create a new SNAT Pool, or if you have already created a SNAT pool for this implementation.

                  • Select the SNAT pool you created from the list
                    If you have previously created a SNAT Pool for your Exchange implementation, select it from the list.

                  • Create a new SNAT Pool
                    If you have not created a custom SNAT pool, select this option for the iApp to create a new one.

                    1. Which IP addresses do you want to use for the SNAT Pool?Specify one otherwise unused IP address for every 6,000 concurrent connections, or fraction thereof. Click Add for more rows. Important: If you choose more than 6,000 users, but do not specify enough SNAT pool addresses, after the maximum connection limit of 6,000 concurrent users per server is reached, new requests fail.

        • Mailbox Servers use the BIG-IP as their default gateway
          Select this option if the Mailbox servers use the BIG-IP system as their default gateway. In this scenario, no additional configuration is necessary to ensure correct server response handling.

5. Do you want to use a single IP address for all Mailbox Server connections?
   Select whether you want to use a single IP address for all Mailbox server connections, or separate IP addresses for the different services. If you chose a single IP address, the iApp creates a single virtual server for all of the Mailbox services. If you choose different addresses, the BIG-IP creates individual virtual servers for each service. There are advantages to each method:

   • Single IP address 
     With a single IP address, you can combine multiple functions on the same virtual server; for instance, you may wish to have a single fully-qualified domain name (FQDN) and associated SSL certificate for all HTTP-based Mailbox methods. You only need to provision a single IP address for the virtual server. If you want the services to have unique DNS names despite sharing an IP address, you need to obtain an SSL certificate that supports Subject Alternative Names or a wildcard certificate. For detailed information on SAN certificates, see Subject Alternative Name (SAN) SSL Certificates.

   • Different IP addresses for different services
     By maintaining a separate virtual server for each component, you can manage each service independently from one another. For instance, you may wish to have different pool membership, load balancing methods, or custom monitors for Outlook Web App and Outlook Anywhere. If each of those services are associated with a different virtual server, granular management becomes easier. You need to provision an available IP address for each virtual server, and obtain a valid SSL certificate with a unique subject name for each service.

6. How are you distributing the client access service protocols between servers?
   Select whether all your Mailbox services are handled by the same servers, or if each service is handled by a unique set of servers. This iApp creates separate pools and monitors for each service regardless of this setting. However, if you use the same set of servers for all services, you only have to specify the server IP addresses once.

   • All services will be handled by the same set of Mailbox Servers Choose this option if you are using the same servers for all of your Exchange client access services.

   • Each service will be handled by a unique set of Mailbox Servers
     Choose this option if you are using different sets of Mailbox servers for each client access service.

Tell us about which services you are deploying

In this section, the iApp gathers information about which client access services you are deploying. Some questions only appear depending on your answers to previous questions. These contingencies are noted at the beginning of the question description.

1. Do you want to customize the server pool settings?
   Select whether you want to customize the BIG-IP load balancing pools for Mailbox services, or use the F5 recommended settings.

   • Use settings recommended by F5
     If you don't have a specific reason to customize the pool settings, leave this question set to this setting and continue with #2.

   • Customize pool settings
     If you need to modify individual pool options, select Customize pool settings and answer the following options that appear:

     1. Which load balancing method do you want to use?
        Select the load balancing method you want to use. We recommend the default, Least Connections (member). See the BIG-IP documentation for a description of each method. If you chose a node-based load balancing method, such as Ratio (Node), and use a Ratio or Connection Limit (both optional), you must see Adding Ratio or Connection Limit information to the nodes if using a node-based load balancing methodafter completing the template.

     2. Do you want to give priority to specific groups of servers?
        Select whether you want to enable Priority Group Activation to send traffic first to groups of servers you specify. The BIG-IP system load balances traffic according to the priority number you assign to each server.

        • Do not use Priority Group Activation
          Select this option if you do not want to enable Priority Group Activation.

        • Use Priority Group Activation
          Select this option if you want to enable Priority Group Activation. You will need to add a priority number in the Priority box to each server . A higher number indicates higher priority. Traffic is only sent to the servers with the highest priority, unless the number of available servers in that priority group falls below the value you specify as the minimum in the following question. The BIG-IP system then sends traffic to the group of servers with the next highest priority, and so on. See the BIG-IP documentation for more details.

          1. What is the minimum number of active members in a group?
             Specify the minimum number of servers that must be active to continue sending traffic to the priority group. If the number of active servers falls below this minimum, traffic will be sent to the group of servers with the next highest priority group number.

     3. Do you want the BIG-IP system to queue TCP requests?
        Select whether you want the BIG-IP system to queue TCP requests. TCP request queuing provides the ability to queue connection requests that exceed the capacity of connections for a pool, as determined by the connection limit. Consequently, instead of dropping connection requests that exceed the capacity of a pool, TCP request queuing enables those connection requests to reside within a queue according to defined conditions until capacity becomes available. For more information on TCP Request Queuing, see the Preventing TCP Connection Requests From Being Dropped chapter in the BIG-IP Local Traffic Manager: Implementations
        guide, available on AskF5. Important: TCP Request Queuing is an advanced feature and should be used only if you understand how it will affect your deployment, including application behavior and BIG-IP performance. If you enable TCP Request Queuing, you must have a Connection Limit set on at least one of the nodes when configuring the Address/Port for the Mailbox Server nodes.

        • Do not queue TCP requests
          Select this option if you do not want the BIG-IP system to queue TCP requests.

        • Queue TCP requests
          Select this option if you want to enable TCP request queuing on the BIG-IP system.

          1. What is the maximum number of TCP requests for the queue?
             Type the maximum number of requests you want to queue. We do not
             recommend using 0, which means unlimited and is only constrained by available memory.

          2. How many milliseconds should requests remain in the queue?
             Type a number of milliseconds for the TCP request timeout value.

2. What IP address do you want to use for your virtual servers?
   This question appears only if you selected Single IP address for all connections in the previous section.
   Specify a valid IP address to use for the BIG-IP virtual server. This virtual server address is used for all client access services. The BIG-IP system intelligently directs traffic to the appropriate service using an iRule created by the template.

3. Do you want to add any iRules to this combined virtual server?
   If you chose to customize pool settings, you have the option of adding existing iRules to the virtual server. iRules allow an administrator to instruct the system to intercept, inspect, transform, direct and track inbound or outbound application traffic. For more information on iRules, see https://devcentral.f5.com/HotTopics/iRules/tabid/1082202/Default.aspx.
   Important: Improper use or misconfiguration of an iRule can result in unwanted application behavior and poor performance of your BIG-IP system. We recommended you verify the impact of an iRule prior to deployment in a production environment. If you want to add iRules, from the Options box, select the iRule(s) you want to include, and then click the Add (<<) button.

4. Are you deploying Outlook Web App (includes ECP)?
   Select whether you are deploying Outlook Web App at this time. This includes the Exchange Control Panel (ECP).

   • No
     Select this option if you are not deploying OWA at this time. You can always reconfigure the template later to add OWA.

   • Yes
     Select this option if you are deploying OWA at this time.

     1. Which type of authentication do Outlook Web App clients use?
        This question only appears if you selected to use BIG-IP APM and for the iApp to create a new Access profile
        Choose whether your outlook Web App clients are using Forms-based authentication or Smart Card authentication. You must be using BIG-IP APM version 11.3 or later for Smart Card authentication support for OWA.

        • Outlook Web App clients use Forms-based authentication
          Select this option if your Outlook Web App clients are using Forms-based authentication.

          1. Which type of authentication have you configured on the Outlook Web App virtual directory?
             Select whether you have configured Outlook Web App to use Windows authentication or Forms-based authentication. Note that this selection is only for OWA, and not for Outlook clients. If you choose Windows authentication, the question asking about showing the OWA logon options do not appear. Showing the OWA logon options is only supported when doing server-side Forms authentication.

             • Outlook Web App is configured for Forms-based authentication
               Select this option if your OWA implementation uses forms-based authentication. You must answer the following question.

               1. Would you like to display the OWA computer type and light version options on the APM logon page?
                  Choose whether you want to display the computer type (public/shared vs private) and light version (Use the light version of Outlook Web App) options for OWA on the APM logon page.

                  • No, do not display the OWA logon options
                    Select this option if you do not want to display the OWA logon options on the APM logon page.

                  • Yes, display the OWA logon options Note that in Exchange 2016, you must enable the logon page options by running a specific PowerShell command in the Exchange Management Shell prior to logging into OWA. See Powershell command for enabling the OWA logon options Note: For the blind and low vision experience to function correctly when accessing OWA with Internet Explorer 11, the OWA site must be added to the Compatibility View websites list. Consult Microsoft documentation for more information.

             • Outlook Web App is configured for Windows authentication
               Select this option if your Outlook Web App implementation uses Windows authentication. You must answer the following question.

               1. What should the timeout be for inactive OWA sessions (in minutes)?
                  Type the number of minutes you want to pass before idle Outlook Web App sessions timeout. The default is 480 minutes (8 hours).

             • Outlook Web App clients use Smart Card authentication
               Select this option if your OWA clients use Smart Card authentication and you are using BIG-IP APM v11.3 or later.

               1. Which certificate from a CA trusted by this BIG-IP system for client-side processing of smart card authentication do you want to use?
                  This question does not appear if you are using an existing Client SSL profile and iApp v1.0.2rc1
                  Select the certificate you imported onto the BIG-IP system that is from a Certificate Authority and is trusted by the BIG-IP system for client-side processing of smart card authentication. This certificate must already be imported onto the system before you can select it.

               2. What should the timeout be for inactive OWA sessions (in minutes)?
                  Type the number of minutes you want to pass before idle Outlook Web App sessions timeout. The default is 480 minutes (8 hours).

     2. Should BIG-IP APM restrict EAC access to members of the Exchange Organization Management Security Group?
        This question only appears if you selected to provide secure authentication with BIG-IP APM.
        Select whether you want the BIG-IP APM to restrict Exchange Administration Center (EAC) access to members of Exchange 2016's Organizational Management group. The BIG-IP APM module queries Active Directory group membership for the user making the request to EAC. If the user is not a member of the Organization Management group, the BIG-IP APM policy denies access.

        • No, do not restrict EAC access by group membership
          Select this option and the BIG-IP APM will not restrict access to the EAC by group membership.

        • Yes, restrict EAC access by group membership
          Select this option if you want to restrict EAC access to the Organization Management group. This adds an additional layer of security to your Exchange deployment, as the system denies access to the EAC from anyone who is not a member of the Organization Management group.

     3. What IP address do you want to use for the OWA virtual server?
        This question only appears if you selected Different IP addresses for different services in the previous section.
        Specify the IP address the system will use for the Outlook Web App virtual server. Clients will use this IP address to access Outlook Web App.

     4. Do you want to add custom iRules to this virtual server?
        This question only appears if you selected Customize pool settings as well as Different IP addresses for different services in the previous section.
        If you chose to customize pool settings, you have the option of adding existing iRules to this OWA virtual server. iRules allow an administrator to instruct the system to intercept, inspect, transform, direct and track inbound or outbound application traffic. For more information on iRules, see https://devcentral.f5.com/HotTopics/iRules/tabid/1082202/Default.aspx.If you want to add iRules, from the Options box, select the iRule(s) you want to include, and then click the Add (<<) button. Improper use or misconfiguration of an iRule can result in unwanted application behavior and poor performance of your BIG-IP system. We recommended you verify the impact of an iRule prior to deployment in a production environment.

     5. What are the IP addresses of your OWA servers?
        This question only appears if you selected Each service will be handled by a unique set of Mailbox Servers in the previous section.
        Specify the IP addresses of your Outlook Web App servers. Click Add to include additional servers. If you chose to have the BIG-IP system queue TCP requests, you must specify a Connection Limit. If you chose to enable Priority Group Activation, you must specify a Priority.

5. Are you deploying Microsoft Outlook, including EWS and OAB?
   Select whether you are deploying Microsoft Outlook (including EWS and OAB) as a part of your Exchange 2016 deployment. If you are, you must answer the following question about the protocol Outlook uses to connect to Exchange.

   • No, not deploying Microsoft Outlook or EWS
     Select this option if you are not deploying Microsoft Outlook or EWS at this time. You can always reconfigure the template at another time to add Outlook or EWS to the configuration.

   • Yes, deploying EWS only 
     Select this option if you are only deploying Exchange Web Services at this time, and not Outlook Anywhere or Offline Address Book. In this case, the BIG-IP system sends any Offline Address Book traffic to the Exchange Web Services pool. If you are not using OWA/ECP or are using OWA but did not specify that OWA clients use Smart Card authentication, start with step f. If you are deploying for a single IP address for all connections and the same set of Client Access servers, there is no further information required, continue with step 6.

     1. What is the Kerberos Key Distribution Center IP or FQDN?
        Specify the IP address or fully qualified domain name of the Kerberos Key Distribution Center (KDC). If you type an FQDN, the BIG-IP system must be able to resolve the address. Otherwise, use the IP address.

     2. What is the name of the Kerberos Realm?
        Specify the name of the Kerberos Realm. While this name should be in all capital letters, the iApp automatically turns any lower case letters to capital.

     3. What is the user name for the Active Directory delegation account you created?
        Specify the user name for the Active Directory delegation account you created. This account must be correctly configured in Active Directory for Kerberos delegation. See Appendix E: Active Directory and Exchange Server configuration for NTLM details.

     4. What is the associated password?
        Specify the password associated with the account.

     5. How do you want to construct the Kerberos ticket request?
        Select whether you want to use DNS reverse lookups or the Outlook Anywhere Host header to construct the ticket request.

        • Use DNS reverse lookups
          Select this option to use DNS reverse lookups to build the Kerberos ticket request. Note that you must configure a reverse lookup zone containing a PTR record for each Client Access Server on a DNS server that is accessible from this BIG-IP system. Consult your DNS documentation for specific instructions.

        • Use the Outlook Anywhere host header
          Select this option to use the Outlook Anywhere Host header to construct the ticket request. To use the host header value, you must configure IIS Application Pools for Outlook Anywhere, Autodiscover, and Exchange Web Services to run using the previously created Active Directory user account for Kerberos delegation. See Appendix E: Active Directory and Exchange Server configuration for NTLM.

     6. What IP address do you want to use for the Exchange Web Services virtual server?
        This question only appears if you selected Different IP addresses for different services in the previous section.
        Specify the IP address the system will use for the Exchange Web Services virtual server.

     7. Do you want to add custom iRules to this virtual server?
        This question only appears if you selected Customize pool settings as well as Different IP addresses for different services in the previous section.
        If you chose to customize pool settings, you have the option of adding existing iRules to this Exchange Web Services virtual server. iRules allow an administrator to instruct the system to intercept, inspect, transform, direct and track inbound or outbound application traffic. For more information on iRules, see https://devcentral.f5.com/HotTopics/iRules/tabid/1082202/Default.aspx.If you want to add iRules, from the Options box, select the iRule(s) you want to include, and then click the Add (<<) button. Improper use or misconfiguration of an iRule can result in unwanted application behavior and poor performance of your BIG-IP system. We recommended you verify the impact of an iRule prior to deployment in a production environment.

     8. What are the IP addresses of your EWS servers?
        This question only appears if you selected Each service will be handled by a unique set of Mailbox Servers in the previous section.
        Specify the IP addresses of your Exchange Web Services servers. Click Add to include additional servers. If you chose to have the BIG-IP system queue TCP requests, you must specify a Connection Limit. If you chose to enable Priority Group Activation, you must specify a Priority. Continue with #6 Are you deploying ActiveSync?

   • Yes, deploying Microsoft Outlook with EWS and OAB
     Select this option if you are deploying Outlook Anywhere, EWS, and OAB at this time.

     1. Which protocol(s) will Microsoft Outlook use to connect to Exchange? Choose which protocols your Microsoft Outlook users are using to connect to the Exchange servers.

        • Outlook clients will use MAPI-over-HTTP
          Select this option if your Outlook clients will use MAPI-over-HTTP only to connect to Exchange.

          1. What IP address do you want to use for the MAPI virtual server?
             This question only appears if you selected Different IP addresses for different services in the previous section.
             Type the IP address you want the system to use for the virtual server for MAPI-over-HTTP.

          2. Do you want to add custom iRules to this virtual server?
             This question only appears if you selected Customize pool settings as well as Different IP addresses for different services in the previous section.
             If you chose to customize pool settings, you have the option of adding existing iRules to this MAPI virtual server. iRules allow an administrator to instruct the system to intercept, inspect, transform, direct and track inbound or outbound application traffic. For more information on iRules, see https://devcentral.f5.com/HotTopics/iRules/tabid/1082202/Default.aspx. If you want to add iRules, from the Options box, select the iRule(s) you want to include, and then click the Add (<<) button. Improper use or misconfiguration of an iRule can result in unwanted application behavior and poor performance of your BIG-IP system. We recommended you verify the impact of an iRule prior to deployment in a production environment.

          3. What are the IP addresses of your MAPI servers?
             This question only appears if you selected Each service will be handled by a unique set of Mailbox Servers
             Specify the IP addresses of your MAPI servers. Click Add to include additional servers. If you chose to have the BIG-IP system queue TCP requests, you must specify a Connection Limit. If you chose to enable Priority Group Activation, you must specify a Priority.

        • Outlook clients will use RPC-over-HTTP
          Select this option if your Outlook clients will use RPC over HTTP, and will not use MAPI over HTTP.

          1. What IP address do you want to use for the Outlook Anywhere virtual server?
             This question only appears if you selected Different IP addresses for different services in the previous section. Specify the IP address the system will use for the Outlook Anywhere virtual server.

        • Outlook clients will use both MAPI-over-HTTP and RPC-over-HTTP
          Select this option if your Outlook clients will use both the RPC-over-HTTP and MAPI-over-HTTP protocols.

          1. What IP address do you want to use for the MAPI virtual server?
             This question only appears if you selected Different IP addresses for different services Type the IP address you want the system to use for the virtual server for MAPI-over-HTTP.

          2. Do you want to add custom iRules to this virtual server?
             This question only appears if you selected Customize pool settings as well as Different IP addresses for different services If you chose to customize pool settings, you have the option of adding existing iRules to this MAPI virtual server. iRules allow an administrator to instruct the system to intercept, inspect, transform, direct and track inbound or outbound application traffic. For more information on iRules, see https://devcentral.f5.com/HotTopics/iRules/tabid/1082202/Default.aspx.If you want to add iRules, from the Options box, select the iRule(s) you want to include, and then click the Add (<<) button. Improper use or misconfiguration of an iRule can result in unwanted application behavior and poor performance of your BIG-IP system. We recommended you verify the impact of an iRule prior to deployment in a production environment.

          3. What are the IP addresses of your MAPI servers?
             This question only appears if you selected Each service will be handled by a unique set of Mailbox Servers
             Specify the IP addresses of your MAPI servers. Click Add to include additional servers. If you chose to have the BIG-IP system queue TCP requests, you must specify a Connection Limit. If you chose to enable Priority Group Activation, you must specify a Priority.

          4. What IP address do you want to use for the Outlook Anywhere virtual server?
             This question only appears if you selected Different IP addresses for different services in the previous section. Type the IP address you want the system to use for the virtual server for Outlook Anywhere.

          5. Do you want to add custom iRules to this virtual server?
             This question only appears if you selected Customize pool settings as well as Different IP addresses for different services If you chose to customize pool settings, you have the option of adding existing iRules to this Outlook Anywhere virtual server. iRules allow an administrator to instruct the system to intercept, inspect, transform, direct and track inbound or outbound application traffic. For more information on iRules, see https://devcentral.f5.com/HotTopics/iRules/tabid/1082202/Default.aspx.If you want to add iRules, from the Options box, select the iRule(s) you want to include, and then click the Add (<<) button. Improper use or misconfiguration of an iRule can result in unwanted application behavior and poor performance of your BIG-IP system. We recommended you verify the impact of an iRule prior to deployment in a production environment.

          6. What are the IP addresses of your Outlook Anywhere servers?
             This question only appears if you selected Each service will be handled by a unique set of Mailbox Servers
             Specify the IP addresses of your Outlook Anywhere servers. Click Add to include additional servers. If you chose to have the BIG-IP system queue TCP requests, you must specify a Connection Limit. If you chose to enable Priority Group Activation, you must specify a Priority.

     2. Which type of authentication do Outlook clients use?
        This question only appears if you chose to deploy BIG-IP APM version 11.3 or later AND if you chose to deploy Microsoft Outlook with EWS and OAB
        Choose whether your Outlook Anywhere clients use Basic or NTLM authentication. Beginning in BIG-IP version 11.3, the iApp supports using NTLM authentication for Outlook Anywhere.

        • Outlook Anywhere clients use Basic Authentication
          Select this option if your Outlook Anywhere clients use Basic Authentication. 
          NOTE: If you specified Outlook Web App clients use Smart Card authentication, you must answer the questions in steps b-f under Outlook clients use NTLM authentication below.

        • Outlook Anywhere clients use NTLM authentication
          Select this option if your Outlook Anywhere clients use NTLM information. You must answer the following questions about your Active Directory implementation. Also see Appendix E: Active Directory and Exchange Server configuration for NTLM for important information and modifications for NTLM. Important: Before completing this section, you must create a user account in the same domain that has been properly configured for Kerberos delegation. You must also create an NTLM Machine Account object on the BIG-IP system to join this system to the Active Directory domain. See Creating an NTLM Machine Account. Note that the Kerberos SSO method is the only SSO method that can be used when the authentication method of the access policy is NTLM.

          1. Which NTLM machine account should be used for Kerberos delegation?
             Select the NTLM Machine Account you created to join the BIG-IP system to the Active Directory domain. If you have not already created an NTLM Machine Account on the BIG-IP system, see Creating an NTLM Machine Account. You must either exit the template now and start over once you have created the NTLM Machine Account, or choose Outlook Anywhere Clients use Basic Authentication from the previous question, and then re-enter the template at a later time.

          2. What is the Kerberos Key Distribution Center IP or FQDN?
             Specify the IP address or fully qualified domain name of the Kerberos Key Distribution Center (KDC). If you type an FQDN, the BIG-IP system must be able to resolve the address. Otherwise, use the IP address.

          3. What is the name of the Kerberos Realm?
             Specify the name of the Kerberos Realm. While this name should be in all capital letters, the iApp automatically turns any lower case letters to capital.

          4. What is the user name for the Active Directory delegation account you created?
             Specify the user name for the Active Directory delegation account you created. This account must be correctly configured in Active Directory for Kerberos delegation. See Appendix E: Active Directory and Exchange Server configuration for NTLM details.

          5. What is the associated password?
             Specify the password associated with the account.

          6. How do you want to construct the Kerberos ticket request?
             Select whether you want to use DNS reverse lookups or the Outlook Anywhere Host header to construct the ticket request.

             • Use DNS reverse lookups
               Select this option to use DNS reverse lookups to build the Kerberos ticket request. Note that you must configure a reverse lookup zone containing a PTR record for each Mailbox Server on a DNS server that is accessible from this BIG-IP system. Consult your DNS documentation for specific instructions.

             • Use the Outlook Anywhere host header
               Select this option to use the Outlook Anywhere Host header to construct the ticket request. To use the host header value, you must configure IIS Application Pools for Outlook Anywhere, Autodiscover, and Exchange Web Services to run using the previously created Active Directory user account for Kerberos delegation. See Appendix E: Active Directory and Exchange Server configuration for NTLM.

     3. What IP address do you want to use for the Exchange Web Services virtual server?
        This question only appears if you selected Different IP addresses for different services in the previous section.
        Type the IP address you want the system to use for the virtual server for Outlook Anywhere.

     4. Do you want to add custom iRules to this virtual server?
        This question only appears if you selected Customize pool settings and Different IP addresses for different services If you chose to customize pool settings, you have the option of adding existing iRules to this EWS virtual server. iRules allow an administrator to instruct the system to intercept, inspect, transform, direct and track inbound or outbound application traffic. For more information on iRules, see https://devcentral.f5.com/HotTopics/iRules/tabid/1082202/Default.aspx.If you want to add iRules, from the Options box, select the iRule(s) you want to include, and then click the Add (<<) button. Improper use or misconfiguration of an iRule can result in unwanted application behavior and poor performance of your BIG-IP system. We recommended you verify the impact of an iRule prior to deployment in a production environment.

     5. What are the IP addresses of your EWS servers?
        This question only appears if you selected Each service will be handled by a unique set of Mailbox Servers
        Specify the IP addresses of your EWS servers. Click Add to include additional servers. If you chose to have the BIG-IP system queue TCP requests, you must specify a Connection Limit. If you chose to enable Priority Group Activation, you must specify a Priority.

6. Are you deploying ActiveSync?
   Select whether you are deploying ActiveSync at this time.

   • No
     Select this option if you are not deploying ActiveSync at this time. You can always reconfigure the template at another time to add ActiveSync to the configuration.

   • Yes
     Select this option if you are deploying ActiveSync at this time. See iPhones and other iOS devices are displaying invalid certificate messages after deploying the iApp for ActiveSync for important information.

     1. What IP address do you want to use for the ActiveSync virtual server?
        This question only appears if you selected Different IP addresses for different services in the previous section.
        Specify the IP address the system will use for the ActiveSync virtual server.

     2. Do you want to add custom iRules to this virtual server?
        This question only appears if you selected Customize pool settings and Different IP addresses for different services If you chose to customize pool settings, you have the option of adding existing iRules to this ActiveSync virtual server. iRules allow an administrator to instruct the system to intercept, inspect, transform, direct and track inbound or outbound application traffic. For information on iRules, see https://devcentral.f5.com/HotTopics/iRules/tabid/1082202/Default.aspx.If you want to add iRules, from the Options box, select the iRule(s) you want to include, and then click the Add (<<) button. Improper use or misconfiguration of an iRule can result in unwanted application behavior and poor performance of your BIG-IP system. We recommended you verify the impact of an iRule prior to deployment in a production environment.

     3. What are the IP addresses of your ActiveSync servers?
        This question only appears if you selected Each service will be handled by a unique set of Mailbox Servers
        Specify the IP addresses of your Outlook Anywhere servers. Click Add to include additional servers. If you chose to have the BIG-IP system queue TCP requests, you must specify a Connection Limit. If you chose to enable Priority Group Activation, you must specify a Priority.

7. Are you deploying Autodiscover?
   Select whether you are deploying Autodiscover at this time.

   • No
     Select this option if you are not deploying Autodiscover at this time. You can always reconfigure the template at another time to add Autodiscover to the configuration. Warning To deploy Autodiscover, you must either create an 'SRV' record in DNS or create 'A' records in order for external clients to be able to make use of Autodiscover. If you do not want to use an 'SRV' record, then you must have 'A' records for either 'autodiscover.' or '' that resolve to the IP address you have designated for your Autodiscover virtual server.

     1. What IP address do you want to use for the Autodiscover virtual server?
        This question only appears if you selected Different IP addresses for different services in the previous section.
        Specify the IP address the system will use for the Autodiscover virtual server.

     2. Do you want to add custom iRules to this virtual server?
        This question only appears if you selected Customize pool settings as well as Different IP addresses for different services in the previous section.
        If you chose to customize pool settings, you have the option of adding existing iRules to this Autodiscover virtual server. iRules allow an administrator to instruct the system to intercept, inspect, transform, direct and track inbound or outbound application traffic. For iRule information, see https://devcentral.f5.com/HotTopics/iRules/tabid/1082202/Default.aspx.If you want to add iRules, from the Options box, select the iRule(s) you want to include, and then click the Add (<<) button. Improper use or misconfiguration of an iRule can result in unwanted application behavior and poor performance of your BIG-IP system. We recommended you verify the impact of an iRule prior to deployment in a production environment.

     3. What are the IP addresses of your Autodiscover servers?
        This question only appears if you selected Each service will be handled by a unique set of Mailbox Servers in the previous section.
        Specify the IP addresses of your Autodiscover servers. Click Add to include additional servers. If you chose to have the BIG-IP system queue TCP requests, you must specify a Connection Limit. If you chose to enable Priority Group Activation, you must specify a Priority.

8. What version of NTLM authentication does your deployment require?
   This question appears depending on your other selections in the template
   Choose the version of NTLM your Microsoft Exchange deployment requires. Your selection determines the type of BIG-IP APM SSO Configuration object.

   • NTLMv1 authentication
     Select this option if your Exchange implementation is using NTLMv1.

   • NTLMv2 authentication
     Select this option if your Exchange implementation is using NTLMv2.

9. Are you deploying POP3?
   Select whether you are deploying POP3 at this time.

   • No
     Select this option if you are not deploying POP3 at this time. You can always reconfigure the template at another time to add POP3 to the configuration. ImportantYou must enable POP3 on each of your Exchange Mailbox Servers before that service will be available. POP3 is not enabled by default on Exchange Mailbox Servers. If you are offloading SSL, you must configure the Authentication properties for POP3 on each of your Exchange Mailbox Servers to allow logins using plain text. By default, POP3 is configured to only allow secure (encrypted) logins.

     1. What IP address do you want to use for the POP3 virtual server?
        This question only appears if you selected Different IP addresses for different services in the previous section.
        Specify the IP address the system will use for the POP3 virtual server.

     2. What are the IP addresses of your POP3 servers?
        This question only appears if you selected Each service will be handled by a unique set of Mailbox Servers in the previous section.
        Specify the IP addresses of your POP3 servers. Click Add to include additional servers. If you chose to have the BIG-IP system queue TCP requests, you must specify a Connection Limit. If you chose to enable Priority Group Activation, you must specify a Priority.

10. Are you deploying IMAP4?
    Select whether you are deploying IMAP4 at this time.

    • No
      Select this option if you are not deploying IMAP4 at this time. You can always reconfigure the template at another time to add IMAP4 to the configuration. Important: You must enable IMAP4 on each of your Exchange Mailbox Servers before that service will be available. IMAP4 is not enabled by default on Exchange Mailbox Servers. If you are offloading SSL, you must configure the Authentication properties for IMAP4 on each of your Exchange Mailbox Servers to allow logins using plain text. By default, IMAP4 is configured to only allow secure (encrypted) logins.

      1. What IP address do you want to use for the IMAP4 virtual server?
         This question only appears if you selected Different IP addresses for different services in the previous section.
         Specify the IP address the system will use for the IMAP4 virtual server.

      2. What are the IP addresses of your IMAP4 servers?
         This question only appears if you selected Each service will be handled by a unique set of Mailbox Servers
         Specify the IP addresses of your IMAP4 servers. Click Add to include additional servers. If you chose to have the BIG-IP system queue TCP requests, you must specify a Connection Limit. If you chose to enable Priority Group Activation, you must specify a Priority.

11. What are the IP Addresses of your Mailbox Servers?
    This question only appears if you selected All services will be handled by a unique set of Mailbox Servers If you chose that each client access service will be handled by the same Mailbox Servers, the iApp asks for the IP addresses of the Mailbox Servers. Type the IP addresses. Click the Add button to include additional servers. If you chose to have the BIG-IP system queue TCP requests, you must specify a Connection Limit. If you chose to enable Priority Group Activation, you must specify a Priority.

Server Health Monitors

The last section of the template asks for information about the health checks the iApp will configure for the Mailbox Servers.

1. Do you want to create external monitors for client access services?
   Choose whether you want to use external or standard health monitors to check the availability of the client access services on your Mailbox Servers. External monitors require a mailbox account and password and perform logins to POP3, IMAP4 services (if you are using them).

   • No, do not create external monitors (use standard monitors)
     Select this option if you want to use standard monitors for checking the availability of the client access services. Standard monitors check network connectivity but do not perform actual logins.

   • Yes, create external monitors If you choose external monitors, uses a script to look for the Windows service status of five critical client access services. If you are deploying the iApp for POP3 and/or IMAP4 services, the monitors attempt to login to the service and checks for valid content in the response. Because these monitors attempt to access a specific mailbox, account maintenance and Mailbox status must become a part of your monitoring strategy. For example, if an account used for monitoring is locked or deleted, the monitor will mark the services down for all users. We strongly recommend creating a mailbox account(s) specifically for use in the monitor(s). The accounts for those mailboxes should have no other privileges in the domain and should be configured with passwords that do not expire.

     1. What is the SNMP community string for your Client Access servers?
        Type the SNMP community string for your Client Access servers. Because Microsoft only supports SNMP v2 in their default SNMP service, you must use an SNMP v2 community string. If you require SNMP v3 support, and have configured that using a custom solution on your Exchange servers then you can manually modify the external monitor script created by the iApp. See Modifying the external monitor script file to support SNMP v3.

     2. Which mailbox account should be used for the monitors?
        This question only appears if you are deploying the iApp for POP3 and/or IMAP4
        Type a mailbox account for use in the external monitors. This name corresponds to the account name field in Active Directory (rather than the email address).

     3. What is the password for that mailbox account?
        This question only appears if you are deploying the iApp for POP3 and/or IMAP4
        Type the associated password.

     4. What is the domain name of the user account for the monitors?
        This question only appears if you are deploying the iApp for POP3 and/or IMAP4
        Type the Domain name for the user account. This domain can be entered in either FQDN (mydomain.example.com) or NetBIOS (MYDOMAIN) format.

     5. Do you want to monitor a second mailbox?
        Choose whether you want to monitor a second mailbox. We strongly recommend configuring a second mailbox account to be used by a second set of monitors, using a mailbox that is configured to reside on a different Mailbox server. The BIG-IP LTM will only mark a client access service on a specific server down if both sets of credentials fail. This provides resiliency to accommodate configuration errors with a single account, mailbox, or Mailbox server.

        • Monitor only one mailbox
          Select this option if you do not want the BIG-IP system to monitor a second mailbox. Continue with #3.

        • Monitor a second mailbox (recommended)
          Select this option if you want the BIG-IP system to monitor a second mailbox. You must answer the following:

          1. Which email address do you want to use for the second set of advanced monitors?
             This question only appears if you specified you are deploying Autodiscover and/or Exchange Web Services
             Type the email address associated with the account you are going to monitor (and that you specify below).

          2. Which mailbox account should be used for the second set of monitors?
             This question only appears if you are deploying the iApp for POP3 and/or IMAP4
             Type a mailbox account for use in the second monitors. Again, this name corresponds to the account name field in Active Directory (rather than the email address).

          3. What is the password for that mailbox account?
             This question only appears if you are deploying the iApp for POP3 and/or IMAP4
             Type the associated password.

          4. What is the domain name of the user account for the second set of monitors?
             This question only appears if you are deploying the iApp for POP3 and/or IMAP4
             Type the Domain name for the second user account. This domain can be entered in either FQDN (mydomain.example.com) or NetBIOS (MYDOMAIN) format.

2. Which authentication method have you configured for OWA?
   This question only appears if you specified you are deploying Outlook Web App.
   If you configured the iApp to deploy Outlook Web App at this time, choose the authentication method you have configured for Outlook Web App. The health monitors will be customized to accommodate the authentication method you are using. Important: If you are using APM in this scenario, you must choose Forms-Based. If you are using Forms-Based authentication for OWA, you must change the credential format required for OWA on each Exchange Mailbox Server from the default domain\username format to just username. If you are using NTLMv2, even if you select advanced health monitors in the iApp template, the EAV health checks (the checks that call an external script) will only be simple monitors.

   • OWA uses the default Forms-Based authentication
     Select this option if you are using Forms-based authentication. If you chose Forms-based authentication, the BIG-IP system does not perform an actual login to the service, but checks the availability of the forms-based authentication page.

   • OWA uses Basic or Windows Integrated authentication
     Select this option if you are using Basic/Windows Integrated authentication.

3. How many seconds should pass between health checks?
   This question does not appear if you chose not to create external monitors Specifies how often the system checks the health of the servers. We recommend the default of 30 seconds. The maximum value for the interval is 28,799 seconds.

4. Are you using the same FQDN for all HTTP-based services?
   This question only appears if you specified you are using a single IP address for all connections. If you selected Different IP addresses for different services, continue with #5.
   Select whether you are using one FQDN for all HTTP-based services or separate FQDNs for each service. These values are used for HTTP 1.1-based health monitors.

   • One FQDN for all HTTP services
     Select this option if you are using a single FQDN for all HTTP-based client access services.

     1. What is the FQDN that you use for your HTTP-based client access services?
        Specify the fully qualified domain name you are using for all of the HTTP-based client access services.

        • Different FQDNs for each HTTP service
          Select this option if you are using separate FQDNs for each HTTP-based client access service. Additional questions appear. When you are finished adding the FQDNs, continue with Additional Steps.

          1. What FQDN do you use for the OWA service?
             This question only appears if you specified you are deploying Outlook Web App.
             Specify the fully qualified domain name you use for your Outlook Web App service.

          2. What FQDN do you use for the Outlook Anywhere service?
             This question only appears if you specified you are deploying Outlook Anywhere.
             Specify the fully qualified domain name you use for your Outlook Anywhere service.

          3. What FQDN do you use for the ActiveSync service?
             This question only appears if you specified you are deploying ActiveSync.
             Specify the fully qualified domain name you use for your ActiveSync service.

          4. What FQDN do you use for the Autodiscover service?
             This question only appears if you specified you are deploying Autodiscover.
             Specify the fully qualified domain name you use for your Autodiscover service.

5. What is the FQDN for your OWA service?
   This question only appears if you specified you are using different IP addresses for different services and you are deploying OWA
   Specify the fully qualified domain name you use for your Outlook Web App service.

6. What is the FQDN for your MAPI service?
   This question only appears if you specified you are using different IP addresses for different services and you are deploying MAPI-over HTTP
   Specify the fully qualified domain name you use for your MAPI service.

7. What is the FQDN for your Outlook Anywhere service?
   This question only appears if you specified you are using different IP addresses for different services and you are deploying Outlook Anywhere
   Specify the fully qualified domain name you use for your Outlook Anywhere service.

8. What is the FQDN for your ActiveSync service?
   This question only appears if you specified you are using different IP addresses for different services and are deploying ActiveSync
   Specify the fully qualified domain name you use for your ActiveSync service.

9. What is the FQDN for your Autodiscover service?
   This question only appears if you specified you are using different IP addresses for different services and you are deploying Autodiscover
   Specify the fully qualified domain name you use for your Autodiscover service.

Additional Steps

Review the information in the Additional steps section, and take appropriate action if necessary. All of the notes in Additional Steps are found in the relevant section of this deployment guide.

Finished

Review your answers to the questions. When you are satisfied, click the Finished button. The BIG-IP system creates the relevant objects. Continue with Next steps.

Configuring the local LTM to receive HTTP-based traffic forwarded by a remote APM

If you chose the second scenario, Local LTM receives HTTP-based traffic forwarded by remote BIG-IP APM, use this section for guidance on configuring the iApp. This selection configures BIG-IP LTM with a single virtual server that receives Exchange HTTP-based traffic that has been forwarded by a separate BIG-IP APM. The BIG-IP system can also accommodate non-HTTP traffic that is not handled by BIG-IP APM such as POP3 and IMAP4.

While this virtual server can be used for direct traffic (for example, internal clients that do not use the BIG-IP APM), we do not recommend using this virtual server in that way. For direct traffic, we strongly recommend creating a second instance of the iApp on this BIG-IP LTM for the direct traffic/internal users. You must use a unique virtual server IP address, all of the other settings can be identical. Once both iApps have been created, you would configure Split DNS (use the same domain name, but different zones and IP addresses for internal and external clients). For more information about Split DNS, refer to your DNS documentation.

Analytics

This section of the template asks questions about Analytics. The Application Visibility Reporting (AVR) module allows you to view statistics specific to your Microsoft Exchange implementation. AVR is available on all BIG-IP systems v11 and later, however you must have the AVR provisioned for this option to appear. Note that this is only for application visibility reporting, you can view object-level statistics from the BIG-IP without provisioning AVR.

Important: Enabling Analytics may adversely affect overall system performance. If you choose to enable Analytics, we recommend gathering statistics for a set time period, such as one week, and then re-entering this template and disabling Analytics while you process the data.

If you plan on using AVR for analytics, we recommend creating a custom Analytics profile. To create a new profile, from the Main tab, select Profiles and then click Analytics. Click New and then configure the profile as applicable for your configuration. See the online help or product documentation for specific instructions. To select the new profile, you need to restart or reconfigure the iApp.

1. Do you want to enable Analytics for application statistics?
   Choose whether you want to enable AVR for Analytics.

   • No, do not enable Analytics If you do not want to enable Analytics, leave this list set to No, and continue with the next section.

   • Yes, enable Analytics using AVR If you choose to enable Analytics, select Yes from the list, and then answer the following questions.

     1. Use the default Analytics profile or select a custom profile?
        If you decide to use AVR, you must decide whether to use the default Analytics profile, or create a new one. As mentioned previously, we recommend creating a new profile to get the most flexibility and functionality out of AVR. If you have already started the iApp template configuration and then decide to create a new Analytics profile, you must exit the iApp, create the profile, and then restart the iApp template.

        • Select a custom Analytics profile
          Select this option if you have already created a custom Analytics profile for Exchange Server.

          1. Which Analytics profile do you want to use?
             From the list, select the appropriate Analytics profile.

        • Use default profile
          Select this option if you have not yet created a custom Analytics profile for Microsoft Exchange. We do not recommend using the default profile.

Application Firewall Manager (BIG-IP AFM)

This entire section only appears if you have licensed and provisioned BIG-IP AFM

This section gathers information about BIG-IP Advanced Firewall Manager, if you want to use it to protect the Exchange deployment. For more information on BIG-IP AFM, see http://support.f5.com/kb/en-us/products/big-ip-afm.html, and then select your version.

1. Do you want to use AFM network firewall and IP Intelligence to protect your application?
   Choose whether you want to use BIG-IP AFM, F5's network firewall with IP intelligence, to secure this Exchange deployment. If you choose to use BIG-IP AFM, you can restrict access to the Exchange virtual server(s) to a specific network or IP address. See the BIG-IP AFM documentation for specific details on configuring AFM.

   • No, do not use network firewall and IP Intelligence
     Select this option if you do not want to enable BIG-IP AFM at this time. You can always re-enter the template at a later date to enable BIG-IP AFM. Continue with the next section.

   • Select an existing AFM policy from the list
     If you already created a BIG-IP AFM policy for this implementation, select it from the list. Continue with c.
     

   • Yes, use network firewall and IP Intelligence
     Select this option if you want to enable BIG-IP AFM using F5's recommended configuration.

     1. Do you want to forbid access to your application from specific networks or IP addresses?
        Choose whether you want to restrict access to the Exchange implementation via the BIG-IP virtual server.

        • No, do not forbid client addresses (allow all) By default, the iApp configures the AFM to accept traffic destined for the Exchange virtual server(s) from all sources. If you do not have a need to restrict access to the virtual server, leave this option selected and then continue with b.
          

        • Yes, forbid specific client addresses
          Select this option if you want to restrict access to the Exchange virtual server(s) by IP address or network address.

          1. What IP or network addresses should be allowed to access your application?
             Specify the IP address or network access that should be allowed access to the Exchange virtual server(s). You can specify a single IP address, a list of IP addresses separated by spaces (not commas or other punctuation), a range of IP addresses separated by a dash (for example 192.0.2.10-192.0.2.100), or a single network address, such as 192.0.2.200/24.

   • How should the system control connections from networks suspected of malicious activity?
     The BIG-IP AFM uses an IP intelligence database to categorize IP addresses coming into the system. Choose what you want the system to do for sources that are attempting to access the Exchange virtual server(s) with a low reputation score. For more information, see the BIG-IP AFM documentation. Important: You must have an active IP Intelligence license for this feature to function. See https://f5.com/products/modules/ip-intelligence-services for information.

     • Accept all connections and log nothing
       Select this option to allow all sources, without taking into consideration the reputation score or logging anything.

     • Reject connections from IP addresses with poor reputations
       Select this option to reject access to the Exchange virtual server(s) from any source with a low reputation score.

     • Accept all connections but log those from suspicious networks
       Select this option to allow access to the Exchange virtual server(s) from sources with a low reputation score, but add an entry for it in the logs. By default, IP Intelligence events are logged to Security > Event Logs > Network > IP Intelligence. We recommend creating a remote logging profile for IP Intelligence events.

   • Would you like to stage a policy for testing purposes?
     Choose whether you want to stage a firewall policy for testing purposes. A staged policy allows you to evaluate the effect a policy has on traffic by analyzing the system logs, without actually modifying traffic based on the firewall rules. You must already have a policy on the system in order to select it.

     • Do not apply a staging policy
       Select this option if you do not want to apply a logging profile at this time. You can always re-enter the template at a later date to add a logging profile. Continue with the next question.

     • Select an existing policy from the list
       If you have already created a firewall policy for this implementation, select it from the list. Only policies that already exist on the system appear in the list. To create a new policy, on the Main tab, click Security > Network Firewall > Policies. Specific instructions for creating a firewall policy is outside the scope of this iApp and deployment guide.

   • Which logging profile would you like to use?
     Choose whether you or not you want to use a logging profile for this AFM implementation. You can configure the BIG-IP system to log detailed information about BIG-IP system Network Firewall events and store those logs on the BIG-IP system or a remote logging server (supports servers like syslog and Splunk). If you want to use a logging profile, we recommend creating one outside this template. The list only contains profiles with Network Firewall enabled.

     • Do not use a logging profile
       Select this option if you do not want to use a logging profile at this time. You can always re-enter the template at a later date to add a logging profile. Continue with the next question.

     • Select an existing logging profile from the list
       If you have already created a logging profile for this implementation, select it from the list. You must create a profile before it is available in the list. To create a logging profile, on the Main tab, click Security > Event Logs > Logging Profiles. Specific instructions for creating a logging profile is outside the scope of this iApp and deployment guide. See the online help or the About Local Logging with the Network Firewall chapter of the BIG-IP Network Firewall: Policies and Implementations guide for more information.

Tell us about your deployment

In this section, the iApp gathers general information about your Mailbox Server deployment. Remember, you must import an SSL certificate and key that correspond to all fully-qualified DNS names that you are using for OWA, Outlook Anywhere, Autodiscover, ActiveSync, POP3, or IMAP4 traffic. Any certificate that you obtain with multiple names must be in SAN (Subject Alternative Name) or wildcard format, not SNI (Server Name Indication) format.

1. Will incoming traffic arrive at this BIG-IP system encrypted or unencrypted?
   Select whether any of the HTTP-based, POP3 and IMAP4 traffic will be encrypted or not when it arrives on this system. In nearly all cases for this deployment scenario, it will be encrypted (it would not be encrypted, for example, if you selected one of the other scenarios/roles for this iApp, and elected to offload SSL/TLS traffic at a separate BIG-IP APM). Note that the BIG-IP system does not offload the encryption used for RPC; the answer to this question should be based on the other client access protocols you intend to deploy.

   • Encrypted
     If you chose Encrypted in the previous question, additional questions appear.

     1. Do you want to re-encrypt this traffic to your Mailbox Servers?
        If want the BIG-IP system to offload SSL processing from the Mailbox servers, select Do not re-encrypt (SSL Offload) from the list. Offloading SSL on the BIG-IP system can extend Exchange Server server capacity.

        • Do not re-encrypt (SSL Offload) 
          Select this option if you want to offload SSL processing onto the BIG-IP system. If you choose SSL Offload, you must have followed the Microsoft instructions for configuring the Exchange Server.

          1. Which Client SSL profile do you want to use?
             The iApp can create a new Client SSL profile, or if you have created a Client SSL profile which contains the appropriate SSL certificate and key for your Exchange implementation, you can select it from the list.

             • Select the Client SSL profile you created from the list
               If you manually created a Client SSL profile, select it from the list, and then continue with #2.

             • Create a new Client SSL profile
               Select this option if you want the iApp to create a new Client SSL profile.

               1. Which SSL certificate do you want to use?
                  Select the SSL certificate you imported onto the BIG-IP system for decrypting client connections. If you have not yet imported a certificate, you can leave the default selections and reconfigure this iApp after obtaining the certificates. The deployment will not function correctly until you have selected the correct certificates here. Note: Any certificate that you obtain with multiple names must be in SAN (Subject Alternative Name) format, not SNI (Server Name Indication) format. For more information on SAN certificates, see Subject Alternative Name (SAN) SSL Certificates.

               2. Which SSL key do you want to use? 
                  Select the associated key from the list.

               3. Which intermediate certificate do you want to use?
                  Choose whether or not you want to use an intermediate certificate (also called intermediate certificate chains or chain certificates) in this deployment. These certificates are used to help systems which depend on SSL certificates for peer identification. These certificates are intended to create a chain of trust between the CA that signed the certificate and the CA that is already trusted by the recipient of the certificate. This allows the recipient to verify the validity of the certificates presented, even when the signing CA is unknown. In order to use an intermediate certificate in this deployment, you must have manually imported it onto the BIG-IP system.

                  • Do not use an intermediate certificate
                    Select this option if you do not want to use an intermediate certificate in this deployment, or have not yet imported the certificate onto the system but want to exit the template to import it and then restart the template.

                  • Select the intermediate certificate you imported from the list If you imported an intermediate certificate for this Exchange implementation, select the certificate you imported from the list.

        • Re-encrypt (SSL Bridging)
          Select this option if your implementation requires encrypted traffic to the Mailbox servers. The BIG-IP system unencrypts, then re-encrypts the traffic headed for the Mailbox servers.

          1. Which Client SSL profile do you want to use? 
             The iApp can create a new Client SSL profile, or if you have created a Client SSL profile which contains the appropriate SSL certificate and key for your Exchange implementation, you can select it from the list.

             • Select the Client SSL profile you created from the list
               If you manually created a Client SSL profile, select it from the list, and then continue with #2.

             • Create a new Client SSL profile
               Select this option if you want the iApp to create a new Client SSL profile.

               1. Which SSL certificate do you want to use? 
                  Select the SSL certificate you imported onto the BIG-IP system for decrypting client connections. If you have not yet imported a certificate, you can leave the default selections and reconfigure this iApp after obtaining the certificates. The deployment will not function correctly until you have selected the correct certificates here. Note: Any certificate that you obtain with multiple names must be in SAN (Subject Alternative Name) format, not SNI (Server Name Indication) format. For more information on SAN certificates, see Subject Alternative Name (SAN) SSL Certificates.

               2. Which SSL key do you want to use? 
                  Select the associated key from the list.

          2. Which intermediate certificate do you want to use?
             Choose whether or not you want to use an intermediate certificate (also called intermediate certificate chains or chain certificates) in this deployment. These certificates are used to help systems which depend on SSL certificates for peer identification. These certificates are intended to create a chain of trust between the CA that signed the certificate and the CA that is already trusted by the recipient of the certificate. This allows the recipient to verify the validity of the certificates presented, even when the signing CA is unknown. In order to use an intermediate certificate in this deployment, you must have manually imported it onto the BIG-IP system.

             • Do not use an intermediate certificate
               Select this option if you do not want to use an intermediate certificate in this deployment, or have not yet imported the certificate onto the system but want to exit the template to import it and then restart the template.

             • Select the intermediate certificate you imported from the list If you imported an intermediate certificate for this Exchange implementation, select the certificate you imported from the list.

          3. Which Server SSL profile do you want to use? 
             Select whether you want the iApp to create an F5 recommended Server SSL profile, or if you want to choose a Server SSL profile you already created. Important: If you are configuring SSL Bridging and using BIG-IP version 11.4.x, you must see When using SSL Bridging and BIG-IP version 11.4.x, pool members may be marked down or you may experience connection resets and TLS errors logged to the Mailbox servers.

             • Select the Server SSL profile you created from the list If you have previously created a Server SSL profile for your Exchange implementation, from the list, select the existing Server SSL profile you created.

             • Create a new Server SSL profile
               Select this option if you want the iApp to create a new Server SSL profile. The F5 recommended Server SSL profile uses the serverssl parent profile. For information about the ciphers used in the Server SSL profile, see http://support.f5.com/kb/en-us/solutions/public/8000/800/sol8802.html. Continue with #2.

   • Unencrypted
     Select this option if Mailbox traffic is arriving at this BIG-IP system unencrypted (typically because you configured to offload SSL/TLS traffic at the BIG-IP APM that is sending traffic to this device).

     1. Do you want to encrypt the traffic to your Mailbox Servers?
        If you want the BIG-IP system to offload SSL processing from the Mailbox servers, select Do not encrypt (SSL Offload) from the list. Offloading SSL on the BIG-IP system can extend Exchange Server server capacity.

        • Do not encrypt (SSL Offload) 
          Select this option if you do not want the BIG-IP system to encrypt the traffic destined for the Mailbox servers. The BIG-IP system does not modify the traffic, and you can continue with the next question.

        • Encrypt (SSL Bridging)
          Select this option if your implementation requires encrypted traffic to the Mailbox servers. If you choose this option, the BIG-IP system encrypts the traffic headed for the Mailbox servers.

          1. Which Server SSL profile do you want to use?
             Select whether you want the iApp to create an F5 recommended Server SSL profile, or if you want to choose a Server SSL profile you already created. Important: If you are configuring SSL Bridging and using BIG-IP version 11.4.x, you must see When using SSL Bridging and BIG-IP version 11.4.x, pool members may be marked down or you may experience connection resets and TLS errors logged to the Mailbox servers.

             • Select the Server SSL profile you created from the list If you have previously created a Server SSL profile for your Exchange implementation, select the existing Server SSL profile you created from the list.

             • Create a new Server SSL profile
               Select this option if you want the iApp to create a new Server SSL profile. The default, F5 recommended Server SSL profile uses the serverssl parent profile. For information about the ciphers used in the Server SSL profile, see http://support.f5.com/kb/en-us/solutions/public/8000/800/sol8802.html.

2. Which intermediate certificate do you want to use?
   Choose whether or not you want to use an intermediate certificate (also called intermediate certificate chains or chain certificates) in this deployment. These certificates are used to help systems which depend on SSL certificates for peer identification. These certificates are intended to create a chain of trust between the CA that signed the certificate and the CA that is already trusted by the recipient of the certificate. This allows the recipient to verify the validity of the certificates presented, even when the signing CA is unknown. In order to use an intermediate certificate in this deployment, you must have manually imported it onto the BIG-IP system.

   • Do not use an intermediate certificate
     Select this option if you do not want to use an intermediate certificate in this deployment, or have not yet imported the certificate onto the system but want to exit the template to import it and then restart the template.

   • Select the intermediate certificate you imported from the list If you imported an intermediate certificate for this Exchange implementation, select the certificate you imported from the list.

3. Where will your BIG-IP virtual servers be in relation to your Mailbox Servers?
   Select whether your BIG-IP virtual servers are on the same subnet as your Mailbox servers, or on different subnets. This setting is used to determine the SNAT (secure NAT) and routing configuration.

   • Same subnet for BIG-IP virtual servers
     Select this option if the BIG-IP virtual servers and the Mailbox servers are on the same subnet. In this case SNAT is configured on the BIG-IP virtual server and you must specify the number of concurrent connections.

     1. What is the maximum number of concurrent users you expect per Mailbox Server?
        Select whether you expect more or fewer than 6,000 concurrent users to each Mailbox server. This answer is used to determine what type of SNAT (secure network address translation) that system uses. A SNAT is an object that maps the source client IP address in a request to a translation address defined on the BIG-IP device. Note: For specific information on SNAT Pools, including why we chose 6,000 concurrent users per server, see Maximum number of concurrent users: SNAT Pool guidance.

        • Fewer than 6000
          Select this option if you expect fewer than 6,000 concurrent users per Mailbox server. With this option, the system applies SNAT Auto Map, which doesn’t require any additional IP addresses, as the system uses an existing self IP address for translation.

        • More than 6000
          Select this option if you expect more than 6,000 users at one time to each server. With this option, the iApp creates a SNAT Pool (or you can choose one you created), for which you need one IP address for each 6,000 users you expect.

          1. Create a new SNAT pool or use an existing one?
             Select whether you want the system to create a new SNAT Pool, or if you have already created a SNAT pool for this implementation.

             • Select the SNAT pool you created from the list
               If you have previously created a SNAT Pool for your Exchange implementation, select it from the list.

             • Create a new SNAT Pool
               If you have not created a custom SNAT pool, select this option for the iApp to create a new one.

               1. Which IP addresses do you want to use for the SNAT Pool? Specify one otherwise unused IP address for every 6,000 concurrent connections, or fraction thereof. Click Add for more rows. Important: If you choose more than 6,000 users, but do not specify enough SNAT pool addresses, after the maximum connection limit of 6,000 concurrent users per server is reached, new requests fail.

   • Different subnet for BIG-IP virtual servers and Mailbox Servers
     If the BIG-IP virtual servers and Web Interface servers are on different subnets, the following question appears asking how routing is configured.

     1. How have you configured routing on your Mailbox Servers?
        Select whether the Mailbox servers use this BIG-IP system’s Self IP address as their default gateway.

        • Mailbox Servers do NOT use BIG-IP as their default gateway
          Select this option if the Mailbox servers do not use the BIG-IP system as their default gateway. If the servers do not usethe BIG-IP as their default gateway, SNAT is configured on the BIG-IP virtual server and you must select the expected number of concurrent users in the next question.

          1. What is the maximum number of concurrent users you expect per Mailbox Server?
             Select whether you expect more or fewer than 6,000 concurrent users to each Mailbox server. This answer is used to determine what type of SNAT (secure network address translation) that system uses. A SNAT is an object that maps the source client IP address in a request to a translation address defined on the BIG-IP device. Note: For specific information on SNAT Pools, including why we chose 6,000 concurrent users per server, see Maximum number of concurrent users: SNAT Pool guidance.

             • Fewer than 6000
               Select this option if you expect fewer than 6,000 concurrent users per Mailbox server. With this option, the system applies SNAT Auto Map, which doesn’t require any additional IP addresses, as the system uses an existing self IP address for translation.

             • More than 6000
               Select this option if you expect more than 6,000 users at one time to each server. With this option, the iApp creates a SNAT Pool (or you can choose one you created), for which you need one IP address for each 6,000 users you expect.

               1. Create a new SNAT pool or use an existing one?
                  Select whether you want the system to create a new SNAT Pool, or if you have already created a SNAT pool for this implementation.

                  • Select the SNAT pool you created from the list
                    If you have previously created a SNAT Pool for your Exchange implementation, select it from the list.

                  • Create a new SNAT Pool
                    If you have not created a custom SNAT pool, select this option for the iApp to create a new one.

                    1. Which IP addresses do you want to use for the SNAT Pool? Specify one otherwise unused IP address for every 6,000 concurrent connections, or fraction thereof. Click Add for more rows. Important: : If you choose more than 6,000 users, but do not specify enough SNAT pool addresses, after the maximum connection limit of 6,000 concurrent users per server is reached, new requests fail.

        • Mailbox Servers use the BIG-IP as their default gateway
          Select this option if the Mailbox servers use the BIG-IP system as their default gateway. In this scenario, no additional configuration is necessary to ensure correct server response handling.

Tell us about which services you are deploying

In this section, the iApp gathers information about which client access services you are deploying. Some questions only appear depending on your answers to previous questions. These contingencies are noted at the beginning of the question description.

1. Do you want to customize the server pool settings?
   Select whether you want to customize the BIG-IP load balancing pools for Mailbox services, or use the F5 recommended settings.

   • Use settings recommended by F5
     If you don't have a specific reason to customize the pool settings, leave this question set to this setting and continue with #2.

   • Customize pool settings
     If you need to modify individual pool options, select Customize pool settings and answer the following options that appear:

     1. Which load balancing method do you want to use? 
        Select the load balancing method you want to use. We recommend the default, Least Connections (member). See the BIG-IP documentation for a description of each method. If you chose a node-based load balancing method, such as Ratio (Node), and use a Ratio or Connection Limit (both optional), you must see Adding Ratio or Connection Limit information to the nodes if using a node-based load balancing method after completing the template.

     2. Do you want to give priority to specific groups of servers?
        Select whether you want to enable Priority Group Activation to send traffic first to groups of servers you specify. The BIG-IP system load balances traffic according to the priority number you assign to each server.

        • Do not use Priority Group Activation
          Select this option if you do not want to enable Priority Group Activation.

        • Use Priority Group Activation
          Select this option if you want to enable Priority Group Activation. You will need to add a priority number in the Priority box to each server . A higher number indicates higher priority. Traffic is only sent to the servers with the highest priority, unless the number of available servers in that priority group falls below the value you specify as the minimum in the following question. The BIG-IP system then sends traffic to the group of servers with the next highest priority, and so on. See the BIG-IP documentation for more details.

          1. What is the minimum number of active members in a group?
             Specify the minimum number of servers that must be active to continue sending traffic to the priority group. If the number of active servers falls below this minimum, traffic will be sent to the group of servers with the next highest priority group number.

     3. Do you want the BIG-IP system to queue TCP requests?
        Select whether you want the BIG-IP system to queue TCP requests. TCP request queuing provides the ability to queue connection requests that exceed the capacity of connections for a pool, as determined by the connection limit. Consequently, instead of dropping connection requests that exceed the capacity of a pool, TCP request queuing enables those connection requests to reside within a queue according to defined conditions until capacity becomes available. For more information on TCP Request Queuing, see the Preventing TCP Connection Requests From Being Dropped chapter in the BIG-IP Local Traffic Manager: Implementations
        guide, available on AskF5. Important: : TCP Request Queuing is an advanced feature and should be used only if you understand how it will affect your deployment, including application behavior and BIG-IP performance. If you enable TCP Request Queuing, you must have a Connection Limit set on at least one of the nodes when configuring the Address/Port for the Mailbox Server nodes.

        • Do not queue TCP requests
          Select this option if you do not want the BIG-IP system to queue TCP requests.

        • Queue TCP requests
          Select this option if you want to enable TCP request queuing on the BIG-IP system.

          1. What is the maximum number of TCP requests for the queue?
             Type the maximum number of requests you want to queue. We do not
             recommend using 0, which means unlimited and is only constrained by available memory.

          2. How many milliseconds should requests remain in the queue?
             Type a number of milliseconds for the TCP request timeout value.

2. What IP address do you want to use for your virtual servers?
   Specify a valid IP address to use for the BIG-IP virtual server. This virtual server address is used for all client access services. The BIG-IP system intelligently directs traffic to the appropriate service using an iRule created by the template.

3. Do you want to add any iRules to this combined virtual server?
   If you chose to customize pool settings, you have the option of adding existing iRules to the virtual server. iRules allow an administrator to instruct the system to intercept, inspect, transform, direct and track inbound or outbound application traffic. For more information on iRules, see https://devcentral.f5.com/HotTopics/iRules/tabid/1082202/Default.aspx. Important: : Improper use or misconfiguration of an iRule can result in unwanted application behavior and poor performance of your BIG-IP system. We recommended you verify the impact of an iRule prior to deployment in a production environment. If you want to add iRules, from the Options box, select the iRule(s) you want to include, and then click the Add (<<) button.

4. Are you deploying Outlook Web App (includes ECP)?
   Select whether you are deploying Outlook Web App at this time. This includes the Exchange Control Panel (ECP).

   • No
     Select this option if you are not deploying OWA at this time. You can always reconfigure the template later to add OWA.

   • Yes
     Select this option if you are deploying OWA at this time.

     1. What are the IP addresses of your OWA servers?
        This question only appears if you selected Each service will be handled by a unique set of Mailbox Servers
        Specify the IP addresses of your Outlook Web App servers. Click Add to include additional servers. If you chose to have the BIG-IP system queue TCP requests, you must specify a Connection Limit. If you chose to enable Priority Group Activation, you must specify a Priority.

5. Are you deploying Microsoft Outlook, including EWS and OAB?
   Select whether you are deploying Microsoft Outlook (including EWS and OAB) as a part of your Exchange 2016 deployment. If you are, you must answer the following question about the protocol Outlook uses to connect to Exchange.

   • No, not deploying Microsoft Outlook or EWS
     Select this option if you are not deploying Microsoft Outlook or EWS at this time. You can always reconfigure the template at another time to add Outlook or EWS to the configuration.

   • Yes, deploying EWS only 
     Select this option if you are only deploying Exchange Web Services at this time, and not Outlook Anywhere or Offline Address Book. In this case, the BIG-IP system sends any Offline Address Book traffic to the Exchange Web Services pool.

     1. What are the IP addresses of your EWS servers?
        This question only appears if you selected Each service will be handled by a unique set of Mailbox Servers
        Specify the IP addresses of your Exchange Web Services servers. Click Add to include additional servers. If you chose to have the BIG-IP system queue TCP requests, you must specify a Connection Limit. If you chose to enable Priority Group Activation, you must specify a Priority. Continue with #6 Are you deploying ActiveSync?

   • Yes, deploying Microsoft Outlook with EWS and OAB
     Select this option if you are deploying Outlook Anywhere, EWS, and OAB at this time.

     1. Which protocol(s) will Microsoft Outlook use to connect to Exchange?
        Choose which protocols your Microsoft Outlook users are using to connect to the Exchange servers.

        • Outlook clients will use MAPI-over-HTTP
          Select this option if your Outlook clients will use MAPI-over-HTTP only to connect to Exchange.

          1. What are the IP addresses of your MAPI servers?
             This question only appears if you selected Each service will be handled by a unique set of Mailbox Servers
             Specify the IP addresses of your MAPI servers. Click Add to include additional servers. If you chose to have the BIG-IP system queue TCP requests, you must specify a Connection Limit. If you chose to enable Priority Group Activation, you must specify a Priority.

        • Outlook clients will use RPC-over-HTTP
          Select this option if your Outlook clients will use RPC over HTTP, and will not use MAPI over HTTP.

          1. What are the IP addresses of your Outlook Anywhere servers?
             This question only appears if you selected Each service will be handled by a unique set of Mailbox Servers in the previous section.
             Specify the IP addresses of your Outlook Anywhere servers. Click Add to include additional servers. If you chose to have the BIG-IP system queue TCP requests, you must specify a Connection Limit. If you chose to enable Priority Group Activation, you must specify a Priority.

        • Outlook clients will use both MAPI-over-HTTP and RPC-over-HTTP
          Select this option if your Outlook clients will use both the RPC-over-HTTP and MAPI-over-HTTP protocols.

          1. What are the IP addresses of your MAPI servers?
             This question only appears if you selected Each service will be handled by a unique set of Mailbox Servers in the previous section.
             Specify the IP addresses of your MAPI servers. Click Add to include additional servers. If you chose to have the BIG-IP system queue TCP requests, you must specify a Connection Limit. If you chose to enable Priority Group Activation, you must specify a Priority.

          2. What are the IP addresses of your Outlook Anywhere servers?
             This question only appears if you selected Each service will be handled by a unique set of Mailbox Servers in the previous section.
             Specify the IP addresses of your Outlook Anywhere servers. Click Add to include additional servers. If you chose to have the BIG-IP system queue TCP requests, you must specify a Connection Limit. If you chose to enable Priority Group Activation, you must specify a Priority.

     2. What are the IP addresses of your EWS servers?
        This question only appears if you selected Each service will be handled by a unique set of Mailbox Servers in the previous section.
        Specify the IP addresses of your EWS servers. Click Add to include additional servers. If you chose to have the BIG-IP system queue TCP requests, you must specify a Connection Limit. If you chose to enable Priority Group Activation, you must specify a Priority.

6. Are you deploying ActiveSync?
   Select whether you are deploying ActiveSync at this time.

   • No
     Select this option if you are not deploying ActiveSync at this time. You can always reconfigure the template at another time to add ActiveSync to the configuration.

   • Yes
     Select this option if you are deploying ActiveSync at this time. See iPhones and other iOS devices are displaying invalid certificate messages after deploying the iApp for ActiveSync for important information.

     1. What are the IP addresses of your ActiveSync servers?
        This question only appears if you selected Each service will be handled by a unique set of Mailbox Servers in the previous section.
        Specify the IP addresses of your Outlook Anywhere servers. Click Add to include additional servers. If you chose to have the BIG-IP system queue TCP requests, you must specify a Connection Limit. If you chose to enable Priority Group Activation, you must specify a Priority.

7. Are you deploying Autodiscover?
   Select whether you are deploying Autodiscover at this time.

   • No
     Select this option if you are not deploying Autodiscover at this time. You can always reconfigure the template at another time to add Autodiscover to the configuration.

   • Yes
     Select this option if you are deploying Autodiscover at this time. Warning To deploy Autodiscover, you must either create an 'SRV' record in DNS or create 'A' records in order for external clients to be able to make use of Autodiscover. If you do not want to use an 'SRV' record, then you must have 'A' records for either 'autodiscover.' or '' that resolve to the IP address you have designated for your Autodiscover virtual server.

     1. What are the IP addresses of your Autodiscover servers?
        This question only appears if you selected Each service will be handled by a unique set of Mailbox Servers in the previous section.
        Specify the IP addresses of your Autodiscover servers. Click Add to include additional servers. If you chose to have the BIG-IP system queue TCP requests, you must specify a Connection Limit. If you chose to enable Priority Group Activation, you must specify a Priority.

8. Are you deploying POP3?
   Select whether you are deploying POP3 at this time.

   • No
     Select this option if you are not deploying POP3 at this time. You can always reconfigure the template at another time to add POP3 to the configuration.

   • Yes
     Select this option if you are deploying POP3 at this time. Important: You must enable POP3 on each of your Exchange Mailbox Servers before that service will be available. POP3 is not enabled by default on Exchange Mailbox Servers. If you are offloading SSL, you must configure the Authentication properties for POP3 on each of your Exchange Mailbox Servers to allow logins using plain text. By default, POP3 is configured to only allow secure (encrypted) logins.

     1. What are the IP addresses of your POP3 servers?
        This question only appears if you selected Each service will be handled by a unique set of Mailbox Servers in the previous section.
        Specify the IP addresses of your POP3 servers. Click Add to include additional servers. If you chose to have the BIG-IP system queue TCP requests, you must specify a Connection Limit. If you chose to enable Priority Group Activation, you must specify a Priority.

9. Are you deploying IMAP4?
   Select whether you are deploying IMAP4 at this time.

   • No
     Select this option if you are not deploying IMAP4 at this time. You can always reconfigure the template at another time to add IMAP4 to the configuration.

   • Yes
     Select this option if you are deploying IMAP4 at this time. Important: You must enable IMAP4 on each of your Exchange Mailbox Servers before that service will be available. IMAP4 is not enabled by default on Exchange Mailbox Servers. If you are offloading SSL, you must configure the Authentication properties for IMAP4 on each of your Exchange Mailbox Servers to allow logins using plain text. By default, IMAP4 is configured to only allow secure (encrypted) logins.

     1. What are the IP addresses of your IMAP4 servers?
        This question only appears if you selected Each service will be handled by a unique set of Mailbox Servers in the previous section.
        Specify the IP addresses of your IMAP4 servers. Click Addto include additional servers. If you chose to have the BIG-IP system queue TCP requests, you must specify a Connection Limit. If you chose to enable Priority Group Activation, you must specify a Priority.

Server Health Monitors

The last section of the template asks for information about the health checks the iApp will configure for the Mailbox Servers.

1. Do you want to create external monitors for client access services?
   Choose whether you want to use external or standard health monitors to check the availability of the client access services on your Mailbox Servers. External monitors require a mailbox account and password and perform logins to POP3, IMAP4 services (if you are using them).

   • No, do not create external monitors (use standard monitors)
     Select this option if you want to use standard monitors for checking the availability of the client access services. Standard monitors check network connectivity but do not perform actual logins.

   • Yes, create external monitors If you choose external monitors, uses a script to look for the Windows service status of five critical client access services. If you are deploying the iApp for POP3 and/or IMAP4 services, the monitors attempt to login to the service and checks for valid content in the response. Because these monitors attempt to access a specific mailbox, account maintenance and Mailbox status must become a part of your monitoring strategy. For example, if an account used for monitoring is locked or deleted, the monitor will mark the services down for all users. We strongly recommend creating a mailbox account(s) specifically for use in the monitor(s). The accounts for those mailboxes should have no other privileges in the domain and should be configured with passwords that do not expire.

     1. What is the SNMP community string for your Client Access servers?
        Type the SNMP community string for your Client Access servers. Because Microsoft only supports SNMP v2 in their default SNMP service, you must use an SNMP v2 community string. If you require SNMP v3 support, and have configured that using a custom solution on your Exchange servers then you can manually modify the external monitor script created by the iApp. See Modifying the external monitor script file to support SNMP v3.

     2. Which mailbox account should be used for the monitors?
        This question only appears if you are deploying the iApp for POP3 and/or IMAP4
        Type a mailbox account for use in the external monitors. This name corresponds to the account name field in Active Directory (rather than the email address).

     3. What is the password for that mailbox account?
        This question only appears if you are deploying the iApp for POP3 and/or IMAP4
        Type the associated password.

     4. What is the domain name of the user account for the monitors?
        This question only appears if you are deploying the iApp for POP3 and/or IMAP4
        Type the Domain name for the user account. This domain can be entered in either FQDN (mydomain.example.com) or NetBIOS (MYDOMAIN) format.

     5. Do you want to monitor a second mailbox?
        Choose whether you want to monitor a second mailbox. We strongly recommend configuring a second mailbox account to be used by a second set of monitors, using a mailbox that is configured to reside on a different Mailbox server. The BIG-IP LTM will only mark a client access service on a specific server down if both sets of credentials fail. This provides resiliency to accommodate configuration errors with a single account, mailbox, or Mailbox server.

        • Monitor only one mailbox
          Select this option if you do not want the BIG-IP system to monitor a second mailbox. Continue with #3.

        • Monitor a second mailbox (recommended)
          Select this option if you want the BIG-IP system to monitor a second mailbox. You must answer the following:

          1. Which email address do you want to use for the second set of advanced monitors?
             This question only appears if you specified you are deploying Autodiscover and/or Exchange Web Services
             Type the email address associated with the account you are going to monitor (and that you specify below).

          2. Which mailbox account should be used for the second set of monitors?
             This question only appears if you are deploying the iApp for POP3 and/or IMAP4
             Type a mailbox account for use in the second monitors. Again, this name corresponds to the account name field in Active Directory (rather than the email address).

          3. What is the password for that mailbox account?
             This question only appears if you are deploying the iApp for POP3 and/or IMAP4
             Type the associated password.

          4. What is the domain name of the user account for the second set of monitors?
             This question only appears if you are deploying the iApp for POP3 and/or IMAP4
             Type the Domain name for the second user account. This domain can be entered in either FQDN (mydomain.example.com) or NetBIOS (MYDOMAIN) format.

2. Which authentication method have you configured for OWA?
   This question only appears if you specified you are deploying Outlook Web App.
   If you configured the iApp to deploy Outlook Web App at this time, choose the authentication method you have configured for Outlook Web App. The health monitors will be customized to accommodate the authentication method you are using. Important: If you are using APM in this scenario, you must choose Forms-Based. If you are using Forms-Based authentication for OWA, you must change the credential format required for OWA on each Exchange Mailbox Server from the default domain\username format to just username. If you are using NTLMv2, even if you select advanced health monitors in the iApp template, the EAV health checks (the checks that call an external script) will only be simple monitors.

   • OWA uses the default Forms-Based authentication
     Select this option if you are using Forms-based authentication. If you chose Forms-based authentication, the BIG-IP system does not perform an actual login to the service, but checks the availability of the forms-based authentication page.

   • OWA uses Basic or Windows Integrated authentication
     Select this option if you are using Basic/Windows Integrated authentication.

3. How many seconds should pass between health checks?
   This question does not appear if you chose not to create external monitors Specifies how often the system checks the health of the servers. We recommend the default of 30 seconds. The maximum value for the interval is 28,799 seconds.

4. Are you using the same FQDN for all HTTP-based services?
   This question only appears if you specified you are using a single IP address for all connections. If you selected Different IP addresses for different services, continue with #5.
   Select whether you are using one FQDN for all HTTP-based services or separate FQDNs for each service. These values are used for HTTP 1.1-based health monitors.

   • One FQDN for all HTTP services
     Select this option if you are using a single FQDN for all HTTP-based client access services.

     1. What is the FQDN that you use for your HTTP-based client access services?
        Specify the fully qualified domain name you are using for all of the HTTP-based client access services.

        • Different FQDNs for each HTTP service
          Select this option if you are using separate FQDNs for each HTTP-based client access service. Additional questions appear. When you are finished adding the FQDNs, continue with Additional Steps.

          1. What FQDN do you use for the OWA service?
             This question only appears if you specified you are deploying Outlook Web App.
             Specify the fully qualified domain name you use for your Outlook Web App service.

          2. What FQDN do you use for the Outlook Anywhere service?
             This question only appears if you specified you are deploying Outlook Anywhere.
             Specify the fully qualified domain name you use for your Outlook Anywhere service.

          3. What FQDN do you use for the ActiveSync service?
             This question only appears if you specified you are deploying ActiveSync.
             Specify the fully qualified domain name you use for your ActiveSync service.

          4. What FQDN do you use for the Autodiscover service?
             This question only appears if you specified you are deploying Autodiscover. Specify the fully qualified domain name you use for your Autodiscover service.

5. What is the FQDN for your OWA service?
   This question only appears if you specified you are using different IP addresses for different services and you are deploying OWA
   Specify the fully qualified domain name you use for your Outlook Web App service.

6. What is the FQDN for your MAPI service?
   This question only appears if you specified you are using different IP addresses for different services and you are deploying MAPI-over HTTP Specify the fully qualified domain name you use for your MAPI service.

7. What is the FQDN for your Outlook Anywhere service?
   This question only appears if you specified you are using different IP addresses for different services and you are deploying Outlook Anywhere Specify the fully qualified domain name you use for your Outlook Anywhere service.

8. What is the FQDN for your ActiveSync service?
   This question only appears if you specified you are using different IP addresses for different services and are deploying ActiveSync
   Specify the fully qualified domain name you use for your ActiveSync service.

9. What is the FQDN for your Autodiscover service?
   This question only appears if you specified you are using different IP addresses for different services and you are deploying Autodiscover
   Specify the fully qualified domain name you use for your Autodiscover service.

Additional Steps

Review the information in the Additional steps section, and take appropriate action if necessary. All of the notes in Additional Steps are found in the relevant section of this deployment guide.

Finished

Review your answers to the questions. When you are satisfied, click the Finished button. The BIG-IP system creates the relevant objects. Continue with Next steps.

Configuring a local APM to secure and forward traffic to a remote LTM

If you chose Local APM secures and forwards traffic to a remote LTM, use this section for guidance on configuring the iApp. In this scenario, the BIG-IP will be configured as a BIG-IP APM that will use a single virtual server to provide proxy authentication and secure remote access to all Exchange HTTP-based Mailbox services (Outlook Web App (including ECP), Outlook Anywhere (including EWS and OAB), ActiveSync, and Autodiscover) without requiring the use of the F5 Edge Client. The traffic will be forwarded to separate BIG-IP running LTM which will provide advanced load balancing, monitoring and optimizations for those services.

As mentioned in the prerequisites, because you are deploying BIG-IP APM, you must have configured the BIG-IP system for DNS and NTP. See Configuring DNS and NTP settings for instructions.

Analytics

This section of the template asks questions about Analytics. The Application Visibility Reporting (AVR) module allows you to view statistics specific to your Microsoft Exchange implementation. AVR is available on all BIG-IP systems v11 and later, however you must have the AVR provisioned for this option to appear. Note that this is only for application visibility reporting, you can view object-level statistics from the BIG-IP without provisioning AVR.

Important: Enabling Analytics may adversely affect overall system performance. If you choose to enable Analytics, we recommend gathering statistics for a set time period, such as one week, and then re-entering this template and disabling Analytics while you process the data.

If you plan on using AVR for analytics, we recommend creating a custom Analytics profile. To create a new profile, from the Main tab, select Profiles and then click Analytics. Click New and then configure the profile as applicable for your configuration. See the online help or product documentation for specific instructions. To select the new profile, you must restart or reconfigure the iApp template.

1. Do you want to enable Analytics for application statistics?
   Choose whether you want to enable AVR for Analytics.

   • No, do not enable Analytics If you do not want to enable Analytics, leave this list set to No, and continue with the next section.

   • Yes, enable Analytics using AVR If you choose to enable Analytics, select Yes from the list, and then answer the following questions.

     1. Use the default Analytics profile or select a custom profile?If you decide to use AVR, you must decide whether to use the default Analytics profile, or create a new one. As mentioned previously, we recommend creating a new profile to get the most flexibility and functionality out of AVR. If you have already started the iApp template configuration and then decide to create a new Analytics profile, you must exit the iApp, create the profile, and then restart the iApp template.

        • Select a custom Analytics profile
          Select this option if you have already created a custom Analytics profile for Exchange Server.

          1. Which Analytics profile do you want to use?From the list, select the appropriate Analytics profile.

        • Use default profile
          Select this option if you have not yet created a custom Analytics profile for Microsoft Exchange. We do not recommend using the default profile.

BIG-IP Access Policy Manager

The first section of the iApp in this scenario asks about the BIG-IP Access Policy Manager. You must have APM fully licensed and provisioned to use APM. For more information on BIG-IP APM, see http://f5.com/products/big-ip/access-policy-manager.html.

1. Would you like to create a new Access Profile, or use an existing Access Profile?
   Choose whether you want the system to create a new BIG-IP APM Access Profile, or if you have already created a custom Access Profile outside the template. If you are unsure, select Create a new Access Profile.

   • Select the Access profile you created from the list If you have previously created an Access profile for your Exchange implementation, select the existing profile you created from the list. Continue with the next section.

   • Create a new Access profile
     Select this option if you have not created a custom Access profile, and want the system to create one.

     1. Would you like to create a new AAA server, or use an existing AAA server? Choose whether you want the system to create a new BIG-IP APM AAA Server object, or if you have already created a custom AAA Server outside the template. The AAA server contains information about your Active Directory implementation. If you are unsure, select Create a new AAA Server.

        • Select the AAA Server you created from the list If you have previously created an AAA Server for your Exchange implementation, select the existing object you created from the list. Because additional information about the AAA Server is used elsewhere in this template, only AAA Servers configured to use a pool of Domain Controllers appear in the list.

          1. What is the FQDN of your Active Directory domain for your Exchange users? Specify the FQDN of the Active Directory deployment for your Exchange users. This is the FQDN for your entire domain, such as example.com, rather than the FQDN for any specific host. Continue with b on the following page.

        • Create a new AAA Server
          Select this option if you have not created a custom AAA Server, and want the system to create one.

          1. What is the FQDN of your Active Directory domain for your Exchange users? Specify the FQDN of the Active Directory deployment for your Exchange users. This is the FQDN for your entire domain, such as example.com, rather than the FQDN for any specific host.

          2. Which Active Directory servers in your domain can this BIG-IP system contact? Specify both the FQDN and IP address of each Active Directory server you want the BIG-IP APM to use for servicing authentication requests. Click Add to include additional servers.

          3. Does your Active Directory domain allow anonymous binding? Select whether anonymous binding is allowed in your Active Directory environment.

             • Yes, anonymous binding is allowed
               Select this option if anonymous binding is allowed. No further information is required.

             • No, credentials are required for binding
               Select this option if credentials are required for binding. You must answer the following questions.

               1. Which Active Directory user with administrative permissions do you want to use? Type a user name with administrative permissions.

               2. What is the password associated with that account? Type the associated password.

          4. How do you want to handle health monitoring for this pool? Specify whether you want the template to create a new LDAP monitor or a new ICMP monitor, or if you select an existing monitor. For more accurate monitoring, we recommend using an LDAP monitor.

             • Select an existing monitor for the Active Directory pool
               Select this option if you have already created a health monitor (only monitors with a Type of LDAP or External can be used) for the Active Directory pool that will be created by the template. If you want to create a health monitor, but have not already done so, you must exit the template and create the object before it becomes available from the list. The iApp allows you to select monitors that are a part of another iApp Application Service. If you select a monitor that is a part of another Application Service, be aware that any changes you make to the monitor in the other Application Service will apply to this Application Service as well.

               1. Which monitor do you want to use?From the list, select the LDAP or External monitor you created to perform health checks for the Active Directory pool created by the template. Only monitors that have a Type value of LDAP or External appear in this list. Continue with the next question.

             • Use a simple ICMP monitor for the Active Directory pool
               Select this option if you only want a simple ICMP monitor for the Active Directory pool. This monitor sends a ping to the servers and marks the server UP if the ping is successful. Continue with b.

             • Create a new LDAP monitor for the Active Directory pool
               Select this option if you want the template to create a new LDAP monitor for the Active Directory pool. You must answer the following questions:

               1. Which Active Directory user name should the monitor use? Specify an Active Directory user name for the monitor to use when attempting to log on as a part of the health check. This should be a user account created specifically for this health monitor, and must be set to never expire.

               2. What is the associated password?Specify the password associated with the Active Directory user name.

               3. What is the LDAP tree for this user account? Specify the LDAP tree for the user account. As noted in the inline help, ADSI editor, an tool for Active Directory LDAP administration, is useful for determining the correct LDAP tree value. For example, if the user name is ‘user1’ which is in the organizational unit ‘Exchange Users’ and is in the domain ‘exchange.example.com’, the LDAP tree would be: ou=Exchange Users, dc=Exchange, dc=example, dc=com.

               4. Does your Active Directory domain require a secure protocol for communication? Specify whether your Active Directory implementation requires SSL or TLS for communication, or does not require a secure protocol. This determines the port the health monitor uses.

                  • No, a secure protocol is not required
                    Select this option if your Active Directory domain does not require a secure protocol.

                  • Yes, SSL communication is required
                    Select this option if your Active Directory domain requires SSL communication. The health check uses port 636 as the Alias Service Port.

                  • Yes, TLS communication is required
                    Select this option if your Active Directory domain requires TLS communication. The health check uses port 389 as the Alias Service Port.

               5. How many seconds between Active Directory health checks? Specify how many seconds the system should use as the health check Interval for the Active Directory servers. We recommend the default of 10 seconds.

     2. What text should appear in the user access logon prompt?Type the text you want users to see above the user name and password prompts when logging on to the BIG-IP APM. By default, this includes the HTML tag to insert a line break between 'Secure Logon' and 'for F5 Networks'. Warning If the text you want to appear includes the characters &, ", or ', you must use proper encoding: & for &, "e; for ", and ' for '.

     3. Which APM logging profile do you want to use?
        This question only appears if you are using BIG-IP version 12.0 or later BIG-IP version 12.0 allows you to attach a logging profile to your BIG-IP APM configuration. If you created an APM logging profile for this configuration, you can select it from the list. The default profile is named default-log-setting. For more information on APM logging, see the APM documentation for v12.0 and later.

Application Firewall Manager (BIG-IP AFM)

This entire section only appears if you have licensed and provisioned BIG-IP AFM

This section gathers information about BIG-IP Advanced Firewall Manager, if you want to use it to protect the Exchange deployment. For more information on BIG-IP AFM, see http://support.f5.com/kb/en-us/products/big-ip-afm.html, and then select your version.

1. Do you want to use AFM network firewall and IP Intelligence to protect your application?
   Choose whether you want to use BIG-IP AFM, F5's network firewall with IP intelligence, to secure this Exchange deployment. If you choose to use BIG-IP AFM, you can restrict access to the Exchange virtual server(s) to a specific network or IP address. See the BIG-IP AFM documentation for specific details on configuring AFM.

   • No, do not use network firewall and IP Intelligence
     Select this option if you do not want to enable BIG-IP AFM at this time. You can always re-enter the template at a later date to enable BIG-IP AFM. Continue with the next section.

   • Select an existing AFM policy from the list
     If you already created a BIG-IP AFM policy for this implementation, select it from the list. Continue with c.

   • Yes, use network firewall and IP Intelligence
     Select this option if you want to enable BIG-IP AFM using F5's recommended configuration.

     1. Do you want to forbid access to your application from specific networks or IP addresses? Choose whether you want to restrict access to the Exchange implementation via the BIG-IP virtual server.

        • No, do not forbid client addresses (allow all)
          By default, the iApp configures the AFM to accept traffic destined for the Exchange virtual server(s) from all sources. If you do not have a need to restrict access to the virtual server, leave this option selected and then continue with b.
          

        • Yes, forbid specific client addresses
          Select this option if you want to restrict access to the Exchange virtual server(s) by IP address or network address.

          1. What IP or network addresses should be allowed to access your application? Specify the IP address or network access that should be allowed access to the Exchange virtual server(s). You can specify a single IP address, a list of IP addresses separated by spaces (not commas or other punctuation), a range of IP addresses separated by a dash (for example 192.0.2.10-192.0.2.100), or a single network address, such as 192.0.2.200/24.

   • How should the system control connections from networks suspected of malicious activity?
     The BIG-IP AFM uses an IP intelligence database to categorize IP addresses coming into the system. Choose what you want the system to do for sources that are attempting to access the Exchange virtual server(s) with a low reputation score. For more information, see the BIG-IP AFM documentation. Important: You must have an active IP Intelligence license for this feature to function. See https://f5.com/products/modules/ip-intelligence-services for information.

     • Accept all connections and log nothing
       Select this option to allow all sources, without taking into consideration the reputation score or logging anything.

     • Reject connections from IP addresses with poor reputations
       Select this option to reject access to the Exchange virtual server(s) from any source with a low reputation score.

     • Accept all connections but log those from suspicious networks
       Select this option to allow access to the Exchange virtual server(s) from sources with a low reputation score, but add an entry for it in the logs. By default, IP Intelligence events are logged to Security > Event Logs > Network > IP Intelligence. We recommend creating a remote logging profile for IP Intelligence events.

   • Would you like to stage a policy for testing purposes?
     Choose whether you want to stage a firewall policy for testing purposes. A staged policy allows you to evaluate the effect a policy has on traffic by analyzing the system logs, without actually modifying traffic based on the firewall rules. You must already have a policy on the system in order to select it.

     • Do not apply a staging policy
       Select this option if you do not want to apply a logging profile at this time. You can always re-enter the template at a later date to add a logging profile. Continue with the next question.

     • Select an existing policy from the list
       If you have already created a firewall policy for this implementation, select it from the list. Only policies that already exist on the system appear in the list. To create a new policy, on the Main tab, click Security > Network Firewall > Policies. Specific instructions for creating a firewall policy is outside the scope of this iApp and deployment guide.

   • Which logging profile would you like to use? Choose whether you or not you want to use a logging profile for this AFM implementation. You can configure the BIG-IP system to log detailed information about BIG-IP system Network Firewall events and store those logs on the BIG-IP system or a remote logging server (supports servers like syslog and Splunk). If you want to use a logging profile, we recommend creating one outside this template. The list only contains profiles with Network Firewall enabled.

     • Do not use a logging profile
       Select this option if you do not want to use a logging profile at this time. You can always re-enter the template at a later date to add a logging profile. Continue with the next question.

     • Select an existing logging profile from the list
       If you have already created a logging profile for this implementation, select it from the list. You must create a profile before it is available in the list. To create a logging profile, on the Main tab, click Security > Event Logs > Logging Profiles. Specific instructions for creating a logging profile is outside the scope of this iApp and deployment guide. See the online help or the About Local Logging with the Network Firewall chapter of the BIG-IP Network Firewall: Policies and Implementations guide for more information.

Tell us about your Access Policy Manager deployment

This section of the iApp asks about your BIG-IP Access Policy Manager deployment.

1. What IP address do you want to use for the BIG-IP APM virtual server?
   Specify the IP address you want to use for the BIG-IP Access Policy Manager virtual server. This is the address clients will use to access the HTTP-based client access services.

2. Do you want to re-encrypt the traffic that will be forwarded to your BIG-IP LTM?
   Select whether you want the system to re-encrypt traffic that will be sent from this BIG-IP APM to the BIG-IP LTM.

   We generally recommend you do not re-encrypt traffic between your BIG-IP APM and BIG-IP LTM because both BIG-IP systems must process the SSL transactions. However, if you do choose to re-encrypt, we strongly recommend you use a valid certificate (usually SAN-enabled) rather than the default, self-signed certificate for the Client SSL profile on your BIG-IP LTM system. If not re-encrypting traffic, you do not need a certificate on your BIG-IP LTM.

   • Re-encrypt (SSL Bridging)
     Select this option if your implementation requires encrypted traffic to the Mailbox Servers. The system unencrypts, then re-encrypts the traffic headed for the Mailbox Servers.

     1. Which Client SSL profile do you want to use? The iApp can create a new Client SSL profile, or if you have created a Client SSL profile which contains the appropriate SSL certificate and key for your Exchange implementation, you can select it from the list.

        • Select the Client SSL profile you created from the list
          If you manually created a Client SSL profile, select it from the list, and then continue with #2.

        • Create a new Client SSL profile
          Select this option if you want the iApp to create a new Client SSL profile.

          1. Which SSL certificate do you want to use? 
             Select the SSL certificate you imported onto the BIG-IP system for decrypting client connections. If you have not yet imported a certificate, you can leave the default selections and reconfigure this iApp after obtaining the certificates. The deployment will not function correctly until you have selected the correct certificates. Note: Any certificate that you obtain with multiple names must be in SAN (Subject Alternative Name) format, not SNI (Server Name Indication) format. For more information on SAN certificates, see Subject Alternative Name (SAN) SSL Certificates.

          2. Which SSL key do you want to use? 
             Select the associated key from the list.

     2. Which Server SSL profile do you want to use? 
        Select whether you want the iApp to create an F5 recommended Server SSL profile, or if you want to choose a Server SSL profile you already created.

        • Select the Server SSL profile you created from the list If you have previously created a Server SSL profile for your Exchange implementation, from the list, select the existing Server SSL profile you created.

        • Create a new Server SSL profile
          Select this option if you want the iApp to create a new Server SSL profile.

          The default, F5 recommended Server SSL profile uses the serverssl parent profile. For information about the ciphers used in the Server SSL profile, see http://support.f5.com/kb/en-us/solutions/public/8000/800/sol8802.html.

     3. Is the remote BIG-IP LTM receiving this traffic using a self-signed or default certificate for decryption, or is the certificate signed by a CA? Select whether the remote BIG-IP LTM receiving the traffic is using a self-signed (or default) certificate for decrypting the traffic from this system, or if the certificate is signed by a Certificate Authority. Your answer determines the Secure Renegotiation setting on the Server SSL profile. This BIG-IP system will not trust the remote BIG-IP default or a self-signed certificate unless specifically configured to do so in this question. Important: This question pertains to the certificate used by the remote BIG-IP LTM, NOT the certificates present and assigned on the local BIG-IP system you are configuring.

        • Certificate Authority-provided certificate and key
          Select this option if the remote BIG-IP LTM is using a certificate from a Certificate Authority.

        • Self-signed or default certificate and key
          Select this option if the remote BIG-IP LTM is using a self-signed or default certificate.

   • Do not re-encrypt (SSL Offload)
     Select this option if you do not want the system to re-encrypt traffic to the BIG-IP LTM virtual server. We recommend not re-encrypting unless you have a requirement for SSL for the entire transaction. In this case, the system is offloading the BIG-IP LTM from also having to process the SSL transaction.

     1. Which Client SSL profile do you want to use? The iApp can create a new Client SSL profile, or if you have created a Client SSL profile which contains the appropriate SSL certificate and key for your Exchange implementation, you can select it from the list.

        • Select the Client SSL profile you created from the list
          If you manually created a Client SSL profile, select it from the list, and then continue with #2.

        • Create a new Client SSL profile
          Select this option if you want the iApp to create a new Client SSL profile.

          1. Which SSL certificate do you want to use? 
             Select the SSL certificate you imported onto the BIG-IP system for decrypting client connections. If you have not yet imported a certificate, you can leave the default selections and reconfigure this iApp after obtaining the certificates. The deployment will not function correctly until you have selected the correct certificates. Note: Any certificate that you obtain with multiple names must be in SAN (Subject Alternative Name) format, not SNI (Server Name Indication) format. For more information on SAN certificates, see Subject Alternative Name (SAN) SSL Certificates.

          2. Which SSL key do you want to use? 
             Select the associated key from the list.

3. Which intermediate certificate do you want to use?
   Choose whether or not you want to use an intermediate certificate (also called intermediate certificate chains or chain certificates) in this deployment. These certificates are used to help systems which depend on SSL certificates for peer identification. These certificates are intended to create a chain of trust between the CA that signed the certificate and the CA that is already trusted by the recipient of the certificate. This allows the recipient to verify the validity of the certificates presented, even when the signing CA is unknown. In order to use an intermediate certificate in this deployment, you must have manually imported it onto the BIG-IP system.

   • Do not use a chain certificate
     Select this option if you do not want to use an intermediate (chain) certificate in this deployment, or have not yet imported the certificate onto the system but want to exit the template to import it and then restart the template.

   • Select the intermediate certificate you imported from the list
     If you imported an intermediate certificate for this Exchange implementation, select the certificate you imported from the list.

4. What is the virtual IP address on the remote BIG-IP system to which you will forward traffic?
   Type the IP address of the virtual server on the remote BIG-IP LTM to which you will be forwarding Exchange client traffic from this BIG-IP device. This BIG-IP APM sends traffic to this address after performing authentication.

5. Will clients be connecting to this BIG-IP virtual server primarily over a LAN or WAN?
   Select how the system should optimize client-side TCP connections. The iApp uses your selection to configure the proper TCP optimization settings on the TCP profile.

   • Optimize TCP connections for WAN clients
     Select this option if most Exchange server clients are coming into your Exchange environment over a Wide Area Network.

   • Optimize TCP connections for WAN clients
     Select this option if most Exchange server clients are coming into your Exchange environment over a Local Area Network.

6. Should BIG-IP APM restrict EAC access to members of the Exchange Organization Management Security Group?
   Select whether you want the BIG-IP APM to restrict Exchange Administration Center (EAC) access to members of Exchange 2016's Organizational Management group. The BIG-IP APM module queries Active Directory group membership for the user making the request to EAC. If the user is not a member of the Organization Management group, the APM policy denies access.

   • No, do not restrict EAC access by group membership
     Select this option and the BIG-IP APM will not restrict access to the EAC by group membership.

   • Yes, restrict EAC access by group membership
     Select this option if you want to restrict EAC access to the Organization Management group. This adds an additional layer of security to your Exchange deployment, as the system denies access to the EAC from anyone who is not a member of the Organization Management group.

7. Which type of authentication do Outlook Web App clients use?
   Choose whether your outlook Web App clients are using Forms-based authentication or Smart Card authentication. You must be using BIG-IP APM version 11.3 or later for Smart Card authentication support for OWA.

   • Outlook Web App not used or clients use Forms-based authentication
     Select this option if your Outlook Web App clients are using Forms-based authentication, or if you are not using OWA.

     1. Which type of authentication have you configured on the Outlook Web App virtual directory?
        Select whether you have configured Outlook Web App to use Windows authentication or Forms-based authentication. Note that this selection is only for OWA, and not for Outlook clients. If you choose Windows authentication, the question asking about showing the OWA logon options do not appear. Showing the OWA logon options is only supported when doing server-side Forms authentication.

        • Outlook Web App is configured for Forms-based authentication
          Select this option if your OWA implementation uses forms-based authentication. You must answer the following question.

          1. Would you like to display the OWA computer type and light version options on the APM logon page?
             Choose whether you want to display the computer type (public/shared vs private) and light version (Use the light version of Outlook Web App) options for OWA on the APM logon page.

             • No, do not display the OWA logon options
               Select this option if you do not want to display the OWA logon options on the APM logon page.

             • Yes, display the OWA logon options
               Select this option if you want users to see the OWA logon options on the BIG-IP APM logon page. Note that in Exchange 2016, you must enable the logon page options by running a specific PowerShell command in the Exchange Management Shell prior to logging into OWA. Note: For the blind and low vision experience to function correctly when accessing OWA with Internet Explorer 11, the OWA site must be added to the Compatibility View websites list. Consult Microsoft documentation for more information.

             • Outlook Web App is configured for Windows authentication
               Select this option if your Outlook Web App implementation uses Windows authentication.

               1. What should the timeout be for inactive OWA sessions (in minutes)?Type the number of minutes you want to pass before the BIG-IP system closes inactive OWA sessions.

   • Outlook Web App clients use Smart Card authentication
     Select this option if your OWA clients use Smart Card authentication and you are using BIG-IP APM v11.3 or later.

     1. Which certificate from a CA trusted by this BIG-IP system for client-side processing of smart card authentication do you want to use?
        This question does not appear if you are using an existing Client SSL profile and iApp v1.0.2rc1 Select the certificate you imported onto the BIG-IP system that is from a Certificate Authority and is trusted by the BIG-IP system for client-side processing of smart card authentication. This certificate must already be imported onto the system before you can select it.

     2. What should the timeout be for inactive OWA sessions (in minutes)? Type the number of minutes you want to pass before the BIG-IP system closes inactive OWA sessions.

8. Which type of authentication do Outlook clients use?
   Choose whether your Outlook clients use Basic or NTLM authentication. Beginning in BIG-IP version 11.3, the iApp supports using NTLM authentication for Outlook Anywhere.

   • Outlook not used or clients use Basic Auth
     Select this option if your Outlook Anywhere clients use Basic Authentication, or if you are not using Outlook. Continue with #9.

   • Outlook Anywhere clietns use NTLM authentication
     Select this option if your Outlook Anywhere clients use NTLM information. You must answer the following questions about your Active Directory implementation. Also see Appendix E: Active Directory and Exchange Server configuration for NTLM for important information and modifications for NTLM. Important: Before completing this section, you must create a user account in the same domain that has been properly configured for NTLM delegation. You must also create an NTLM Machine Account object on the BIG-IP system to join this system to the Active Directory domain. See Creating an NTLM Machine Account. Note that the Kerberos SSO method is the only SSO method that can be used when the authentication method of the access policy is NTLM.

     1. Which NTLM machine account should be used for Kerberos delegation?
        Select the NTLM Machine Account you created to join the BIG-IP system to the Active Directory domain. If you have not already created an NTLM Machine Account on the BIG-IP system, see Creating an NTLM Machine Account. You must either exit the template now and start over once you have created the NTLM Machine Account, or choose Outlook Anywhere Clients use Basic Authentication from the previous question, and then re-enter the template later.

     2. What is the Kerberos Key Distribution Center IP or FQDN?
        Specify the IP address or fully qualified domain name of the Kerberos Key Distribution Center (KDC). If you type an FQDN, the BIG-IP system must be able to resolve the address. Otherwise, use the IP address.

     3. What is the name of the Kerberos Realm? 
        Specify the name of the Kerberos Realm. While this name should be in all capital letters, the iApp automatically turns any lower case letters to capital.

     4. What is the user name for the Active Directory delegation account you created?
        Specify the user name for the Active Directory delegation account you created. This account must be correctly configured in Active Directory for Kerberos delegation. See Appendix E: Active Directory and Exchange Server configuration for NTLM details.

     5. What is the associated password?
        Specify the password associated with the account.

9. What version of NTLM authentication does your deployment require?
   This question appears depending on your other selections in the template Choose the version of NTLM your Microsoft Exchange deployment requires. Your selection determines the type of BIG-IP APM SSO Configuration object.

   • NTLMv1 authentication
     Select this option if your Exchange implementation is using NTLMv1.

   • NTLMv2 authentication
     Select this option if your Exchange implementation is using NTLMv2.

10. Do you want to add any iRules to this configuration?
    You have the option of adding existing iRules to the virtual server. iRules allow an administrator to instruct the system to intercept, inspect, transform, direct and track inbound or outbound application traffic. For more information on iRules, see https://devcentral.f5.com/HotTopics/iRules/tabid/1082202/Default.aspx. Important: Improper use or misconfiguration of an iRule can result in unwanted application behavior and poor performance of your system. Verify the impact of an iRule prior to deployment in production. If you want to add iRules, from the Options box, select the iRule(s) you want to include, and then click the Add (<<) button.

Additional Steps

Review the information in the Additional steps section, and take appropriate action if necessary. All of the notes in Additional Steps are found in the relevant section of this deployment guide.

Finished

Review your answers to the questions. When you are satisfied, click the Finished button. The BIG-IP system creates the relevant objects.

Modifying the iApp configuration

This section contains modifications you must make to the configuration after running the iApp. Not all of these changes are required in all cases; make sure the change applies to your configuration before modifying the configuration.

Adding iRules to the configuration if you chose to use different IP address for the different client access services

If you configured the iApp template to use different IP address for the different client access Services, and are using ActiveSync and/or Outlook Anywhere, you must add an iRule to the virtual server(s).

Creating the ActiveSync iRule

If you deployed the iApp for separate virtual servers and are deploying ActiveSync, create the following iRule. To create the iRule, on the Main tab click iRules > Create. Give the iRule a unique name, and then in the Definition field, copy and paste the following code.

when HTTP_REQUEST {

COMPRESS::disable

CACHE::disable

}

Creating the Outlook Anywhere iRule

If you deployed the iApp for separate virtual servers and are deploying Outlook Anywhere, create the following iRule. To create the iRule, on the Main tab click iRules > Create. Give the iRule a unique name, and then in the Definition field, copy and paste the following code.

when HTTP_REQUEST {

COMPRESS::disable

CACHE::disable

}

when HTTP_RESPONSE {

if { ( [HTTP::header exists "WWW-Authenticate"] && [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate" ) ||

( [HTTP::header exists "Persistent-Auth"] && [string tolower [HTTP::header "Persistent-Auth"]] contains "true" ) } {

ONECONNECT::reuse disable

ONECONNECT::detach disable

## disables NTLM conn pool for connections where OneConnect has been disabled

NTLM::disable

}

## this command rechunks encoded responses

if {[HTTP::header exists "Transfer-Encoding"]} {

HTTP::payload rechunk

}

}

To attach the iRule(s) to the virtual server

1. From the Main tab of the BIG-IP Configuration utility, expand iApp and then click Application Services.

2. Click the name of your existing Microsoft Exchange application service from the list.

3. On the Menu bar, click Reconfigure.

4. If necessary, from the Do you want to customize your server pool settings? question, select Customize pool settings.

5. If you created the ActiveSync iRule, from the Do you want to add any iRules to this virtual server? question under the question asking if you are deploying ActiveSync, select the iRule you just created and then click the Add (<<) button to move it to the Selected list.

6. If you created the Outlook Anywhere iRule, from the Do you want to add any iRules to this virtual server? question under the question asking if you are deploying Outlook Anywhere, select the iRule you just created and then click the Add (<<) button to move it to the Selected list.

7. Click Finished.

Next steps

After completing the iApp Template, the BIG-IP Application Services page opens for the Exchange application service you just created. To see the list of all the configuration objects created to support Microsoft Exchange, on the Menu bar, click Components. The complete list of all Exchange related objects opens. You can click individual objects to see the settings.

Once the objects have been created, you are ready to use the new deployment.

Modifying DNS settings to use the BIG-IP virtual server address

Before sending traffic to the BIG-IP system, your DNS administrator may need to modify any DNS entries for the Exchange implementation to point to the BIG-IP system’s virtual server address.

Modifying the iApp configuration

The iApp application service you just created can be quickly and easily modified if you find it necessary to make changes to the configuration. The Strict Updates feature of the iApp prevents users from manually modifying the iApp configuration (Strict Updates can be disabled, but use extreme caution). iApp allows you to re-enter the template, make changes, and then update the template. The modifications are automatically made to any of the associated objects.

1. To modify the configuration
2. On the Main tab, expand iApp and then click Application Services.
3. Click the name of your Exchange Application service from the list.
4. On the Menu bar, click Reconfigure.
5. Make the necessary modifications to the template.
6. Click the Finished button.

Viewing statistics

You can easily view a number of different statistics on the BIG-IP system related to the Exchange configuration objects created by the iApp template. You can get statistics specific to the Application Service if you have provisioned AVR. Otherwise, you can always get object-level statistics.

AVR statistics

If you have provisioned AVR, you can get application-level statistics for your Exchange application service.

1. To view AVR statistics
2. On the Main tab, expand iApp and then click Application Services.
3. From the Application Service List, click the Exchange service you just created.
4. On the Menu bar, click Analytics.
5. Use the tabs and the Menu bar to view different statistics for your Exchange iApp.

Object-level statistics

If you haven’t provisioned AVR, or want to view object-level statistics, use the following procedure.

1. To view object-level statics
2. On the Main tab, expand Overview, and then click Statistics.
3. From the Statistics Type menu, you can select Virtual Servers to see statistics related to the virtual servers.
4. You can also choose Pools or Nodes to get a closer look at the traffic.
5. To see networking statistics in a graphical format, click Dashboard.

For more information on viewing statistics on the BIG-IP system, see the online help or product documentation.

Adding Ratio or Connection Limit information to the nodes if using a node-based load balancing method

If you chose to customize the server pool settings, changed the load balancing method from the default to a node-based method (such as Ratio (node) or Least Connections (node)), and configured a Ratio or Connection Limit, the iApp applies the ratio or connection limit to the load balancing pool member, and not to the node itself. In this case, you must manually modify each node to include any Ratio or Connection Limit settings you want to configure.

1. To modify the nodes to include Ratio or Connection Limit settings
2. On the Main tab, expand Local Traffic and then click Nodes.
3. From the Node table, click a Mailbox Server node you entered in the iApp template.
4. In the Ratio box, type the appropriate ratio, if applicable.
5. In the Connection Limit box, type the appropriate connection limit, if applicable.
6. Click Update.
7. Repeat this procedure for each node that is a part of your Exchange deployment.

Modifying the external monitor script file to support SNMP v3

If you deployed the iApp template to use external health monitors and need to use SNMP v3, you must manually modify the monitor script file produced by the template. Note this procedure does not require disabling Strict Updates.

1. To modify the monitor to support SNMP v3

2. On the Main tab, click System->File Management->External Monitor Program File List.

3. Click one of the Exchange script files. These begin with the abbreviation for the Exchange service, followed by _eav. For example for Autodiscover, the file name is ad_eav.

4. Modify each query variable containing the snmpget query string with the appropriate snmpget variables and values to perform an SNMP v3 get request. Use the following example for guidance.

   If the standard string is:

   query1=$(/usr/bin/snmpget -v 2c -c "${PASSWORD}"
   

   You would change it to something like:

   query1=$(/usr/bin/snmpget -v 3 -A authpassphrase -a MD5 -x AES -X "${PASSWORD}" -l authPriv
   

   followed by the existing $NODE variable and service oid.

   Refer to external documentation for more information on the snmpget linux client to understand each argument being passed in as well as SNMP v3 standard requirements.

5. Click Update.

6. Repeat this procedure for each script file you need to modify.

Troubleshooting

This section contains common issues and troubleshooting steps. Beginning with document revision 1.6 on 8/3/16, we include the document revision and date for each new troubleshooting entry. New entries now appear at the top of this section.

• Clients experiencing Outlook connectivity issues

This issue has been corrected in iApp version v1.0.2rc1. Upgrade to this version, or use the following guidance.

If clients are experiencing Outlook connectivity issues (described in detail here: https://blogs.technet.microsoft.com/exchange/2016/05/31/checklist-for-troubleshooting-outlook-connectivity-in-exchange-2013-and-2016-on-premises/), you must add an iRule to the virtual server(s). This iRule increases the TCP Idle Timeout on the server-side TCP profile.

If you are running a BIG-IP version prior to 11.6, see Procedure for BIG-IP versions prior to 11.6 on this page.

To create the iRule and add it to the Exchange 2016 virtual server(s)

1. On the Main tab, click Local Traffic > iRules > Create.
2. In the Name box, type a unique name for this iRule.
3. In the Definition section, copy and paste one of the following iRules depending on whether you configured the iApp to use a combined IP address or separate IP addresses for the Exchange services.

Note that the idletime value (in line 7 or line 2) of 2100 seconds based on the default CAS KeepAliveTime setting. If you are not using the default KeepAliveTime, modify the value in line 7 or 2 so it is 300 seconds more than your CAS KeepAliveTime value.

For the combined virtual server.

when HTTP_REQUEST {

switch -glob -- [string tolower [HTTP::path]] {

"/ews*" -

"/oab*" -

"/mapi*" -

"/rpc/rpcproxy.dll*" {

TCP::idletime 2100

return

}

}

}

For separate virtual servers.

when HTTP_REQUEST {

TCP::idletime 2100

}

4. Click the Finished button.

5. Re-enter the iApp template (on the Main tab, click iApp > Application Services > [name of your Exchange application service] and then from the Menu bar, click Reconfigure).

6. In the Tell us which services you are deploying section, from the "Do you want to customize your server pool settings" question, select Customize pool settings.

7. The next step depends on if you used a single IP address or separate IP address for Exchange services.

- Single IP address: From the "Do you want to add any custom iRules to this combined virtual server?" enable the iRule you created.

- Separate IP addresses: From the "Do you want to add any custom iRules to this virtual server?" questions, enable the iRule you just created for all of the following services you are using: Outlook Anywhere, MAPI-over-HTTP, EWS, and OAB.

7. Click Update. This completes the solution for v11.6 and later.

Procedure for BIG-IP versions prior to 11.6 - Different IP addresses for different services

1. Create a new TCP Profile (Local Traffic > Profiles > Protocol > TCP > Create). Set the Idle Timeout value to 2100 (if you are not using the default KeepAliveTime, modify the value so it is 300 seconds more than your CAS KeepAliveTime value).
2. If you have not already disabled Strict Updates, see Step 2. Disable the Strict Updates feature:.
3. Click Local Traffic > Virtual Servers.
4. For the Outlook Anywhere, MAPI-over-HTTP, EWS, and OAB virtual servers (you may not have all of these depending on your choices), click the name of the virtual server, and then from the Protocol Profile (Server) list, select the TCP profile you just created.
5. Click Update.

Procedure for BIG-IP versions prior to 11.6 - Single IP address

1. If you have not already disabled Strict Updates, see Step 2. Disable the Strict Updates feature:.
2. Click Local Traffic > Profiles > Protocol > TCP.
3. Click the name of the server side TCP profile created by the template. This name is _lan-optimized_tcp_profile.
4. In the Idle Timeout field, type 2100 (if you are not using the default KeepAliveTime, modify the value so it is 300 seconds more than your CAS KeepAliveTime value).
5. Click Update.

Updated in document revision 2.6 on 05-11-2017

• Clients receiving error message when using BIG-IP APM with OWA 2016 and IE10 or Google Chrome

If you are using APM and Outlook Web App 2013, and have clients using Internet Explorer 10 or Google Chrome, clients may receive the following error message from the BIG-IP APM: Access policy evaluation is already in progress for your current session. If clients are receiving this error, you must apply the an iRule to the virtual server(s) used for OWA 2013.

To create the iRule and add it to the OWA 2016 virtual server

1. On the Main tab, click Local Traffic > iRules > Create.

2. In the Name box, type a unique name for this iRule.

3. In the Definition section, copy and paste one of the following iRules depending on your BIG-IP version.

All versions except v11.5.4 HF2 and v11.6.1 HF1:

when HTTP_REQUEST {

if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } {

HTTP::cookie "IsClientAppCacheEnabled" False

}

}

Use the following irule if you are using BIG-IP version v11.5.4 HF2 or v11.6.1 HF1. Or if you have already deployed the iApp template and find you are not receiving a response from the BIG-IP virtual server using the rule above, and are seeing this message in /var/log/ltm: TCL error: /Common/_ - Operation not supported (line 2) invoked from within "HTTP::uri"

when HTTP_REQUEST {

if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } {

HTTP::cookie remove "IsClientAppCacheEnabled"

HTTP::cookie insert name "IsClientAppCacheEnabled" value False

}

}

4. Click the Finished button.

5. Re-enter the iApp template (on the Main tab, click iApp > Application Services > [name of your Exchange application service] and then from the Menu bar, click Reconfigure).

6. In the Tell us which services you are deploying section, from the "Do you want to customize your server pool settings" question, select Customize pool settings. Either in the "Do you want to add any custom iRules to this combined virtual server?" (if you used a single IP address) or in the "Do you want to add any custom iRules to this virtual server?" question under the IP address for OWA question (if you used different IP addresses), enable the iRule you just created.

7. Click Update.

If you have Outlook Web App clients connecting to a BIG-IP APM virtual server externally, and the same clients connect to a non-APM virtual server internally, you must apply the iRule to both virtual servers.

If clients are still receiving this error after adding the iRule, you should request they delete Temporary Internet Files (IE10), or go to chrome://appcache-internals and remove the application cache for Outlook Web Access (Chrome).

Updated in document revision 2.2 on 11-02-2016

• OSX/iOS clients receive a bad request error when clicking logout from Outlook Web App

This issue has been corrected in iApp version v1.0.1rc1. We recommend upgrading if you are experiencing this issue.

If your clients using Apple's OSX and/or iOS are receiving a bad request error when clicking the Logout button from OWA, you must modify the login_timeout rule created by the iApp using the following guidance.

1. If you have not already disabled Strict Updates, see Step 2. Disable the Strict Updates feature:.
2. On the Main tab, click Local Traffic > iRules, and then click the login timeout rule. This rule starts with the name you gave the iApp application service, followed by _login_timeout. For example, myExchange_login_timeout.
3. In the Definition area, change all references of Thurs to Thu.
4. Click the Update button.

Added in document revision 1.9 on 09-22-2016

• When using Forms-based authentication, users are unable to logout of an APM session after clicking logout from OWA

This issue has been corrected in iApp version v1.0.1rc1. We recommend upgrading if you are experiencing this issue.

If using Forms-based authentication for clients to access Outlook Web App you may experience an issue with users being unable to logout of the APM session after clicking logout in the OWA browser. If you are experiencing this issue, you must make a change to the iRule that controls the session timeout.

1. To modify the APM session check iRule if you used the iApp template

1. If you have not already disabled Strict Updates, see Step 2. Disable the Strict Updates feature:.

2. On the Main tab, click Local Traffic > iRules > Create.

3. From the iRules list, click _login_timeout.

4. Follow the instructions in Step 3 of Optional: Creating the iRule to terminate inactive APM sessions if using Windows based authentication for OWA to copy and paste the iRule in the Definition field.

5. Click Update.

Note that if you make changes to the iApp template using the Reconfigure option, you'll have to make this change to the iRule again. The next version of the iApp template will correct this issue.

Added in document revision 1.9 on 09-22-2016

• Exchange Hybrid Autodiscover, free/busy lookups, and remote mailbox moves/migrations fail when APM is deployed

If your Exchange environment is federated with Exchange Online, and you have deployed BIG-IP APM in front of your on-premise Exchange servers, federated requests for Autodiscover and free/busy information will fail, as will remote moves and migrations between your Exchange organization and Exchange Online. You must create and assign the following iRule to correct this behavior. The following rule selectively disables APM for hybrid-specific Exchange URIs.

Once you have configured the iRule, attach it to the Rule to the combined virtual server or the separate EWS virtual server:

1. On the Main tab, click Local Traffic > iRules > Create.

2. In the Name field, type a unique name.

3. In the Description field, copy and paste the following code, omitting the line numbers. Important: : Make sure to substitute the appropriate pool names/paths in lines 11 and 19.

   priority 1
   

   when HTTP_REQUEST {
   

   set is_disabled 0
   

   switch -glob [string tolower [HTTP::path]] {
   

   "/ews/mrsproxy.svc" -
   

   "/ews/exchange.asmx/wssecurity" {
   

   set is_disabled 1
   

   set path [HTTP::path]
   

   ACCESS::disable
   

   HTTP::path _disable-$path
   

   pool
   

   }
   

   "/autodiscover/autodiscover.svc/wssecurity" -
   

   "/autodiscover/autodiscover.svc" {
   

   set is_disabled 1
   

   set path [HTTP::path]
   

   ACCESS::disable
   

   HTTP::path _disable-$path
   

   pool
   

   }
   

   }
   

   }
   

   when HTTP_REQUEST_RELEASE {
   

   if { [info exists is_disabled] && $is_disabled == 0 } { return }
   

   if { [info exists path] } {
   

   HTTP::path $path
   

   unset is_disabled
   

   unset path
   

   }
   

4. Re-enter the iApp template (on the Main tab, click iApp > Application Services > [name of your Exchange application service] and then from the Menu bar, click Reconfigure).

5. .rom the iApp interface, select “Customize pool settings” from the “Tell us about which services you are deploying” section, from the “Do you want to add any iRules to this combined virtual server?” question, enable the iRule you created. If you are using separate virtual servers, assign the iRule to the virtual servers that pass Autodiscover and EWS traffic.

6. Click Update Added in document revision 1.6 on 08-03-2016.

• SSL Offloading is not supported when performing remote moves and migrations between your Exchange organization and Exchange Online

Because connections to the MRS Proxy endpoint must be encrypted to the Exchange server(s), F5 requires you select Re-encrypt (SSL Bridging) in response to the Do you want to re-encrypt this traffic to your Client Access Servers? question in the iApp template. Added in document revision 1.6 on 08-03-2016.

• Modifying the IIS authentication token timeout value

The iApp template configures most Exchange monitors to check service health every 30 seconds. However, to reduce traffic between the Exchange server and domain controllers, IIS virtual directories configured to use Basic authentication cache authentication tokens for up to 15 minutes before re-authenticating the user with Active Directory. This may result in the BIG-IP pool members for these services being marked UP incorrectly while Basic authentication tokens are cached.

You can decrease the length of or disable this token caching period by editing the registry on the Exchange server. The length of time configured for the token cache combined with the timeout value of the monitor will determine how long it will take until a resource is marked down. For example, setting a token cache period of 60 seconds, combined with a monitor using a timeout value of 91 seconds, will result in a resource being marked down after 151 seconds.

For instructions on modifying the registry, see the following Microsoft article (while this article says IIS 6.0, we tested it on IIS 7.5 with no modifications): http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/6b2e7fcd-5fad-4ac8-ac0a-dcfbe771e9e1.mspx

Warning Use extreme caution any time you are editing the registry. Contact Microsoft for specific instructions and/or help editing the registry values.

• Microsoft Exchange Remote Connectivity Analyzer fails to successfully run the FolderSync command

If you deployed the BIG-IP system for ActiveSync, either using the iApp template or manually, and attempt to run the Microsoft Exchange Remote Connectivity Analyzer (ExRCA) against an Exchange mailbox, you may receive the following error:

This behavior affects versions of BIG-IP earlier than 11.4.0. To work around this error, you must create an iRule, and then use the iApp template to apply the iRule to the combined Exchange BIG-IP virtual server (or attach the iRule manually if you used the manual configuration tables).

1. To create the iRule
2. On the Main tab, expand Local Traffic, click iRules, and then click the Create button.
3. In the Name box, give the iRule a unique name.
4. In the Definition section, copy and paste one of the following iRules, omitting the line numbers, depending on whether you configured the system for a combined virtual server, or a separate virtual server for ActiveSync.
5. Click Finished.

Only use the definition applicable to your configuration.

Combined virtual server iRule definition

when HTTP_REQUEST {

set isactivesync 0

if { [string tolower [HTTP::path]] contains "/microsoft-server-activesync" } {

set isactivesync 1

}

}

when HTTP_RESPONSE {

if { [HTTP::status] == 401 && [HTTP::header exists "Content-Length"] && $isactivesync == 1 } {

HTTP::header insert "Connection" "Close"

}

unset isactivesync

}

Separate virtual server iRule definition

when HTTP_RESPONSE {

if { [HTTP::status] == 401 && [HTTP::header exists "Content-Length"] } {

HTTP::header insert "Connection" "Close"

}

}

The next task is to attach the iRule to the virtual server. This depends on whether you configured the BIG-IP system using the iApp template or manually.

Attaching the iRule if you used the iApp template to configure the BIG-IP system

Use the following procedure if you used the iApp template to configure the BIG-IP system.

1. 1.    To attach the iRule to the virtual server
2. 2.    From the Main tab of the BIG-IP Configuration utility, expand iApp and then click Application Services.
3. 3.    Click the name of your existing Microsoft Exchange application service from the list.
4. 4.    On the Menu bar, click Reconfigure.
5. 5.    If necessary, from the Do you want to customize your server pool settings? question, select Customize pool settings.
6. 6.    If you used a Combined virtual server, from the Do you want to add any iRules to this combined virtual server? question, select the iRule you just created and then click the Add (<<) button to move it to the Selected list. If you used Separate virtual servers, after the question What IP address do you want to use for the ActiveSync virtual server? from the Do you want to add any custom iRules to this virtual server?question, select the iRule you just created and then click the Add (<<) button to move it to the Selected list.
7. 7.    Click Finished.

Attaching the iRule if you manually configured the BIG-IP system

If you configured the BIG-IP system manually, and configured a combined virtual server, modify the combined virtual server you created to attach the combined iRule. If you configured separate virtual servers, modify the ActiveSync virtual server you created to attach the separate virtual server iRule.

• iPhones and other iOS devices are displaying invalid certificate messages after deploying the iApp for ActiveSync

If you deployed the iApp template for ActiveSync (or manually configured the BIG-IP system) and iOS devices started showing invalid certificate messages even though the certificates were issued by an appropriate authority, you must manually create an Client SSL profile that uses a Chain certificate. Intermediate certificates, also called intermediate certificate chains or chain certificates, are used to help systems which depend on SSL certificates for peer identification.

Use the guidance in this solution to create a Client SSL profile that uses an intermediate certificate chain: http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13302.html. Be sure Secure Renegotiationis set to Require (the default) on the Client SSL profile.

If you manually configured the system, add the Client SSL profile to your virtual server.

If you used the iApp, use this procedure:

1.    Re-enter the iApp template (on the Main tab, click iApp > Application Services > [name of your Exchange application service] and then from the Menu bar, click Reconfigure).

2.    In the Tell us about your deployment section, from the " Do you want to create a new client SSL profile or use and existing one?" question, select the profile you just created that uses the Chain certificate.

3.    Click Update.

• When using SSL Bridging and BIG-IP version 11.4.x, pool members may be marked down or you may experience connection resets and TLS errors logged to the Mailbox servers

This issue only occurs when using SSL Bridging and BIG-IP versions 11.4.x. Pool members may be marked down when using simple monitors, or you may experience connection resets and TLS errors logged to the Mailbox servers because the SSL ciphers used in the Server SSL profile in 11.4.x are not compatible with those in some versions of Microsoft Internet Information Server (IIS).

There are two ways you can resolve this issue:

1.    Upgrade your BIG-IP system to version 11.5 or later.

2.    Create a custom Server SSL profile and associate it with the virtual server, either using the iApp template or manually.

To create the Server SSL profile

a. On the Main tab, click Local Traffic > Profiles > SSL > Server.

b. Click Create.

c. In the Name box, type a unique name for this profile.

d. In the Options row, click the Custom box.

e. From the Available Options list, select No TLSv1.2, and then click the Enable button.

f. Click the Finished button.

g. Attach the new Server SSL profile to the virtual server either using the iApp or manually.

• To attach the profile to the virtual server using the iApp template:

i) Re-enter the iApp template (on the Main tab, click iApp > Application Services > [name of your Exchange application service] and then from the Menu bar, click Reconfigure).

ii) In the Tell us which services you are deploying section, from the "Which Server SSL profile do you want to use" question, select the Server SSL profile you just created.

iii) Click Update.

• To attach the profile to the virtual server manually:

i) Select the Exchange virtual server you created.

ii) From the SSL Profile (Server) area, enable the Server SSL profile you just created.

iii) Click Update.

iv) If you used separate virtual servers for each Exchange service, add the profile to each virtual server.

• Lync clients cannot connect or receive authentication prompts when accessing Microsoft Exchange Autodiscover and EWS through F5 APM

When you have deployed APM in front of Microsoft Exchange, Microsoft Lync clients may be unable to successfully query the Autodiscover service or download free/busy information from EWS. To work around this issue, you must create an iRule to disable APM for these requests and attach it using the iApp interface.

To create the iRule and add it to the virtual server

1. On the Main tab, click Local Traffic > iRules > Create.

2. In the Name box, type a name.

3. In the Definition section, copy and paste the following iRule, omitting the line numbers. Enter line 4 as a single line.

priority 1

when HTTP_REQUEST {

set is_disabled 0

# Lync Client Exchange Conversation History Auto discovery APM Bypass

if { [string tolower [HTTP::header value "User-Agent"]] contains "microsoft lync" || [string tolower [HTTP::header value "User-Agent"]] contains "ms-webservices" || [string tolower [HTTP::header value "User-Agent"]] contains "skype for business" } {

if { [string tolower [HTTP::path]] starts_with "/autodiscover" } {

set is_disabled 1

set path [HTTP::path]

ACCESS::disable

HTTP::path _disable-$path

pool

}

if { [string tolower [HTTP::path]] starts_with "/ews" } {

set is_disabled 1

set path [HTTP::path]

ACCESS::disable

HTTP::path _disable-$path

pool

}

}

#Lync Server Partner Application Setup APM Bypass

if { [string tolower [HTTP::path]] starts_with "/autodiscover/metadata/json/1" } {

set is_disabled 1

set path [HTTP::path]

ACCESS::disable

HTTP::path _disable-$path

pool /Common/Exchange_2013.app/Exchange_2013_ad_pool3

}

}

when HTTP_REQUEST_RELEASE {

if { !$is_disabled } { return }

HTTP::path $path

unset is_disabled

}

4. Click the Finished button.

5. Re-enter the iApp template (on the Main tab, click iApp > Application Services > [name of your Exchange application service] and then from the Menu bar, click Reconfigure).

6. From the iApp, select “Customize pool settings” from the “Tell us about which services you are deploying” section, from the “Do you want to add any iRules to this combined virtual server?” question, enable the iRule you created.

7. Click Update.

• You may experience deployment errors when a NTLM Machine Account name contains spaces or special characters

If you are using BIG-IP APM, and specified that Outlook Anywhere clients use NTLM authentication, you must specify an NTLM Machine Account in the iApp template that you created manually. If the name of the NTLM Machine Account object contains spaces or special characters, you may experience errors when trying to deploy the template.

If your NTLM Machine Account object name contains a special character or space, the workaround for this issue is to create an NTLM Machine Account name that only contains alphanumeric characters and underscores, with no spaces. Return to Creating an NTLM Machine Account, and create a new machine account.

• The Direct File Access setting for public computers is not honored

When you have configured the OWA virtual directory to deny Direct File Access to public computers, and you have deployed BIG-IP APM with OWA logon options enabled, users who have selected This is a public or shared computer from the APM logon page are able to download or open OWA file attachments.

To solve this issue, create and then attach the following iRule to the combined virtual server or the separate OWA virtual server (this rule should appear below the _owa_forms_value_irule in the iRule list):

when HTTP_REQUEST {

if { [ACCESS::session data get "session.custom.owa.trusted"] == 0 } {

if { [HTTP::cookie exists "PrivateComputer"] } {

HTTP::cookie remove "PrivateComputer"

}

}

• After deploying the iApp template for SSL Bridging, my BIG-IP system is experiencing excessive memory usage

If you are experiencing high memory usage on the BIG-IP system after deploying the iApp template for SSL Bridging, it may be due to the Retain Certificate setting on the Server SSL profile. If you are experiencing this issue, we recommend creating a new Server SSL profile with Retain Certificate disabled, and then selecting the new profile from the iApp.

To create a new Server SSL profile

1. On the Main tab, click Local Traffic > Profiles > SSL > Server > Create.

2. In the Name box, type a unique name.

3. In the Retain Certificate row, clear the check box to disable the Retain Certificates setting.

4. Click the Finished button.

5. Re-enter the iApp template (on the Main tab, click iApp > Application Services > [name of your Exchange application service] and then from the Menu bar, click Reconfigure).

6. In the Tell us about your deployment section, from the "Which Server SSL profile do you want to use?" question, select the Server SSL profile you just created.

7. Click Update.

• Multiple BIG-IP APM sessions may be created when a website uses favicon

When connecting to Outlook Web App through the BIG-IP APM, you may see multiple sessions for a single client IP address, and the Favorite icon may not display in the browser.

To work around this issue, create and then attach the following iRule to the combined virtual server or the separate OWA virtual server (this rule should appear above the pool assignment rule in the iRule list):

when HTTP_REQUEST {

if { [string tolower [HTTP::path]] ends_with "favicon.ico" and [HTTP::cookie "MRHSession"] eq "" } {

ACCESS::disable

}

}

• When choosing a custom APM profile created outside the template, sessions are not timing out

If you created a custom APM profile outside the iApp and then chose to use it in the iApp template, the iApp does not attach a timeout iRule to the virtual server, as the system does not know which SSO method is being used. If this is the case, you must manually create the iRule and then attach it to the virtual server.

Follow the instructions in either Creating the iRule to terminate inactive APM sessions if using Forms-based authentication for OWA (default) or Optional: Creating the iRule to terminate inactive APM sessions if using Windows based authentication for OWA depending on the authentication method you are using.

Creating an NTLM Machine Account

If you are using BIG-IP APM to provide secure authentication and configuring the BIG-IP system for Outlook Anywhere clients using NTLM authentication, you must have an NTLM Machine Account object configured before you can successfully complete the template. Use the following procedure to create the NTLM Machine Account.

1. To create the NTLM Machine Account
2. On the Main tab, expand Access Policy, and then click Access Profiles.
3. On the Menu bar, from the NTLM menu, click Machine Account List.
4. Click the Create button.
5. In the Name box, type a name for the BIG-IP Machine Account object. Currently, the NTLM machine account should contain alphanumeric characters and underscores only. Spaces and special characters are not allowed.
6. In the Machine Account Name box, type the name of the computer account that will be created in the domain after clicking Join.
7. In the Domain FQDN box, type the fully qualified domain name of the domain that you want the machine account to join.
8. In the Domain Controller FQDN box, if the machine account should have access to one domain only, type the FQDN for the domain controller for that domain.
9. In the Admin User box, type the name of a user with administrative privileges.
10. In the Password box, type the associated password.
11. Click the Join button.

Appendix A: Configuring additional BIG-IP settings

This section contains information on configuring the BIG-IP system for objects or settings that are required, but not part of the template.

Configuring DNS and NTP settings

If you are configuring the iApp to use BIG-IP APM, you must configure DNS and NTP settings on the BIG-IP system before beginning the iApp.

Configuring the DNS settings

In this section, you configure the DNS settings on the BIG-IP system to point to a DNS server that can resolve your Active Directory server or servers. In many cases, this IP address will be that of your Active Directory servers themselves.

Note: DNS lookups go out over one of the interfaces configured on the BIG-IP system, not the management interface. The management interface has its own, separate DNS settings.

Important: The BIG-IP system must have a self IP address in the same local subnet and VLAN as the DNS server, or a route to the DNS server if located on a different subnet. The route configuration is found on the Main tab by expanding Network and then clicking Routes. For specific instructions on configuring a route on the BIG-IP system, see the online help or the product documentation.

1. To configure DNS settings
2. On the Main tab, expand System, and then click Configuration.
3. On the Menu bar, from the Device menu, click DNS.
4. In the DNS Lookup Server List row, complete the following:
5. In the Address box, type the IP address of a DNS server that can resolve the Active Directory server.
6. Click the Add button.
7. Click Update.

Configuring the NTP settings

The next task is to configure the NTP settings on the BIG-IP system for authentication to work properly.

1. To configure NTP settings
2. On the Main tab, expand System, and then click Configuration.
3. On the Menu bar, from the Device menu, click NTP.
4. In the Address box, type the fully-qualified domain name (or the IP address) of the time server that you want to add to the Address List.
5. Click the Add button.
6. Click Update.

To verify the NTP setting configuration, you can use the ntpq utility. From the command line, run ntpq -np.

See http://support.f5.com/kb/en-us/solutions/public/10000/200/sol10240.html for more information on this command.

Appendix B: Using X-Forwarded-For to log the client IP address

When you configure BIG-IP LTM to use SNAT, the BIG-IP system replaces the source IP address of an incoming connection with its local self IP address (in the case of SNAT Automap), or an address you have configured in a SNAT pool. As a result, Microsoft IIS logs each connection with its assigned SNAT address, rather than the address of the client. The iApp produces an HTTP profile on the BIG-IP system which inserts an X-Forwarded-For header, so the original client IP address is sent as well; however, in default IIS configuration, this information is not logged.

Beginning with IIS 7, Microsoft provides an optional Advanced Logging Feature for IIS that allows you to define custom log definitions that can capture additional information such as the client IP address included in the X-Forwarded-For header.

Deploying the Custom Logging role service

The first task is to deploy the Custom Logging role service. If you do not deploy this role service, you may receive a "Feature not supported" error when trying to edit the log definition in the next section.

1. To deploy the Custom Logging role service in Windows 2008 and 2008 R2
2. From your Windows Server 2008 or Windows Server 2008 R2 device, open Server Manager.
3. In the Navigation pane, expand Roles.
4. Right-click Web Server, and then click Add Role Services.
5. Under Health and Diagnostics, check the box for Custom Logging, and then click Next.
6. On the Confirmation page, click Install.
7. After the service has successfully installed, click the Close button.
8. To deploy the Custom Logging role service in Windows 2012 and 2012 R2
9. From your Windows Server 2012 or Windows Server 2012 R2 device, open Server Manager.
10. Click Add Roles and Features.
11. In the Add Roles and Features wizard, the Custom Logging Role is under the Web Server > Web Server > Health and Diagnosticscategory.
12. On the Confirmation page, click Install.
13. After the service has successfully installed, click the Close button.

Adding the X-Forwarded-For log field to IIS

Before beginning the following procedure, you must have installed IIS Advanced Logging. For installation instructions, see http://www.iis.net/community/files/media/advancedlogging_readme.htm

If you are using IIS version 6, F5 has a downloadable ISAPI filter that performs a similar function to the Advanced Logging Feature discussed here. For information on that solution, see the DevCentral post at http://devcentral.f5.com/weblogs/Joe/archive/2009/08/19/x_forwarded_for_log_filter_for_windows_servers.aspx

1. To add the X-Forwarded-For log field to IIS
2. From your Windows Server 2008 or Windows Server 2008 R2 device, open the Internet Information Services (IIS) Manager.
3. From the Connections navigation pane, click the appropriate server, web site, or directory on which you are configuring Advanced Logging. The Home page appears in the main panel.
4. From the Home page, under IIS, double-click Advanced Logging.
5. From the Actions pane on the right, click Edit Logging Fields.
6. From the Edit Logging Fields dialog box, click the Add Field button, and then complete the following:
7. In the Field ID box, type X-Forwarded-For.
8. From the Category list, select Default.
9. From the Source Type list, select Request Header.
10. In the Source Name box, type X-Forwarded-For.
11. Click the OK button.
12. Click a Log Definition to select it. By default, there is only one: %COMPUTERNAME%-Server. The log definition you select must have a status of Enabled.
13. From the Actions pane on the right, click Edit Log Definition.
14. Click the Select Fields button, and then check the box for the X-Forwarded-For logging field.
15. Click the OK button.
16. From the Actions pane, click Apply.
17. Click Return To Advanced Logging.
18. In the Actions pane, click Enable Advanced Logging.

Now, when you look at the logs, the client IP address is included.

Appendix C: Manual configuration tables

This table contains the BIG-IP configuration objects in this deployment and any non-default settings. See the BIG-IP APM tables for additional APM configuration. Give each BIG-IP object a unique name in the Name field. Because of the complexity, we strongly recommend using the iApp to configure Microsoft Exchange Server. Replace any host names (in red) with your host name. Only configure objects for the services you are using.

TIP: If you are manually configuring the BIG-IP system, you may want to use the PDF version of this guide for easier reading.

Note: We recommend using this section to create two monitors for each service, using a second mailbox account. For the external monitors, note that Microsoft only supports SNMPv2 in their default service. If you require SNMP v3 support, see Modifying the external monitor script file to support SNMP v3.

Configuration table if using a combined virtual server for Exchange HTTP-based services

1 The optimized TCP profiles are optional. If not creating the optimized profiles, create a TCP profile with the base TCP parent 2 Server SSL profile is only necessary if configuring SSL Bridging. 3 If you expect more than 6,000 concurrent users per Mailbox Server, create a SNAT Pool instead of using Auto Map. See the BIG-IP documentation for creating SNAT Pools. This field is "SNAT Pool" in versions 11.0 - 11.2.x.

This completes the combined virtual manual configuration table. Continue with Configuration tables for POP3, and IMAP4 .

Configuration table if using separate virtual servers for Exchange HTTP-based services

Use this section if you are planning to deploy the BIG-IP system with separate virtual servers for the Exchange client access services.

Outlook Web App configuration table - includes the Exchange Control Panel (ECP)

Outlook Anywhere configuration table (for separate virtual servers)

Exchange Web Services configuration table (for separate virtual servers)

Offline Address book configuration table (for separate virtual servers)

Active Sync manual configuration table (for separate virtual server configuration)

Autodiscover manual configuration table (for separate virtual server configuration)

Configuration tables for POP3, and IMAP4

Use the following tables for POP3, and IMAP4, no matter which HTTP-based configuration you chose in the tables on the previous pages. Use the table appropriate for your configuration.

POP3 manual configuration table

IMAP4 manual configuration table

Manually configuring MAPI over HTTP in Exchange

Introduced in Exchange 2013 SP1 and in Exchange 2016, the new MAPI over HTTP transport protocol is for Outlook clients running Office 2013 SP1 and later (only).

If you are using the new MAPI over HTTP transport protocol, use the following guidance to create the objects necessary to support MAPI over HTTP. If you configured the iApp template to use a combined virtual server, you create a health monitor, pool, and an iRule.

Important: If using APM v11.x only: Because BIG-IP APM is not yet supported for MAPI over HTTP in v11.x, the iRule in the following table includes a line (commented out by default) to disable Access Policy processing for this new protocol only. If you configured the iApp to use separate virtual servers, you create the monitor, pool, and a virtual server. The iRule is not necessary at all in this case. In APM v12.0 and later, the Exchange APM profile options you configure for Outlook Anywhere also apply to MAPI over HTTP.

Use the following table to create the objects on the BIG-IP LTM. Unless otherwise specified, settings not mentioned in the table can be configured as applicable for your configuration. For help configuring individual objects, see the Help tab or product manuals.

Creating the iRule definition for the combined virtual server scenario

Use the following for the Definition of the iRule, omitting the line numbers, and changing the red text to the name your pool. If you want MAPI over HTTP to bypass the BIG-IP APM, remove the comment (#) from line 5.

Do not uncomment line 5 if you are using BIG-IP APM v12.0 or later.

when HTTP_REQUEST {

switch -glob -- [string tolower [HTTP::path]] {

"/mapi*" {

###uncomment the following line to bypass APM for MAPI-over-HTTP in v11.x ONLY

#ACCESS::disable

pool mapi_http_pool

COMPRESS::disable

CACHE::disable

return

}

}

}

External monitor script files

This section contains the EAV script code referred to from the manual configuration table. To use these external monitors, you must have SNMP enabled on each Mailbox server in the pool.

Importing the monitor script files

Before you can create the external monitors, you must download and import the applicable monitor files onto the BIG-IP system.

Note: If you are using a redundant BIG-IP system, you need to make sure any modifications to the script EAVs are manually copied between BIG-IP LTM devices, and given the required permissions when configuration is synchronized.

1. To download and install the script
2. Download the appropriate script:

• For all client access services (does not include POP/IMAP)http://www.f5.com/pdf/deployment-guides/cas-external-monitor-script.zip While you use this same script file for all client access service external monitors, you create a separate monitor object for each service as shown in the manual configuration table.
• POP3 http://www.f5.com/pdf/deployment-guides/pop-external-monitor-script.zip
• IMAP4 http://www.f5.com/pdf/deployment-guides/imap-external-monitor-script.zip

1. Extract the appropriate file(s) to a location accessible by the BIG-IP system.
2. From the Main tab of the BIG-IP Configuration utility, expand System, and then click File Management.
3. On the Menu bar, click External Monitor Program File List.
4. Click the Import button.
5. In the File Name row, click Browse, and then locate the appropriate file.
6. In the Name box, type a name for the file related to the script you are using.
7. Click the Import button.

Now when you create the external monitors, you can select the name of the file you imported from the External Program list.

iRules

This section contains the iRules referenced from the manual configuration tables. The line numbers in this section are provided for reference only. Create a new iRule and copy the code, omitting the line numbers. In many of the rules, you need need to modify pool names according to your configuration.

To create an iRule, from the Main tab, expand Local Traffic, and then click iRules. Click Create, give the iRule a unique name, and then copy and paste the iRule code into the Definition section (omitting the line numbers). If specified, you must replace any parts of the code in red text with the names of the appropriate BIG-IP object.

OWA Redirect iRule (formerly referred to as the Append iRule)

when HTTP_REQUEST {

if { ([HTTP::uri] == "/") } {

HTTP::redirect https://[HTTP::host]/owa/

}

}

This iRule should appear at the top of the iRule list in the virtual server and come before any iRules you might use.

Pool Assignment iRule if using a single virtual server for all HTTP-based services For this configuration, you must create an additional iRule which changes the pool based on the service being accessed.

Critical You must change the pool names in the following iRules (shown in red) to match the pools in your configuration.

Pool Assignment iRule if using a single virtual server for all HTTP-based services

## iRule to select pool when all Exchange Mailbox HTTP-based services are

## accessed through the same BIG-IP virtual server.

## CHANGE ALL POOL NAMES TO MATCH THOSE IN YOUR ENVIRONMENT.

when HTTP_REQUEST {

switch -glob -- [string tolower [HTTP::path]] {

"/microsoft-server-activesync*" {

## ActiveSync.

pool as_pool_name

COMPRESS::disable

CACHE::disable

return

}

"/owa*" {

## Outlook Web Access

pool owa_pool_name

return

}

"/ecp*" {

## Exchange Control Panel.

pool owa_pool_name

return

}

"/ews*" {

## Exchange Web Services.

pool oa_pool_name

COMPRESS::disable

CACHE::disable

return

}

"/oab*" {

## Offline Address Book.

pool oa_pool_name

return

}

"/rpc/rpcproxy.dll*" {

## Outlook Anywhere.

pool oa_pool_name

COMPRESS::disable

CACHE::disable

return

}

"/mapi*" {

## mapi.

pool mapi_pool_name

COMPRESS::disable

CACHE::disable

return

}

"/autodiscover*" {

## Autodiscover.

pool ad_pool_name

return

}

default {

## This final section takes all traffic that has not otherwise

## been accounted for and sends it to the pool for Outlook Web App

pool owa_pool_name

}

}

}

when HTTP_RESPONSE {

if { ( [HTTP::header exists "WWW-Authenticate"] && [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate" ) ||

( [HTTP::header exists "Persistent-Auth"] && [string tolower [HTTP::header "Persistent-Auth"]] contains "true" ) } {

ONECONNECT::reuse disable

ONECONNECT::detach disable

## disables NTLM conn pool for connections where OneConnect has been disabled

NTLM::disable

}

## this command rechunks encoded responses

if {[HTTP::header exists "Transfer-Encoding"]} {

HTTP::payload rechunk

}

}

Outlook Anywhere rule if using separate pools AND virtual servers

Use this rule for Outlook Anywhere, Exchange Web Services, and Offline Address book. If you are using more than one service, you can attach the same iRule to multiple virtual servers.

when HTTP_RESPONSE {

if { ( [HTTP::header exists "WWW-Authenticate"] && [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate" ) ||

( [HTTP::header exists "Persistent-Auth"] && [string tolower [HTTP::header "Persistent-Auth"]] contains "true" ) } {

ONECONNECT::reuse disable

ONECONNECT::detach disable

## disables NTLM conn pool for connections where OneConnect has been disabled

NTLM::disable

}