
Ace 4710 Exchange 2010 not working

Struggling here with getting my ACE to play nice with two Exchange 2010 servers in a DAG. I have the CAS array all set up and the VIP of my ACE is the FQDN of my CAS array.

Here is the config. Nothing seems to be working. Any thoughts? Thanks for the help!!

crypto chaingroup WWW-PROD-CHAINGROUP
  cert AddTrustExternalCARoot.crt
  cert COMODOHigh-AssuranceSecureServerCA.crt


access-list allow line 8 extended permit ip any any

probe https Exchange-OWA
  interval 30
  ssl version all
  request method get url get /owa/auth/logon.aspx
  expect status 400 404
probe tcp TCP135
  description RPC Endpoint Mapper
  port 135
  interval 30
  connection term forced
probe tcp TCP60000
  description RPC Client Access
  port 60000
  interval 30
  connection term forced
probe tcp TCP60001
  description Address Book Service
  port 60001
  interval 30
  connection term forced

rserver redirect OWA-SSL-REDIRECT
  webhost-redirection https://%h%p 301
  inservice
rserver host mail1
  ip address 10.0.14.11
  inservice
rserver host mail2
  ip address 10.0.14.12
  inservice

serverfarm host Exchange-CAS-HTTPS
  predictor leastconns
  probe Exchange-OWA
  rserver mail1 443
    inservice
  rserver mail2 443
    inservice
serverfarm host Exchange-CAS-RPC
  predictor leastconns
  probe TCP135
  probe TCP60000
  probe TCP60001
  fail-on-all
  rserver mail1
    inservice
  rserver mail2
    inservice
serverfarm redirect Exchange-OWA-REDIRECT
  rserver OWA-SSL-REDIRECT
    inservice

parameter-map type http Exchange-OWA
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 16384
  set content-maxparse-length 8192
parameter-map type ssl SSL_PARAMS
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_WITH_3DES_EDE_CBC_SHA

sticky ip-netmask 255.255.255.255 address source Exchange-CAS-RPC
  timeout 7200
  replicate sticky
  serverfarm Exchange-CAS-RPC
sticky http-cookie Exchange-Sticky Exchange-CAS-HTTPS-Cookie
  cookie insert browser-expire
  replicate sticky
  serverfarm Exchange-CAS-HTTPS
sticky http-header Authorization Exchange-CAS-HTTPS-AuthZHeader
  timeout 7200
  replicate sticky
  serverfarm Exchange-CAS-HTTPS
sticky ip-netmask 255.255.255.255 address source Exchange-CAS-HTTPS-SourceIP
  timeout 7200
  replicate sticky
  serverfarm Exchange-CAS-HTTPS

action-list type modify http Exchange-CAS-HTTP
  header insert request X-Forwarded-For header-value "%is"

ssl-proxy service Exchange-CAS
  key ProdKEYPAIR.PEM
  cert WWW-PROD-CERT.crt
  chaingroup WWW-PROD-CHAINGROUP
  ssl advanced-options SSL_PARAMS

class-map match-any Exchange-CAS-HTTPS
  2 match virtual-address 10.0.14.6 tcp eq https
class-map type http loadbalance match-any Exchange-CAS-HTTPS-RootRequest
  2 match http url /
class-map match-any Exchange-CAS-RPC
  2 match virtual-address 10.0.14.6 tcp eq 60001
  3 match virtual-address 10.0.14.6 tcp eq 60000
  4 match virtual-address 10.0.14.6 tcp eq 135
class-map match-any Exchange-OWA-REDIRECT
  2 match virtual-address 10.0.14.6 tcp eq www
class-map type management match-any mgmt-cm
  2 match protocol https any
  3 match protocol snmp any
  4 match protocol ssh any
  5 match protocol icmp any

policy-map type management first-match mgmt-pm
  class mgmt-cm
    permit

policy-map type loadbalance first-match Exchange-CAS-HTTPS
  match OWA http url /owa.*
    sticky-serverfarm Exchange-CAS-HTTPS-Cookie
    action Exchange-CAS-HTTP
  match ECP http url /ecp.*
    sticky-serverfarm Exchange-CAS-HTTPS-Cookie
    action Exchange-CAS-HTTP
  match EWS http url /ews.*
    sticky-serverfarm Exchange-CAS-HTTPS-Cookie
    action Exchange-CAS-HTTP
  match ActiveSync http url /Microsoft-Server-ActiveSync.*
    sticky-serverfarm Exchange-CAS-HTTPS-AuthZHeader
    action Exchange-CAS-HTTP
  match OutlookAnywhere http header User-Agent header-value "MSRPC"
    sticky-serverfarm Exchange-CAS-HTTPS-AuthZHeader
    action Exchange-CAS-HTTP
  class Exchange-CAS-HTTPS-RootRequest
    serverfarm Exchange-OWA-REDIRECT
  class class-default
    sticky-serverfarm Exchange-CAS-HTTPS-SourceIP
    action Exchange-CAS-HTTP
policy-map type loadbalance first-match Exchange-CAS-RPC
  class class-default
    sticky-serverfarm Exchange-CAS-RPC
policy-map type loadbalance http first-match Exchange-OWA-REDIRECT
  class class-default

policy-map multi-match vlan100
  class Exchange-OWA-REDIRECT
    loadbalance vip inservice
    loadbalance policy Exchange-OWA-REDIRECT
  class Exchange-CAS-RPC
    loadbalance vip inservice
    loadbalance policy Exchange-CAS-RPC
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 100
  class Exchange-CAS-HTTPS
    loadbalance vip inservice
    loadbalance policy Exchange-CAS-HTTPS
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 100
    appl-parameter http advanced-options Exchange-OWA
    ssl-proxy server Exchange-CAS

interface vlan 100
  ip address 10.0.14.7 255.255.255.0
  access-group input allow

  nat-pool 1 10.0.14.6 10.0.14.6 netmask 255.255.255.255 pat

  service-policy input mgmt-pm
  service-policy input vlan100
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.0.14.1

snmp-server community mycompany group Network-Monitor


MailSwitch/Exchange#

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Ace 4710 Exchange 2010 not working

Hi Andrew,

It seems that you have rservers listening on port 443 for serverfarm Exchange-CAS-HTTPS, which means that you have end-to-end SSL in place. But I don't see "ssl-proxy client" configured. Please configure that and see if it resolves the issue.

You need to configure the ACE as a client along with server when doing end-to-end SSL. In your case it is just server. Please configure the above command under "policy-map type loadbalance first-match Exchange-CAS-HTTPS".

Regards,

Kanwal
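
The condition described in the accepted answer can be checked statically before a config is pushed. The following is an added example, not part of the original thread and not Cisco tooling: it flags load-balance rules that send traffic to a serverfarm whose rservers listen on 443 without an `ssl-proxy client` action. It assumes the two-space indentation used in the posted config and treats port 443 as the TLS backend port; the sample input is a constructed excerpt of that config.

```python
# Constructed excerpt of the config posted above, trimmed to the relevant stanzas.
SAMPLE = """serverfarm host Exchange-CAS-HTTPS
  rserver mail1 443
sticky http-cookie Exchange-Sticky Exchange-CAS-HTTPS-Cookie
  serverfarm Exchange-CAS-HTTPS
sticky ip-netmask 255.255.255.255 address source Exchange-CAS-RPC
  serverfarm Exchange-CAS-RPC
policy-map type loadbalance first-match Exchange-CAS-HTTPS
  match OWA http url /owa.*
    sticky-serverfarm Exchange-CAS-HTTPS-Cookie
policy-map type loadbalance first-match Exchange-CAS-RPC
  class class-default
    sticky-serverfarm Exchange-CAS-RPC
"""

def stanzas(text):
    """Group an indented ACE config into (header words, [indented child lines])."""
    out = []
    for line in filter(str.strip, text.splitlines()):
        if not line[0].isspace():
            out.append((line.split(), []))
        elif out:
            out[-1][1].append(line)
    return out

def missing_ssl_client(text, tls_port="443"):
    """Return (policy, rule, serverfarm) for TLS backends with no 'ssl-proxy client'."""
    blocks, tls_farms, sticky, findings = stanzas(text), set(), {}, []
    for head, kids in blocks:
        rows = [k.split() for k in kids]
        if head[:2] == ["serverfarm", "host"] and any(
                r[0] == "rserver" and r[2:] == [tls_port] for r in rows):
            tls_farms.add(head[2])
        elif head[0] == "sticky":  # sticky group name -> serverfarm behind it
            sticky.update({head[-1]: r[1] for r in rows if r[0] == "serverfarm"})
    lb = [b for b in blocks if b[0][:3] == ["policy-map", "type", "loadbalance"]]
    for head, kids in lb:
        rules = []
        for k in kids:  # 2-space lines open a rule; deeper lines are its actions
            if len(k) - len(k.lstrip()) <= 2:
                rules.append((k.split()[1], []))
            elif rules:
                rules[-1][1].append(k.split())
        for rule, acts in rules:
            farms = {a[1] if a[0] == "serverfarm" else sticky.get(a[1])
                     for a in acts if a[0] in ("serverfarm", "sticky-serverfarm")}
            if not any(a[:2] == ["ssl-proxy", "client"] for a in acts):
                findings += [(head[-1], rule, f) for f in sorted(farms & tls_farms)]
    return findings
```

Run against the full posted config, every rule in the Exchange-CAS-HTTPS policy that resolves to the 443 serverfarm is reported, while the RPC policy is not.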
