ACE 4710 Outlook Anywhere not working

I have set up our ACE 4710 and everything is working great with the exception of Outlook Anywhere. When I take one of the servers out of service in the serverfarm host Exchange-CAS-HTTPS everything runs correctly, but when I put the server back in service everything involving Outlook Anywhere blows up again. I contacted Microsoft and they informed me this was an issue with our ACE. Any help would be greatly appreciated.

crypto chaingroup WWW-PROD-CHAINGROUP
  cert AddTrustExternalCARoot.crt
  cert COMODOHigh-AssuranceSecureServerCA.crt


access-list allow line 8 extended permit ip any any

probe https Exchange-OWA
  interval 30
  ssl version all
  request method get url get /owa/auth/logon.aspx
  expect status 400 404
probe tcp TCP135
  description RPC Endpoint Mapper
  port 135
  interval 30
  connection term forced
probe tcp TCP60000
  description RPC Client Access
  port 60000
  interval 30
  connection term forced
probe tcp TCP60001
  description Address Book Service
  port 60001
  interval 30
  connection term forced

rserver redirect OWA-SSL-REDIRECT
  webhost-redirection https://%h%p 301
  inservice
rserver host mail1
  ip address 10.0.14.11
  inservice
rserver host mail2
  ip address 10.0.14.12
  inservice

serverfarm host Exchange-CAS-HTTPS
  predictor leastconns
  probe Exchange-OWA
  rserver mail1 443
    inservice
  rserver mail2 443
    inservice
serverfarm host Exchange-CAS-RPC
  predictor leastconns
  probe TCP135
  probe TCP60000
  probe TCP60001
  fail-on-all
  rserver mail1
    inservice
  rserver mail2
    inservice
serverfarm redirect Exchange-OWA-REDIRECT
  rserver OWA-SSL-REDIRECT
    inservice

parameter-map type http Exchange-OWA
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 16384
  set content-maxparse-length 8192
parameter-map type ssl SSL_PARAMS
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_WITH_3DES_EDE_CBC_SHA

sticky ip-netmask 255.255.255.255 address source Exchange-CAS-RPC
  timeout 7200
  replicate sticky
  serverfarm Exchange-CAS-RPC
sticky http-cookie Exchange-Sticky Exchange-CAS-HTTPS-Cookie
  cookie insert browser-expire
  replicate sticky
  serverfarm Exchange-CAS-HTTPS
sticky http-header Authorization Exchange-CAS-HTTPS-AuthZHeader
  timeout 7200
  replicate sticky
  serverfarm Exchange-CAS-HTTPS
sticky ip-netmask 255.255.255.255 address source Exchange-CAS-HTTPS-SourceIP
  timeout 7200
  replicate sticky
  serverfarm Exchange-CAS-HTTPS

action-list type modify http Exchange-CAS-HTTP
  header insert request X-Forwarded-For header-value "%is"

ssl-proxy service Exchange-CAS
  key ProdKEYPAIR.PEM
  cert WWW-PROD-CERT.crt
  chaingroup WWW-PROD-CHAINGROUP
  ssl advanced-options SSL_PARAMS

class-map match-any Exchange-CAS-HTTPS
  2 match virtual-address 10.0.14.6 tcp eq https
class-map type http loadbalance match-any Exchange-CAS-HTTPS-RootRequest
  2 match http url /
class-map match-any Exchange-CAS-RPC
  2 match virtual-address 10.0.14.6 tcp eq 60001
  3 match virtual-address 10.0.14.6 tcp eq 60000
  4 match virtual-address 10.0.14.6 tcp eq 135
class-map match-any Exchange-OWA-REDIRECT
  2 match virtual-address 10.0.14.6 tcp eq www
class-map type management match-any mgmt-cm
  2 match protocol https any
  3 match protocol snmp any
  4 match protocol ssh any
  5 match protocol icmp any

policy-map type management first-match mgmt-pm
  class mgmt-cm
    permit

policy-map type loadbalance first-match Exchange-CAS-HTTPS
  match OWA http url /owa.*
    sticky-serverfarm Exchange-CAS-HTTPS-Cookie
    action Exchange-CAS-HTTP
    ssl-proxy client Exchange-CAS
  match ECP http url /ecp.*
    sticky-serverfarm Exchange-CAS-HTTPS-Cookie
    action Exchange-CAS-HTTP
    ssl-proxy client Exchange-CAS
  match EWS http url /ews.*
    sticky-serverfarm Exchange-CAS-HTTPS-Cookie
    action Exchange-CAS-HTTP
    ssl-proxy client Exchange-CAS
  match ActiveSync http url /Microsoft-Server-ActiveSync.*
    sticky-serverfarm Exchange-CAS-HTTPS-AuthZHeader
    action Exchange-CAS-HTTP
    ssl-proxy client Exchange-CAS
  match OutlookAnywhere http header User-Agent header-value "MSRPC"
    sticky-serverfarm Exchange-CAS-HTTPS-AuthZHeader
    action Exchange-CAS-HTTP
    ssl-proxy client Exchange-CAS
  class Exchange-CAS-HTTPS-RootRequest
    serverfarm Exchange-OWA-REDIRECT
  class class-default
    sticky-serverfarm Exchange-CAS-HTTPS-SourceIP
    action Exchange-CAS-HTTP
    ssl-proxy client Exchange-CAS

policy-map type loadbalance first-match Exchange-CAS-RPC
  class class-default
    sticky-serverfarm Exchange-CAS-RPC

policy-map type loadbalance http first-match Exchange-OWA-REDIRECT
  class class-default
    serverfarm Exchange-OWA-REDIRECT

policy-map multi-match vlan100
  class Exchange-OWA-REDIRECT
    loadbalance vip inservice
    loadbalance policy Exchange-OWA-REDIRECT
  class Exchange-CAS-RPC
    loadbalance vip inservice
    loadbalance policy Exchange-CAS-RPC
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 100
  class Exchange-CAS-HTTPS
    loadbalance vip inservice
    loadbalance policy Exchange-CAS-HTTPS
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 100
    appl-parameter http advanced-options Exchange-OWA
    ssl-proxy server Exchange-CAS

interface vlan 100
  ip address 10.0.14.7 255.255.255.0
  access-group input allow
  nat-pool 1 10.0.14.6 10.0.14.6 netmask 255.255.255.255 pat
  service-policy input mgmt-pm
  service-policy input vlan100
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.0.14.1

snmp-server community mycompany group Network-Monitor

3 Replies

Kanwaljeet Singh
Cisco Employee

Hi Andrew,

Can you explain when the connection breaks? Do you have pcaps showing the problem? Is it an SSL handshake problem, the server resetting the connection, ACE not forwarding the traffic, ACE forwarding traffic to the wrong server, etc.? What exactly is going on?

Regards,

Kanwal

I don't think it's an SSL problem because it's working fine with one server at a time. The problem only happens when I put both servers in service. We are using NTLM and not basic authentication. Would outlooksession be more appropriate than using the Authorization header? How would I determine where it is breaking down?

Hi Andrew,

You can take a pcap on the ACE and the MS server and decrypt it in Wireshark, which shall actually show what is going on. Looks like a persistence issue since it works with one server. Not sure about the authentication stuff. Never worked on it. Sorry. Maybe someone else has a better idea about it.

Regards,

Kanwal
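
The persistence concern raised in this thread can be modelled offline. The following is an added example, not code from the thread or from Cisco: it shows that the Authorization header value changes between the NTLM negotiate (type 1) and authenticate (type 3) messages, so a sticky key built from that header does not hold one handshake on one server, while a source-IP key does. The sticky table and predictor are simplified assumptions, and the NTLM blobs and client address are constructed.

```python
import base64
import struct

def ntlm_header(msg_type, payload=b""):
    """Build a constructed 'NTLM <base64>' Authorization value (signature + type + payload)."""
    blob = b"NTLMSSP\x00" + struct.pack("<I", msg_type) + payload
    return "NTLM " + base64.b64encode(blob).decode()

def ntlm_type(header_value):
    """Return the NTLM message type (1=negotiate, 3=authenticate), or None if not NTLM."""
    scheme, _, token = header_value.partition(" ")
    if scheme.upper() != "NTLM":
        return None
    blob = base64.b64decode(token)
    if len(blob) < 12 or blob[:8] != b"NTLMSSP\x00":
        return None
    return struct.unpack("<I", blob[8:12])[0]

class StickyFarm:
    """Simplified model (assumption): a sticky table keyed by a string, and a
    predictor that picks the in-service server holding the fewest sticky entries."""
    def __init__(self, servers):
        self.servers = list(servers)
        self.table = {}

    def route(self, key):
        if key not in self.table:
            load = {s: 0 for s in self.servers}
            for s in self.table.values():
                load[s] += 1
            self.table[key] = min(self.servers, key=lambda s: load[s])
        return self.table[key]

def by_header(req):  # models 'sticky http-header Authorization'
    return req["auth"]

def by_source(req):  # models 'sticky ip-netmask ... address source'
    return req["src"]

def handshake_servers(farm, key_fn):
    """Route both authenticated requests of one NTLM handshake; return the servers hit."""
    requests = [  # constructed sample requests from one client
        {"src": "198.51.100.20", "auth": ntlm_header(1, b"constructed-negotiate")},
        {"src": "198.51.100.20", "auth": ntlm_header(3, b"constructed-authenticate")},
    ]
    return [farm.route(key_fn(r)) for r in requests]

if __name__ == "__main__":
    print("2 servers, header key:", handshake_servers(StickyFarm(["mail1", "mail2"]), by_header))
    print("1 server,  header key:", handshake_servers(StickyFarm(["mail1"]), by_header))
    print("2 servers, source key:", handshake_servers(StickyFarm(["mail1", "mail2"]), by_source))
```

In a decrypted capture, the same check applies: if the type 1 and type 3 requests of one handshake reach different real servers, the type 3 response answers a challenge the receiving server never issued.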