BIG-IP F5 with Symantec Enterprise Vault

Our customer was performing an Exchange 2010 to 2016 migration along with an Enterprise Vault upgrade, and I was asked to migrate from TMG to F5.

I used the F5 iApp f5.microsoft_exchange_2016.v1.0.2 to configure Exchange 2016 co-existence with Exchange 2010, with SSL profiles enabled on both the client side and the server side of the virtual server.

Outlook, ActiveSync and OWA worked without any problems; however, Symantec Enterprise Vault did not work as expected.

To troubleshoot the issue further, I attached the iRule below to the virtual server to trace all requests and responses between F5 and Vault.

# Troubleshooting trace: writes every request and response header
# (including Authorization) to the local0 log facility.
when HTTP_REQUEST {
    # Connection-scoped variable, reused in HTTP_RESPONSE below.
    set LogString "Client [IP::client_addr]:[TCP::client_port] -> [HTTP::host][HTTP::uri]"
    log local0. "============================================="
    log local0. "$LogString (request)"
    foreach aHeader [HTTP::header names] {
        log local0. "$aHeader: [HTTP::header value $aHeader]"
    }
    log local0. "============================================="
}
when HTTP_RESPONSE {
    log local0. "============================================="
    log local0. "$LogString (response) - status: [HTTP::status]"
    foreach aHeader [HTTP::header names] {
        log local0. "$aHeader: [HTTP::header value $aHeader]"
    }
    log local0. "============================================="
}

As you can see in the logs, there was no response from the Vault server. To me, that means we are either communicating on the wrong port or the service is not running on the Vault server.

Dec 30 14:41:16 F5LB01 info tmm[19902]: Rule /Common/logallrequestresponse <HTTP_REQUEST>: =============================================
Dec 30 14:41:16 F5LB01 info tmm[19902]: Rule /Common/logallrequestresponse <HTTP_REQUEST>: Client 17.22.11.228:51319 -> mail.com/enterprisevault/clienttest.gif (request)
Dec 30 14:41:16 F5LB01 info tmm[19902]: Rule /Common/logallrequestresponse <HTTP_REQUEST>: User-Agent: EnterpriseVaultOutlookExt-V11.0.1.3683
Dec 30 14:41:16 F5LB01 info tmm[19902]: Rule /Common/logallrequestresponse <HTTP_REQUEST>: Host: mail.com
Dec 30 14:41:16 F5LB01 info tmm[19902]: Rule /Common/logallrequestresponse <HTTP_REQUEST>: Cache-Control: no-cache
Dec 30 14:41:16 F5LB01 info tmm[19902]: Rule /Common/logallrequestresponse <HTTP_REQUEST>: Authorization: Negotiate TlRMTVNTUAAAl4II4gAAAAAAAKAO5CAAAADw==
Dec 30 14:41:16 F5LB01 info tmm[19902]: Rule /Common/logallrequestresponse <HTTP_REQUEST>: X-Forwarded-For: 17.22.11.228
Dec 30 14:41:16 F5LB01 info tmm[19902]: Rule /Common/logallrequestresponse <HTTP_REQUEST>: =============================================
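The trace iRule above writes every header to the LTM log, including the Authorization token visible in the excerpt. As an added example (not the author's iRule), this variant traces only /enterprisevault requests and masks credential-bearing headers; the list of masked headers and the `trace` variable name are assumptions made for this example.

```tcl
# Added example, not the author's iRule: same trace, limited to Enterprise
# Vault requests, with credential-bearing header values masked.
when HTTP_REQUEST {
    # "trace" is a name chosen for this example; it is reset on every request.
    set trace [string match -nocase "/enterprisevault*" [HTTP::path]]
    if { !$trace } { return }
    set LogString "Client [IP::client_addr]:[TCP::client_port] -> [HTTP::host][HTTP::uri]"
    log local0. "$LogString (request)"
    foreach aHeader [HTTP::header names] {
        set value [HTTP::header value $aHeader]
        switch -- [string tolower $aHeader] {
            "authorization" -
            "proxy-authorization" {
                # Keep the scheme (Negotiate, NTLM, Basic) for troubleshooting,
                # drop the token or password that follows it.
                set value "[lindex [split $value] 0] <redacted>"
            }
            "cookie" { set value "<redacted>" }
        }
        log local0. "$aHeader: $value"
    }
}
when HTTP_RESPONSE {
    if { !$trace } { return }
    log local0. "$LogString (response) - status: [HTTP::status]"
    foreach aHeader [HTTP::header names] {
        set value [HTTP::header value $aHeader]
        # Session cookies issued by the server are as sensitive as credentials.
        if { [string equal -nocase $aHeader "set-cookie"] } {
            set value "<redacted>"
        }
        log local0. "$aHeader: $value"
    }
}
```

Detach the iRule from the virtual server once troubleshooting is finished, since it still logs one line per header for every matching request.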

Our Vault server is configured as shown in screenshot 1 below.

Because a server SSL profile is configured on the virtual server, F5 tries to communicate with the Vault server on port 443, but the server is not listening on 443, hence there was no server response. So I modified the iRule as below, disabling server-side SSL for Enterprise Vault requests, and Enterprise Vault started working.

"/enterprisevault*" {
    SSL::disable serverside
    pool /Common/Vault_pool
    return
}

For better security, we then enabled port 443 on the Enterprise Vault server.

In IIS, we went to Default Web Site > Bindings and configured SSL.

[Screenshot: F5 with Enterprise Vault SSL]

Then we modified the iRule as below, and Enterprise Vault became accessible again, this time via a more secure channel.

"/enterprisevault*" {
    pool /Common/Vault_pool
    return
}