In this howto, F5 APM is used to publish Exchange 2013. First, a brief overview of the test environment:
I have 2 Exchange servers and a DC in the internal network; the servers use 172.16.100.1 as their default gateway. The F5 APM has 2 network cards: one is directly connected to the Internet (in my case the "Internet" is the network 172.16.1.0/24), and the second has an IP in the internal network. The F5 also has a dedicated network card in a management network (192.168.30.0/24). The basic configuration can be seen in the following pictures.
Management settings:
Network cards or VLANs 1.1 (internal) and 1.2 (external)
Internal and external self IPs:
So much for the basic configuration. A certificate with the external access names is required for APM. Since I want to publish all Exchange services via a DNS name, my certificate only contains 2 DNS names:
- autodiscover.frankysweb.de
- outlook.frankysweb.de
I have described here how certificates can be created with your own CA. The certificate must first be imported on the F5:
The F5 understands the PFX format, so no complicated conversion is necessary. Upload certificate, enter password and name, done:
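A pre-import check for the PFX described above, as an added example that is not part of the original post: it lists the DNS names in the certificate's subjectAltName and reports any expected name that is missing. It assumes OpenSSL 1.1.1 or later on an admin workstation; the function names and the sample password are hypothetical, and the sample PFX is generated on the fly.

```shell
# Added example, not from the original post. Exact-name match only (no wildcards).
# The PFX password is read from $PFX_PASS so it never shows up in the process list.

# Print the DNS SAN entries of the leaf certificate in a PFX, one per line.
pfx_san_names() {
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed -n 's/^ *DNS:\([^ ]*\).*$/\1/p'
}

# Print each required name missing from the SAN list; return 1 if any is missing.
pfx_missing_names() {
    local pfx="$1" sans name missing=0
    shift
    sans=$(pfx_san_names "$pfx")
    for name in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qixF -- "$name"; then
            echo "$name"
            missing=1
        fi
    done
    return "$missing"
}

# Build a throwaway self-signed PFX (constructed sample data) with the given SANs.
make_sample_pfx() {
    local out="$1" dir san rc
    shift
    dir=$(mktemp -d)
    san=$(printf 'DNS:%s,' "$@")
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -addext "subjectAltName=${san%,}" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -passout env:PFX_PASS -out "$out" 2>/dev/null
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Demo on constructed data: a PFX that lacks the autodiscover name.
export PFX_PASS='sample-password'   # constructed value
demo=$(mktemp)
make_sample_pfx "$demo" outlook.frankysweb.de
pfx_missing_names "$demo" outlook.frankysweb.de autodiscover.frankysweb.de ||
    echo "add the names listed above to the certificate before importing it"
rm -f "$demo"
```

A wrong password or an unreadable file yields an empty SAN list, so every required name is reported as missing.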
If you didn't do the provisioning during the installation, you have to do it now. So far, I have only provisioned the LTM module, so I am now selecting APM as well:
The services restart during provisioning, so do not do this while there are active sessions.
Next, the iApp template can be installed. The current iApp templates can be downloaded here:
From the many templates, only the Exchange template is required: f5.microsoft_exchange_2010_2013_cas.v1.4.0.tmpl. This can now be imported:
Select and upload the template (.tmpl) file:
An iApp can now be created from the template:
Enter the name of the iApp and select the template:
The template now asks for the settings. The first screen is self-explanatory. By the way, a user with domain admin rights is required; in my case the user is called "F5APM":
The second page is mostly self-explanatory as well. Under "What is the LDAP tree...", the path to the OU (distinguishedName) in which the F5 service user is stored must be specified. In my case, this is the "User" OU.
The previously imported certificate must be selected under "Which Client certificate/key...".
The next settings depend on the environment. I set the IP address for the virtual service to 172.16.1.20. The DNS names outlook.frankysweb.de and autodiscover.frankysweb.de must also point to this IP address. If you want, you can restrict access to the Exchange Admin Center so that only members of the "Organization Management" group have access to EAC. Here are my settings:
The Exchange servers must be specified on the last page, and that's it:
Finally, set the DNS entries to the IP of the Virtual Service:
The iApps make it really easy to get to your destination quickly with F5. Everything works as expected. There is also a nice deployment guide here:
Deploying the BIG-IP System v11 with Microsoft Exchange