Franky's Web

Exchange 2013: Configuring F5 APM 11.6 for Exchange 2013

In this howto, F5 APM is used to publish Exchange 2013. First, a brief overview of the test environment:

I have 2 Exchange servers and a DC in the internal network; the servers use 172.16.100.1 as their default gateway. The F5 APM has 2 network cards: one is directly connected to the Internet (in my case the Internet is the network 172.16.1.0/24), and the second has an IP in the internal network. The F5 also has a dedicated network card in a management network (192.168.30.0/24). The basic configuration can be seen in the following pictures.

Management settings:

Network cards or VLANs 1.1 (internal) and 1.2 (external)

Internal and external self IPs:

So much for the basic configuration. A certificate with the external access names is required for APM. Since I want to publish all Exchange services via a single DNS name, my certificate only contains 2 DNS names:

How to create certificates with your own CA is described here. The certificate must first be imported on the F5:

The F5 understands the PFX format, so no complicated conversion is necessary. Upload certificate, enter password and name, done:

If you didn't do the provisioning directly during the installation, you have to do it now. So far, I have only provisioned the LTM module, so I am now also selecting APM:

Provisioning restarts the services, so do not do this while there are active sessions...

Next, the iApp template can be installed. The current iApp templates can be downloaded here:

https://downloads.f5.com/esd/eula.sv?sw=BIG-IP&pro=big-ip_v11.x&ver=11.6.0&container=iApp-Templates&path=&file=&B1=I+Accept

From the many templates, only the Exchange template is required: f5.microsoft_exchange_2010_2013_cas.v1.4.0.tmpl. This can now be imported:

Select and upload template (.tmpl) file.

An iApp can now be created from the template

Enter the name of the iApp and the template

The template now asks for the settings. The first page is self-explanatory. Note that a user with Domain Admin rights is required; in my case the user is called "F5APM":

The second page is mostly self-explanatory as well. For "What is the LDAP tree…", enter the path (distinguishedName) of the OU in which the F5 service user is stored. In my case this is the OU "Benutzer".

For "Which Client certificate/key…", select the previously imported certificate.

The next settings depend on the environment. I set the IP address for the virtual service to 172.16.1.20. The DNS names outlook.frankysweb.de and autodiscover.frankysweb.de must also point to this IP address. If you like, you can additionally restrict access to the Exchange Admin Center so that only members of the "Organization Management" group have access to the EAC. Here are my settings:

The Exchange servers must be specified on the last page, and that's it:

Finally, set the DNS entries to the IP of the Virtual Service:
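A check for this step and for the certificate requirement above, as an added example that is not part of the original howto: it verifies that every published name is covered by a certificate DNS name and resolves only to the virtual service IP. The function names, the certificate name lists and the DNS answers are constructed for illustration, and the example assumes the certificate's two names are the two DNS names mentioned above.

```python
import ipaddress

def san_covers(san: str, host: str) -> bool:
    """True if one certificate dNSName entry covers host."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san == host:
        return True
    # A wildcard counts only as the complete leftmost label and stands for
    # exactly one label: *.frankysweb.de does not cover a.b.frankysweb.de.
    if san.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == san[2:]
    return False

def preflight(names, cert_sans, dns_answers, vip):
    """Return a list of problems; an empty list means the names are ready."""
    vip = ipaddress.ip_address(vip)
    problems = []
    for name in names:
        if not any(san_covers(s, name) for s in cert_sans):
            problems.append(f"{name}: not covered by the certificate")
        answers = dns_answers.get(name, [])
        if not answers:
            problems.append(f"{name}: no A record")
        for addr in answers:
            if ipaddress.ip_address(addr) != vip:
                problems.append(f"{name}: resolves to {addr}, expected {vip}")
    return problems

# Values taken from this howto
NAMES = ["outlook.frankysweb.de", "autodiscover.frankysweb.de"]
VIP = "172.16.1.20"

# Constructed sample inputs (assumptions, not shown on the page)
SANS_OK = ["outlook.frankysweb.de", "autodiscover.frankysweb.de"]
SANS_WILDCARD = ["*.frankysweb.de"]
SANS_MISSING = ["outlook.frankysweb.de"]
DNS_OK = {name: [VIP] for name in NAMES}
DNS_STALE = {"outlook.frankysweb.de": [VIP],
             "autodiscover.frankysweb.de": ["172.16.1.99"]}

if __name__ == "__main__":
    cases = [("complete", SANS_OK, DNS_OK),
             ("autodiscover missing from certificate", SANS_MISSING, DNS_OK),
             ("stale autodiscover record", SANS_OK, DNS_STALE)]
    for label, sans, dns in cases:
        print(label, "->", preflight(NAMES, sans, dns, VIP) or "no problems")
```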

The iApps make it really easy to reach your goal quickly with F5. Everything works as expected. There is also a nice deployment guide here:

Deploying the BIG-IP System v11 with Microsoft Exchange
