As we all know, TMG was a great, fantastic and fabulous product that served well for most externally published web services. I know most of us were really worried when its discontinuation was announced, and people are now moving towards alternatives to replace TMG.
Among the few good alternatives, the F5 load balancer is one of the great products. Recently I had a chance to be involved and work in such a project, which was led by a messaging expert and a network specialist.
I would like to share some of the experience I gained and the things that we need to consider during this migration.
In TMG we had the option to publish any site, set up and control authentication delegation and application settings, and provide a secure way to access these URLs through the reverse proxy.
I still feel bad about ISA and TMG being abandoned by Microsoft, as deploying Exchange and Lync in an environment worked equally well with an ISA/TMG implementation for most deployments.
On the F5 BIG-IP you need to use the iApp template for the version of Exchange that you are currently running, available from the F5 support website.
You can download the latest iApp for Exchange template from the link
I'm not going to explain these iApp templates, how to import them on the LTM or how to configure their settings, since in this blog I'm going to explain the best practices that we can follow for Exchange 2010 and 2013.
Those who would like to explore more can always try the virtual LTM trial version from the link below and publish Exchange services through it.
Just download it and install it on any VM to test this functionality.
Below are the things that we need to consider in this migration:
1) Choose your type of SSL method
Decide what type of SSL handling you are going to use.
SSL offload:
If you use SSL offload, all certificate decryption happens on the F5 itself, and the connections from the F5 to the CAS servers are sent unencrypted.
Benefits of doing this:
Your CAS servers will not carry the load of performing the SSL decryption.
Disadvantages:
The traffic from the network layer to the application layer travels unencrypted, which opens the possibility of application layer attacks on that leg.
SSL bridging:
If you use this method, SSL decryption happens on the F5, which in turn re-encrypts the traffic and sends the connections encrypted to the CAS servers.
Benefits of doing this:
A double layer of SSL inspection is done: at the network layer by the F5 and again by the CAS servers.
Disadvantages: If you have a small number of CAS servers, the load on them might increase, although this happens in few scenarios.
I cannot recommend one over the other, because ultimately it is you who needs to evaluate your network structure, performance and the extra layer of security wrapped around your environment.
But my best recommendation is always to stick with SSL bridging.
2) Prepare your SSL certificates for Exchange services
For either of the above methods you need an SSL certificate on the BIG-IP to perform the decryption and re-encryption, so obtain an SSL certificate and install it on the BIG-IP system.
To configure your Client Access servers to support SSL offloading, you must first follow the Microsoft documentation. See
3) If you are using the new MAPI over HTTP transport protocol in Exchange 2013, there is a small challenge. This new service is not yet included in the iApp template, so you must manually configure the BIG-IP system to support it.
4) As part of the testing in your migration, never direct the external Exchange traffic from TMG to the F5 and then on to the CAS servers, planning to remove TMG later.
Below are the reasons:
a) TMG uses ARP requests to prevent switch port flooding in unicast NLB.
b) The F5 extracts only the MAC address from the Ethernet adapter instead of using ARP requests. Since TMG masks the MAC address of the hosts, the F5 will not get the information it requires.
5) Certificates that you obtain with multiple names must be in SAN (Subject Alternative Name) format only, not SNI (Server Name Indication) format.
6) Enable TCP request queuing in the iApp template
TCP request queuing provides the ability to queue connection requests that exceed the connection capacity of the pool. You can choose this option if it is a small deployment with one CAS server.
Basically, if the TCP connections exceed the capacity of the pool, it holds the connections instead of dropping them.
7) Secure EAC access (Exchange 2013 only)
Configure settings in the iApp to restrict EAC access by group membership. Select this option if you want to restrict EAC access to the Organization Management group.
The BIG-IP APM module queries Active Directory group membership for the user making the request to EAC. If the user is not a member of the Organization Management group, the BIG-IP APM policy denies access.
8) Choose your authentication for OWA
Use the BIG-IP APM module to provide secure access and proxied authentication (pre-authentication) for the HTTP-based Client Access services (Outlook Web App, Outlook Anywhere, ActiveSync and Autodiscover). The BIG-IP APM presents a login page to end users that takes the place of the forms-based login page normally presented by Outlook Web App.
If you have configured FBA on the CAS virtual directory, you do not need to configure this authentication on the F5, because users would be prompted to authenticate twice, once by the F5 and again by the CAS virtual directory, which is painful. I always prefer to do this part on the CAS virtual directory and leave the reverse proxy setting as such.
9) You can configure health checks for OWA (Outlook Web App) and Outlook Anywhere in the F5. You need to specify how often the system checks the health of the CAS servers; the default recommended value is 30 seconds. You can configure this to monitor all these services.
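To make the health-check behaviour concrete, here is an added example (not code from the original post or from F5) that models the state a pool-member monitor keeps and performs one live probe against the Exchange 2013 OWA health page. It assumes, beyond what the post states, that a member is marked down after three consecutive failed probes at the 30-second interval and up again after one success; the CAS host names and probe results are constructed sample data.

```python
"""Added example: state logic of a CAS pool health monitor plus a live probe.

Assumptions not stated in the post: a member is marked down after
FAILURES_TO_MARK_DOWN consecutive failures and up again after one success.
Host names in SAMPLE are constructed values.
"""
import ssl
import urllib.request
from dataclasses import dataclass, field

INTERVAL_SECONDS = 30      # the default recommended value from the post
FAILURES_TO_MARK_DOWN = 3  # assumption, see module docstring


@dataclass
class MemberState:
    """Tracks one CAS pool member's monitor state."""
    host: str
    up: bool = True
    consecutive_failures: int = 0
    history: list = field(default_factory=list)

    def record(self, probe_ok: bool) -> bool:
        """Feed one probe result; return the member's availability afterwards."""
        self.history.append(probe_ok)
        if probe_ok:
            self.consecutive_failures = 0
            self.up = True
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= FAILURES_TO_MARK_DOWN:
                self.up = False
        return self.up


def probe_owa(host: str, timeout: float = 5.0, verify_tls: bool = True) -> bool:
    """One live probe: GET https://<host>/owa/healthcheck.htm and expect HTTP 200.

    Exchange 2013 Managed Availability serves this page on every CAS. With SSL
    bridging the probe, like user traffic, is encrypted end to end. Disable
    verify_tls only when the probing host does not trust the CAS certificate.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    url = f"https://{host}/owa/healthcheck.htm"
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status == 200
    except (OSError, ValueError):
        return False


def simulate(results_by_host: dict) -> dict:
    """Replay recorded probe results per member; return {host: final_up}."""
    states = {h: MemberState(h) for h in results_by_host}
    for host, results in results_by_host.items():
        for ok in results:
            states[host].record(ok)
    return {h: s.up for h, s in states.items()}


# Constructed sample: cas1 healthy, cas2 fails twice but recovers (stays up),
# cas3 fails three probes in a row and is taken out of the pool.
SAMPLE = {
    "cas1.example.internal": [True, True, True, True],
    "cas2.example.internal": [True, False, False, True],
    "cas3.example.internal": [True, False, False, False],
}

if __name__ == "__main__":
    for host, up in simulate(SAMPLE).items():
        print(f"{host}: {'UP' if up else 'DOWN'} (probe interval {INTERVAL_SECONDS}s)")
```

The point of the three-failure threshold is the same one the 30-second interval serves on the BIG-IP: a single slow response should not pull a CAS out of the pool, but a server that keeps failing must be removed before users notice.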
10) Decide and perform the migration
After deciding and performing all the above, you need to plan the migration of the services from TMG to the F5. Perform the following steps:
a) Arrange test PAT IPs for Autodiscover, Outlook Anywhere and webmail from your network team.
Configure the rules in the iApp template to listen on these IPs.
b) Choose a small set of users and add host entries for Autodiscover, Outlook Anywhere and webmail on their PCs.
c) Monitor and test the connectivity for a couple of weeks.
d) If the connectivity tests are successful, on a suitable day shift the original IPs of all the Exchange services and stop all the TMG services.
The above are a few guidelines which might help in migrating the Exchange services from TMG to F5.
Hope this helps
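As an added example (not from the original post or from F5), the following script is the kind of check a pilot user's PC can run during step 10: for each Exchange namespace it confirms that the name resolves to the test PAT IP (so the hosts entry is in effect) and that the certificate the F5 presents covers the name as a SAN entry, which is the requirement from point 5. The namespaces, the PAT address and the sample certificate dictionary are constructed values.

```python
"""Added example: pilot-phase check of name resolution and SAN coverage.

TEST_PAT_IP, NAMESPACES and SAMPLE_CERT are constructed sample values.
"""
import socket
import ssl

# Constructed sample values; replace with your own namespaces and the
# test PAT IP your network team assigned.
TEST_PAT_IP = "203.0.113.10"
NAMESPACES = ["webmail.example.com", "autodiscover.example.com"]


def san_dns_names(cert: dict) -> list:
    """DNS names from the dict shape returned by ssl.SSLSocket.getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_covered(hostname: str, san_names: list) -> bool:
    """True if hostname matches a SAN entry exactly or via a single-label wildcard.

    A wildcard covers exactly one label (RFC 6125): '*.example.com' matches
    'webmail.example.com' but not 'autodiscover.mail.example.com' or 'example.com'.
    """
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def missing_names(cert: dict, hostnames: list) -> list:
    """Namespaces that the certificate's SAN entries do not cover."""
    sans = san_dns_names(cert)
    return [h for h in hostnames if not name_covered(h, sans)]


def fetch_peer_cert(hostname: str, timeout: float = 5.0) -> dict:
    """Live TLS handshake to hostname:443; return the getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def resolves_to(hostname: str, expected_ip: str) -> bool:
    """True if the local resolver (hosts file first) maps hostname to expected_ip."""
    try:
        return socket.gethostbyname(hostname) == expected_ip
    except socket.gaierror:
        return False


# Constructed sample of getpeercert() output: a SAN certificate that lacks
# the autodiscover name, so the offline check has something to report.
SAMPLE_CERT = {
    "subject": ((("commonName", "webmail.example.com"),),),
    "subjectAltName": (("DNS", "webmail.example.com"), ("DNS", "mail.example.com")),
}

if __name__ == "__main__":
    print("offline sample, missing:", missing_names(SAMPLE_CERT, NAMESPACES))
    for ns in NAMESPACES:
        print(f"{ns}: resolves to test PAT IP: {resolves_to(ns, TEST_PAT_IP)}")
        try:
            gaps = missing_names(fetch_peer_cert(ns), NAMESPACES)
            print(f"  certificate at {ns} is missing: {gaps or 'nothing'}")
        except OSError as exc:
            print(f"  TLS probe failed: {exc}")
```

Running it from a pilot PC before and after adding the hosts entries shows whether the PC is really talking to the F5 test listener rather than to TMG, and a non-empty "missing" list means the certificate installed on the BIG-IP in step 2 needs another SAN entry before the cutover day.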
MVP – Exchange Server