How to migrate your F5 BIG-IP Exchange Service to Kemp using Edge Security Pack


Today, we are going to provide technical guidance on how to migrate your F5 BIG-IP Exchange Virtual Server using F5's Access Policy Manager (APM) to a Kemp Exchange Virtual Service using Kemp’s Edge Security Pack (ESP). This is a valuable technical guide if you currently use F5 BIG-IP products and are interested in learning about migrating an advanced service that includes iRules and advanced modules like APM. In this walk-through, we are using our Exchange OWA service with Forms Based Client Side and Forms Based Server Side.

Architecture/Design Requirements

  • Microsoft Exchange backend with OWA configured for “Forms Based”
  • Kemp LoadMaster load balancer with Enterprise or Enterprise Plus support package (or Trial license)

Terminology

F5 uses different terms for some functions and technologies. Below is a chart that maps the F5 terms to the terms used within Kemp documentation.

| F5 | Kemp |
|---|---|
| Virtual Servers | Virtual Services |
| iApp | Template |
| SSL Profile | SSL Acceleration |
| iRules | Content Rules |
| Monitors | Health Checks |
| APM | ESP |
| Server Pool | Sub Virtual Service |

Template

Kemp provides an Exchange configuration Template which comes preconfigured with all the required configuration parameters. This makes the Kemp configuration easy since only customer unique information needs to be provided (IP addresses, server names, etc.). To download our popular application Templates, please navigate here. Select the corresponding Template depending on your Exchange version. In this case, we have chosen Exchange 2016.

On the Kemp load balancer, to import the template, navigate to Virtual Services > Templates > Browse > Import on the left-hand menu.


Exporting your F5 SSL Certificates

On your F5 BIG-IP navigate to: System > Certificate Management > Traffic Certificate Management > SSL Certificate List > Archive.


Select Certificates > Generate & Download Archive


This action will create a zip file with your certificates and keys. The unzipped file will contain 2 folders, “ssl.crt” & “ssl.key”.

  • Rename files inside “ssl.crt” by adding “.crt” to the file names.
  • Rename files inside “ssl.key” by adding “.key” to the file names.
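
The rename steps above can be scripted together with a check that each certificate still pairs with its private key before anything is imported. This is an added example, not Kemp or F5 tooling; it assumes OpenSSL is installed and that a certificate and its key share the same base file name in the two folders. The archive holds private keys, so the script also restricts the key files to their owner.

```shell
#!/bin/sh
# Added example: prepare an unzipped F5 certificate archive for LoadMaster import.
# Assumption: a certificate and its private key share the same base file name.

# Append .<ext> to every regular file in <dir> that does not already end in it.
add_ext() {  # add_ext <dir> <ext>
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$f" in *."$2") continue ;; esac
        mv -- "$f" "$f.$2"
    done
}

# Succeed only if the certificate and the key file carry the same public key.
pair_matches() {  # pair_matches <cert> <key>
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Rename both folders, lock down the keys, and report each certificate's status.
prepare_archive() {  # prepare_archive <unzipped-dir>
    add_ext "$1/ssl.crt" crt
    add_ext "$1/ssl.key" key
    chmod 600 "$1"/ssl.key/*.key 2>/dev/null || true   # keys readable by owner only
    rc=0
    for crt in "$1"/ssl.crt/*.crt; do
        [ -f "$crt" ] || continue
        base=$(basename "$crt" .crt)
        key="$1/ssl.key/$base.key"
        if [ ! -f "$key" ]; then
            echo "NO-KEY   $base"      # e.g. a CA or intermediate certificate
        elif pair_matches "$crt" "$key"; then
            echo "OK       $base"
        else
            echo "MISMATCH $base"; rc=1
        fi
    done
    return $rc
}

# Run against a directory given on the command line, if any.
if [ -d "${1:-}/ssl.crt" ]; then prepare_archive "$1"; fi
```

Import only the pairs reported as OK, and delete the zip file and the unzipped key folder from the workstation once the import is done.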

Importing your F5 SSL Certificate

On your LoadMaster navigate to Certificates & Security > Import Certificate.


For the certificate file select your .crt file, and for your Key file select your .key file. No password is required unless you are importing a PFX certificate.

iRules Versus Content Rules

Both F5 & Kemp can direct traffic to a specific Exchange Pool by looking at the HTTP URL. F5 achieves this using iRules, whereas Kemp achieves it by using Content Rules, which are assigned to a Sub VS.

OWA iRule

    # Send any request whose lowercased path starts with /owa to the OWA pool.
    when HTTP_REQUEST {
        switch -glob -- [string tolower [HTTP::path]] {
            "/owa*" {
                pool /Common/Exchange2016.app/Exchange2016_owa_pool3
                return
            }
        }
    }

This function is easily achieved on Kemp by creating a simple Content Switching rule.


All Exchange Content Rules come as part of the template and are already associated to each Exchange Pool such as OWA & ECP.

  • More information on Content Rules can be found here.
  • F5 iRule Conversion KB can be found here.
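
When converting an iRule such as the OWA one above by hand, it helps to confirm that the replacement pattern selects exactly the same requests. The following added example (not Kemp or F5 code) does that over constructed sample paths; it assumes the Content Rule is a regular-expression match on the request path with "ignore case" enabled, and it handles only the * and ? glob wildcards.

```shell
#!/bin/sh
# Added example. Assumption: the Content Rule is a regular-expression match on
# the request path with "ignore case" enabled; check the rule you actually deploy.

# Convert a "switch -glob" pattern (only * and ? wildcards) to an anchored regex.
glob_to_regex() {  # glob_to_regex <glob>
    printf '%s' "$1" | sed -e 's/[.+(){}|^$]/\\&/g' \
        -e 's/\*/.*/g' -e 's/?/./g' -e 's/^/^/' -e 's/$/$/'
}

# iRule side: lowercase the path, then glob-match it (a case pattern's * also spans "/").
irule_matches() {  # irule_matches <glob> <path>
    p=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$p" in $1) return 0 ;; esac
    return 1
}

# Content Rule side (assumed semantics): case-insensitive regex match on the path.
rule_matches() {  # rule_matches <regex> <path>
    printf '%s\n' "$2" | grep -Eiq -- "$1"
}

# Print every sample path on which the two sides disagree; succeed if none do.
compare() {  # compare <glob> <path>...
    glob=$1; shift
    re=$(glob_to_regex "$glob"); bad=0
    for path in "$@"; do
        a=no; b=no
        irule_matches "$glob" "$path" && a=yes
        rule_matches "$re" "$path" && b=yes
        [ "$a" = "$b" ] || { echo "DIFF $path irule=$a rule=$b"; bad=1; }
    done
    return $bad
}

# Constructed sample paths. Note that /owa* also selects /owa-old on both sides.
compare '/owa*' /owa /OWA/auth/logon.aspx /owa-old /ecp /x/owa
```

Without the ignore-case setting the regex would miss /OWA/auth/logon.aspx, which the iRule catches because it lowercases the path before matching.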

Virtual Service Configuration

Navigate to Virtual Services > Add New > Add IP > User Template > Select Exchange 2016 HTTPs Reencrypted with ESP.


Adding Real Servers to Sub VS

Navigate to Virtual Services > Modify Sub VS > Real Servers > Add Real Server. Check “Add to all SubVS”. This will add your server to all Exchange Sub VS such as OWA & ECP.


F5 APM Policy & Kemp SSO Manager

Within the F5 environment, you will configure an Authentication SSO Profile which will be associated to your Virtual Server. Kemp uses similar logic where you will create a Single Sign On Profile and associate it with your Virtual Service or Sub VS.

ESP High Level Overview

Create LDAP Endpoint

Certificates & Security > LDAP Configuration > Add new LDAP Endpoint


Create SSO Profile

Navigate to Virtual Services > Manage SSO > Add new Client Side Configuration


Associate SSO Profile to Sub VS

Navigate to Virtual Services > Modify > LM_auth Sub VS and OWA Sub VS and assign your previously created SSO Profile “kemptest.com”. You will also be required to configure your Virtual Host to your FQDN, e.g. “mail.kemptest.com”.


Finishing and Testing the Migration

Once complete, you should be able to connect to the newly created Virtual Service using your Exchange client and access the service on the Kemp load balancer in the same way you did with your F5 BIG-IP load balancer. All of the F5 functionality has been migrated to the Kemp solution delivering an optimal application experience (AX).

Advanced Configuration

If you would like to implement a multi-factor authentication (MFA) solution, please see this blog. For additional information on specific ESP Exchange Options, please see this Knowledge Base article.

To learn more, we recommend reading this Exchange related blog post: Load Balancing Microsoft Exchange Server 2019. For details on how to migrate F5 iRules to LoadMaster, click here.


Darren Morrissey

Darren is an Enterprise Engineer in Kemp. He holds an honors degree in Computer Networks and Systems Management and lives in Limerick, Ireland. Darren is a subject matter expert on front-end authentication protocols and has a background in cloud computing, Windows Server and Cisco networking. Darren’s focus is assisting enterprise customers in troubleshooting and providing solutions to complex network and application layer issues.