Today, we are going to provide technical guidance on how to migrate your F5 BIG-IP Exchange Virtual Server using F5's Access Policy Manager (APM) to a Kemp Exchange Virtual Service using Kemp’s Edge Security Pack (ESP). This is a valuable technical guide if you currently use F5 BIG-IP products and are interested in learning about migrating an advanced service that includes iRules and advanced modules like APM. In this walk-through, we are using our Exchange OWA service with Forms Based Client Side and Forms Based Server Side.
Architecture/Design Requirements
- Microsoft Exchange backend with OWA configured for “Forms Based”
- Kemp LoadMaster load balancer with Enterprise or Enterprise Plus support package (or Trial license)
Terminology
F5 uses different terms for some functions and technologies. Below is a chart that maps the F5 terms with what is used within Kemp documentation.
| F5 | Kemp |
| --- | --- |
| Virtual Servers | Virtual Services |
| iApp | Template |
| SSL Profile | SSL Acceleration |
| iRules | Content Rules |
| Monitors | Health Checks |
| APM | ESP |
| Server Pool | Sub Virtual Service |
Template
Kemp provides an Exchange configuration Template which comes preconfigured with all the required configuration parameters. This makes the Kemp configuration easy since only customer unique information needs to be provided (IP addresses, server names, etc.). To download our popular application Templates, please navigate here. Select the corresponding Template depending on your Exchange version. In this case, we have chosen Exchange 2016.
On the Kemp load balancer, to import the template, navigate to Virtual Services > Templates > Browse > Import on the left-hand menu.
Exporting your F5 SSL Certificates
On your F5 BIG-IP navigate to: System > Certificate Management > Traffic Certificate Management > SSL Certificate List > Archive.
Select Certificates > Generate & Download Archive
This action will create a zip file with your certificates and keys. The unzipped file will contain 2 folders, “ssl.crt” & “ssl.key”.
- Rename files inside “ssl.crt” by adding “.crt” to the file names.
- Rename files inside “ssl.key” by adding “.key” to the file names.
Importing your F5 SSL Certificate
On your LoadMaster Navigate to Certificates & Security > Import Certificate.
For the certificate file select your .crt file, and for your Key file select your .key file. No password is required unless you are importing a PFX certificate.
iRules Versus Content Rules
Both F5 & Kemp can direct traffic to a specific Exchange Pool by looking at the HTTP URL. F5 achieves this using iRules, whereas Kemp achieves it by using Content Rules, which are assigned to a Sub VS.
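OWA iRule
```tcl
when HTTP_REQUEST {
    # Match on the lower-cased request path so /OWA and /owa route the same way
    switch -glob -- [string tolower [HTTP::path]] {
        "/owa*" {
            # Send OWA requests to the OWA pool and stop processing this event
            pool /Common/Exchange2016.app/Exchange2016_owa_pool3
            return
        }
    }
}
```
This function is easily achieved on Kemp by creating a simple Content Switching rule.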
All Exchange Content Rules come as part of the template and are already associated to each Exchange Pool such as OWA & ECP.
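A parity check for the rule translation described above, as an added example that is not part of the original post and is neither F5 nor Kemp code: it compares the iRule's lower-cased glob match with a translated regular expression over constructed request URLs, and shows which requests change pool if case-insensitive matching is left off. The function names, the sample URLs and the assumption that the replacement rule is an anchored, optionally case-insensitive regex tested against the request path are all hypothetical.

```python
import re
from fnmatch import fnmatchcase

# The one case from the iRule on this page: (glob, pool).
IRULE_CASES = [("/owa*", "/Common/Exchange2016.app/Exchange2016_owa_pool3")]

# Constructed sample request URLs (not taken from real traffic).
SAMPLE_URLS = [
    "/owa",
    "/OWA/auth/logon.aspx",
    "/owa/?bO=1",
    "/ecp/default.aspx",
    "/Microsoft-Server-ActiveSync",
]

def glob_to_regex(glob):
    """Translate a glob using only * and ? into an anchored regex string."""
    parts = {"*": ".*", "?": "."}
    return "^" + "".join(parts.get(c, re.escape(c)) for c in glob) + "$"

def path_of(url):
    """HTTP::path carries no query string, so drop it before matching."""
    return url.split("?", 1)[0]

def irule_route(url):
    """Mimic the iRule: lower-case the path, first matching glob picks the pool."""
    path = path_of(url).lower()
    for glob, pool in IRULE_CASES:
        if fnmatchcase(path, glob):
            return pool
    return None

def regex_route(url, ignore_case=True):
    """Route with the translated regex (assumed form of the replacement rule)."""
    flags = re.DOTALL | (re.IGNORECASE if ignore_case else 0)
    for glob, pool in IRULE_CASES:
        if re.fullmatch(glob_to_regex(glob), path_of(url), flags):
            return pool
    return None

def parity_failures(urls, ignore_case=True):
    """URLs that the iRule and the translated rule send to different pools."""
    return [u for u in urls if irule_route(u) != regex_route(u, ignore_case)]

if __name__ == "__main__":
    print(glob_to_regex("/owa*"))
    print(parity_failures(SAMPLE_URLS))
    print(parity_failures(SAMPLE_URLS, ignore_case=False))
```

A non-empty result from `parity_failures` lists requests that would reach a different Sub VS after migration than they reached on the BIG-IP, which matters when only some Sub VSs carry the ESP pre-authentication settings.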
Virtual Service Configuration
Navigate to Virtual Services > Add New > Add IP > User Template > Select Exchange 2016 HTTPs Reencrypted with ESP.
Adding Real Servers to Sub VS
Navigate to Virtual Services > Modify Sub VS > Real Servers > Add Real Server.
Check “Add to all SubVS”. This will add your server to all Exchange Sub VS such as OWA & ECP.
F5 APM Policy & Kemp SSO Manager
Within the F5 environment, you will configure an Authentication SSO Profile which will be associated to your Virtual Server. Kemp uses similar logic where you will create a Single Sign On Profile and associate it with your Virtual Service or Sub VS.
ESP High Level Overview
Create LDAP Endpoint
Certificates & Security > LDAP Configuration > Add new LDAP Endpoint
Create SSO Profile
Navigate to Virtual Services > Manage SSO > Add new Client Side Configuration
Associate SSO Profile to Sub VS
Navigate to Virtual Services > Modify > LM_auth Sub VS and OWA Sub VS and assign your previously created SSO Profile “kemptest.com”. You will also be required to configure your Virtual Host to your FQDN, e.g. “mail.kemptest.com”.
Finishing and Testing the Migration
Once complete, you should be able to connect to the newly created Virtual Service using your Exchange client and access the service on the Kemp load balancer in the same way you did with your F5 BIG-IP load balancer. All of the F5 functionality has been migrated to the Kemp solution delivering an optimal application experience (AX).
Advanced Configuration
If you would like to implement a multi-factor authentication (MFA) solution, please see this blog. For additional information on specific ESP Exchange Options, please see this Knowledge Base article.
To learn more, we recommend reading this Exchange related blog post: Load Balancing Microsoft Exchange Server 2019. For details on how to migrate F5 iRules to LoadMaster, click here.