F5 Iapp Template Download

Posted : admin On 1/26/2022


I had to deploy Exchange Server 2016 with F5 Local Traffic Manager (LTM) and F5 Application Security Manager (ASM). Let's see how to configure it.

Points to Consider –

  • This F5 deployment guide contains detailed information on configuring the downloadable and fully supported iApp template for BIG-IP system version 11 and later for the Client Access Service of Exchange 2010 and 2013, resulting in a secure, fast, and available deployment. This deployment guide is for the official version of the iApp available on.
  • F5 Local Traffic Manager (LTM) should be the gateway for the exchange server. (Highly recommended to reduce complexity and retain SMTP source IP)

To load balance SMTP traffic and retain the source IP in the Exchange logs, you need to disable SNAT/Auto Map, so make sure the F5 is your gateway when you deploy Exchange with F5. I have stretched my Exchange server VLAN and added it as a self IP on the F5; that self IP is the gateway for the Exchange servers in the same VLAN.

As a first step, your F5 should act as a router. Create a forwarding virtual server and set source address translation (SNAT/Auto Map) to None. Now all Exchange server outbound traffic goes out to the gateway, but the gateway won't yet know the route back to the Exchange servers.

  • Create a Forwarding IP virtual Server
  • Source address
  • Destination address
  • Service Port All Ports
  • State Enabled
  • Choose All Protocols so that ICMP will work
  • Choose protocol client Profile as fastL4
  • Choose Enable on Exchange server VLAN only
  • Source address translation set to none

Now the Exchange servers' gateway is the F5 on the same VLAN, and the forwarding virtual server on that VLAN sends all traffic from the F5 on to its default gateway.

Now, on whatever your default gateway is (a Cisco router or a firewall), create a static route that sends the return traffic to the F5 floating IP. This makes sure all traffic from the Exchange servers goes out via the F5 and comes back via the F5.

Get the SSL certificate ready on the Exchange servers (see: Configuring 3rd Party SSL Exchange Certificate in Exchange 2016).

We need to export the certificate as a .pfx file, or use mmc to export the cert as .pfx with the private key.

Configuring SSL Profiles in F5 –

  • Import the Exchange Certificate (.pfx with private key) to the f5 device

System – File management – SSL Certificates list –

  • Import type – PKCS 12 (IIS)
  • Create new – Exch_Cert
  • choose file – Choose .pfx file
  • Enter the password
  • Key security – Normal

Choose Import

Also import the root chain. Get it from your certificate authority; in my case it's DigiCert.

Creating Client SSL Profile.

Choose the SSL Client Profile Name

Choose Parent Profile

Choose Custom

Add the Certificate you imported.

  • Choose Certificate
  • Choose Certificate for key ( As we imported with private key)
  • Choose Chain
  • Leave the passphrase empty
  • OCSP Stapling – none
  • Click add
  • Choose Finished now SSL Client is ready.

Create the Server SSL Profile. Repeat the same process, choosing the same cert.

Now you have a client ssl and server ssl profile.

  • Now we are on the same VLAN
  • Have the SSL profiles ready.

Let's go to the iApp templates.

We need the iApp templates to configure the internal LTM. As you have an F5 account, log in to https://downloads.f5.com and download the iApp templates.

Download the iapps .zip file and extract it.


Login to F5 Local Traffic Manager (LTM)

iApps – Templates – Templates + – Choose Import

Choose the f5.microsoft_exchange_2016.v1.0.2.tmpl and Click on Upload

Click on Application Services – Create

Choose Name and Template

  • Exchange-2016_.
  • f5.microsoft_exchange_2016.v1.0.2

Choose – Yes , Show all inline help

Choose – Local Big-IP load balances and optimizes traffic

  • Choose incoming traffic as Encrypted
  • Choose Re-encrypt (SSL Bridging) – You have to choose this as Exchange can’t run on HTTP
  • Choose Client SSL Profile you created
  • Choose Server SSL Profile you created
  • Choose Optimize Connections for WAN clients. (As majority of my users are connecting via WAN)
  • Choose Same Subnet for BIG ip virtual servers and mailbox servers ( In most the network designs you can always stretch the VLAN and use in on F5 .It will be a clean design)
  • Choose the maximum number of concurrent users fewer than 6000 . 64,000 concurrent connections is more than sufficient for a 3000+ mailbox environment in this specific case.
  • Choose Use a single IP address for all connections
  • Choose All services will be handled by the same set of mailbox servers (In my case – have 4 nodes with same configuration in parallel )
  • All Services will be handled by the same set of mailbox servers
  • Choose – Server pool settings – Use settings recommended by f5
  • Choose the virtual IP that will be used
  • Choose yes for deploying ECP ( Disable Admin ECP at Server level if required)
  • Choose Deploy EWS and OAB ( most common)
  • Choose MAPI over HTTP and RPC over HTTP (Only Exchange 2016 mailboxes use MAPI over HTTP by default)
  • Choose Yes for ActiveSync
  • Choose Yes for Autodiscover
  • Choose Yes if IMAP and POP3 need to be enabled
  • Enter the mailbox server ips

Choose FQDN for OWA/MAPI/Outlook anywhere/EWS/Active sync/autodiscover

Choose finish. Now iApp with Exchange HTTPS traffic is Configured.

Now let's see how to retain the source IP for HTTP/HTTPS traffic. Source address translation is enabled by default on the HTTPS pool configured by the template. I want to keep the design and configuration minimal, so that when you import, replace or upgrade templates, not much additional configuration is needed. Also note that X-Forwarded-For is enabled by default on the HTTP profile, which will remain untouched.

Now open IIS on the Exchange server. Choose Logging.

Select Fields

  • Field Name – Source-IP
  • Source Type – Request Header
  • Source – X-FORWARDED-FOR

Add the Custom Field

Do an IIS reset.

Check the latest log in C:\inetpub\logs\LogFiles\W3SVC1. You can see the correct source IP and not the F5 floating / non-floating IPs.
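An added example (not from the original post): a Python check to run over an IIS log once the custom Source-IP field is in place. It flags requests that did not arrive from the F5 and requests where the client sent its own X-Forwarded-For value. The log lines and the F5 address 10.10.10.5 are constructed, and treating the last element of the header as the one added by the BIG-IP is an assumption to confirm on your own system.

```python
import ipaddress

# Constructed sample of an IIS W3C log with the custom Source-IP field.
# IIS writes spaces inside a logged value as '+'. All addresses are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status Source-IP
2022-01-26 09:00:01 GET /owa/ 10.10.10.5 200 203.0.113.24
2022-01-26 09:00:02 POST /EWS/Exchange.asmx 10.10.10.5 200 198.51.100.7,+203.0.113.99
2022-01-26 09:00:03 GET /owa/ 10.10.10.5 200 -
2022-01-26 09:00:04 GET /ecp/ 10.10.10.77 200 -
2022-01-26 09:00:05 GET /owa/ 10.10.10.5 200 not-an-ip,+203.0.113.50
"""

F5_ADDRESSES = {"10.10.10.5"}  # assumed F5 self/floating IPs


def client_ip(xff):
    """Return the last valid IP in a logged X-Forwarded-For value, else None.

    Earlier elements can be supplied by the client itself, so only the
    last one (assumed to be the one the BIG-IP added) is used.
    """
    parts = [p.strip("+ ") for p in xff.split(",")]
    try:
        return str(ipaddress.ip_address(parts[-1]))
    except ValueError:
        return None


def audit(log_text, f5_addresses=F5_ADDRESSES):
    """Return (time, c_ip, real_client, note) for every request line."""
    fields, rows = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for this log
        elif line and not line.startswith("#"):
            rec = dict(zip(fields, line.split()))
            real = client_ip(rec.get("Source-IP", "-"))
            if rec["c-ip"] not in f5_addresses:
                note = "not via the HTTPS virtual server"
            elif real is None:
                note = "no client IP logged"   # header missing or malformed
            elif "," in rec["Source-IP"]:
                note = "client sent its own X-Forwarded-For"
            else:
                note = "ok"
            rows.append((rec["time"], rec["c-ip"], real, note))
    return rows
```

For a request that did not come from the F5, any Source-IP value in the log was set entirely by the sender and should not be used as the client address.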

Let's configure the SMTP load balancing now.

As seen above, now choose the SMTP template and import it.

Basic – Use F5’s recommended settings

  • Choose BIG IP virtual Server IP and SMTP servers are on the same subnet
  • Choose fewer than 64,000 Concurrent connections per user

Choose Encryption – Do nothing (No Encrypted SMTP Traffic)

Choose the same VIP as HTTPs to simplify the setup.

Choose create new pool and add the mailbox servers

Choose the FQDN for SMTP, and choose no authentication required and no message submitted, as Exchange will handle the rest.

Choose the default frontend receive connector

  • Uncheck anonymous users to stop using this connector to receive internet email . ( Recommended )

Also create anonymous relay connectors for applications which need to send out to the internet.

Create a dedicated internet connector to receive email from the internet or from anti-spam appliances.

Make sure the connector log is set to verbose.

Check the connector logs in the location below to verify the valid source IP of SMTP traffic:

C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive


Hope it will help many, as I wasted too much time on this. F5 deployment guides are huge. I will be sharing the F5 ASM configurations in my next blog.