Exchange Activesync with Netscaler - iPhones fail

[Martijn Kools]

Hi all,

 

I have Netscaler configured with content switching and AAA for MS Exchange Activesync as a replacement for our old TMG server.

 

Now this works fine for all of our Android devices without users even noticing when we make the switch however, iPhones stop working and they come with a password pop-up and users need to re-authenticate. From then on the password pop-up keeps coming and users need to keep authenticating. Sometimes mail will flow through, sometimes not, it's very unstable.

 

I can see in the Netscaler logs that Android devices only authenticate once and from then on it's quiet but with our test iphone, I can see it keeps trying to authenticate and get a new cookie every time. Then after a while all these authentication sessions are timing out.

 

Any idea how to fix this? Do I need some special settings for iPhone like persistent cookies?

Thanks!

[Rasmus Kindberg]

Active-Sync traffic should be allowed to bypass AAA and hit backend exchange servers directly (you can achieve this with Content Switch policies to separate "/owa" traffic from "/microsoft-server-activesync" and have one LB vServer for the owa traffic and another LB vServer, without AAA protection, for the Active-Sync traffic) . If you have already done this and you have verified that CS policies are applied correctly, then I would look at the authentication configuration on your exchange servers and/or any logs there.

[Martijn Kools]

On 9/8/2018 at 0:07 AM, Rasmus Kindberg said:

Active-Sync traffic should be allowed to bypass AAA and hit backend exchange servers directly (you can achieve this with Content Switch policies to separate "/owa" traffic from "/microsoft-server-activesync" and have one LB vServer for the owa traffic and another LB vServer, without AAA protection, for the Active-Sync traffic) . If you have already done this and you have verified that CS policies are applied correctly, then I would look at the authentication configuration on your exchange servers and/or any logs there.

 

If we disable AAA on AS traffic everything works fine indeed, however the company says they want to do authentication on the Netscaler for security reasons then pass-through to CAS. The old TMG server worked in the same way and it is working fine for Android phones, just not iPhones which puzzles me.

 

If a direct connection is needed we'll probably do that eventually anyway but if I can get it to work with AAA it would be even better.

 

Thanks!

[Rasmus Kindberg]

Default authentication for ActiveSync traffic is Basic auth on the backend servers, which is one of the reasons why you simply let that type of traffic through AAA. I haven't tried this, but you could probably change to WIndows Authentication on the backend for the ActiveSync virtual directory specifically and then configure a Traffic Policy + Profile on your Exchange ActiveSync LB vServer to handle 401 Windows Auth SSO. So ActiveSync devices would auth at AAA, hopefully save the AAA cookie generated and re-use this cookie for subsequent requests, and at the same time Netscaler will cache the credentials and use them to provide SSO to backend when backend requests auth. But the issue here is that the AAA cookie won't be persistent, so users will have to auth against AAA every so often.

 

You can run below PS command on your backend exchange to see the current configuration for activesync:

Get-ActiveSyncVirtualDirectory | fl identity, *url*, *auth*

[Hakan Polatli1709158891]

On 07.09.2018 at 11:14 AM, Martijn Kools said:

I have Netscaler configured with content switching and AAA for MS Exchange Activesync as a replacement for our old TMG server

Hi,

 

How did you configure this? One of my customers asked me to replace TMG with NetScaler but I don't really know how to do though I read so many articles. It'd great if you can share the configuration or at least depict what to do.

 

Thanks,

[Marcel Strohmeyer1709152676]

Hi mkools,

we have exact the same issue with an customer, are you able to fix it?

It don´t find any Problem on the NetScaler or on the Exchange site.

 

looking forward hearing from you :)

have a nice day

 

@Others, the Problem is, if we bypass it i cannot filter to an ad group to allow active sync or not.

 

Edited October 4, 2019 by mstrohm924
attach information