Topic: ESW URL changed after we've migrated from URA to F5 APM

catalinsg@gmail.com

  • Newbie
  • *
  • Posts: 5
ESW URL changed after we've migrated from URA to F5 APM
« on: June 05, 2016, 01:13:34 pm »
Hello Kostya,

This weekend we've changed our company's remote access used for OWA access and other apps to BiG IP APM (f5.com).
Until now we were using URA from Microsoft and the EWS URL was http$://email.company.com:443/owa/ and the EWS was http$://email.company.com/ews/exchange.asmx . This was for the unsupported devices to access the email, for the supported platforms - iOS - we are OK (there we allow Active Sync so it's another discussion).

Starting yesterday when we've switched to APM the URL is slightly different  http$://email.company.com:443/ID_Code_or_someting_$$/owa/ and the EWS is http$://email.company.com/ID_Code_or_someting_$$/ews/exchange.asmx

From my initial tests it looks like the "ID_Code_or_someting_$$" is linked to my account, as it is the same when I use any browser on three different machines - 2 Androids and a Win7.

So could it be that with the new APM, in order to be able to receive emails with AquaMail, we have to include that "ID_Code_or_someting_$$" in the URL?

With the old setup, I get an "HTTP/1.0 302 Found" error message, and when I've looked in the F5 logs and at my sessions that are not connecting I can see that there is an "\N: User-Agent header is absent or empty" vs "Received User-Agent header: Mozilla%2f5.0%20(Linux%3b%20U%3b%20Android%202.2%3b%20en-gb%3b%20Nexus%20One%20Build%2fFRF50)................." (this session works) and after a while the session is closed due to inactivity.

If there is something else needed let me know and I'll see how can I provide them.

Have a nice weekend,
PS: look on http$://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm_config_10_2_0/apm_config_webapps.html
for "Understanding full patching mode" to understand the "ID_Code_or_someting_$$" I'm referring to.
« Last Edit: June 05, 2016, 01:36:16 pm by catalinsg@gmail.com »

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: ESW URL changed after we've migrated from URA to F5 APM
« Reply #1 on: June 05, 2016, 05:07:09 pm »
The things "corporate security people" come up with...

About the URL - yes, /EWS/Exchange.asmx is the standard one.

You should be able to enter it into AquaMail under "server name" -- just change "server.com" to "https://server.com/whatever/the/new/url_is.txt".

But the server is complaining about missing User-Agent.

Yes, true, AquaMail does not send a User-Agent because -- *other* corporate security people sometimes set up a "whitelist" of user-agents, i.e. they only allow iPhone, Outlook, etc. and block everything else.

What would you recommend I do?

Please keep in mind that this can (and will) happen during initial account setup.



The web site says:

"Applications delivered.
Anywhere, any time, on any device"

Is there a typo here?

"Applications blocked and messed up.
Arbitrarily, any time, on any device"

:)
Creating debug logs for diagnostics: https://www.aqua-mail.com/troubleshooting/

The official FAQ: https://www.aqua-mail.com/faq/

Log files for diagnostics: https://www.aqua-mail.com/ru/troubleshooting/

Questions and answers: https://www.aqua-mail.com/ru/faq/

catalinsg@gmail.com

Re: ESW URL changed after we've migrated from URA to F5 APM
« Reply #2 on: June 05, 2016, 07:46:47 pm »
Hello Kostya,

That I've tried first time during the tests to have the URL for server.com to server.com/ID_Code_or_someting_$$/ without success.
The HTTP error was same "Exchange mail server (EWS): Invalid server response. HTTP/1.0 302 Found" .

Since the APM complaint is regarding "User agent" not being sent while authenticating, can we have the possibility to choose to send or not to send it from the options? If I use any browser from the tablet I can authenticate and see the emails.

I can assure you that it was not the thing "corporate security people" came up with; on the other side, tomorrow I'll email our BiG IP consultant and ask him about this, to see if there is some place in the APM where we can accept all "User Agents" or not, and what changes that implies, and if we can "hide" the "ID_Code_or_someting_$$" from the URL.
 
I have no issues to redo the account setup in order to test and send "User Agent".

Have a nice weekend,

Kostya Vasilyev

Re: ESW URL changed after we've migrated from URA to F5 APM
« Reply #3 on: June 05, 2016, 07:56:51 pm »
Re: That I've tried first time during the tests to have the URL for server.com to server.com/ID_Code_or_someting_$$/ without success.

Well, the 302 is a redirect, and my code enables redirect handling, so I'm a bit confused about this.

Re: to see if there is some place in the APM where we can accept all "User Agents"

Or maybe accept no user agent?

catalinsg@gmail.com

Re: ESW URL changed after we've migrated from URA to F5 APM
« Reply #4 on: June 05, 2016, 08:08:35 pm »
Yes you are right, I will ask both questions.

But would be easy to enable sending "User Agent" from AquaMail ?
From the logs I can see that the session is closed from BiG IP as it does not like the agent part, so probably the "ID_Code_or_someting_$$" is not required either in the server name. Just the agent part.

Thank you,
Do you want me to email the .log file from the tablet ?

Kostya Vasilyev

Re: ESW URL changed after we've migrated from URA to F5 APM
« Reply #5 on: June 05, 2016, 08:27:11 pm »
Re: But would be easy to enable sending "User Agent" from AquaMail ?

Easy to enable (hard-code), but that would be wrong, it needs to be user-settable.

As I mentioned above, some corporate servers only allow a set of "whitelisted" user-agents.

catalinsg@gmail.com

Re: ESW URL changed after we've migrated from URA to F5 APM
« Reply #6 on: June 05, 2016, 08:32:15 pm »
Hopefully you'll find time to enable it as user settable option.   ;)

Thank you,
PS: I'll keep you updated how it's going on BiG IP side.

Kostya Vasilyev

Re: ESW URL changed after we've migrated from URA to F5 APM
« Reply #7 on: June 05, 2016, 08:35:50 pm »
Please try this version:

http://www.aqua-mail.com/forum/index.php?topic=4734.0

Works for me, but then Office 365 doesn't care about User-Agent at all. I can see it on the wire though.

catalinsg@gmail.com

Re: ESW URL changed after we've migrated from URA to F5 APM
« Reply #8 on: June 05, 2016, 09:37:24 pm »

Here is what I have in session now - still 302 HTTP error:

2016-06-05 20:19:37
Received User-Agent header: Aquamail.
2016-06-05 20:19:37
Received client info - Type: unknown Version: 0 Platform: unknown CPU: unknown UI Mode: Full Javascript Support: 0 ActiveX Support: 0 Plugin Support: 0
2016-06-05 20:19:37
New session from client IP 188.XX.129.128 (ST=Brasov/CC=RO/C=EU) at VIP 32.XX.XX.224 Listener /Common/ALVA-email.companyX.com (Reputation=Unknown)

similar with mine and working :

2016-06-05 19:42:35
Received User-Agent header: android.webview.
2016-06-05 19:42:35
Received client info - Type: unknown Version: 0 Platform: unknown CPU: unknown UI Mode: Full Javascript Support: 0 ActiveX Support: 0 Plugin Support: 0
2016-06-05 19:42:35
New session from client IP 86.XX.118.4 (ST=Brasov/CC=RO/C=EU) at VIP 32.XX.XX.224 Listener /Common/ALVA-email.companyX.com (Reputation=Unknown)
2016-06-05 19:42:36
Username 'criXXX.ivaXXu'
2016-06-05 19:42:36
Logging Agent: Debug: Session=b046621a Domain=eu
2016-06-05 19:42:36
Following rule 'Successful' from item 'AD Auth EU' to terminalout 'Success'
2016-06-05 19:42:36
Webtop '/Common/email.companyX.com_OWA' assigned
2016-06-05 19:42:36
Following rule 'fallback' from item 'OWA' to ending 'Allow'
2016-06-05 19:42:36
Access policy result: Web_Application

and here is from a working session:

05.1.1%3b%20D5503%20Build%2f14.6.A.1.236)%20AppleWebKit%2f537.36%20(KHTML%2c%20like%20Gecko)%20Chrome%2f50.0.2661.89%20Mobile%20Safari%2f537.36.
2016-06-05 20:14:49
Received client info - Type: Safari Version: 1 Platform: Android CPU: unknown UI Mode: Mobile Smart Phone Javascript Support: 1 ActiveX Support: 0 Plugin Support: 0
2016-06-05 20:14:49
New session from client IP 93.45.XXX.197 (ST=Lazio/CC=IT/C=EU) at VIP 32.XX.XX.224 Listener /Common/ALVA-email.companyX.com (Reputation=Unknown)
2016-06-05 20:14:56
Username 'username.password'
2016-06-05 20:14:56
Logging Agent: Debug: Session=17606daf Domain=eu
2016-06-05 20:14:56
Following rule 'Successful' from item 'AD Auth EU' to terminalout 'Success'
2016-06-05 20:14:56
Webtop '/Common/email.companyX.com_OWA' assigned
2016-06-05 20:14:56
Following rule 'fallback' from item 'OWA' to ending 'Allow'
2016-06-05 20:14:56
Access policy result: Web_Application

Do you want me to send you the log from Android device ? Hopefully will bring up some light into as I've seen that the "http.target_host" is original email server and not the "server.com/ID_Code_or_someting_$$/" or "server.com/ID_Code_or_someting_$$/owa/" as I've tried.

Thank you,
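
Added example, not part of the original posts: a small Python reader for the APM session entries quoted in Reply #8, showing at which step each session stops. The sample text is constructed (abridged, redactions kept) from the lines in that post; the function names and the assumption that the log URL-encodes the User-Agent value and appends a period to it are this example's own.

```python
import re
from urllib.parse import unquote

TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")

# Constructed samples: abridged from the two sessions quoted in Reply #8.
FAILING = """\
2016-06-05 20:19:37
Received User-Agent header: Aquamail.
2016-06-05 20:19:37
New session from client IP 188.XX.129.128 (ST=Brasov/CC=RO/C=EU) at VIP 32.XX.XX.224
"""
WORKING = """\
2016-06-05 19:42:35
Received User-Agent header: android.webview.
2016-06-05 19:42:35
New session from client IP 86.XX.118.4 (ST=Brasov/CC=RO/C=EU) at VIP 32.XX.XX.224
2016-06-05 19:42:36
Username 'criXXX.ivaXXu'
2016-06-05 19:42:36
Following rule 'Successful' from item 'AD Auth EU' to terminalout 'Success'
2016-06-05 19:42:36
Access policy result: Web_Application
"""

def events(text):
    """Pair each timestamp line with the message line that follows it."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    return [(lines[i], lines[i + 1]) for i in range(len(lines) - 1)
            if TS.match(lines[i]) and not TS.match(lines[i + 1])]

def summarize(text):
    """Report the User-Agent seen and how far the access policy got."""
    info = {"user_agent": None, "username_seen": False, "result": None}
    for _, msg in events(text):
        if msg.startswith("Received User-Agent header:"):
            # Assumption: the log appends a period and URL-encodes the value.
            info["user_agent"] = unquote(msg.split(":", 1)[1].strip().rstrip("."))
        elif msg.startswith("Username "):
            info["username_seen"] = True
        elif msg.startswith("Access policy result:"):
            info["result"] = msg.split(":", 1)[1].strip()
    return info

def stalled_before_auth(text):
    """True when a User-Agent was logged but no logon or policy result followed."""
    s = summarize(text)
    return bool(s["user_agent"]) and not s["username_seen"] and s["result"] is None

if __name__ == "__main__":
    for name, log in (("failing", FAILING), ("working", WORKING)):
        print(name, summarize(log), "stalled:", stalled_before_auth(log))
```

On these samples the Aquamail session logs a User-Agent but never reaches a Username entry, while the android.webview session runs through to an access policy result.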

Kostya Vasilyev

Re: ESW URL changed after we've migrated from URA to F5 APM
« Reply #9 on: June 06, 2016, 01:35:25 am »
The user-agent is there.

The rest -- please understand -- is complete gibberish to me personally.

Your working logs mention "OWA" -- which is not at all same thing as "EWS".

One funny thing is that 1) the server does a 302 (redirect), 2) redirect support is enabled on my side and yet 3) the client doesn't follow the redirect.

I'm guessing it's because the redirect is on a POST method, which is not valid IIRC.



I made a custom build for you, which specifically enables redirect support on POSTS. No idea if this is "it", but perhaps worth trying:

If it works, please try it without a user agent, perhaps that one was a red herring?

https://www.aqua-mail.com/download/AquaMail-market-1.6.2.2-5-lax-redirect.apk

StR

  • Hero Member
  • *****
  • Posts: 1558
Re: ESW URL changed after we've migrated from URA to F5 APM
« Reply #10 on: June 07, 2016, 01:53:21 am »
Kostya, it's possibly late, as you've already implemented the user-agent string configuration.
But just in case...
I remember, there was a period when Opera (desktop version) was offering a few standard options for the User-agent: opera, IE, Firefox (or was it Netscape at that point?). The point was to pick from a standard, universally accepted preset.
I haven't seen the new version, but if I understood correctly, one can enter any text. That is more prone to entry errors. Besides, most users wouldn't know what exactly to enter ....
So, maybe it would be better to offer a multiple choice of a few "standard" ones. The downside (for you) is that you'd need to update that list every so often ...



Kostya Vasilyev

Re: ESW URL changed after we've migrated from URA to F5 APM
« Reply #11 on: June 07, 2016, 10:48:30 pm »
@StR

Yes, I thought about it, but:

- I don't want to offer "standard ones" if it means "iPhone Mail", "Outlook", etc. -- lest me or one of the users is accused of "maliciously impersonating another mail app".

- I've not seen any Exchange servers not wanting to work without a User-Agent, so the only case is probably this one, a particular "corporate firewall" with a particular set of rules. And even here, I'm not sure the error has to do with user agent, I'd put my money on the redirect.

And so, almost all users have no reason to enter *anything* into that field. And given that Aqua has auto-discovery for Exchange, most won't ever see the "detailed settings screen" either.