
Problems with ActiveSync in a cascaded Sophos - Kemp environment.

Hi,

 

We are facing sporadic, non-reproducible problems with ActiveSync. Sometimes changes in the appointments (acknowledgements, creation) or contacts (creation) are lost / don't get synchronized.

 

We are using a cascaded installation of Sophos web application firewall and a Kemp load balancer and two Exchange 2016 servers. Most of our ActiveSync devices are Apple iPhones and iPads.

 

Are there any known issues (problems, timeouts, ...) regarding ActiveSync synchronisation?

How can this best be troubleshot in an environment of several hundred ActiveSync clients?

 

Thanks

Bernd



This thread was automatically locked due to age.
  • Just curious, Bernd, what advantage is there to using the Kemp instead of multiple Real Server definitions in your Virtual Server definitions?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,

    I was not aware that Sophos is able to load balance an Exchange DAG Cluster. Is there some official document on this? It is definitely not just redirecting some http(s) requests.

    As you are able to read some German, I post a link to a German blog where the issue is discussed.

    https://www.frankysweb.de/sophos-utm-9-4-waf-und-exchange-2016/

     

    The biggest problem seems to be the authentication when using more than one server. There seems to be less session awareness when using round robin with Sophos resp. using a real load balancer like the Kemp. The Kemp also load balances SMTP(S), IMAP(S).

     

    Another difference: Externally everything is routed through the chain Sophos - Kemp. Internally the clients speak with the Kemp directly. This is realised by split DNS entries for webmail.riedel.net.

     

    Best regards,
    Bernd

  • Thanks, Bernd. I didn't see the load balancing issue discussed there, but that is the cleanest, clearest explanation I've seen in either English or German. This was the first time that I realized that one can no longer have a separate Client Access Server in 2016. If the Kemp can balance based on source and target, then I understand why it might be necessary.

    Did you try using the round-robin with two Real Servers in WAF?  I wonder if 'Enable sticky session cookie' and/or 'Proxy Protocol' wouldn't accomplish what the Kemp is doing???

    Cheers - Bob
    PS When I moved from Berlin to Paris, Germans could tell I wasn't from their Land, but they weren't sure I wasn't a native speaker.  Although I can still read as well as then, my brain almost always goes to French when I turn off English, so writing and speaking German is only occasionally possible.  Even then, I speak with a French accent. :-D

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
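
An added example, not written by anyone in this thread: one way to look into the lost-sync question across many devices and the session-persistence point raised above is to merge the IIS logs of both Exchange servers and group the ActiveSync requests by device. It assumes W3C-format logs with a `#Fields:` header and plain-text ActiveSync query strings; the sample lines, IP addresses and device IDs are constructed.

```python
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample: merged IIS W3C log lines from two Exchange servers
# (10.0.0.11 and 10.0.0.12 are made-up backend addresses).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query sc-status time-taken
2024-01-10 08:00:01 10.0.0.11 POST /Microsoft-Server-ActiveSync/default.eas User=anna&DeviceId=DEV001&DeviceType=iPhone&Cmd=Sync 200 120
2024-01-10 08:00:05 10.0.0.12 POST /Microsoft-Server-ActiveSync/default.eas User=anna&DeviceId=DEV001&DeviceType=iPhone&Cmd=Sync 401 15
2024-01-10 08:00:09 10.0.0.11 POST /Microsoft-Server-ActiveSync/default.eas User=ben&DeviceId=DEV002&DeviceType=iPad&Cmd=Ping 200 900000
2024-01-10 08:00:12 10.0.0.11 POST /Microsoft-Server-ActiveSync/default.eas User=ben&DeviceId=DEV002&DeviceType=iPad&Cmd=Sync 200 80
2024-01-10 08:00:20 10.0.0.12 GET /owa/ - 200 30
2024-01-10 08:00:31 10.0.0.12 POST /Microsoft-Server-ActiveSync/default.eas User=cara&DeviceId=DEV003&DeviceType=iPhone&Cmd=Sync 503 5
"""

def summarize(log_text):
    """Per DeviceId: backends that served it and its non-200 ActiveSync requests."""
    fields = []
    devices = defaultdict(lambda: {"backends": set(), "failures": []})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").lower().startswith("/microsoft-server-activesync"):
            continue                           # ignore OWA, EWS and other traffic
        query = parse_qs(row.get("cs-uri-query", ""))
        device = query.get("DeviceId", ["unknown"])[0]
        cmd = query.get("Cmd", ["?"])[0]
        devices[device]["backends"].add(row["s-ip"])
        if row["sc-status"] != "200":
            devices[device]["failures"].append(
                (row["time"], row["s-ip"], cmd, row["sc-status"]))
    return devices

def suspects(devices):
    """Devices that were served by more than one backend or had a failed request."""
    return sorted(d for d, v in devices.items()
                  if len(v["backends"]) > 1 or v["failures"])

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for dev in suspects(result):
        print(dev, sorted(result[dev]["backends"]), result[dev]["failures"])
```

A device that alternates between backends and collects authentication failures on one of them is the pattern to compare against the persistence settings on the load balancer or WAF.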