Forum Discussion

Mia_27938
Jun 24, 2013

Access to resource based on the Active Directory group.

Hi

I am trying to allow access to a resource (the MS Exchange server) based on the Active Directory user group.

    AD Group A (Tom, Jane) ---------------------|
                                                |---- APM or LTM ----|-------- AD server
                                                |                    |-------- MS ActiveSync
    AD Group B (Mike, Olivia) ------------------|

Tom's iPhone and Jane's Galaxy S are in AD group A.

Mike's iPhone and Olivia's Galaxy S are in AD group B.

Each mobile device is authenticated by the AD server.

And if the devices are authenticated, they can access MS ActiveSync.

CONDITIONS:

1. Both Tom and Jane in AD group A must be allowed access to the MS Exchange server.

2. Mike must be DENIED access to the MS Exchange server; only Olivia must be allowed.

If the condition is the user agent, not the AD group, LTM can be used with the following iRule.

Excellent!!

    when HTTP_REQUEST {
        # Normalise the User-Agent to upper case so the data-group entries
        # (which must also be upper case) match regardless of client casing.
        set string_useragent [string toupper [HTTP::header User-Agent]]

        log local0. "User-Agent is $string_useragent"

        # "secureclient" is a string data group listing approved User-Agent
        # substrings; "contains" matches if any entry appears in the header.
        if { $string_useragent != "" && [class match $string_useragent contains secureclient] } {
            pool ActiveSync_Pool
        } else {
            reject
        }
    }

But my customers require an ACL based on both the AD group and the user agent.

Roughly, I know that I need APM to extract the AD group information.

I am referring to the following information.

- https://devcentral.f5.com/community...593/asg/52

- http://support.f5.com/kb/en-us/solu...r=28900557

But the customer doesn't like APM's logon page.

If I deploy APM, is it possible without APM's logon page?

How should I approach this?

Thank you.

ChaBanGoon

 

1 Reply

  • For what it's worth, APM's logon page is only ONE way to collect credentials. You can also do client side Kerberos, PKI, Basic, and others. You can also customize the logon page. I've even seen an APM logon page that looked just like the OWA logon page.
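One way to put the two requirements together, as an added example that is neither the poster's nor F5's code: keep the User-Agent data-group check from the question's LTM iRule and add the AD group membership that APM places in the session, with credentials collected by an HTTP 401 (Basic) challenge rather than the logon page, which is one of the alternatives the reply mentions. The data-group names "allowed_ad_groups", "allowed_users" and "secureclient", the pool "ActiveSync_Pool", and the access-policy layout (401 Basic challenge, AD Auth, AD Query) are assumptions, not part of the original thread.

```tcl
# Added example (not from the original post or from F5): combine the AD group
# membership that APM exports with the User-Agent data-group check from the
# LTM-only iRule above, and choose the pool per request.
#
# Assumptions (not in the original thread):
#   - An APM access policy on the virtual server collects the ActiveSync
#     client's credentials with an HTTP 401 (Basic) challenge instead of the
#     logon page, then runs AD Auth and AD Query, so
#     session.ad.last.attr.memberOf holds the user's group DNs.
#   - String data group "allowed_ad_groups" lists the full DNs of groups that
#     may reach ActiveSync (e.g. "CN=Group A,OU=Groups,DC=example,DC=com").
#   - String data group "allowed_users" lists per-user exceptions by logon
#     name (Olivia's case: allowed although Group B is not).
#   - String data group "secureclient" lists upper-case User-Agent substrings
#     of approved clients, as in the original iRule.
#   - Pool "ActiveSync_Pool" fronts the Exchange ActiveSync servers.
when ACCESS_ACL_ALLOWED {
    # This event fires per request only after APM has established the
    # session, so the AD Query results are populated (an early HTTP_REQUEST
    # may run before the policy has finished).
    set ua       [string toupper [HTTP::header User-Agent]]
    set groups   [ACCESS::session data get "session.ad.last.attr.memberOf"]
    set username [ACCESS::session data get "session.logon.last.username"]

    # Condition 1: approved client software (same check as the LTM iRule).
    set client_ok [expr { $ua ne "" && [class match $ua contains secureclient] }]

    # Condition 2: AD group allow-list, or a per-user exception.
    set group_ok [class match $groups contains allowed_ad_groups]
    set user_ok  [class match $username equals allowed_users]

    if { $client_ok && ($group_ok || $user_ok) } {
        pool ActiveSync_Pool
    } else {
        # Log the decision inputs for audit, then drop the APM session so a
        # denied user cannot reuse it, and reset the connection.
        log local0. "ActiveSync denied: user=$username ua=$ua groups=$groups"
        ACCESS::session remove
        reject
    }
}
```

Two points worth checking in a deployment like this: `class match ... contains` is a substring test, so list complete group DNs (including the OU and DC components) in the data group, otherwise "CN=Group A" would also match a group named "Group AB"; and the group decision can equally be made inside the access policy itself with a branch rule on `session.ad.last.attr.memberOf`, with the iRule then only handling the User-Agent check, which keeps the authorization logic visible in the policy editor.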