Forum Discussion

David_G__33241
Dec 05, 2017

ActiveSync and Client Certificates

I am looking for some understanding around the use of client certificates with ActiveSync.

To set some context, our ActiveSync and OWA users currently touch down on a BIG-IP which was originally built using the Exchange 2010 iApp. The Access policy was modified a fair bit to do things such as geo-location blocking, client blocking based on User-Agent string, AD group lookups to ensure users point to the correct server, Android vs iOS, etc. Everything works fine. From an Edge Client/APM perspective (completely separate from mail) we do device and user certificate checking using Machine Cert Auth and On-Demand Cert Auth along with the appropriate OCSP check. We also parse the certificates to pull out the necessary information. Again, everything works fine, and the above is really just to say we’re comfortable with ActiveSync as well as with using certs.

Now we would like to use client certificates on ActiveSync. Poking through the Exchange iApp I can see some code which pulls the UPN from the x509extensions and then the username and domain are extracted from this. I cannot tell from the template how this is actually being used though. Can someone shed some light on this?

For example, do I have to set the client SSL profile to request and then do a client cert auth to see if a valid cert was presented? Can I ignore in the profile then do an On-Demand Cert Auth in the Access Profile? Do I have to compare the username and domain from the cert to the username and domain presented by the ActiveSync client? Does using a client certificate change the way that the Big-IP talks to the back end CAS servers or is the only change in the way the client authenticates to the Big-IP? Are these changes manual or does the iApp do all/most/some of this? I did look through the deployment guide but did not come across this information so any help would be appreciated.

Thanks,

David

APM 12.1.2

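Added example, not from the post, the Exchange iApp, or F5: a vendor-neutral Python sketch of the binding step David asks about, pulling the UPN out of a client certificate's SubjectAltName otherName and comparing its user and domain parts with the username and domain the ActiveSync client presented. The SAN bytes are constructed inside the block with a tiny DER encoder so it runs offline; the OID 1.3.6.1.4.1.311.20.2.3 is Microsoft's UPN otherName OID. The function names, the case-insensitive comparison and the fail-closed behaviour for certificates without a UPN are illustrative assumptions, not APM or iRule semantics.

```python
"""Extract the UPN from an X.509 SubjectAltName and compare it with the
username/domain an ActiveSync client presented.  Illustrative code, not
F5 iApp/iRule code; the sample SAN below is constructed here."""

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft szOID_NT_PRINCIPAL_NAME

# --- minimal DER encoder, used only to build the constructed sample ----------

def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def build_san(upn, email: str) -> bytes:
    """SubjectAltName ::= SEQUENCE OF GeneralName; optional otherName UPN plus an rfc822Name."""
    names = b""
    if upn is not None:
        # otherName [0] { type-id OID, value [0] EXPLICIT UTF8String }
        names += der(0xA0, encode_oid(UPN_OID) + der(0xA0, der(0x0C, upn.encode("utf-8"))))
    names += der(0x81, email.encode("ascii"))        # rfc822Name [1] IA5String
    return der(0x30, names)

# --- minimal DER decoder -----------------------------------------------------

def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content: bytes) -> str:
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def extract_upn(san_der: bytes):
    """Walk the SAN; return the UPN string, or None if no UPN otherName is present."""
    tag, seq, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SAN is not a SEQUENCE")
    pos = 0
    while pos < len(seq):
        tag, content, pos = read_tlv(seq, pos)
        if tag != 0xA0:                       # only otherName [0] can carry a UPN
            continue
        oid_tag, oid_bytes, p = read_tlv(content, 0)
        if oid_tag != 0x06 or decode_oid(oid_bytes) != UPN_OID:
            continue
        _, explicit, _ = read_tlv(content, p)  # [0] EXPLICIT wrapper
        str_tag, value, _ = read_tlv(explicit, 0)
        if str_tag != 0x0C:                    # UPN must be a UTF8String
            raise ValueError("UPN otherName is not a UTF8String")
        return value.decode("utf-8")
    return None

def split_upn(upn: str):
    """Split 'user@domain' into (user, domain); reject a UPN without a realm."""
    user, sep, domain = upn.partition("@")
    if not sep or not user or not domain:
        raise ValueError(f"malformed UPN: {upn!r}")
    return user, domain

def cert_matches_presented(san_der: bytes, presented_user: str, presented_domain: str) -> bool:
    """True only if the cert carries a UPN whose user and domain match the client's claim."""
    upn = extract_upn(san_der)
    if upn is None:                            # no UPN: fail closed
        return False
    user, domain = split_upn(upn)
    return (user.casefold() == presented_user.casefold()
            and domain.casefold() == presented_domain.casefold())

# Constructed sample (not a real certificate): UPN otherName plus rfc822Name.
SAMPLE_SAN = build_san("david@corp.example.com", "david@corp.example.com")

if __name__ == "__main__":
    print(extract_upn(SAMPLE_SAN))
    print(cert_matches_presented(SAMPLE_SAN, "David", "CORP.EXAMPLE.COM"))
    print(cert_matches_presented(SAMPLE_SAN, "mallory", "corp.example.com"))
```

This covers only the identity-binding check: tying the authenticated certificate to the account the client claims. Chain validation and the OCSP revocation check the post already mentions are separate steps that must pass before the UPN comparison means anything, and a certificate with no UPN is treated as a non-match rather than falling back to another field.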