Forum Discussion
APM as IdP for Office 365, with IP filtering
A fuller, more official Microsoft description of how ADFS works to create these access policies is here:
https://technet.microsoft.com/en-us/library/Hh526961%28v=WS.10%29.aspx
In that article, the values of various headers that Microsoft sends are described towards the end.
Keep in mind that your APM (or ADFS, the underlying technology does not matter here) needs to be externally reachable for the ActiveSync/OutlookAnywhere clients to get the assertion. There are probably a number of ways to tackle this issue with APM, but it can definitely be done to suit your needs.
One way is to write an iRule that will check the client IP's origin to see if it comes from the internal network - if not, check the required headers. It would look something like this (not tested) - assumes that all internal space you have is 10.0.0.0/8, all else is external, and 222.222.222.222 is the external IP address of your firewall that Office 365 will see when people try to get to it from behind the corporate firewall:
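when HTTP_REQUEST {
    # Only inspect requests that do not come from the internal 10.0.0.0/8 space
    if { not [IP::addr [IP::client_addr]/8 equals 10.0.0.0] } {
        # Both headers are present when Office 365 connects on behalf of a client.
        # Microsoft's name for the forwarded-address header is X-MS-Forwarded-Client-IP.
        if { [HTTP::header exists X-MS-Client-Application] and [HTTP::header exists X-MS-Forwarded-Client-IP] } {
            # Reject unless the original client sat behind the corporate firewall
            if { not [IP::addr [HTTP::header X-MS-Forwarded-Client-IP] equals 222.222.222.222] } {
                HTTP::respond 401 content "Not Authorized"
            }
        }
    }
}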
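The decision the iRule above encodes, modelled offline so the policy can be checked against sample requests before it goes on a virtual server. This is an added example, not part of the original post and not F5 or Microsoft code: the `decide` function, the sample requests and the fail-closed handling of malformed or multi-address header values are assumptions; the 10.0.0.0/8 range and 222.222.222.222 come from the post.

```python
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")      # internal space, from the post
FIREWALL_IP = ipaddress.ip_address("222.222.222.222")  # corporate egress address, from the post


def decide(client_ip, headers):
    """Return 200 (hand the request to APM) or 401, following the iRule's branches."""
    if ipaddress.ip_address(client_ip) in INTERNAL_NET:
        return 200  # internal clients are never filtered
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    app = hdrs.get("x-ms-client-application")
    fwd = hdrs.get("x-ms-forwarded-client-ip")
    if app is None or fwd is None:
        return 200  # same as the iRule: without both headers nothing is checked
    # Assumption (not stated in the post): the value may list several
    # comma-separated addresses; this model requires every one to match.
    try:
        addrs = [ipaddress.ip_address(part.strip()) for part in fwd.split(",")]
    except ValueError:
        return 401  # unparsable value: fail closed instead of erroring out
    return 200 if all(a == FIREWALL_IP for a in addrs) else 401


# Constructed sample requests: (label, connecting IP, request headers)
ACTIVESYNC = "Microsoft.Exchange.ActiveSync"
SAMPLES = [
    ("internal browser", "10.1.2.3", {}),
    ("external browser, no MS headers", "203.0.113.10", {}),
    ("ActiveSync from behind firewall", "203.0.113.10",
     {"X-MS-Client-Application": ACTIVESYNC, "X-MS-Forwarded-Client-IP": "222.222.222.222"}),
    ("ActiveSync from elsewhere", "203.0.113.10",
     {"X-MS-Client-Application": ACTIVESYNC, "X-MS-Forwarded-Client-IP": "198.51.100.7"}),
    ("mixed address list", "203.0.113.10",
     {"X-MS-Client-Application": ACTIVESYNC,
      "X-MS-Forwarded-Client-IP": "222.222.222.222, 198.51.100.7"}),
    ("malformed header value", "203.0.113.10",
     {"x-ms-client-application": ACTIVESYNC, "x-ms-forwarded-client-ip": "not-an-ip"}),
]


def evaluate(samples=SAMPLES):
    """Map each sample label to the status code the policy would return."""
    return {label: decide(ip, hdrs) for label, ip, hdrs in samples}


if __name__ == "__main__":
    for label, status in evaluate().items():
        print(f"{status}  {label}")
```

The second sample shows the case worth reviewing before deployment: an external request that carries neither header passes the filter, exactly as it does in the iRule.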