Josh_41258
Feb 23, 2012

APM Domain Membership Restriction?

I have a requirement to restrict access to Outlook Anywhere to ONLY domain members. If a client from a non-member computer tries to connect to the OA service, he or she should be rejected. We do own APM.

Is this possible?

Thanks,

Josh

  • Hi Josh,

    You could use APM to perform web access auth for your OWA service. There are a number of ways you could prompt the users for credentials and then verify them against AD.

    Try searching on AskF5 for "active directory authentication" for APM to get more info.

    Aaron
  • Aaron,

    Thanks for the reply. I'm guessing that in order to restrict access to OA (the Outlook client), we would first have to have them log in through some type of web portal which would run various client system checks, then grant access to Outlook Anywhere. This would be different from OWA, since OWA is a web-based service, and OA actually uses the Outlook client. I believe APM can actually just pass credentials on to OWA.

    Josh
  • You're going to have to set it up like ActiveSync. Outlook Anywhere uses pretty much the same components as ActiveSync.
  • I think that the requirement here was to allow only DOMAIN-joined machines to access OutlookAnywhere. Josh's second post is right on the money - the only way to do it is to have a client connect to a web-based VIP first that will perform the inspection of the end-point and authenticate the user and confirm he's coming from domain-joined machines. Then it will create a "holding" session for that username for a short period of time, so that when the user launches the Outlook client and the OA connection is established, APM will authenticate those credentials and make sure that that username has been verified as coming from a domain-joined machine within the last x seconds or minutes - and let the connection through.

    The same logic can be applied to use client certs to authenticate OutlookAnywhere clients - use a browser to connect to APM and perform 2-factor auth - then have APM automatically launch Outlook and authorize based upon the logic described above.
  • Baron,

    As a matter of fact, APM can certainly do everything that is described in the doc you are referencing, but using a client certificate for authenticating OutlookAnywhere traffic is not described there. Can you please perhaps point me to the page in the doc where it's buried? Thanks.
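
The "holding" session logic described in the reply above about domain-joined machines, modelled in Python as an added example; it is not code from any poster and not APM configuration. It assumes Outlook Anywhere sends HTTP Basic credentials, a 300-second window in place of the post's "x seconds or minutes", and an optional source-IP binding that the thread does not mention; verifying the password against AD is a separate step not shown.

```python
import base64
import time

HOLD_SECONDS = 300  # assumed value; the thread only says "x seconds or minutes"


class HoldingSessions:
    """Model of a short-lived 'holding' session table keyed by username."""

    def __init__(self, ttl=HOLD_SECONDS, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock
        self._holds = {}  # normalized username -> (expiry, client_ip)

    @staticmethod
    def normalize(username):
        # The portal and Outlook may present DOMAIN\user or user@domain;
        # key both on the bare account name so the lookup matches.
        name = username.strip().lower()
        if "\\" in name:
            name = name.split("\\", 1)[1]
        return name.split("@", 1)[0]

    def record_portal_login(self, username, client_ip, domain_joined, auth_ok):
        # Browser-facing step: only a passing endpoint inspection together
        # with successful authentication creates a hold.
        if not (domain_joined and auth_ok):
            return False
        self._holds[self.normalize(username)] = (self.clock() + self.ttl, client_ip)
        return True

    def authorize_oa(self, authorization_header, client_ip):
        # Outlook Anywhere step: extract the username from Basic credentials
        # and require an unexpired hold for it.
        scheme, _, blob = authorization_header.partition(" ")
        if scheme.lower() != "basic":
            return False
        try:
            user = base64.b64decode(blob, validate=True).decode("utf-8").split(":", 1)[0]
        except ValueError:  # covers bad base64 and bad UTF-8
            return False
        key = self.normalize(user)
        expiry, held_ip = self._holds.get(key, (0.0, None))
        if self.clock() >= expiry:
            self._holds.pop(key, None)  # expired or absent: needs a new portal visit
            return False
        # Assumption beyond the thread: a hold keyed on username alone would
        # admit any machine using those credentials inside the window.
        return held_ip == client_ip
```

The source-IP binding fails for clients whose browser and Outlook traffic leave through different NAT addresses, so treat it as a trade-off to test rather than a given.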