Forum Discussion
Josh_41258
Feb 23, 2012 Nimbostratus
APM Domain Membership Restriction?
I have a requirement to restrict access to Outlook Anywhere to ONLY domain members. If a client from a non-member computer tries to connect to the OA service, he or she should be rejected. We do own...
Michael_Koyfma1
Feb 24, 2012 Cirrus
I think that the requirement here was to allow only DOMAIN-joined machines to access Outlook Anywhere. Josh's second post is right on the money - the only way to do it is to have the client connect first to a web-based VIP that will perform the inspection of the endpoint, authenticate the user, and confirm he's coming from a domain-joined machine. Then it will create a "holding" session for that username for a short period of time, so that when the user launches the Outlook client and the OA connection is established, APM will authenticate those credentials and make sure that that username has been verified as coming from a domain-joined machine within the last x seconds or minutes - and let the connection through.
The same logic can be applied to use client certs to authenticate Outlook Anywhere clients - use a browser to connect to APM and perform 2-factor auth - then have APM automatically launch Outlook and authorize based upon the logic described above.
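The holding-session logic described in the answer above, modelled as an added Python example; it is not part of the original post and is not F5 APM configuration or iRule code. The class and method names, the 120-second window, the sample usernames and the single-domain username normalisation are all assumptions made for illustration.

```python
import time

class HoldingSessions:
    """Model of the short-lived per-username 'holding' sessions (constructed example)."""

    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock            # injectable so expiry can be tested
        self._expiry = {}             # canonical username -> expiry timestamp

    @staticmethod
    def canonical(username):
        # Assumption: one AD domain, so DOMAIN\user and user@domain name the same account.
        name = username.strip().lower()
        if "\\" in name:
            return name.split("\\", 1)[1]
        return name.split("@", 1)[0]

    def record_web_logon(self, username, authenticated, domain_joined):
        """Browser-based VIP finished: create a holding session only if both checks passed."""
        if not (authenticated and domain_joined):
            return False
        self._expiry[self.canonical(username)] = self.clock() + self.ttl
        return True

    def authorize_outlook(self, username, credentials_valid):
        """Outlook Anywhere connection: valid credentials AND a live holding session."""
        now = self.clock()
        self._expiry = {u: t for u, t in self._expiry.items() if t > now}  # drop expired
        return bool(credentials_valid) and self.canonical(username) in self._expiry


class FakeClock:
    """Constructed test clock; advance .now to simulate elapsed seconds."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now


def demo():
    clock = FakeClock()
    hs = HoldingSessions(ttl_seconds=120, clock=clock)
    results = [hs.authorize_outlook("CORP\\alice", True)]          # no web logon yet
    hs.record_web_logon("alice@corp.example", True, True)
    results.append(hs.authorize_outlook("CORP\\Alice", True))      # inside the window
    clock.now = 121
    results.append(hs.authorize_outlook("CORP\\alice", True))      # window expired
    return results

if __name__ == "__main__":
    print(demo())
```

The holding session in this model is keyed on the username alone, so the window length is the main control over how long a verified logon stays usable.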