Certificate as second factor for ActiveSync
We have an F5 in front of an Exchange 2016 cluster, which does the LB (configured via iApp / the https-combined-pool-selection iRule). There is no APM in use. Since ActiveSync is one of the last "open" services that has no second factor for authentication, we'd like to implement some kind of simple client-certificate check against the CA.
In principle, our (simple) approach would be:
- if /ms-active-sync is called and no client cert exists -> reset SSL-Handshake and switch to another SSL-profile
- other SSL-profile has "client cert: require" and a CA that it checks against
- if this succeeds, the client request (with the Auth details) is forwarded as usual to the Exchange server, which handles the authentication with username/pw (normal EAS login)
Unfortunately I'm not sure if the EAS client is able to present a certificate when requested by the F5. I know about a guide that describes how to switch EAS to cert-auth on Exchange servers, but that would be "cert-only" (no additional user/pw).
But I assume this "reconfigures the client", so that it presents a cert for authentication, and leaves out the part with user/pw.
But I'm not sure if the client would present a certificate if requested by the F5 only, or if this would terminate in an error.
Anyone experienced with such a setup?
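As an added illustration (not part of the original post and not the poster's configuration), the per-path client-certificate check described above is usually done on an F5 without switching SSL profiles: the iRule lets the handshake complete with the profile's normal "client cert: ignore/request" setting, and when a request for the ActiveSync virtual directory arrives with no certificate on the session, it raises the cert mode to `require` and triggers a TLS renegotiation on the same profile. The CA to validate against is the "Trusted Certificate Authorities" bundle of that client-ssl profile. Assumptions: the EAS path is the standard Exchange virtual directory `/Microsoft-Server-ActiveSync`; the virtual server has the client-ssl profile with renegotiation enabled and the CA bundle configured; the username/password step is still left to Exchange, exactly as in the approach above. Whether a given EAS client actually answers the renegotiation with a certificate is the open question of the post and is not answered by this rule.

```tcl
# Added example: on-demand client-certificate check for EAS on an F5 LTM
# (not the poster's iRule). Requires a client-ssl profile with renegotiation
# allowed and a Trusted CA bundle; TLS 1.3 has no renegotiation, so clients
# must negotiate TLS 1.2 or lower for this to work.

when HTTP_REQUEST {
    # Only the ActiveSync virtual directory gets the second factor.
    # (Assumed path; it is the default Exchange EAS vdir.)
    if { [string tolower [HTTP::path]] starts_with "/microsoft-server-activesync" } {
        if { [SSL::cert count] == 0 } {
            # Hold the request (incl. body) until the renegotiation finishes,
            # then demand a client certificate on the existing connection.
            HTTP::collect
            SSL::cert mode require
            SSL::renegotiate
        }
    }
    # All other paths (OWA, MAPI/HTTP, Autodiscover, ...) are untouched.
}

when CLIENTSSL_CLIENTCERT {
    # Fires after the renegotiation; verify_result is 0 only when the chain
    # validated against the profile's Trusted CA bundle.
    if { [SSL::cert count] == 0 || [SSL::verify_result] != 0 } {
        log local0. "EAS client cert check failed from [IP::client_addr]: \
            [X509::verify_cert_error_string [SSL::verify_result]]"
        reject
        return
    }
    log local0. "EAS client cert OK from [IP::client_addr]: \
        [X509::subject [SSL::cert 0]]"
    # Release the held request; Exchange still does the username/password auth.
    HTTP::release
}
```

Two practical caveats beyond the protocol question: `HTTP::collect` without a length buffers the whole request body, which is fine for the small WBXML bodies EAS sends, and `reject` closes the connection rather than returning an HTTP error, so failed clients see a TLS/connection failure rather than a 403.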