Forum Discussion
AltostratusCertificate as second factor for ActiveSync
CumulonimbusYour approach to implementing a client-certificate check for ActiveSync on your F5 load balancer in front of an Exchange 2016 Cluster sounds reasonable. However, the success of this setup largely depends on whether the Exchange ActiveSync (EAS) client can present a certificate when requested by F5. In a typical setup, the EAS client does not present a certificate unless it's explicitly configured to do so. This configuration is usually done on the Exchange server, not on the F5 device. When the Exchange server is configured for certificate-based authentication (CBA), the EAS client will present a certificate during the SSL/TLS handshake process. In your case, you want the client to present a certificate when requested by the F5 device, not by the Exchange server. This scenario is less common and may not work as expected unless the EAS client is configured to present a certificate regardless of the server requesting it.
am_gliThanks for the reply - but what would be a common approach to resolve this?
The setup with an Exchange-Server + F5 and security-aware customers that don't want any 1F-Authentication from the Internet to their AD should be something that exists in thousands of setups worldwide. I'm not sure how others have achieved this? Because a 2F-auth with Tokens for EAS is not an option - and if you'd activate it on Exchange side, you'd have to disable SSL-Termination on F5, so that Exchange receives the client-certificate for authentication. That way, you remove many advantages that F5 provides (e.g. ASM).
