Forum Discussion

MichaelJordan_1
Mar 17, 2016

Forward ActiveSync Requests if user is member of BLABLA

Hi


I'm trying to deploy an APM policy for Exchange infrastructure. Here is the hard part for my knowledge. I have to check the user's membership and then forward them to the "deny||allow" branch. Since ActiveSync requests don't follow my policy design, I could not detect membership. By the way, I've used the recent iApp to create this Access Policy. It works nicely, but I need to implement "the hard part".


How could I go further?


4 Replies

  • Cory_O

    What I did was add an LDAP Query (or AD Query if you like).

    At first, I pulled the memberOf attribute and created a Deny Branch Rule with the following syntax:

    expr { [string tolower [mcget {session.server.landinguri}]] contains "/microsoft-server-activesync" && [string match -nocase *CN=YOURGROUPHERE,OU=GRP-WorkGRP,OU=USA-Groups,OU=USA,DC=na,DC=yourdomain,DC=com* [mcget {session.ldap.last.attr.memberOf}]] == 0 }

    Then I create an Allow Branch at the bottom that sets the SSO and moves forward.

    The problem with the above method is that the LDAP Query pulls a literal group membership. If the user is a member of a group that is NESTED within the group mentioned in the Branch Rule above, it will not be considered. With that said, I moved on to setting an AD Attribute for those I wanted to allow or deny access.

    Here's the new Deny branch I created:

    expr { [mcget {session.ldap.last.attr.extensionAttribute15}] == "External-Access-Restricted" }
    (Change the attribute and return string to whatever you'd like to use)

    The second has worked very well for me so far, but feel free to experiment with either!

    -Cory

  • Hi,

    If you need to validate membership in only one group, including nested groups, you can use the following filter in the LDAP query:

    (&(sAMAccountName=%{session.logon.last.username})(memberof:1.2.840.113556.1.4.1941:=CN=YOURGROUPHERE,OU=GRP-WorkGRP,OU=USA-Groups,OU=USA,DC=na,DC=yourdomain,DC=com)(sAMAccountType=805306368))

    This filter asks AD whether the user is a member of the group, including nested groups.
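The two replies above differ in how they treat nested groups: a plain memberOf read (Cory's first branch rule) only sees direct membership, while the 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) filter resolves the whole chain. The following added example, which is not from this thread or from F5, models both checks over a small constructed directory, and also builds the second reply's filter with the username escaped per RFC 4515, since `%{session.logon.last.username}` is user-supplied input being substituted into a filter. The group and user DNs are constructed sample values.

```python
from collections import deque

# Constructed sample directory (not real data): group DN -> direct members (users or groups).
TARGET = "CN=YOURGROUPHERE,OU=GRP-WorkGRP,OU=USA-Groups,OU=USA,DC=na,DC=yourdomain,DC=com"
NESTED = "CN=ActiveSync-Contractors,OU=USA-Groups,OU=USA,DC=na,DC=yourdomain,DC=com"
ALICE = "CN=alice,OU=Users,DC=na,DC=yourdomain,DC=com"   # direct member of TARGET
BOB = "CN=bob,OU=Users,DC=na,DC=yourdomain,DC=com"       # member only via NESTED
GROUPS = {TARGET: [NESTED, ALICE], NESTED: [BOB]}


def direct_member_of(dn):
    """What reading the memberOf attribute returns: direct groups only."""
    return [g for g, members in GROUPS.items() if dn in members]


def transitive_member_of(dn):
    """Closure over nested groups, the set the 1.2.840.113556.1.4.1941 rule resolves."""
    seen, queue = set(), deque(direct_member_of(dn))
    while queue:
        g = queue.popleft()
        if g not in seen:
            seen.add(g)
            queue.extend(direct_member_of(g))
    return seen


def branch_rule_allows(user_dn, group_dn, nested=False):
    """Mirror of the branch rule: allow when group_dn appears in memberOf (case-insensitive)."""
    groups = transitive_member_of(user_dn) if nested else direct_member_of(user_dn)
    return any(g.lower() == group_dn.lower() for g in groups)


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into an LDAP search filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_membership_filter(username, group_dn):
    """The second reply's filter, with the logon name escaped before substitution."""
    return ("(&(sAMAccountName=%s)(memberof:1.2.840.113556.1.4.1941:=%s)"
            "(sAMAccountType=805306368))"
            % (escape_filter_value(username), escape_filter_value(group_dn)))
```

Running the checks shows why Cory moved away from the literal memberOf rule: `branch_rule_allows(BOB, TARGET)` is False, but with `nested=True` it is True.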