Forum Discussion

Patrick_M__Stoe
Apr 13, 2017

How do I pass IMAP(s) to APM for NTLM/AD Group Membership authentication?

My internal MS Exchange 2010 CAS and MB platforms are set up to enable IMAP globally for all domain users, and my v11.6 LTM is properly handling all the iApp features to support OWA, ECP, IMAP, ActiveSync, etc. internally as well. Externally, we have an additional iApp that serves public-facing ActiveSync and also utilizes the APM functionality to limit OWA and Outlook Web access to specific Active Directory users.

 

We now have a need to extend that 'limited' external use to IMAP as well, but have not been able to figure out how to configure an iRule that will pass SSL (tcp/993) NTLM-based IMAP user credentials into APM for pre-authentication, prior to allowing connectivity. I have found many examples that use "ACCESS::policy" and "ECA::enable" that I think are just what I need, but everything I have tried requires that I associate an Access Policy directly with the Virtual Server, which then requires that I associate an HTTP profile, breaking IMAP communications completely.

 

  • Hi,

    The ECA profile challenges the client with a WWW-Authenticate NTLM HTTP header.

    Maybe you can create an HTTP virtual server with NTLM auth enabled... then create an IMAP VS with an iRule creating a sideband connection to the HTTP VS, converting the IMAP NTLM header to an HTTP header, then parse the response to search for HTTP NTLM headers and convert them to IMAP...

    Such an interesting challenge.
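
The header conversion suggested in the reply above, reduced to its message mapping, as an added example that is not part of the original thread and is not F5 iRule code. It assumes the usual IMAP `AUTHENTICATE NTLM` continuation exchange and the HTTP `Authorization` / `WWW-Authenticate` NTLM headers; `ImapNtlmBridge`, `ntlm_type` and `sample_token` are hypothetical names, and the sample tokens are constructed.

```python
import base64
import struct

SIG = b"NTLMSSP\x00"

def ntlm_type(token: str) -> int:
    """Message type (1 negotiate, 2 challenge, 3 authenticate) of a base64 NTLM token."""
    raw = base64.b64decode(token, validate=True)
    if len(raw) < 12 or raw[:8] != SIG:
        raise ValueError("not an NTLMSSP message")
    return struct.unpack_from("<I", raw, 8)[0]

class ImapNtlmBridge:
    """State for ONE IMAP connection; NTLM over HTTP authenticates a connection,
    so all requests of one exchange must reuse the same sideband connection."""
    def __init__(self):
        self.tag, self.expect = None, "command"

    def from_imap(self, line: str):
        """Client line -> ('imap', reply to client) or ('http', Authorization header)."""
        line = line.strip()
        if self.expect == "command":
            parts = line.split()
            if len(parts) != 3 or [p.upper() for p in parts[1:]] != ["AUTHENTICATE", "NTLM"]:
                raise ValueError("expected '<tag> AUTHENTICATE NTLM'")
            self.tag, self.expect = parts[0], 1
            return ("imap", "+\r\n")            # empty continuation requests Type 1
        if self.expect not in (1, 3) or ntlm_type(line) != self.expect:
            raise ValueError("NTLM message out of sequence")
        self.expect = "challenge" if self.expect == 1 else "result"
        return ("http", "Authorization: NTLM " + line)

    def from_http(self, status: int, www_authenticate: str = "") -> str:
        """HTTP status and WWW-Authenticate value -> IMAP line for the client."""
        scheme, _, token = www_authenticate.partition(" ")
        if (self.expect == "challenge" and status == 401
                and scheme.upper() == "NTLM" and token and ntlm_type(token) == 2):
            self.expect = 3
            return "+ " + token + "\r\n"        # Type 2 as SASL continuation
        ok = self.expect == "result" and status == 200
        self.expect = "command"                 # anything else ends the exchange
        return f"{self.tag} {'OK' if ok else 'NO'} AUTHENTICATE {'completed' if ok else 'failed'}\r\n"

def sample_token(msg_type: int) -> str:
    """Constructed header-only token for the demo; real tokens carry more fields."""
    return base64.b64encode(SIG + struct.pack("<I", msg_type) + b"\x00" * 20).decode()
```

The bridge rejects tokens that arrive out of order and answers `NO` for any HTTP result other than the expected 401 challenge or final 200, so a failed pre-authentication never reaches the IMAP back end.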