Forum Discussion
waterfall_10467
Altostratus
Jul 23, 2013
Machine Cert Auth for Microsoft Outlook Anywhere
Hello There,
I need your help about the subject, because I have taken an order from our security executives and they say that all clients must come to the virtual server through APM access. Then I ...
Michael_Koyfma1
Cirrus
Jul 24, 2013
It is not about F5 supporting it - it's the fact that Outlook client itself does not support machine certificate authentication. F5 CAN help - however, it's not the most trivial implementation and I would suggest engaging professional services for this. The gist is as follows:
User connects to the APM virtual server using their browser. APM performs user AD authentication as well as machine certificate authentication (since we can do it from the browser's realm). Then the user name and source IP address need to be stored in a table (using a very simple iRule) with the expiration time of x number of seconds.
Then you have to modify your APM policy for OutlookAnywhere to detect OutlookAnywhere traffic specifically, and once OA traffic is detected, branch out and raise an iRule event right after the Login page object to check whether the username supplied and source IP address exist in the table - if they don't, it means that the user has not authenticated within the previous x seconds using machine certificate and you will Deny their session as a result.
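A sketch of the table logic described in the reply above, added here as an example and not part of the original post or any F5-supplied code. The agent IDs `mc_register` and `mc_check`, the subtable name `mc_verified`, the 300-second lifetime and the variable `session.custom.mc_ok` are assumptions, and it assumes both policies see the username in the same format.

```tcl
# Added example (not from the thread). Agent IDs, subtable name, lifetime and
# session.custom.mc_ok are assumed names; use the same IDs in the iRule Event
# agents of the browser policy and the Outlook Anywhere policy.
when RULE_INIT {
    # The "x seconds" from the post; 300 is an assumed value.
    set static::mc_lifetime 300
}

when ACCESS_POLICY_AGENT_EVENT {
    # Normalise case so "Alice" and "alice" map to the same entry.
    set user [string tolower [ACCESS::session data get "session.logon.last.username"]]
    set ip   [ACCESS::session data get "session.user.clientip"]
    set key  "$user|$ip"

    switch -- [ACCESS::policy agent_id] {
        "mc_register" {
            # Browser policy: place this event on the branch reached only
            # after AD auth AND the machine certificate check have passed.
            if { $user ne "" && $ip ne "" } {
                # timeout == lifetime: the entry expires x seconds after creation.
                table set -subtable mc_verified $key 1 \
                    $static::mc_lifetime $static::mc_lifetime
            }
        }
        "mc_check" {
            # Outlook Anywhere policy: place right after the Login page object.
            # -notouch: a lookup must not extend the entry's idle timeout.
            if { $user ne "" &&
                 [table lookup -notouch -subtable mc_verified $key] ne "" } {
                ACCESS::session data set "session.custom.mc_ok" 1
            } else {
                ACCESS::session data set "session.custom.mc_ok" 0
                log local0.notice "OA denied: no recent machine-cert auth for $user from $ip"
            }
        }
    }
}
```

In the Outlook Anywhere policy, the branch after the `mc_check` event would test `expr { [mcget {session.custom.mc_ok}] == 1 }` and send the fallback branch to Deny. Because the key is username plus source IP, every machine behind the same NAT address shares the entry for that user, so the lifetime should stay short.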