Forum Discussion
OWA with APM
Hello,
We are implementing OWA with APM for the first time and have a few questions.
- We are adding an additional F5 layer at the perimeter network and this is where the APM will be configured. The OWA VIP will be configured on this F5 and the VIP will point to the VIP for OWA on the internal F5 (which currently holds the VIP and SSL offload). SSL offloading will be moved from the internal to the external F5. I created the appropriate SSL profiles and applied them to the VIP (our cert for the client and insecure SSL to the server). Initially I had left the inside VIP to use the same certs as before, but when I tested this it did not work. The page would not come up due to cert errors. I modified the external F5 to use the default "clientssl" and this seems to work. I also tried to set the internal VIP to "performance L4" so that once SSL offload happens on the external F5 the traffic gets sent straight to the Exchange servers, which will then decrypt them. Would appreciate any suggestions in getting this to work.
- Second question is that I want to use 2-factor for OWA when the source IP is not an internal/trusted IP. If the source is internal then the user will be presented the logon page, enter AD username/pass, SSO mapping (username/password) and then resources will be assigned. If however the user is not from an internal or trusted network then the user will be presented with a logon page which will ask for username/password and security token. On input, RADIUS authentication will take place (we use Symantec VIP) and if successful SSO mapping. My question regarding this is that for the SSO mapping does the token need to be sent through to OWA or will only username/password suffice? If the token needs to be sent through, then does the backend OWA need to have its login page/IIS modified so as to accept the token?
Sorry about the long question, but I am new to APM and we need to get this deployed very quickly due to a security incident and would sincerely appreciate any help.
thanks,
karthik
2 Replies
Hi,
For the first question, you can define the VS on the internal F5 as standard with default client and server SSL profiles. It will provide you the ability to add cookie persistence. If you set L4 performance, you should not add any SSL profiles and you need to add source_addr persistence, which will not help as the source IP will be the external F5 floating self IP. So, I suggest opting for the standard VS with SSL bridging (clientssl and serverssl) and adding a cookie persistence profile.
For the second question, if you configure 2-factor authentication directly on the VPE, you then need to provide username/password creds only to OWA and make everything work smoothly. You have an IP Subnet Check block on the VPE to help you decide if the user should get an extra 2-factor auth or not.
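
The internal virtual server suggested in the reply above, shown beside the Performance (Layer 4) variant it advises against, as an added example that is not part of the original thread. Object names, addresses and pool members are placeholders; the stanzas follow the `tmsh list ltm` layout and use the default clientssl, serverssl, cookie and source_addr profiles named in the reply.

```tmsh
# Placeholder pool of Exchange/OWA servers (addresses are documentation ranges).
ltm pool pool_owa_internal {
    members {
        192.0.2.11:443 { address 192.0.2.11 }
        192.0.2.12:443 { address 192.0.2.12 }
    }
    monitor https
}

# Variant the reply advises against: Performance (Layer 4), no SSL profiles.
# Traffic stays encrypted through this hop, so only source_addr persistence is
# available, and every connection arrives from the external BIG-IP's floating
# self IP: all sessions persist to the same pool member.
ltm virtual vs_owa_internal_l4 {
    destination 192.0.2.10:443
    ip-protocol tcp
    persist {
        source_addr { default yes }
    }
    pool pool_owa_internal
    profiles {
        fastL4 { }
    }
}

# Variant the reply suggests: standard virtual server with SSL bridging.
# TLS is terminated (clientssl) and re-encrypted to the servers (serverssl),
# so the HTTP layer is visible and cookie persistence can be used per user
# session instead of per source address.
ltm virtual vs_owa_internal {
    destination 192.0.2.10:443
    ip-protocol tcp
    persist {
        cookie { default yes }
    }
    pool pool_owa_internal
    profiles {
        clientssl { context clientside }
        http { }
        serverssl { context serverside }
        tcp { }
    }
}
```

Only one of the two virtual servers would exist in practice, since both use the same placeholder destination.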