Surya_Duvuri_89
Feb 18, 2015

two factor authentication for Exchange 2013 OWA

Hello,

 

I have followed the "Deploying the BIG-IP System v11 with Microsoft Exchange 2010 and 2013 Client Access Servers Deployment Guide" and deployed Exchange 2013 CAS load balancing using F5 LTM and APM (single VS). OWA, ActiveSync (EAS), Outlook Anywhere (OA) and ECP work as expected. I am trying to add RSA authentication for OWA and ECP, which breaks EAS and OA since these two are under the same VS, expecting RSA credentials. I have modified the default access policy which the iApp created to include an RSA passcode option. I have created the following iRule. Instead of disabling, I need to forward the request to the AD access policy. Any help is appreciated.

 

when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::path]] {
        "/owa" -
        "/ecp" { ACCESS::enable }
        default { ACCESS::disable }
    }
}

 

The access policy is, Start -> Login Page (UID, RSAPasscode, AD PWD) -> RSA auth -> Variable Assign -> AD Auth -> SSO Credential Mapping -> Allow.

 

Thanks, Surya
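
Added example (not part of the original post and not F5's code): a plain tclsh script that replays the `switch -glob` patterns from the iRule above over constructed sample paths, showing that a pattern without a wildcard matches only the bare /owa or /ecp path. The proc names, the wildcard variant and the sample paths are assumptions for illustration.

```tcl
# Runs in plain tclsh, not on a BIG-IP: the ACCESS:: commands are returned
# as strings so the decision for each path can be inspected.

# Patterns exactly as posted: no wildcard, so only the bare path matches.
proc decide_as_posted {path} {
    switch -glob -- [string tolower $path] {
        "/owa" -
        "/ecp" { return "ACCESS::enable" }
        default { return "ACCESS::disable" }
    }
}

# Hypothetical variant: also match everything below /owa/ and /ecp/
# (assumption: all OWA and ECP sub-paths should hit the access policy).
proc decide_with_wildcard {path} {
    switch -glob -- [string tolower $path] {
        "/owa" -
        "/owa/*" -
        "/ecp" -
        "/ecp/*" { return "ACCESS::enable" }
        default { return "ACCESS::disable" }
    }
}

# Constructed sample request paths for the services named in the post:
# OWA, ECP, ActiveSync (EAS) and Outlook Anywhere (OA).
set samples {
    /owa
    /owa/
    /OWA/auth/logon.aspx
    /ecp/default.aspx
    /Microsoft-Server-ActiveSync
    /rpc/rpcproxy.dll
}

foreach p $samples {
    puts [format "%-30s posted=%-16s wildcard=%s" \
        $p [decide_as_posted $p] [decide_with_wildcard $p]]
}
```

With the posted patterns, /owa/ and /OWA/auth/logon.aspx fall through to the default branch, so the access policy is not applied to them; the EAS and OA paths reach the default branch in both variants.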

 

3 Replies

  • Have you considered using a Macro in the VPE that will check the http path, and then use an RSA auth login when it's owa and ecp, and then a normal logon page for anything else? Then you could still have the same branch coming out of the macro for both auth methods, and continue to do the rest of the policy flow.

     

  • Michael,

     

    Thank you for your reply. I am creating a Macro in VPE as follows.

     

    In -> Landing URI matches /owa or /ecp -> TACACS+ Auth -> Variable -> AD Auth -> Resource Assign -> Allow.

     

    -Surya

     

  • You can use a VPE action of "Client for MS Exchange" which is under "Endpoint Security (Server-Side)" to determine the client type connecting. If they are connecting from an MS Exchange client then you do the normal single factor auth and if they are in the "fallback" (OWA) then you present a logon page, etc. This should be how the iApp creates the APM policy.

     

    https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-config-11-4-0/apm_config_server_checks.html205575