ActiveSync Client Cert Auth - no password prompt
I've seen a few threads, tagged on to some of them, but still no real solid answers. I would like to know the recommended / best config to implement client certificate authentication for ActiveSync.
There are references to the built-in iRule _sys_apm_activesync as a solution, but also several comments from F5 that it is highly preferred to use the Exchange iApp.
I am provisioning the client cert from AirWatch. My current config is good for passing the cert check; I have not yet stepped into using the cert for authentication.
I see a few options, what is best?
Which is preferred for ActiveSync (EAS)?
- Configure 2nd iApp specific to EAS, remove iRules, Exchange Profile add _sys_apm_activesync iRule?
- Configure 2nd iApp specific to EAS, keep iRules, Exchange Profile - if so what is recommended for client cert auth?
- Configure without the iApp, use _sys_apm_activesync iRule?
Configure 2nd iApp for EAS, keep iRules, attached 'exchange' profile. The APM docs on AskF5 outline on-demand cert auth: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-12-0-0/17.htmlconceptid. The proper APM profile should handle clientless mode.