Forum Discussion

rgordon_01
Jul 13, 2017

Machine Cert Inspection

Need some help with access policy and machine cert inspection. But first can someone clarify if Machine Cert Inspection is the only action that can be used with a machine cert or can you also use Client Cert Inspection or On-demand Cert Auth in the access policy? I understand the difference in location of machine vs client.

 

Here's what I'm trying to do. We want Outlook Anywhere to be accessible externally but only on company-owned laptops with a valid machine cert installed. I've set up an access policy with just the Machine Cert Auth action and applied it to my VIP. I added logging at the beginning of the policy even before the Machine Cert Auth and the logs never show it hitting the access policy. The APM log just shows:

 

Received User-Agent header.... Received client info..... New session from client IP....

 

and that's it. The LTM logs don't show anything either. I've turned on debug logging for LTM and APM but there's no additional info in the logs. I'm testing by connecting a company-owned laptop to an outside line and opening Outlook. I know it's hitting the VIP from the logs but why isn't it hitting the access policy? I have configured working access policies for client cert checks but this is the first time for a machine cert check.

 

7 Replies

  • Can someone clarify if Machine Cert Inspection is the only action that can be used with a machine cert or can you also use Client Cert Inspection or On-demand Cert Auth in the access policy? I understand the difference in location of machine vs client

     

    thanks!

     

  • Machine certificate inspection requires the use of the Edge Client or the browser plugins, and since the Outlook client is considered "clientless", the inspection will never happen.

     

    You should use client certificates for this use case.

     

    -Seth

     

    • The-messenger

      How would you use client certificates with Outlook? Every attempt I've made returns no data.

  • Trying to do the exact same thing here, rgordon. Any resolution? Thanks!

     

    • rgordon_01

      Hi Cassidy,

       

      The company decided against allowing that and requires you to be on VPN to access the Outlook client. But I am curious about figuring out a way to make this work. If I do, I'll make sure to post the answer. Sorry.