F5 APM 2FA through SMTP
Hello, We need to perform 2FA but by using F5 only, we don't have other MFA solutions like Duo, Google Authenticator,.... So can we use F5 to generate token and send it to the user using his email address, (So a token can be generated and by iRule sent to the user email address through SMTP?) Currently, we are using internal DB for users so inside it we can add user's email address Then, F5 APM verifies the token? Please provide your feedback and the configuration required to do that. We know that in VPE there is generate and validate token, so we need to use them, but only with SMTP, directly with F5 Also, it will be great if you can recommend a free or trial for 2FA solutions to be integrated with F5 APM
APM: OWA Two factor authentication Issue
Hello, - I've exchange 2010, we needed to add APM mainly to add 2FA on OWA, but don't want to pass any other service (outlook, Active Sync, ...) to 2FA baranch, the OWA worked fine as expected, but for outlook it keeps sending authentication pop-up window, even when I enter the username and password it sends the popup window again. I can see from the capture that the 401 HTTP response is coming from F5! the issue disappears when I remove the access policy. Normal Pass before adding 2FA login page >> AD auth >> SSO mapping >> allow after adding 2FA landing URI (/Owa & /owa/) >>brnach1>> logon page >> ADP auth >> variable assign >> RSA logon >> RSA auth >> variable assign >> SSO mapping >> allow `` `>>branch2>> allow` any help to bypass all service from Access policy, noting i tried all solution including disabled access policy inside template default irule!!
Outlook Anywhere 2 Factor Authentication
Hello, since there is no native support for 2FA by Outlook Anywhere I'm wondering if it's possible to set up 2FA with SAML. For example, Outlook is connecting and authenticated by the NTLM Auth object. After this AD query finds users mobile number from AD, SAML is triggered and a iRule sends a SMS with a "magic link". The user has to open this link on his smartphone and the session is allowed. The link refers to the BigIP as SAML service provider. Something like Ping Identity does without external service provider and mobile app where you have to confirm your ID by sliding over. What do you think? Is this possible or have someone did a scenario like this already? Cheers
VDI Access Policy
I've used the Horizon View iApp to secure access to our VDI environment but I have a query regarding the access policy. During the build I said 'no' to SecureID as although I do want 2FA we are using Radius. So now I want to add 2FA auth onto the access policy. For the browser logons this is simple as I added a 3rd password field and used a variable assign to switch the fields as neccessary for either AD or Radius auth. For the client logon page though there does not seem to be an option to add a 3rd password field. My only option is to select from a dropdown whether I want the form to support Windows, RSA, Disclaimer, Radius or Smart Card. I could do the Radius auth, come back to a 2nd logon page for AD credentials, then to AD auth, but as with the browser logon I'd much prefer if this could be done on a single page. Is this possible? As a side note - why on earth does the iApp tempalte only support SecureID as a 2FA method?F5 APM and DUO Security protecting external website access with 2FA
We want to protect external website's login page with 2FA using DUO Security. We already have similar setup for OWA which works OK but this is all internally. Our F5 APM is doing AD authentication and then opens DUO iFrame page with 2nd step options i.e. DUO Push. Once authenticated with DUO Push it opens OWA page, job done. I have now built another virtual server, using same AD authentication as in above example and I need to open external website with DUO iFrame to continue with authentication and login. How do I take it to external website, do I need new webtop pointing there?Force Access Policy Depending on User
I currently have a Vs for SharePoint with no Access Policy as it only deals with trusted domain joined clients. It does have a couple of iRules; one regarding NTLM (I think to facilitate single sign-on although I didn't build this) and the second assigns a pool based on the requested URL. Our organisation has partner organisations and whilst their username UPN suffix is different we're all members of the same AD. For example I am me@org1.com and the partner organisation is them@org2.com. A requirement has arisen now whereby the partner organisation wish to put 2FA in front of the SharePoint application but I don't want to do this for everyone in the AD. Is it possible then to force some kind of policy/rule/profile that only kicks in when a user e.g. "ORG2\them" attempts to access SharePoint without forcing everyone to go through a log on process?
