I've seen a few threads, tagged on to some of them, but still no real solid answers. I would like to know the recommended / best config to implement client certificate authentication for ActiveSync.
There are references to the built-in iRule _sys_apm_activesync as a solution, but also several comments from F5 that it is highly preferred to use the Exchange iApp.
I am provisioning the client cert from AirWatch. My current config is good for passing the cert check, I have not yet stepped into using the cert for authentication.
I see a few options, what is best?
Which is preferred for ActiveSync (EAS)?
- Configure a 2nd iApp specific to EAS, remove the iRules, and add the _sys_apm_activesync iRule to the Exchange profile?
- Configure a 2nd iApp specific to EAS and keep the iRules and Exchange profile? If so, what is recommended for client cert auth?
- Configure without the iApp and use the _sys_apm_activesync iRule?
Configure 2nd iApp for EAS, keep iRules, attached 'exchange' profile. The APM docs on AskF5 outline on-demand cert auth: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-12-0-0/17.html#conceptid. The proper APM profile should handle clientless mode.
I have done as you suggest.
Configured second iapp with ActiveSync specific selections.
Configured ClientSSL profile adding the client authentication information.
Prior to this I configured our AD Certificate Authority.
In the Access profile, I have added a client cert inspection branch before the logon page.
AirWatch sends the cert/payload, APM checks for a valid cert, and sends on to the next step in the policy. iOS and Android devices are checking successfully.
Thanks for the help on this, Fred. Going back to this thread, I am good with verifying the cert issued by our CA; I can require it as 1 authentication method. But I have not been able to use it as my only authentication method; there are pieces missing.
I've seen an AskF5 guide for this with older versions, but nothing for 12.1.1 or beyond. Have you seen a doc, or can you help, with the pieces required for client cert auth with no password?
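Behind the "cert as the only authentication method" step this thread is after, the policy has to establish three things before it trusts the cert as an identity: that it chains to the issuing CA (issuer name and signature), that it is inside its validity window, and that it carries an identity (the UPN in the SAN) to log the user in as. The block below is an added example, not code from the thread or from F5, that performs those checks with pyca/cryptography on constructed certificates: a throwaway CA, a good device cert, and one with the right issuer name but signed by the wrong key. The UPN otherName OID is Microsoft's real one; the names and the jdoe@corp.example UPN are made up.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")  # Microsoft User Principal Name
UTC = datetime.timezone.utc

def build_cert(subject, issuer, pub, signer, san=None, is_ca=False):
    # Constructed test certificate: a CA when is_ca, otherwise a client (device) cert.
    now = datetime.datetime.now(UTC)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(pub).serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(minutes=5))
         .not_valid_after(now + datetime.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if san:
        b = b.add_extension(san, critical=False)
    return b.sign(signer, hashes.SHA256())
def upn_san(upn):
    # SAN carrying the UPN as otherName: DER UTF8String (tag 0x0c, short-form length).
    raw = upn.encode()
    return x509.SubjectAlternativeName([x509.OtherName(UPN_OID, b"\x0c" + bytes([len(raw)]) + raw)])
def authenticate_by_cert(cert, ca_cert):
    # Returns (upn, "ok") when the cert may stand in for a password, else (None, reason).
    if cert.issuer != ca_cert.subject:
        return None, "issuer is not our CA"
    try:  # the chain check: the CA's key must have produced this signature over the TBS bytes
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
    except Exception:
        return None, "signature does not verify against the CA key"
    if not (cert.not_valid_before <= datetime.datetime.utcnow() <= cert.not_valid_after):
        return None, "outside validity period"
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return None, "no SAN, cannot map the cert to a user"
    for other in san.get_values_for_type(x509.OtherName):
        if other.type_id == UPN_OID and other.value[:1] == b"\x0c":
            return other.value[2:2 + other.value[1]].decode(), "ok"
    return None, "no UPN in SAN"
def demo():
    ca_key, rogue_key, user_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Corp Issuing CA")])
    user = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "jdoe")])
    ca = build_cert(ca_name, ca_name, ca_key.public_key(), ca_key, is_ca=True)
    good = build_cert(user, ca_name, user_key.public_key(), ca_key, upn_san("jdoe@corp.example"))
    forged = build_cert(user, ca_name, user_key.public_key(), rogue_key, upn_san("jdoe@corp.example"))
    return authenticate_by_cert(good, ca), authenticate_by_cert(forged, ca)
```

The forged cert carries the correct issuer name and a valid UPN, so only the signature check rejects it; that is the check a cert-only branch cannot skip, and the UPN it returns for the good cert is the value you would feed to the AD query in place of the logon page.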