Forum Discussion

Jason_19901
Jul 19, 2013

Outlook and SecurID road blocks: need help

1) Can F5 APM be used for two factor (SecurID) without installing RSA agent on CAS Hub?

2) Can APM be used to filter by user/AD Group to decide which CAS Hub to send user to? (iRule here?)

Can anyone provide assistance? A brief overview of how these can be done?

thanks

3 Replies

  • Yes, of course, although implementation is not very trivial for the first one. The gist is as follows:

    You can have users enter both their RSA passcode and AD password in the OA password field, then have APM separate them, authenticate against RSA, and then against AD. The challenge is that authentication between APM and OA client will be Basic, and normally we just would pass that Basic header to CAS after we validate credentials, so that CAS is happy. If the Basic header between OA client and CAS contains encoding of both RSA token and password, you'd need to manipulate it to erase it before sending to CAS and using a straight Basic SSO on the back-end with just AD password. This is not for the faint of heart to customize this behavior - I'd recommend using professional services for this. Another option is to have the user come in to the website and authenticate via RSA first. Then it's much easier to amend APM config to stick username and their source IP in the table for x number of seconds, so when the user launches Outlook after authenticating to APM via browser using RSA, there would be a small iRule addition to check whether username exists in the 2-factor authenticated table, and if so, would proceed to allow their AD authentication and further access - this is my preferred method because it's much easier to implement.

    For 2, it's very easy - just use AD Query and pool assignment to send the user to the right pool based upon any of their attributes/memberships, etc. No iRule would be necessary, unless you really insist on sending to a particular CAS instead of a pool of CAS. If you search for "Exchange Migration" on DevCentral, you will find a video/reference to how this is done in Exchange 2007->2010 migration use case - for you, it would be very similar.
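The "preferred method" in the reply above (browser login with RSA first, then a table entry of username and source IP that an iRule checks when Outlook Anywhere connects) sketched as an iRule. This is an added illustration, not code from the thread or from F5; the subtable name `twofactor_ok`, the 600-second lifetime (the reply's "x number of seconds"), the `/rpc/` path used to recognise Outlook Anywhere traffic, and the assumption that the browser-facing and Outlook Anywhere virtual servers can share the BIG-IP session table are all assumptions made here.

```tcl
# Added example, not from the original thread. Assumed: subtable "twofactor_ok",
# a 600 s entry lifetime, and that Outlook Anywhere arrives on paths under /rpc/.

# --- Part 1: attach to the browser-facing virtual server where the APM policy
#     performs RSA SecurID authentication. When the policy ends in "allow",
#     remember username -> client IP for a limited time.
when ACCESS_POLICY_COMPLETED {
    if { [ACCESS::policy result] equals "allow" } {
        set user [string tolower [ACCESS::session data get session.logon.last.username]]
        # key = username, value = source IP; both timeout and lifetime are 600 s (assumed)
        table set -subtable twofactor_ok $user [IP::client_addr] 600 600
        log local0. "2FA recorded for $user from [IP::client_addr]"
    }
}

# --- Part 2: attach to the Outlook Anywhere virtual server. HTTP_REQUEST fires
#     before the access policy, so an Outlook client without a recent RSA login
#     is refused before APM ever tries AD authentication.
when HTTP_REQUEST {
    # Only gate the RPC-over-HTTP path; leave OWA and other paths alone (assumed path)
    if { !([string tolower [HTTP::path]] starts_with "/rpc/") } { return }

    # Outlook Anywhere presents credentials as HTTP Basic: "Basic base64(user:password)"
    set auth [HTTP::header value "Authorization"]
    if { !([string tolower $auth] starts_with "basic ") } {
        HTTP::respond 401 WWW-Authenticate "Basic realm=\"Outlook Anywhere\"" Connection close
        return
    }

    set decoded [b64decode [string trim [string range $auth 6 end]]]
    if { $decoded equals "" } {
        # Malformed base64: reject rather than guess
        HTTP::respond 400 content "Bad Authorization header" Connection close
        return
    }

    # Username is everything before the first ":" (password may itself contain ":")
    set user [string tolower [getfield $decoded ":" 1]]
    # Normalise DOMAIN\user to user so it matches what the browser login stored
    if { [string first "\\" $user] >= 0 } {
        set user [lindex [split $user "\\"] end]
    }

    # Entry exists and was created from this same source IP?
    set allowed_ip [table lookup -subtable twofactor_ok $user]
    if { $allowed_ip equals "" || !($allowed_ip equals [IP::client_addr]) } {
        log local0. "OA denied: $user from [IP::client_addr] has no current RSA authentication"
        HTTP::respond 401 WWW-Authenticate "Basic realm=\"Outlook Anywhere\"" Connection close
        return
    }
    # Username is in the 2-factor table from the same IP: fall through and let the
    # APM policy on this virtual server perform the normal AD authentication and SSO.
}
```

The check is deliberately on both the username and the source IP, so that knowing a username alone is not enough to reach the AD logon step; the table entry expires on its own, so there is nothing to clean up. The two `when` blocks would normally live in two iRules, one per virtual server, and the `table` subtable is what links them.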
  • The way I see their network, they have OWA hosted by a pair of LTMs and want to then offload the APM function to another pair. It would seem the APM would have to be in front of the APM? Correct?