waterfall_10467
Jul 23, 2013

Machine Cert Auth for Microsoft Outlook Anywhere

Hello There,

I need your help about the subject. Because I have taken an order from our security executives, and they say that all clients must come to the virtual server through APM access. Then I have configured my Exchange virtual server with an APM policy which uses machine cert auth. When I test the access, no issue has occurred with OWA. I mean that I requested a new cert from the MS CA for my test client and I imported the necessary cert, key and chain to the BIG-IP, and I have seen that everything is fine for OWA. As you know, the client downloads a plugin from the browser so that its local machine cert, which was loaded from the MS CA, can be inspected by the BIG-IP. As mentioned above, no problem on that. But I have an issue about Outlook Anywhere, because the scenario does not work correctly on the BIG-IP. When I check the iApp I see three configuration types, but we have an active and standby unit, so I cannot configure the BIG-IP as external and internal devices; so I need to configure the Outlook Anywhere access on the single BIG-IP. However, when I check F5's knowledge base, it seems to me that it says that F5 doesn't support machine cert auth for Outlook Anywhere. That's why I would like to be confirmed whether F5 supports Outlook Anywhere with machine cert auth, and if it is supported, how? By the way, to test I downloaded the Edge Client on a Windows client from the BIG-IP and installed it, but unfortunately the result hasn't changed.

Another request is about SSO. They would like to do web SSO without using the logon page. You know, firstly the client comes to the virtual server by using its local machine cert, and if its cert is validated, the BIG-IP will access the mailbox. After the client writes username and password, the BIG-IP will use those credentials that were entered by the client, if request possible

The microsoft exchange cas_2010_06 template is being used on the BIG-IP for CAS 2010, and version 11.2.1 is running on the BIG-IP.

Many thanks in advance for your support.

Kind regards,

8 Replies

  • It is not about F5 supporting it - it's the fact that the Outlook client itself does not support machine certificate authentication. F5 CAN help - however, it's not the most trivial implementation and I would suggest engaging professional services for this. The gist is as follows:

    User connects to the APM virtual server using their browser. APM performs user AD authentication as well as machine certificate authentication (since we can do it from the browser's realm). Then the user name and source IP address need to be stored in a table (using a very simple iRule) with an expiration time of x number of seconds.

    Then you have to modify your APM policy for Outlook Anywhere to detect Outlook Anywhere traffic specifically, and once OA traffic is detected, branch out and raise an iRule event right after the Login Page object to check whether the username supplied and source IP address exist in the table - if they don't, it means that the user has not authenticated within the previous x seconds using a machine certificate and you will deny their session as a result.
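    One way to wire up the table check outlined in the reply above, as an added example that is not code from this thread, from F5 or from the Exchange iApp. It assumes both access policies run on the same BIG-IP, that the OA branch contains an iRule Event agent with ID `oa_check` placed right after the Logon Page, and that the subtable name, the 600-second expiry and the `session.custom.oa_ok` variable are all names chosen here.

```tcl
# Added example (not from the thread). Assumptions:
#  - browser-facing policy runs Machine Cert Auth + AD auth on this same BIG-IP
#  - OA policy branch has an "iRule Event" agent with ID "oa_check" after the Logon Page
#  - subtable name, 600 s timeout and session.custom.oa_ok are chosen here
when ACCESS_POLICY_COMPLETED {
    # Browser session finished: record username + client IP only if the policy
    # allowed the session and the machine-certificate check succeeded.
    if { [ACCESS::policy result] eq "allow" } {
        set user [string tolower [ACCESS::session data get "session.logon.last.username"]]
        set mc   [ACCESS::session data get "session.check_machinecert.last.result"]
        if { $user ne "" && $mc eq "1" } {
            # key = client IP, value = username; entry expires 600 s after last touch
            table set -subtable "oa_machauth" [IP::client_addr] $user 600
            log local0. "oa_machauth: recorded $user from [IP::client_addr]"
        }
    }
}

when ACCESS_POLICY_AGENT_EVENT {
    # Raised by the iRule Event agent in the Outlook Anywhere branch.
    if { [ACCESS::policy agent_id] eq "oa_check" } {
        set user [string tolower [ACCESS::session data get "session.logon.last.username"]]
        set seen [table lookup -subtable "oa_machauth" [IP::client_addr]]
        if { $seen ne "" && $seen eq $user } {
            # Same user, same source IP, within the window: let the branch continue.
            ACCESS::session data set "session.custom.oa_ok" 1
        } else {
            # No recent machine-cert browser session for this user/IP pair.
            # A VPE branch rule on session.custom.oa_ok routes this to Deny.
            ACCESS::session data set "session.custom.oa_ok" 0
            log local0. "oa_machauth: no recent machine-cert session for $user from [IP::client_addr]"
        }
    }
}
```

    The branch rule after the iRule Event agent would be `expr { [mcget {session.custom.oa_ok}] == 1 }`; note that the `table` is local to the device (entries do not survive a failover to the standby) and that keying on source IP breaks for clients behind a shared NAT.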
  • Could you not just use an app tunnel? Since Outlook Anywhere cannot establish the APM session with all the checks you need, it seems like an App Tunnel would be your next best thing.

    Seth
  • Seth, Hello,

    Firstly, thank you for the response, but as I mentioned above we must do it without a login page. I mean that they don't wanna use the implementation by using AD or any authentication; already all clients are in the local network to test, so the BIG-IP inspects whether the client's local or current user cert is valid for the Windows clients. OK, I know that to do this with iOS or Android we have to install the Edge Client on the mobile phones which use Android or iOS. That's why I think an app tunnel doesn't work for the implementation. Does it?

    Regards,

  • Hello Michael,

    Thank you for the response.

    As far as I understand, in any case we have to use the browser to be inspected for the OA local or current user machine cert. Right? What I understand is that clients first come to the APM virtual server, then they connect to the system and run OA. Are there examples for the iRules which you mentioned? But I would like to point out that a different load balancer has done the implementation at a different bank. Well, how can we perform a workaround for iOS and Android mobile phones which use ActiveSync to connect to the mail server? How to configure Edge Clients or the APM access policy; does on-demand cert auth configuration work for mobile phones?

    Regards,


  • For doing two-factor authentication for ActiveSync devices, you can follow the instructions here:

    http://www.f5.com/pdf/white-papers/exchange-mobile-device-security-tech-brief.pdf

    I will try to mock up the OA scenario in my lab and try to post details.