Forum Discussion

Pratik_125797
Apr 15, 2013

Checking group when doing APM for activesync

Hello Experts,

I am trying to deploy APM for Exchange 2007 with F5 version 11.2.1. I can use a template to build the configuration. However, APM is needed as we need to check which group the user belongs to before passing on the traffic.

If I build a normal APM policy with a login page and so on, and I add an LDAP query for the AD group, I can achieve the purpose. But how can I do it for ActiveSync, Outlook Anywhere etc., where there is no login? The iRule _sys_APM_activesync is used, but I don't know how exactly it is used. Does it use the same APM policy as the OWA traffic, and if so, how does it bypass the login page? If I put the LDAP query in that policy, will it act the same way for ActiveSync traffic as well?

Any kind of help is much appreciated.

7 Replies

  • AndOs

    Hi!

    We recently started to use APM with ActiveSync for some of our users.

    Any new session from an ActiveSync client will traverse the access policy the same way as any normal client.

    The iRule _sys_APM_activesync sets a flag, "clientless mode", which somehow indicates to APM that it should not stop for logon pages etc.

    The iRule also sets a session variable, activesync = 1, which can be used to check if a connecting client is an ActiveSync client.

    Yes, the LDAP or AD query will act the same way for ActiveSync as for any other client.

    User credentials are sent with basic authentication from the ActiveSync client, and those get picked up and can be used with the authentication and query objects in the access policy.

    Here's an example of an access policy we use for both normal web clients and ActiveSync clients.

    One thing I've noticed is that if an ActiveSync client is denied by the access profile, say by a group check, the client will show a message saying that the username and password are incorrect.

    That caused some confusion for our users when some of them weren't in the correct AD group.

    That can probably be solved by an iRule checking if access was denied and then sending a different HTTP response than the default 401 status.

    /Andreas
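
    One way to implement the denied-access check suggested above, as an added example that is not from this thread or from F5's own _sys_APM_activesync iRule: it replaces the default 401 with a 403 for denied ActiveSync sessions so the device does not report a wrong password. It assumes the ActiveSync iRule sets a session variable named session.activesync to 1 (that name is an assumption; check the "ACCESS::session data set" lines in your iRule).

    ```tcl
    # Added example for the thread above; not F5's _sys_APM_activesync iRule.
    # Assumptions: the access profile is attached to the Exchange virtual server and
    # the ActiveSync iRule sets "session.activesync" to 1 (variable name assumed;
    # adjust it to match the "ACCESS::session data set" line in your iRule).
    when ACCESS_POLICY_COMPLETED {
        # Only act when the policy ended in a deny (for example, the AD group check failed).
        if { [ACCESS::policy result] equals "deny" } {
            set is_activesync [ACCESS::session data get "session.activesync"]
            set user [ACCESS::session data get "session.logon.last.username"]

            if { $is_activesync equals "1" } {
                # Record the denial with the username and client address so the helpdesk
                # can tell a group-membership denial from a genuine bad password.
                log local0. "APM denied ActiveSync for user '$user' from [IP::client_addr]: policy deny, not a credential failure"

                # Send 403 instead of the default 401. On a 401 the device assumes the
                # credentials are wrong; 403 says the account is valid but not permitted.
                ACCESS::respond 403 content "ActiveSync is not permitted for this account." "Content-Type" "text/plain"
            }
        }
    }
    ```

    Web clients that are denied still get the normal APM deny page, since the 403 is only sent when the session was created by the ActiveSync iRule.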

     

    • SteveVernau_132
      Hi Andreas, what is the Logon user pass box? I need to do this and I don't want the APM policy to force the ActiveSync client to try and hit a login web page, so what is that first box on your VPE that captured the creds from ActiveSync auth?
    • AndOs
      Hi! The box "Logon User pass" is a standard logon page with "Split domain from full Username" set to yes. Our config was made on 11.2.1 with the iApp that was current back then in 2013, which used the iRule _sys_APM_activesync to capture credentials. From there we added extra queries to check if a user was allowed ActiveSync. As far as I know, _sys_APM_activesync made sure that ActiveSync clients got handled separately and didn't "stop" on the logon page. We are still on 11.2.1 for our ActiveSync setup. If you are using a fairly new version, I would suggest looking into the Microsoft Exchange profile, which is available under Access Policy / Application Access. To my knowledge that profile adds the same functionality as the iRule _sys_APM_activesync. /Andreas
  • Hi Andreas,

    Thanks for the information. It was pretty useful. The iRule _sys_APM_activesync is used for Exchange 2010. Can we use it for Exchange 2007? Actually, I am receiving a TCP reset as soon as I try to intercept traffic of Exchange 2007. Are there any specific changes needed to make it work with Exchange 2007?
  • AndOs

    I've only worked with Exchange 2010, so I don't know if there's anything specific that needs to be changed for 2007.

    Looking at the iRule, it looks fairly general though.

    This article does not mention any versions either.

    sol13074: Configuring the BIG-IP APM system as a proxy for Microsoft Exchange ActiveSync

    http://support.f5.com/kb/en-us/solu...r=28900557

    /Andreas

  • Yes, it seems to be generic, and I can even see a successful APM session from the ActiveSync device, but after that I receive a TCP reset from the server and it says unauthorized user. However, there is no issue with the user credentials.