AndOs
May 08, 2013, Cirrostratus
MS ActiveSync with APM and On-demand Cert Auth
Hello!
I'm trying to add certificate authentication for ActiveSync to an existing Exchange 2010 installation.
The Exchange implementation uses a single VIP for all HTTP-based services, so dynamically requesting a certificate from the device if it's calling ActiveSync would be ideal.
I'm following the document "Enhancing Exchange Mobile Device Security with the F5 BIG-IP Platform" which seems to describe a method for doing this.
http://www.f5.com/pdf/white-papers/...-brief.pdf
On page 9-10 there's a description of dynamically requesting a certificate with APM using On-demand cert auth.
To test I've made a really simple access profile, basically the same as on page 10: just an AD auth, a check if it's ActiveSync or not, and then an On-demand cert auth set to Require.
The ssl profile contains my trusted CAs and advertised CAs.
The problem I'm having is that after an activesync client sends its first request (OPTIONS /Microsoft-Server-ActiveSync), the client gets redirected to /my.policy, and then APM seems to stop processing the request.
An error is logged to apm log:
err apd[9778]: 01490000:3: HTTPParser.cpp func: "parseHttpRequestHeader()" line: 174 Msg: Unknown HTTP method: OPTIONS
err apd[9778]: 01490093:3: 00000000: Request header parsing failed while processing request from remote client
err apd[9778]: 01490000:3: AccessPolicyD.cpp func: "process_request()" line: 759 Msg: EXCEPTION AccessPolicyD.cpp line:676 function: process_request - error reading from socket
debug apd[9778]: 01490000:7: AccessPolicyD.cpp func: "sendAccessPolicyResponse()" line: 1341 Msg: send 'error' code
I found this post describing the same error
https://devcentral.f5.com/community...824/asg/52
But the problem there seemed to be that the _sys_APM_activesync iRule wasn't attached to the VIP.
Here, we already have the functionality of _sys_APM_activesync added by the iRules created from the Exchange iApp 2012-06-08.
I've set APM to do debug logging and done a few tests, and it looks quite good until the certificate is received.
I've verified with wireshark that the client certificate is sent in the ssl handshake.
The last few lines in the debug log also show that the certificate is received by APM "session.ssl.cert.exist: 1 session.ssl.cert.issuer: CN=Company CA,DC=domain......".
If the on-demand cert auth element is removed to restore the access profile to just plain AD authentication, sync works without any issues.
Running on TMOS v11.2.1 HF4
Just reading the tech brief, it looks like it should be really simple :)
Has anyone been able to use on-demand cert auth together with activesync?
Any help appreciated.
/Andreas
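An added example (not part of the original post, and not F5 code): a small parser for the apd log format quoted above, which triages the "Unknown HTTP method" / "Request header parsing failed" pair per apd process so that requests rejected by the APM HTTP parser can be spotted and counted by method in a larger debug log. It assumes the line layout `<level> apd[<pid>]: <code>:<severity>: <message>` seen in the post; the sample log embeds the four lines from the post plus two constructed lines (the "New session" notice and the second pid) that are not from the original.

```python
import re
from collections import Counter

# Layout assumed from the lines quoted in the post:
#   <level> apd[<pid>]: <code>:<severity>: <message>
APD_LINE = re.compile(
    r'^(?P<level>\w+)\s+(?P<proc>\w+)\[(?P<pid>\d+)\]:\s+'
    r'(?P<code>[0-9A-Fa-f]{8}):(?P<severity>\d):\s+(?P<msg>.*)$'
)
UNKNOWN_METHOD = re.compile(r'Unknown HTTP method:\s+(?P<method>[A-Z]+)')
HEADER_FAILED = 'Request header parsing failed'

# Constructed sample log: the first four lines are the ones quoted in the post,
# the "notice" line and the pid 9801 lines are made up for illustration.
SAMPLE_LOG = [
    'err apd[9778]: 01490000:3: HTTPParser.cpp func: "parseHttpRequestHeader()" line: 174 Msg: Unknown HTTP method: OPTIONS',
    'err apd[9778]: 01490093:3: 00000000: Request header parsing failed while processing request from remote client',
    'err apd[9778]: 01490000:3: AccessPolicyD.cpp func: "process_request()" line: 759 Msg: EXCEPTION AccessPolicyD.cpp line:676 function: process_request - error reading from socket',
    'debug apd[9778]: 01490000:7: AccessPolicyD.cpp func: "sendAccessPolicyResponse()" line: 1341 Msg: send \'error\' code',
    'notice apd[9778]: 01490500:5: constructed: New session from client IP 192.0.2.10',
    'err apd[9801]: 01490000:3: HTTPParser.cpp func: "parseHttpRequestHeader()" line: 174 Msg: Unknown HTTP method: OPTIONS',
    'err apd[9801]: 01490093:3: 00000000: Request header parsing failed while processing request from remote client',
]


def parse_apd_line(line):
    """Split one apd log line into its fields, or return None if it does not match."""
    m = APD_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['pid'] = int(rec['pid'])
    rec['severity'] = int(rec['severity'])
    return rec


def find_parse_failures(lines):
    """Return [(pid, method), ...] for each 'Unknown HTTP method' event that is
    followed, on the same apd pid, by a 'Request header parsing failed' event.
    Pairing on pid keeps interleaved output from several apd workers apart."""
    pending = {}   # pid -> method seen but not yet confirmed by a parse failure
    failures = []
    for line in lines:
        rec = parse_apd_line(line)
        if rec is None:
            continue          # not an apd line in the expected layout; skip it
        um = UNKNOWN_METHOD.search(rec['msg'])
        if um:
            pending[rec['pid']] = um.group('method')
            continue
        if HEADER_FAILED in rec['msg'] and rec['pid'] in pending:
            failures.append((rec['pid'], pending.pop(rec['pid'])))
    return failures


def failures_by_method(lines):
    """Count confirmed parser rejections per HTTP method, e.g. {'OPTIONS': 2}."""
    return Counter(method for _pid, method in find_parse_failures(lines))


if __name__ == '__main__':
    for pid, method in find_parse_failures(SAMPLE_LOG):
        print(f'apd[{pid}] rejected request with method {method}')
    print(dict(failures_by_method(SAMPLE_LOG)))
```

Running it against a real /var/log/apm extract makes it obvious whether every rejection is the ActiveSync OPTIONS request or whether other methods are also being bounced to /my.policy, which narrows the question to the iRule/policy handoff rather than the certificate itself.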