Forum Discussion

AndOs
May 08, 2013

MS ActiveSync with APM and On-demand Cert Auth

Hello!

I'm trying to add certificate authentication for ActiveSync to an existing Exchange 2010 installation.

The Exchange implementation uses a single VIP for all HTTP-based services, so dynamically requesting a certificate from the device if it's calling ActiveSync would be ideal.

I'm following the document "Enhancing Exchange Mobile Device Security with the F5 BIG-IP Platform" which seems to describe a method for doing this.

http://www.f5.com/pdf/white-papers/...-brief.pdf

On page 9-10 there's a description of dynamically requesting a certificate with APM using On-demand cert auth.

To test I've made a really simple access profile, basically the same as on page 10. Just an AD auth, a check if it's active sync or not, and then an On-demand cert auth set to Require.

The ssl profile contains my trusted CAs and advertised CAs.

The problem I'm having is that after an activesync client sends its first request (OPTIONS /Microsoft-Server-ActiveSync), the client gets redirected to /my.policy, and then APM seems to stop processing the request.

An error is logged to apm log:

err apd[9778]: 01490000:3: HTTPParser.cpp func: "parseHttpRequestHeader()" line: 174 Msg: Unknown HTTP method: OPTIONS
err apd[9778]: 01490093:3: 00000000: Request header parsing failed while processing request from remote client
err apd[9778]: 01490000:3: AccessPolicyD.cpp func: "process_request()" line: 759 Msg: EXCEPTION AccessPolicyD.cpp line:676 function: process_request - error reading from socket
debug apd[9778]: 01490000:7: AccessPolicyD.cpp func: "sendAccessPolicyResponse()" line: 1341 Msg: send 'error' code

I found this post describing the same error

https://devcentral.f5.com/community...824/asg/52

But the problem there seemed to be that the _sys_APM_activesync irule wasn't attached to the VIP.

Here, we already have the functionality of _sys_APM_activesync added by the irules created from exchange iApp 2012-06-08.

I've set APM to do debug logging and done a few tests, and it looks quite good until the certificate is received.

I've verified with wireshark that the client certificate is sent in the ssl handshake.

The last few lines in the debug log also show that the certificate is received by APM "session.ssl.cert.exist: 1 session.ssl.cert.issuer: CN=Company CA,DC=domain......".

If the On-demand cert auth element is removed to restore the access profile to just plain AD authentication, sync works without any issues.

Running on TMOS v11.2.1 HF4

Just reading the tech brief, it looks like it should be really simple :)

Has anyone been able to use on-demand cert auth together with activesync?

Any help appreciated.

/Andreas
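An added example, not code from the post or from F5: a small Python checker that runs over the four apd log lines quoted above and flags the pattern described here, apd rejecting ActiveSync's opening OPTIONS request, which the replies attribute to the request being processed by the access policy instead of in clientless mode. The line regex, the field names and the sample string are assumptions based only on the lines as quoted.

```python
import re
from collections import Counter

# Constructed sample: the four apd lines quoted in the post, as one string
# (on a BIG-IP they would be read from /var/log/apm instead).
SAMPLE_APM_LOG = """\
err apd[9778]: 01490000:3: HTTPParser.cpp func: "parseHttpRequestHeader()" line: 174 Msg: Unknown HTTP method: OPTIONS
err apd[9778]: 01490093:3: 00000000: Request header parsing failed while processing request from remote client
err apd[9778]: 01490000:3: AccessPolicyD.cpp func: "process_request()" line: 759 Msg: EXCEPTION AccessPolicyD.cpp line:676 function: process_request - error reading from socket
debug apd[9778]: 01490000:7: AccessPolicyD.cpp func: "sendAccessPolicyResponse()" line: 1341 Msg: send 'error' code
"""

# Assumed line shape, derived from the quoted lines: "<level> apd[<pid>]: <code>:<sev>: <msg>"
LINE_RE = re.compile(
    r"^(?P<level>\w+) apd\[(?P<pid>\d+)\]: (?P<code>[0-9a-f]{8}):(?P<sev>\d): (?P<msg>.*)$")
UNKNOWN_METHOD_RE = re.compile(r"Unknown HTTP method: (?P<method>[A-Z_]+)")
HEADER_PARSE_FAILED = "01490093"  # message code of the "Request header parsing failed" line


def parse_apd_line(line):
    """Split one apd syslog line into its fields; None for lines in another format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def diagnose(log_text):
    """Summarise apd parser failures in the given log text.

    ActiveSync clients open with OPTIONS /Microsoft-Server-ActiveSync. If apd
    rejects that method, the device request went through the browser-style
    access policy (the /my.policy redirect) rather than being handled in
    clientless mode, which is what the _sys_APM_activesync iRule is meant to do.
    """
    rejected = Counter()
    header_failures = 0
    for line in log_text.splitlines():
        rec = parse_apd_line(line)
        if rec is None:
            continue
        if rec["code"] == HEADER_PARSE_FAILED:
            header_failures += 1
        m = UNKNOWN_METHOD_RE.search(rec["msg"])
        if m:
            rejected[m.group("method")] += 1
    return {
        "rejected_methods": dict(rejected),
        "header_parse_failures": header_failures,
        "activesync_handled_by_policy": rejected.get("OPTIONS", 0) > 0,
    }
```

Running `diagnose(SAMPLE_APM_LOG)` on the quoted lines reports one rejected OPTIONS request and one header-parse failure; a clean clientless-mode setup should report neither.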

4 Replies

  • A few things:

    1. The _sys_APM_activesync iRule should enable clientless mode for ActiveSync traffic, so you shouldn't see a redirect to /my.policy. I believe that redirect will certainly break things.

    2. I've personally experienced issues with ActiveSync and the APM OnDemand Cert Auth agent. Try removing that and enabling certificate request or require in the client SSL profile.
  • Unfortunately On-demand certificate authentication does not work reliably with all ActiveSync clients, and thus is not supported. I played around with it today, and it worked for me on Android, but then did not work on iOS 6. As Kevin said, you need to have a dedicated VS for ActiveSync and have client cert required in the clientssl profile and then have a Certificate Inspection action in the VPE.
  • AndOs
    Ah, ok.

    Thanks for the info.

    Using a separate VIP with a separate client profile would work around the problem, but it would have been so nice just to be able to use On-demand, because it would drop right in to our current setup.

    I'm a bit curious though, how those who wrote the tech brief managed to get it to work.

    Could there have been some change in newer tmos versions that made it stop working?

    Would it be possible to make a request for enhancement for this feature?

    /Andreas
  • It has something to do with the way APM responds when it performs On-Demand renegotiations; it looks like some ActiveSync clients don't like it too much. I had it working for an Android device yesterday but could not get it to work on iOS 6, for example. It would be great if it was possible and we are going to log it as an RFE.