F5 Logo MyF5
Search
  1. MyF5 Home
  2. BIG-IP Access Policy Manager: Authentication Methods
  3. HTTP Basic Authentication for Microsoft Exchange Clients
Manual Chapter : HTTP Basic Authentication for Microsoft Exchange Clients

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 16.0.1, 16.0.0
Manual Chapter

HTTP Basic Authentication for Microsoft Exchange Clients

Overview: Configuring APM for Exchange clients that use HTTP Basic

Access Policy Manager (APM) requires an Exchange profile to support Microsoft Exchange clients. An Exchange profile is specified in the access profile attached to the virtual server that handles the traffic from Exchange clients.

About Exchange profiles

An Exchange profile specifies service settings for Microsoft Exchange clients. Based on the settings, Access Policy Manager (APM) identifies the client, authenticates the client and, when an SSO configuration is specified, provides SSO.
In an Exchange profile, you can specify settings for one or more of these Microsoft Exchange services:
  • ActiveSync
  • Autodiscover
  • Exchange Web Service
  • Offline Address Book
  • Outlook Anywhere
For Microsoft Exchange clients that are configured to use NTLM, you must include an NTLM authentication configuration in the Exchange profile.
With an NTLM authentication configuration, APM supports only Kerberos SSO on the back end.
An Exchange profile is specified in an access profile.

Configuring an Exchange profile

If any of the Microsoft Exchange clients you support authenticate using NTLM, you must first create these objects:
  • A machine account
  • An NTLM Auth configuration
  • At least one Kerberos SSO configuration
For Access Policy Manager (APM) to support Kerberos SSO, a delegation account is required on Active Directory.
You create an Exchange profile to specify how to handle traffic from Microsoft Exchange clients.
  1. On the Main tab, click
    Access
    Connectivity / VPN
    Microsoft Exchange
    .
    A list of Exchange profiles displays.
  2. Click
    Create
    .
    A Create New Exchange Profile popup screen displays general settings.
  3. In the
    Exchange Name
     field, type a name for the Exchange profile.
  4. From the
    Parent Profile
     list, select a profile.
    The Exchange profile inherits settings from the parent profile that you select.
    APM supplies a default Exchange profile named exchange.
  5. Repeat these steps for one or more Microsoft Exchange services:
    1. From Service Settings on the left, select an Exchange service.
      Settings for the service are displayed in the right pane.
    2. In the
      URL
       field, retain any default settings that are displayed or type a path to use to match the Exchange client.
      Default settings for this field are supplied in the default exchange profile.
    3. From the
      Front End Authentication
       list, select the type of authentication to use:
      Basic
      ,
      Basic-NTLM
      , or
      NTLM
      .
      Only the applicable authentication types for the particular the Exchange service are included on the list.
      If you select
      NTLM
       or
      Basic-NTLM
      , you must also select a configuration from
      NTLM Configuration
       list on the General Settings screen.
    4. From the
      SSO Configuration
       list, select an SSO configuration, if needed, for use after initial login.
      For
      Basic-NTLM
      and
      NTLM
       authentication types, only Kerberos SSO is supported.
    You configured settings for one or more Microsoft Exchange services.
  6. Click
    OK
    .
    The screen closes.
The Exchange profile is displayed on the list.
Apply this Exchange profile by adding it to an access profile.

Creating an access profile for Exchange clients

You create an access profile to provide the access policy configuration for a virtual server that establishes a secured session. You add an Exchange profile to the access profile to specify how to handle traffic from Microsoft Exchange clients.
  1. On the Main tab, click
    Access
    Profiles / Policies
    .
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click
    Create
    .
    The New Profile screen opens.
  3. In the
    Name
     field, type a unique name for the access profile.
  4. In the Configurations area from the
    Exchange
     list, select an Exchange profile.
    Exchange profiles specify any SSO configurations for Microsoft Exchange services, such as Autodiscover, Outlook Anywhere, and so on. The configuration in the Exchange profile is used for Microsoft Exchange clients regardless of any SSO configuration you select from the
    SSO Configuration
     list in this access profile.
  5. In the Language Settings area, add and remove accepted languages, and set the default language.
    If no browser language matches one in the accepted languages list, the browser uses the default language.
  6. Click
    Finished
    .
  7. To change from using the default-log-settings that APM automatically adds to the access profile, you can do this.:
    Logging occurs for a session only when a log setting is specified for the access profile.
    1. Click the name of the access profile.
      The Properties screen opens.
    2. On the menu bar, click
      Logs
      .
      The General Properties screen opens.
    3. In the Log Settings area, move log settings from the
      Available
       list to the
      Selected
       list.
    4. Click
      Update
      .
    You can configure log settings in the
    Access
    Overview
    Event Log
    Settings
    area of the product.
The access profile displays in the Access Profiles List. Default-log-setting is assigned to the access profile.

Verify log settings for the access profile

Confirm that the correct log settings are selected for the access profile to ensure that events are logged as you intend.
Log settings are configured in the
Access
Overview
Event Log
Settings
area of the product. They enable and disable logging for access system and URL request filtering events. Log settings also specify log publishers that send log messages to specified destinations.
  1. On the Main tab, click
    Access
    Profiles / Policies
    .
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click the name of the access profile that you want to edit.
    The properties screen opens.
  3. On the menu bar, click
    Logs
    .
    The access profile log settings display.
  4. Move log settings between the
    Available
     and
    Selected
     lists.
    You can assign up to three log settings that enable access system logging to an access profile. You can assign additional log settings to an access profile provided that they enable logging for URl request logging only.
    Logging is disabled when the
    Selected
     list is empty.
  5. Click
    Update
    .
An access profile is in effect when it is assigned to a virtual server.

Configuring an access policy for Microsoft Exchange clients

Before you configure this access policy, you must have an AAA Active Directory server configured in Access Policy Manager.
You configure an access policy to support Microsoft Exchange clients with login, HTTP basic authentication, and SSO.
This access policy does not support Microsoft Exchange clients that are configured to authenticate using NTLM.
  1. On the Main tab, click
    Access
    Profiles / Policies
    .
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the
    Edit
     link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. On a policy branch, click the
    (+)
     icon to add an item to the policy.
    A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
  4. On the Logon tab, select
    Logon Page
     and click the
    Add Item
     button.
    The Logon Page Agent properties screen opens.
  5. Make any changes that you require to the properties and click
    Save
    .
    The properties screen closes and the policy displays.
  6. On the fallback branch after the previous action, click the
    (+)
     icon to add an item to the policy.
    A popup screen opens.
  7. On the Authentication tab, select
    AD Auth
    .
    A properties screen displays.
  8. From the
    Server
     list, select a server.
  9. Click
    Save
    .
    The properties screen closes and the policy displays.
  10. On the Successful branch after the previous action, click the
    (+)
     icon.
    A popup screen opens.
  11. On the Assignment tab, select
    SSO Credential Mapping
     and click
    Add Item
    .
    A properties screen opens.
  12. Click
    Save
    .
    The properties screen closes and the policy displays.
  13. Click the
    Apply Access Policy
     link to apply and activate the changes to the policy.
To apply this access policy to network traffic, add the access profile to a virtual server.
To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.

Adding the access profile to the virtual server

You associate the access profile with the virtual server so that the system can apply the profile to incoming traffic.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. In the Access Policy area, from the
    Access Profile
     list, select the access profile that you configured earlier.
  4. Click
    Update
     to save the changes.
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information