Manual Chapter : HTTP Basic Authentication for Microsoft Exchange Clients

Applies To:

BIG-IP APM

  • 11.5.1

Overview: Configuring APM for Exchange clients that use HTTP Basic

Access Policy Manager (APM) requires an Exchange profile to support Microsoft Exchange clients. An Exchange profile is specified in the access profile attached to the virtual server that handles the traffic from Exchange clients.

About Exchange profiles

An Exchange profile specifies service settings for Microsoft Exchange clients. Based on the settings, Access Policy Manager (APM) identifies the client, authenticates the client and, when an SSO configuration is specified, provides SSO.

In an Exchange profile, you can specify settings for one or more of these Microsoft Exchange services:

  • ActiveSync
  • Autodiscover
  • Exchange Web Service
  • Offline Address Book
  • Outlook Anywhere

For Microsoft Exchange clients that are configured to use NTLM, you must include an NTLM authentication configuration in the Exchange profile.

Note: With an NTLM authentication configuration, APM supports only Kerberos SSO on the back end.

An Exchange profile is specified in an access profile.

Task summary for Exchange clients that use HTTP Basic authentication

Task list

Configuring an Exchange profile

If any of the Microsoft Exchange clients you support authenticate using NTLM, you must first create these objects:
  • A machine account
  • An NTLM Auth configuration
  • At least one Kerberos SSO configuration

Note: For Access Policy Manager (APM) to support Kerberos SSO, a delegation account is required on Active Directory.
You create an Exchange profile to specify how to handle traffic from Microsoft Exchange clients.
  1. On the Main tab, click Access Policy > Application Access/Microsoft Exchange. A list of Exchange profiles displays.
  2. Click Create. A Create New Exchange Profile popup screen displays general settings.
  3. In the Exchange Name field, type a name for the Exchange profile.
  4. From the Parent Profile list, select a profile. The Exchange profile inherits settings from the parent profile that you select.
    Note: APM supplies a default Exchange profile named exchange.
  5. Repeat these steps for one or more Microsoft Exchange services:
    1. From Service Settings on the left, select an Exchange service. Settings for the service are displayed in the right pane.
    2. In the URL field, retain any default settings that are displayed or type a path to use to match the Exchange client. Default settings for this field are supplied in the default exchange profile.
    3. From the Front End Authentication list, select the type of authentication to use: Basic, Basic-NTLM, or NTLM. Only the authentication types that apply to the particular Exchange service are included on the list.
      Note: If you select NTLM or Basic-NTLM, you must also select a configuration from the NTLM Configuration list on the General Settings screen.
    4. From the SSO Configuration list, select an SSO configuration, if needed, for use after initial login. For Basic-NTLM and NTLM authentication types, only Kerberos SSO is supported.
    You configured settings for one or more Microsoft Exchange services.
  6. Click OK. The screen closes.
The Exchange profile is displayed on the list.
Apply this Exchange profile by adding it to an access profile.

Creating an access profile for Exchange clients

You create an access profile to provide the access policy configuration for a virtual server that establishes a secured session. You add an Exchange profile to the access policy to specify how to handle traffic from Microsoft Exchange clients.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. Click Create. The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
  4. Optional: In the Configurations area from the Exchange list, select an Exchange profile. Exchange profiles specify any SSO configurations for Microsoft Exchange services, such as Autodiscover, Outlook Anywhere, and so on. The configuration in the Exchange profile is used for Microsoft Exchange clients regardless of any SSO configuration you select from the SSO Configuration list in this access profile.
  5. In the Language Settings area, add and remove accepted languages, and set the default language. A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  6. Click Finished.
The access profile appears in the Access Profiles List.

Configuring an access policy for Microsoft Exchange clients

Before you configure this access policy, you must have an AAA Active Directory server configured in Access Policy Manager.
You configure an access policy to support Microsoft Exchange clients with login, HTTP basic authentication, and SSO.
Note: This access policy does not support Microsoft Exchange clients that are configured to authenticate using NTLM.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. In the Access Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
  3. On an access policy branch, click the (+) icon to add an item to the access policy. A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
  4. On the Logon tab, select Logon Page and click the Add Item button. The Logon Page Agent properties screen opens.
  5. Make any changes that you require to the properties and click Save. The properties screen closes and the visual policy editor displays.
  6. On the fallback branch after the previous action, click the (+) icon to add an item to the access policy. A popup screen opens.
  7. On the Authentication tab, select AD Auth. A properties screen displays.
  8. From the Server list, select a server.
  9. Click Save. The properties screen closes and the visual policy editor displays.
  10. On the Successful branch after the previous action, click the (+) icon. A popup screen opens.
  11. On the Assignment tab, select SSO Credential Mapping and click Add Item. A properties screen opens.
  12. Click Save. The properties screen closes and the visual policy editor displays.
  13. Click the Apply Access Policy link to apply and activate the changes to the access policy.

Adding the access profile to the virtual server

You associate the access profile with the virtual server so that Access Policy Manager can apply the profile to incoming traffic.

  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. In the Access Policy area, from the Access Profile list, select the access profile.
  4. Click Update to save the changes.
Your access policy is now associated with the virtual server.
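
The following check is an added example, not part of the F5 manual or APM itself: it compares the authentication challenges recorded from unauthenticated requests to each Exchange service path against the Front End Authentication selected in the Exchange profile. The service paths, the mapping from authentication type to HTTP challenge scheme, and the probe results are assumptions constructed for illustration.

```python
import re

# Front End Authentication choices named on the page, mapped to the HTTP
# challenge schemes each is assumed to advertise (assumption, not from the page).
ALLOWED = {"Basic": {"basic"}, "Basic-NTLM": {"basic", "ntlm"}, "NTLM": {"ntlm"}}

# Usual Exchange virtual-directory paths (assumption; the page does not list
# the defaults) with the front-end authentication chosen for each service.
PROFILE = {
    "/microsoft-server-activesync": ("ActiveSync", "Basic"),
    "/autodiscover": ("Autodiscover", "Basic"),
    "/ews": ("Exchange Web Service", "Basic"),
    "/oab": ("Offline Address Book", "Basic"),
    "/rpc/rpcproxy.dll": ("Outlook Anywhere", "Basic"),
}

def offered_schemes(header_values):
    """Return the lower-cased auth schemes in WWW-Authenticate header values."""
    schemes = set()
    for value in header_values:
        # Split challenges on commas that are outside quoted strings.
        for part in re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', value):
            token = part.strip().split(None, 1)[0] if part.strip() else ""
            if token and "=" not in token:  # skip auth-params such as realm="x"
                schemes.add(token.lower())
    return schemes

def audit(observations):
    """Compare unauthenticated probe results with the intended profile."""
    findings = []
    for url_scheme, path, status, www_auth in observations:
        match = next((v for k, v in PROFILE.items() if path.lower().startswith(k)), None)
        if match is None:
            continue  # not an Exchange service path
        service, front_end = match
        offered = offered_schemes(www_auth)
        if status != 401:
            findings.append((service, f"expected a 401 challenge, got {status}"))
        elif offered != ALLOWED[front_end]:
            findings.append((service, f"offers {sorted(offered)}, profile says {front_end}"))
        if "basic" in offered and url_scheme != "https":
            findings.append((service, "Basic challenge over plain HTTP"))
    return findings

# Constructed probe results: (URL scheme, path, status, WWW-Authenticate values)
SAMPLE = [
    ("https", "/EWS/Exchange.asmx", 401, ['Basic realm="mail, EWS"']),
    ("https", "/Microsoft-Server-ActiveSync", 401, ["Negotiate, NTLM", 'Basic realm="mail"']),
    ("http", "/autodiscover/autodiscover.xml", 401, ['Basic realm="mail"']),
    ("https", "/OAB/oab.xml", 200, []),
]
```

Calling audit(SAMPLE) reports the ActiveSync path that still offers NTLM and Negotiate, the Autodiscover path that challenges for Basic credentials without TLS, and the Offline Address Book path that answers without a challenge.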