Forum Discussion
AndOs
Cirrostratus
Hi!
We recently started to use APM with ActiveSync for some of our users.
Any new session from an ActiveSync client will traverse the access policy the same way as any normal client.
The iRule _sys_APM_activesync sets a flag, "clientless mode", which somehow indicates to APM that it should not stop for logon pages etc.
The iRule also sets a session variable, activesync = 1, which can be used to check if a connecting client is an ActiveSync client.
Yes, the LDAP or AD query will act the same way for ActiveSync as any other client.
User credentials are sent with basic authentication from the ActiveSync client, and those get picked up and can be used with the authentication and query objects in the access policy.
Here's an example of an access policy we use for both normal web clients and activesync clients.
One thing I've noticed is that if an ActiveSync client is denied by the access profile, say by a group check, the client will show a message saying that the username and password are incorrect.
That caused some confusion for our users when some of them weren't in the correct AD group.
That can probably be solved by an iRule checking if access was denied and then sending a different HTTP response than the default 401 status.
/Andreas
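The idea at the end of the post above, sketched as an iRule; this is an added example, not code from the thread or F5's shipped _sys_APM_activesync iRule. It only overrides the response when authentication succeeded and the policy still ended in deny, so a wrong password keeps the default 401. Assumptions: the session variable name `session.custom.activesync` is a placeholder for the "activesync = 1" flag, the policy uses an AD Auth item (which sets `session.ad.last.authresult`), the 403 status and body are constructed choices, and no other iRule on the virtual server already responds in this event.

```tcl
when ACCESS_POLICY_COMPLETED {
    # Only sessions that ended in deny need a custom answer.
    if { [ACCESS::policy result] ne "deny" } { return }

    # ASSUMPTION: placeholder name for the "activesync = 1" flag from the post;
    # check the real variable name in your copy of _sys_APM_activesync.
    set is_eas [ACCESS::session data get "session.custom.activesync"]
    if { $is_eas ne "1" } { return }

    # ASSUMPTION: the policy contains an AD Auth item; 1 means the password
    # was accepted. Anything else is a real credential failure, so the
    # default 401 stays and the client re-prompts for the password.
    set auth_ok [ACCESS::session data get "session.ad.last.authresult"]
    if { $auth_ok ne "1" } { return }

    # Authenticated but denied later in the policy (e.g. the group check).
    # Log it so the helpdesk can tell this apart from bad passwords.
    set user [ACCESS::session data get "session.logon.last.username"]
    set cip  [ACCESS::session data get "session.user.clientip"]
    log local0.notice "ActiveSync denied after successful auth: user=$user client=$cip"

    # Constructed status and body: verify how your ActiveSync clients
    # present this status before rolling it out.
    ACCESS::respond 403 content "ActiveSync access is not enabled for this account." \
        Content-Type "text/plain" Connection close
}
```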
AndOs
Jan 18, 2016 Cirrostratus
Hi!
The box "Logon User pass" is a standard logon page with "Split domain from full Username" set to yes.
Our config was made on 11.2.1 with the iApp that was current back then in 2013, which used the iRule _sys_APM_activesync to capture credentials.
From there we added on extra queries to check if a user was allowed Active Sync.
As far as I know, _sys_APM_activesync made sure that ActiveSync clients got handled separately and didn't "stop" on the logon page.
We are still on 11.2.1 for our ActiveSync setup. If you are using a fairly new version, I would suggest looking into the Microsoft Exchange profile, which is available under Access Policy / Application Access.
To my knowledge, that profile adds the same functionality as the iRule _sys_APM_activesync.
/Andreas