I need some input on this f5 deployment I am working on.
They currently use the normal APM AD auth (with AD query) for exchange, ActiveSync, /owa, etc.
Below are the flow and diagram; I have been unable to find any similar deployment guides from F5 online.
I found this thread on Reddit asking about a similar config - https://www.reddit.com/r/networking/comments/258k7g/office_365_hybrid_deployment_with_f5_ltms/
The MS vendor guys have also mentioned that O365 cannot support SSL offloading, in which case I believe the F5 can only work as an LTM load balancer for the CAS servers. However, we want to know what other options are available so we can have some control of the traffic on the F5 instead of letting the traffic hit the CAS servers directly.
Has anyone tried something similar or can share some best practice suggestions?
Flow and Diagram:
https://i.imgur.com/5BwqnPF.png

- The F5 APM will redirect the request to the CAS Servers Pool. F5 at this stage should not do SSL Offloading or present an NTLM Challenge.
- The CAS Server will reject the request with a 401 Unauthorized error response. However, it will ask the client to authenticate against Azure Authentication Services [EVO STS and Azure AD].
- The client will directly reach Azure over the public Internet and request the token. At this time Azure will encrypt the credentials and perform a Pass-Through Authentication.
- Upon successful validation of the credentials against the local Active Directory, Azure will return an access token to the client.
- The client will make another Autodiscover request with the new token.
- F5 will again redirect the request to the Exchange CAS Server. CAS will accept the token, as there is an OAuth relationship [Federation Trust] set up during OAuth configuration through the Intra-Organization Connector.
- The user will get authenticated, fetch the Autodiscover XML and get connected to the corresponding Mailbox Server.
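To make the flow above concrete, here is an added example (not part of the original post, and not F5 or Microsoft code) that replays the exchange end to end: the load balancer passes the CAS response through untouched, the CAS answers a tokenless Autodiscover request with an RFC 6750 Bearer challenge instead of an NTLM one, the client parses the challenge, checks that the `authorization_uri` points at an STS host it trusts before sending credentials, obtains a token, and retries. The `FakeCAS`, `FakeSTS`, `passthrough_lb`, `run_flow` names, the sample challenge header, the user "alice" and the trusted-host list are all assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample of the WWW-Authenticate challenge a CAS returns when a
# request arrives without a token (RFC 6750 Bearer format). The parameter
# values are illustrative assumptions, not captured from a real server.
SAMPLE_CHALLENGE = (
    'Bearer client_id="00000002-0000-0ff1-ce00-000000000000", '
    'trusted_issuers="00000001-0000-0000-c000-000000000000@contoso.example", '
    'authorization_uri="https://login.windows.net/common/oauth2/authorize"'
)

# Hosts the client is willing to send credentials to (assumption for the example).
TRUSTED_STS_HOSTS = {"login.windows.net", "login.microsoftonline.com"}

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(header: str) -> dict:
    """Split 'Bearer k="v", k2="v2"' into a dict; reject non-Bearer schemes."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"expected a Bearer challenge, got {scheme!r}")
    return dict(_PARAM_RE.findall(params))


def sts_host_is_trusted(challenge: dict) -> bool:
    """Only follow an authorization_uri that points at a known STS host."""
    host = urlparse(challenge.get("authorization_uri", "")).hostname or ""
    return host.lower() in TRUSTED_STS_HOSTS


class FakeSTS:
    """Stand-in for Azure AD: validates the user against the on-prem directory
    (pass-through auth) and returns an opaque token the CAS trusts."""
    def __init__(self, on_prem_users: dict):
        self.users = on_prem_users      # username -> password (constructed)
        self.issued = set()

    def token(self, user: str, password: str):
        if self.users.get(user) != password:
            return None
        tok = f"tok-{user}-{len(self.issued)}"
        self.issued.add(tok)
        return tok

    def is_valid(self, tok: str) -> bool:
        return tok in self.issued


class FakeCAS:
    """Stand-in for the CAS pool behind the F5: issues a Bearer challenge,
    never an NTLM one, and accepts tokens minted by the STS it trusts."""
    def __init__(self, sts: FakeSTS):
        self.sts = sts

    def autodiscover(self, headers: dict) -> tuple:
        auth = headers.get("Authorization", "")
        if auth.startswith("Bearer ") and self.sts.is_valid(auth[7:]):
            return 200, {}, "<Autodiscover><Response/></Autodiscover>"
        return 401, {"WWW-Authenticate": SAMPLE_CHALLENGE}, ""


def passthrough_lb(cas: FakeCAS, headers: dict) -> tuple:
    """Model of the F5 in plain LTM mode: forwards the request and returns the
    CAS response unchanged. It adds no auth challenge of its own, and flags the
    case where the upstream fell back to an NTLM/Negotiate challenge."""
    status, resp_headers, body = cas.autodiscover(headers)
    challenge = resp_headers.get("WWW-Authenticate", "")
    if challenge.split(" ", 1)[0].lower() in {"ntlm", "negotiate"}:
        raise RuntimeError("CAS issued a Windows auth challenge; not the OAuth flow")
    return status, resp_headers, body


def run_flow(user: str, password: str) -> list:
    """Replay the steps from the diagram and return a trace of (step, status)."""
    sts = FakeSTS({"alice": "correct horse"})   # constructed on-prem directory
    cas = FakeCAS(sts)
    trace = []
    status, hdrs, _ = passthrough_lb(cas, {"Host": "autodiscover.contoso.example"})
    trace.append(("first autodiscover", status))
    if status != 401:
        return trace
    challenge = parse_bearer_challenge(hdrs["WWW-Authenticate"])
    if not sts_host_is_trusted(challenge):
        trace.append(("untrusted STS, abort", None))
        return trace
    tok = sts.token(user, password)
    trace.append(("token request", 200 if tok else 401))
    if tok is None:
        return trace
    status, _, body = passthrough_lb(cas, {"Authorization": f"Bearer {tok}"})
    trace.append(("second autodiscover", status))
    return trace


if __name__ == "__main__":
    for step in run_flow("alice", "correct horse"):
        print(step)
```

The two checks worth keeping from this model are the ones the diagram leaves implicit: the client should refuse to send credentials to an `authorization_uri` whose host it does not already trust, and the load balancer, if it is merely forwarding, should never see (or add) an NTLM or Negotiate challenge on this path; if one appears, the CAS is not running the OAuth flow the diagram assumes.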