Thinking out loud.

Load balancer out front balancing a group of reverse proxies.
________________________________________
From: [email protected] [[email protected]] on behalf 
of ccollins9 [[email protected]]
Sent: Friday, May 09, 2014 12:34 PM
To: exchange
Subject: Re: [Exchange] CAS exposure - Exchange 2013 SP1

Yes, EX2013 supports client certs and we have them turned on and working. The 
issue with reverse proxy from the load balancers is that it needs to decrypt the 
packet at the LB to read the header to know where to send the connection (OWA 
vs. ActiveSync vs. EWS, etc.), and for that it would need to support 
decrypting with respect to client certificate. We haven't been able to get it 
working. But I do see that with a recent software update, my LB supports 
client certs, so maybe it will work if I set the AS directory back to Basic 
Auth/No client certs and require the client cert at the LB. This is similar to 
what we had to do in order to have EX2013 proxy client cert connections to 
EX2010 CAS servers. We needed to reset EX2010 to basic auth/no certs and 
EX2013 took care of the connections coming in with client certs. FYI, EX2013 
supports client certs and works, but the line I got from MS Premier support is 
that THEY won't support it until perhaps EX2013 SP1 CU1. Which I thought was 
just plain stupid. But it works so far.


On Fri, May 9, 2014 at 12:05 PM, Michael B. Smith wrote:
I suspect I need a diagram. Exchange 2013 supports client certs for ActiveSync 
(and for all the other web protocols also).



