Yeah, I thought of that too but I've been messing with this for months now and I'm growing weary lol. Plus the go-live date is getting close. I also wanted something not too complex that could bite us in production. However, if I muster the time and energy to try it, would I need Server 2012 for the "free" proxy solution? It would be ARR?

On May 9, 2014 1:05 PM, "Kennedy, Jim" <[email protected]> wrote:
> Thinking out loud.
>
> Load balancer out front balancing a group of reverse proxies.
> ________________________________________
> From: [email protected] [[email protected]] on
> behalf of ccollins9 [[email protected]]
> Sent: Friday, May 09, 2014 12:34 PM
> To: exchange
> Subject: Re: [Exchange] CAS exposure - Exchange 2013 SP1
>
> Yes, EX2013 supports client certs and we have them turned on and working.
> The issue with reverse proxy from the load balancers, it needs to decrypt
> the packet at the LB to read the header to know where to send the
> connection (owa vs. ActiveSync, vs. EWS, etc.), and for that it would need
> to support decrypting with respect to client certificate. We haven't been
> able to get it working. But I do see that with a recent software update,
> my LB supports client certs, so maybe it will work if I set the AS
> directory back to Basic Auth/No client certs and require the client cert at
> the LB. This is similar to what we had to do in order to have EX2013 proxy
> client cert connections to EX2010 CAS servers. We needed to reset EX2010
> to basic auth/no certs and EX2013 took care of the connections coming in
> with client certs. FYI, EX2013 supports client certs and works, but the
> line I got from MS Premier support is that THEY won't support it until
> perhaps EX2013 SP1 CU1. Which I thought was just plain stupid. But it
> works so far.
>
> On Fri, May 9, 2014 at 12:05 PM, Michael B. Smith <[email protected]> wrote:
> I suspect I need a diagram. Exchange 2013 supports client certs for
> ActiveSync (and for all the other web protocols also).
