A customer wishes to issue their field service engineers with smartphones which will enable them to connect to the MS Exchange CAS hosts installed in our data centres using MS Activesync. The connections will be using HTTPS and they wish to enable session persistence. The source IP addresses of the smartphones will be hidden behind a gateway and client authentication will be used on the Exchange servers for security.
Source IP stickiness cannot be used due to the client NAT. SSL session ID stickiness is no longer recommended by Cisco or Microsoft due to the varying web browsers and associated techniques used to frequently re-negotiate the SSL session ID. Therefore, the customer wishes to use HTTP Header Authorisation stickiness. In order to do this, we need to terminate SSL on the ACE, inspect the header and then use SSL Initiation to the back end Exchange servers (End to End SSL).
We have configured End to End SSL on the ACE 4710 appliances and this seems to be working as we can see TLS negotiations, hits on the serverfarms and associated log entries on the Exchange servers. We have also configured HTTP Header Auth and associated Parameter Maps. However, from the server monitoring, we appear to be failing authentication on the Exchange servers, possibly due to Client Authentication.
The Exchange servers are expecting the smartphone to present its SSL certificate in order to authenticate the user. The ACE is terminating the SSL session and then re-encrypting it during SSL Initiation to the back end server. I could configure an Authentication Group but this needs to contain a certificate list to present to the server which is not practical due to the number of smartphones deployed. I'm also not sure how this is used in SSL Initiation as I understand it is normally used in SSL Termination for the ACE to Authenticate the client.
So it begs the question: can this be done? Is it possible to combine End to End SSL with Client Authentication and HTTP Header Authorisation Stickiness?
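To illustrate the stickiness point in the question, here is an added example (not part of the original post and not ACE code) that models the two persistence choices in plain Python: the backend names, NAT address and ActiveSync requests are constructed, and the hash-to-backend mapping is an assumed simplification of what a load balancer's sticky table does. It shows why source-IP stickiness collapses every phone behind the NAT gateway onto one server, while keying on the Authorization header keeps each user on a consistent server, and that the header is only available once TLS has been terminated.

```python
import hashlib
from typing import Dict

# Constructed backend pool standing in for the Exchange CAS serverfarm (assumed names).
BACKENDS = ["cas-01", "cas-02", "cas-03"]

def parse_headers(raw_request: str) -> Dict[str, str]:
    """Parse the header block of a plaintext HTTP request. The load balancer only
    sees these after terminating TLS, which is why header stickiness needs SSL
    termination on the ACE."""
    headers: Dict[str, str] = {}
    for line in raw_request.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def select_backend(key: str) -> str:
    """Deterministically map a sticky key onto a backend (same key -> same server)."""
    digest = hashlib.sha256(key.encode("utf-8")).digest()
    return BACKENDS[int.from_bytes(digest[:4], "big") % len(BACKENDS)]

def route(raw_request: str, client_ip: str, mode: str) -> str:
    """Pick a backend using source-IP or Authorization-header stickiness."""
    if mode == "source-ip":
        return select_backend(client_ip)
    auth = parse_headers(raw_request).get("authorization")
    if auth is None:
        # No credentials yet (e.g. first request before the 401 challenge):
        # fall back to the source IP so the request still reaches a server.
        return select_backend(client_ip)
    # Hash the header so the sticky key is fixed-length and credentials are
    # never held in the sticky table in the clear.
    return select_backend(hashlib.sha256(auth.encode("utf-8")).hexdigest())

# Constructed sample: three phones behind one NAT gateway share a source IP.
NAT_IP = "203.0.113.10"
REQUESTS = {
    user: ("POST /Microsoft-Server-ActiveSync HTTP/1.1\r\n"
           "Host: mail.example.com\r\n"
           f"Authorization: Basic {user}-credentials\r\n\r\n")
    for user in ("alice", "bob", "carol")
}

def backends_by_mode(mode: str) -> Dict[str, str]:
    """Return {user: backend} for the sample requests under the given mode."""
    return {user: route(req, NAT_IP, mode) for user, req in REQUESTS.items()}
```

Note that the model says nothing about the client certificate: once the ACE terminates TLS, the phone's certificate handshake ends there, so header stickiness and client certificate authentication have to be reconciled separately.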