Keyword CERTMATCH:type checks the logon to Exchange/OWA and NTLM logons against the identity authenticated at the application gateway:
... type may be NTLM, OWA, or NTLM|OWA if both checks are to be done
For Outlook Web Access (OWA) by web browser, CERTMATCH:OWA
- SSL with CCR must be specified (the OTP example below uses one-time-password logon via OTPU instead of CCR).
- If the email address in the user certificate does not match the OWA logon username (user@maildomain), the session is terminated. Keyword RDR is supported in that case, e.g. RDR:invalidCert.htm in the example below.
- To support multiple phone numbers, a trailing identifier separated by # can be appended. See also OTP.
Example with OTP logon (password sent via SMS):
SourceIP ;GatewayIP;GatewayPort;GatewayIP2;DestinationIP;DestinationPort;Expiration;Type ;UID ;Comment ;eMail
* ;1.1.1.1 ;443 ;10.10.10.2;10.10.10.66 ;* ;* ;OTPU:OWAuser,TTL:10,CERTMATCH:OWA,RDR:invalidUser.htm,OTPR:"C:\ApplicGate\OTPOWA",SENDOTP:"C:\ApplicGate\OTP\SendSMS.bat",TLS:TLS10|TLS11|TLS12,SSL:server.cer,SSLTARGET:NoCheck ;OWAOTP ; ;
Example with certificate logon:
SourceIP ;GatewayIP;GatewayPort;GatewayIP2;DestinationIP;DestinationPort;Expiration;Type ;UID ;Comment ;eMail
* ;1.1.1.1 ;443 ;10.10.10.2;10.10.10.66 ;* ;* ;CCR:Outlook,ISS:myCA,TTL:10,CERTMATCH:OWA,RDR:invalidCert.htm,TLS:TLS10|TLS11|TLS12,SSL:server.cer,SSLTARGET:NoCheck ;OWACert; ;
For Outlook Anywhere using secure RPC over http(s) by Outlook, CERTMATCH:NTLM
- The user must first log on to the application gateway (using a smart card, a certificate or a one-time password).
- SSL must be specified.
- In the Source IP field (or in a group referenced there), each entry must be the email address followed by ~ and the NT domain account name, e.g. user@maildomain~accountname
- If during the NTLM handshake the login account name does not match the account mapped to the user logged on to the application gateway, the session is terminated.
Example:
SourceIP ;GatewayIP;GatewayPort;GatewayIP2;DestinationIP;DestinationPort;Expiration;Type ;UID;Comment ;eMail
Outlook ;1.1.1.1 ;443 ;10.10.10.1;10.10.10.33 ;* ;* ;CERTMATCH:NTLM,TLS:TLS10|TLS11|TLS12,SSL:webmail.cer,SSLTARGET:webmail-xxx.com;* ;Outlook via RPC;
For web sites using NTLM authentication (e.g. SharePoint), CERTMATCH:NTLM
- SSL with CCR must be specified.
- The user logs on with user@maildomain (the UPN, user principal name).
- If during the NTLM handshake the login account name does not match the email address in the certificate, the session is terminated.
- Keyword RDR is supported in that case.
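The following is an added example in Python, not ApplicGate's own code: it parses rule lines in the format of the examples above into their columns and Type keywords, checks the CERTMATCH preconditions listed in this section, extracts the account name from an NTLM AUTHENTICATE (Type 3) message as carried in an "Authorization: NTLM" header (public MS-NLMP field layout), and applies each mode's identity comparison. The mode names OWA, OUTLOOK_ANYWHERE and NTLM_WEB, the group member list, the domain CORP and the user alice@example.com are assumptions made for this example; ApplicGate's group syntax is not shown on this page, so the caller passes the resolved Source IP entries.

```python
# Added example, not ApplicGate's own code: parse the rule lines shown above, check the
# CERTMATCH preconditions the text states, and apply each mode's identity check. NTLM
# account extraction follows the public MS-NLMP AUTHENTICATE_MESSAGE layout.
import base64
import struct

# Column order copied from the header lines in the examples above.
COLUMNS = ["SourceIP", "GatewayIP", "GatewayPort", "GatewayIP2", "DestinationIP",
           "DestinationPort", "Expiration", "Type", "UID", "Comment", "eMail"]
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001

def parse_type_field(text):
    """Split 'KEY:value,KEY2:"quoted,value"' into a dict; a bare KEY becomes a True flag."""
    items, buf, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted            # commas inside quotes (e.g. OTPR paths) are literal
        elif ch == "," and not quoted:
            items, buf = items + [buf], ""
        else:
            buf += ch
    out = {}
    for item in (i.strip() for i in items + [buf] if i.strip()):
        key, _, value = item.partition(":")
        out[key.upper()] = value or True
    return out

def parse_rule(line):
    """Map one data line onto COLUMNS; the Type field is parsed into a dict."""
    fields = [f.strip() for f in line.split(";")]
    rule = dict(zip(COLUMNS, fields + [""] * (len(COLUMNS) - len(fields))))
    rule["Type"] = parse_type_field(rule["Type"])
    return rule

def validate_rule(rule, sources):
    """Return the stated preconditions the rule violates (empty = OK). `sources` is what
    SourceIP resolves to: the field itself or the members of a named group (assumed)."""
    t, problems = rule["Type"], []
    modes = str(t.get("CERTMATCH", "")).upper().split("|")
    if "CERTMATCH" in t and "SSL" not in t:
        problems.append("CERTMATCH requires SSL")
    if "OWA" in modes and "CCR" not in t and "OTPU" not in t:
        # Assumption from the two OWA examples: certificate (CCR) or one-time password (OTPU) logon
        problems.append("CERTMATCH:OWA requires CCR or OTPU logon")
    if "NTLM" in modes:
        mapped = [s for s in sources if "~" in s]      # user@maildomain~accountname entries
        for entry in mapped:                           # Outlook Anywhere form
            email, _, account = entry.partition("~")
            if "@" not in email or not account:
                problems.append(f"bad Outlook Anywhere source entry: {entry}")
        if not mapped and "CCR" not in t:              # NTLM web-site form
            problems.append("CERTMATCH:NTLM for web sites requires SSL with CCR")
    return problems

def build_ntlm_authenticate(domain, user):
    """Constructed NTLM Type 3 message with empty LM/NT responses (only the names matter here)."""
    d, u = domain.encode("utf-16-le"), user.encode("utf-16-le")
    def field(data, off): return struct.pack("<HHI", len(data), len(data), off)
    base = 64                                          # payload starts after NegotiateFlags
    msg = b"NTLMSSP\0" + struct.pack("<I", 3)
    msg += field(b"", base) * 2                        # LmChallengeResponse, NtChallengeResponse
    msg += field(d, base) + field(u, base + len(d))    # DomainName, UserName
    msg += field(b"", base + len(d + u)) * 2           # Workstation, EncryptedRandomSessionKey
    return msg + struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE) + d + u

def ntlm_account_from_authorization(header_value):
    """Return (domain, user) from an 'NTLM <base64 Type 3>' Authorization header value."""
    msg = base64.b64decode(header_value.split(None, 1)[1])
    if msg[:8] != b"NTLMSSP\0" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE message")
    enc = "utf-16-le" if struct.unpack_from("<I", msg, 60)[0] & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    def read(off):
        length, _, pos = struct.unpack_from("<HHI", msg, off)
        return msg[pos:pos + length].decode(enc)
    return read(28), read(36)                          # DomainNameFields, UserNameFields

def session_allowed(mode, gateway_identity, presented, sources=()):
    """Per-mode check: gateway_identity is the certificate email (or gateway logon), presented
    is the OWA logon name or the NTLM user name. Case-insensitive comparison is an assumption."""
    if mode in ("OWA", "NTLM_WEB"):
        return gateway_identity.strip().lower() == presented.strip().lower()
    for entry in (s for s in sources if "~" in s):     # OUTLOOK_ANYWHERE: email~accountname
        email, _, account = entry.partition("~")
        if email.lower() == gateway_identity.lower():
            return presented.lower() == account.lower()
    return False

# The page's Outlook Anywhere rule, plus constructed group members and a constructed handshake.
RPC_RULE = parse_rule("Outlook ;1.1.1.1 ;443 ;10.10.10.1;10.10.10.33 ;* ;* ;CERTMATCH:NTLM,"
                      "TLS:TLS10|TLS11|TLS12,SSL:webmail.cer,SSLTARGET:webmail-xxx.com;* ;Outlook via RPC;")
OUTLOOK_GROUP = ["alice@example.com~alice"]           # assumed members of group "Outlook"
AUTH_HEADER = "NTLM " + base64.b64encode(build_ntlm_authenticate("CORP", "alice")).decode()

if __name__ == "__main__":
    domain, user = ntlm_account_from_authorization(AUTH_HEADER)
    print(validate_rule(RPC_RULE, OUTLOOK_GROUP), domain, user,
          session_allowed("OUTLOOK_ANYWHERE", "alice@example.com", user, OUTLOOK_GROUP))
```

The Type field is split on commas outside double quotes because the OTPR and SENDOTP paths in the OWA example are quoted; the NTLM parser reads the DomainName and UserName fields at their fixed offsets (28 and 36) and honours the Unicode negotiate flag, which is what a gateway needs to compare the handshake's account name against the mapping in the rule.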