ApplicGate

ApplicGate

(v12.0.8889.39591 started 2024-05-03 21:03:28 on VM2)

Keyword CERTMATCH:type to check logon to Exchange/OWA and NTLM logon:
... type may be NTLM or OWA or NTLM|OWA if both checks should be done

For Outlook Web Access (OWA) by web browser, CERTMATCH:OWA
- SSL with CCR must be specified.
- If email address within user certificate does not match the OWA logon username (user@maildomain), the session will be terminated. Keyword RDR is supported in that case.
- To support multiple phone numbers a trailing identifier separated by # can be specified. See also OTP.

Example with OTP Logon (password sent via SMS):

 SourceIP ;GatewayIP;GatewayPort;GatewayIP2;DestinationIP;DestinationPort;Expiration;Type                                                                                                                                                                            ;UID    ;Comment ;eMail
 *        ;1.1.1.1  ;443        ;10.10.10.2;10.10.10.66  ;*              ;*         ;OTPU:OWAuser,TTL:10,CERTMATCH:OWA,RDR:invalidUser.htm,OTPR:"C:\ApplicGate\OTPOWA",SENDOTP:"C:\ApplicGate\OTP\SendSMS.bat",TLS:TLS10|TLS11|TLS12,SSL:server.cer,SSLTARGET:NoCheck ;OWAOTP ;        ;

Example with Certificate Logon:

 SourceIP ;GatewayIP;GatewayPort;GatewayIP2;DestinationIP;DestinationPort;Expiration;Type                                                                                                                 ;UID    ;Comment ;eMail
 *        ;1.1.1.1  ;443        ;10.10.10.2;10.10.10.66  ;*              ;*         ;CCR:Outlook,ISS:myCA,TTL:10,CERTMATCH:OWA,RDR:invalidCert.htm,TLS:TLS10|TLS11|TLS12,SSL:server.cer,SSLTARGET:NoCheck ;OWACert;        ;

For Outlook Anywhere using secure RPC over http(s) by Outlook, CERTMATCH:NTLM
- User must logon to the application gateway (using smart card, certificate or one-time password).
- SSL must be specified.
- In field Source IP (or group) the email address followed by the NT domain account name must be specified, e.g. user@maildomain~accountname
- If during the NTLM handshake the login accountname does not mach the user logged on to the application gateway, the session will be terminated.

Example:

 SourceIP ;GatewayIP;GatewayPort;GatewayIP2;DestinationIP;DestinationPort;Expiration;Type                                                                          ;UID;Comment        ;eMail
 Outlook  ;1.1.1.1  ;443        ;10.10.10.1;10.10.10.33  ;*              ;*         ;CERTMATCH:NTLM,TLS:TLS10|TLS11|TLS12,SSL:webmail.cer,SSLTARGET:webmail-xxx.com;*  ;Outlook via RPC;

For Web sites using NTLM authentication (e.g. SharePoint), CERTMATCH:NTLM
- SSL with CCR must be specified.
- Logon with user@maildomain (UPN ... user principal name).
- If during the NTLM handshake the login accountname does not match the email address of the certificate, the session will be terminated.
- Keyword RDR is supported in that case.

reinhold.leitner@applicgate.com (C) May 2024
www.applicgate.com