Hybrid Modern Authentication with VMware Boxer – Part 4 – Special use cases and FAQ
- Part 1: Introduction
- Part 2: Prerequisites
- Part 3: Configuration
- Part 4: Special use cases and FAQ
- Part 5: Troubleshooting
EWS and/or Autodiscover is not available over internet
If EWS and/or Autodiscover is not available over internet, we can use the per-app VPN VMware Tunnel to access those services. As VMware Tunnel check the compliance of the device and the enrolment status, it adds a security check before accessing the services.
It is worth noting that VMware Mobile SSO is compatible with this configuration and can be done like this:
Autodiscover not available or unreliable
Depending on the Exchange architecture it is possible that information returned is not the correct one. Also, it is possible that Autodiscover is not available at all due to restriction.
In this case, you have to use the following KVP:
|KVP Name||KVP Value Type||KVP Value|
EWS Endpoint is only available to Microsoft IP
Due to different issue around security and access, often organization restrict access to the EWS endpoint to Microsoft IPs, however, ENS and Boxer requires access to it, fortunately we can allow ENS IPs the same way we do for Microsoft as ENS uses specific IPs specially for this use cases.
The list of IPs is available in the documentation:
ENS Endpoints and IP Allowlist
For Boxer, we can use Per-App VPN as detailed above.
Secure Email Gateway is used
When SEG is used, the ActiveSync virtual directory URL (external or internal) on Exchange will have to match the URL used by SEG. The URL will also have to be as a SPN of the Azure app as defined in part 3.
What features on VMware Boxer are supported with Hybrid Modern Authentication?
All regular VMware Boxer features are supported with Hybrid Modern Authentication the same way as with Modern Authentication with Office 365.
Can a user access a shared mailbox or calendar?
Can Secure Email Gateway be used?
Yes, see above
Can SEG do certificate authentication and Hybrid Modern Auth at the same time?
Can EWS traffic pass by SEG?
No, EWS traffic is used by Office 365, and it needs to be available without proxy, this is a requirement for hybridity from Microsoft.
Can the Escrow Gateway for S/MIME be used?
Next: Part 5 – Troubleshooting
vExpert, blogger and VMware champion. Worked as a Microsoft consultant for a partner before joining VMware via Airwatch in 2015.