Hybrid Modern Authentication with VMware Boxer – Part 4 – Special use cases and FAQ

EWS and/or Autodiscover is not available over internet

If EWS and/or Autodiscover is not available over internet, we can use the per-app VPN VMware Tunnel to access those services. As VMware Tunnel check the compliance of the device and the enrolment status, it adds a security check before accessing the services.
It is worth noting that VMware Mobile SSO is compatible with this configuration and can be done like this:

Autodiscover not available or unreliable

Depending on the Exchange architecture it is possible that information returned is not the correct one. Also, it is possible that Autodiscover is not available at all due to restriction.
In this case, you have to use the following KVP:

KVP NameKVP Value TypeKVP Value
AccountOauthResourceURLStringhttps://activesync.domain.com/Microsoft-Server-ActiveSync

EWS Endpoint is only available to Microsoft IP

Due to different issue around security and access, often organization restrict access to the EWS endpoint to Microsoft IPs, however, ENS and Boxer requires access to it, fortunately we can allow ENS IPs the same way we do for Microsoft as ENS uses specific IPs specially for this use cases.
The list of IPs is available in the documentation:

ENS Endpoints and IP Allowlist

For Boxer, we can use Per-App VPN as detailed above.

Secure Email Gateway is used

When SEG is used, the ActiveSync virtual directory URL (external or internal) on Exchange will have to match the URL used by SEG. The URL will also have to be as a SPN of the Azure app as defined in part 3.

FAQ

What features on VMware Boxer are supported with Hybrid Modern Authentication?

All regular VMware Boxer features are supported with Hybrid Modern Authentication the same way as with Modern Authentication with Office 365.

Can a user access a shared mailbox or calendar?

Yes.

Can Secure Email Gateway be used?

Yes, see above

Can SEG do certificate authentication and Hybrid Modern Auth at the same time?

Yes.

Can EWS traffic pass by SEG?

No, EWS traffic is used by Office 365, and it needs to be available without proxy, this is a requirement for hybridity from Microsoft.

Can the Escrow Gateway for S/MIME be used?

Yes

Next: Part 5 – Troubleshooting

Written by

Website | + posts

vExpert, blogger and VMware champion. Worked as a Microsoft consultant for a partner before joining VMware via Airwatch in 2015.

Leave a Reply

Your email address will not be published. Required fields are marked *.

*
*
You may use these <abbr title="HyperText Markup Language">HTML</abbr> tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.

BCF Shop Theme By aThemeArt.
BACK TO TOP