This feature is under consideration for a future release, though a target version or timeframe is not yet set.
ISA Server (and TMG, if you're actually using current [dead] technology) was never able to perform client certificate delegation, and NTLM doesn't allow delegation.
KCD is a Windows, not an ISA feature. It requires that your UTM/XG device actually join an AD domain.
This would be especially useful in blocking geo-distributed nastiness like cryptominers.
For example, coinhive uses a name structure like "ws###.coinhive.com", but because the protocol isn't http-based, the web filter is blind to it.
Being able to apply something as simple as a text filter to such obvious constructs would be very useful.
Spoofing is required.
Certificate authentication (whether client or server) occurs in the SSL/TLS protocol, not the HTTP protocol, so it cannot be done in an HTTP header.
The only way for the UTM to accomplish this would be for it to build a spoof client cert based on the original client cert particulars and sign it with a CA certificate that the published server trusts.
- Mac Mail doesn't use ActiveSync - it uses a variant of RPC/HTTP (Outlook Anywhere).
- "reported cases of accounts being compromised" - is unlikely to be related to WAF behavior or cookie signing. Maybe a check on your password policies (behavioral as well as technical) is in order?
- "emails being sent from a device are coming up different addresses" - is also unrelated to WAF behavior.
Curious what you see as not working?
I'm using E2010SP3+ with WinPhone 7.5 and 8 through UTM 9.105 with no problems?
Sorry, but you've been misinformed. Beyond validating RPC/HTTP methods (RPC_IN_DATA, RPC_OUT_DATA), neither ISA nor TMG performs "security filtering" for RPC/HTTP traffic and never has.
To do this properly would require that the WAF also terminate and proxy the RPC sessions.
IOW - a rathole from which there is no escape
We are hard at work on this feature and will deliver the first implementation of front end authentication as part of our Web Server protection (reverse proxy) in UTM 9.2. The public beta will begin in October. Stay Tuned!