Forum Discussion

brepav123_22459's avatar
brepav123_22459
Icon for Cirrus rankCirrus
Jan 05, 2017
Solved

iRule to Allow Outlook users by Username

Hi All, ive been presented with an interesting request. Currently our users authenticate to outlook (whether by their browser to OWA, mobile active sync, or the outlook application) directly through ...
application delivery
BIG-IP
irule
LTM
outlook
  • brepav123_22459's avatar
    brepav123_22459
    Jan 06, 2017

    I think i may have figured it out. After spending some hours looking at packet captures I noticed in the URI active sync always sends the username as part of the string. So using an iRule it searches that URI for the specific user identity and if it matches, it lets it through. Seems to be working so for but have yet to do extensive testing on it. I just wonder how bad the resource usage on the F5s will be having to inspect the URI of every connection. Thanks for the replies! 

        "/Microsoft-Server-ActiveSync*" {
       if { [HTTP::uri] contains "username"}{
        persist cookie
        pool POOL
        }
        else {
                     discard
        }
AJ_01_135899's avatar
AJ_01_135899
Icon for Cirrostratus rankCirrostratus
Jan 05, 2017

This is definitely possible. Since you're using Exchange / OWA, your organization presumably is using Active Directory. I'm also assuming you're using APM.

 

Leaving the MDM solution out of the equation for the moment, here's a straightforward solution:

 

  1. create an Active Directory group containing the list of users that you'd like to allow through.
  2. add an AD Query object to the end of your APM access profile, retrieving the "members" attribute.
  3. create a success/failure branch on that AD Query object, that ensure that the success branch contains the "User is a member of (the group you just created) ".

The question mark is how the MDM solution comes into play. If the MDM solution does indeed (as you describe), handle authentication then send traffic to the F5 you'll need to figure out a mechanism to pass this traffic (perhaps via source IP, header, or some other mechanism). If the MDM solution interfaces directly with Exchange / OWA, you will probably be fine.

 

Hope this helps

 

  • brepav123_22459's avatar
    brepav123_22459
    Icon for Cirrus rankCirrus
    Jan 05, 2017

    Unfortunately no we are not using APM. We only have LTM so are limited to iRules for basically all of our advanced functionality. Perhaps i used the term authentication too loosely. More to say the F5 is the front end for all incoming connections but then it passes the actual connection and authentication piece back to our AD servers. Thanks