Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Clear all filters

Allow file upload, deny file download, start ASM from APM


I plan to present a SharePoint page to remote users via Portal Access. Remote users, authenticated on APM, should be able to upload documents to this SharePoint page. They should NOT be able to download anything from this SharePoint back to their PCs while connected remotely.

The same users must be able to download these files from SahrePoint page once they are physically inside the same LAN. In this case no F5 is involved, the connection between PC and SharePoint is direct.

I assume this cannot be achieved directly in the SharePoint because from SharePoint perspective, these users need to have both read and write access. SharePoint does not know when the users comes from LAN and when from Internet (APM remote access).

But from F5 perspective, users should be able to ONLY upload files.

Could you suggest any way how restrict file download on the F5? If I need ASM for this task, is it possible to "call" ASM only when the user hits particular APM branch? Or is the ASM policy applied to every single connection for particular virtual server, ignoring the APM policy?

Thanks in advance for any help ;)


Rate this Question

Answers to this Question


If you know which exact uri is used for the file downloads (something like /_layouts/download.aspx?***) you can restrict access to this URI through an irule similar to this one

    if { [string tolower [HTTP::uri]] starts_with "/_layouts/download.aspx" } {
        HTTP::respond 403 content {<html>403 Unauthorized Access</html>}
Comments on this Answer
Comment made 31-Mar-2017 by Martin Vlasko 300

Hi Amine,

That's the thing, that I am not sure about the download URI, don't know SharePoint that much.

Do you think it will always include "download" in URI whenever a user wants to download a file from SharePoint?

Because SharePoint is simply a web page, the download is basically yet another GET request. But I cannot block GET method in general, otherwise the whole thing does not work of course. It would be much easier with uploads where I could simply block POST method or the specific upload URI. So yes, to know a string which occurs in every download URI would be great to know, the question is if there is a string occurring in every single download.

Comment made 31-Mar-2017 by Amine Kadimi 675

I have little to no knowledge of sharepoint, but I am pretty sure the download uri will always be the same one (or few ones). I searched google and there is always /*/download.aspx, you just need to confirm the exact one used in your environment.

So, basically you can block a specific uri, or if you want a specific uri when associated with a GET method but I think checking just the uri is sufficient.

To confirm the exact uri, you can browse through your sharepoint and while going through all the different download links available, you can grab the uri from the browser or for better analysis from fiddler or any other tool.



A download does not contain download keyword but is a direct link to the file ending with doc, docx, ppt, ...

If you want to block downloads of any documents except aspx, gif, png,css (web content), define explicit file type list without file types the user won't be autorized to download.