
How to disable ASM COMPLETELY for certain IPs.

Hi All,

I have a case where a device that connects to the Exchange VS to book meeting slots for the meeting rooms, after applying ASM it would connect one time and not the other.

This happened after applying ASM, so I did the following:

1- I made the policy transparent, however it didn't solve the problem.

2- I whitelisted the IPs of these devices, didn't work.

3- I tried removing the policy from the VS at all, and it worked.

So I took a packet capture between VS and Device, and it looks like ASM injects some JavaScript that the Client can't execute since it doesn't support JavaScript, and then the connection idles and it fails to connect.

I don't have the JavaScript on me right now but one of the elements inside that code (big code by the way) was a variable called "var l7dos" or something similar.

I guessed it is related to either CSRF, brute force or web scraping.

I removed all of them from the policy and applied it and everything worked. However the customer still needs it for other users so I'm trying to figure out how to really exclude some IPs from the ASM policy (no TSXXXXX cookies, no JavaScript connections, nothing).

I tried to add an iRule which says, when client accepted, and IP matches a datagroup, ASM::disable. However, I still see the F5 setting cookies and I still see JavaScript being injected.

So, appreciate your help here. Sorry for not having the configs as I'm not at the customer right now.

Comments on this Discussion
Comment made 19-Dec-2016 by nathan 7337

It would probably be useful to have the ASM version and an anonymised version of the iRule.

Comment made 19-Dec-2016 by waleed osama 117

The ASM version is 12.1.0 2.0.1468-Hotfix HF2

And the iRule is similar to this:

when CLIENT_ACCEPTED {
    ## Bypass ASM for the meeting-room devices listed in the Evoko_Group data group.
    if { [class match [IP::client_addr] equals Evoko_Group] } {
        log local0. "[IP::client_addr] is trying to access Calendars for Meeting Room."
        ASM::disable
        return
    }
}

when HTTP_REQUEST {
    ## Route each Exchange 2013 service to its own pool based on the request path.
    switch -glob -- [string tolower [HTTP::path]] {
        "/microsoft-server-activesync*" {
            ## ActiveSync: long-lived connections, no compression or caching.
            TCP::idletime 1800
            pool /Common/EXCHANGE2013.app/EXCHANGE2013_as_pool7
            COMPRESS::disable
            CACHE::disable
            return
        }
        "/owa*" {
            ## Outlook Web App.
            pool /Common/EXCHANGE2013.app/EXCHANGE2013_owa_pool7
            return
        }
        "/ecp*" {
            ## Exchange Control Panel.
            pool /Common/EXCHANGE2013.app/EXCHANGE2013_owa_pool7
            return
        }
        "/ews*" {
            ## Exchange Web Services.
            pool /Common/EXCHANGE2013.app/EXCHANGE2013_ews_pool7
            COMPRESS::disable
            CACHE::disable
            return
        }
        "/oab*" {
            ## Offline Address Book.
            pool /Common/EXCHANGE2013.app/EXCHANGE2013_ews_pool7
            persist none
            return
        }
        "/rpc/rpcproxy.dll*" {
            ## Outlook Anywhere.
            pool /Common/EXCHANGE2013.app/EXCHANGE2013_oa_pool7
            COMPRESS::disable
            CACHE::disable
            return
        }
        "/autodiscover*" {
            ## Requests for Autodiscovery information.
            pool /Common/EXCHANGE2013.app/EXCHANGE2013_ad_pool7
            persist none
            return
        }
        default {
            pool /Common/EXCHANGE2013.app/EXCHANGE2013_owa_pool7
        }
    }
}

when HTTP_RESPONSE {
    ## Keep the server-side connection pinned to this client when Negotiate/NTLM
    ## or persistent authentication is in use, so the authenticated connection
    ## is not reused for another client.
    if { ( [HTTP::header exists "WWW-Authenticate"] &&
           [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate" ) ||
         ( [HTTP::header exists "Persistent-Auth"] &&
           [string tolower [HTTP::header "Persistent-Auth"]] contains "true" ) } {
        ONECONNECT::reuse disable
        ONECONNECT::detach disable
        NTLM::disable
    }
    ## Re-chunk chunked responses so the payload stays consistent after modification.
    if { [HTTP::header exists "Transfer-Encoding"] } {
        HTTP::payload rechunk
    }
}
Comment made 20-Dec-2016 by nathan 7337

Do you need to use the command ASM::enable too? Anyway, see Bypassing the BIG-IP ASM (11.4.0 and later) as it gives an example of how to use a local traffic policy to disable ASM. See if this is an option if the iRule isn't working.

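A local traffic policy of the kind the linked article describes, written here in bigip.conf/tmsh notation as an added example that is not from this thread or from F5's own documentation; the policy and rule names, the ASM policy name /Common/exchange_asm_policy and the 192.0.2.x addresses are placeholders, and the exact syntax should be checked against the version in use.

```tmsh
# Added example, not from the thread. All names and addresses are placeholders.
ltm policy /Common/exchange_asm_bypass {
    controls { asm }
    requires { http }
    strategy first-match
    rules {
        bypass_meeting_room_devices {
            ordinal 1
            # Match on the client's TCP source address; the meeting-room
            # devices (the OP's Evoko_Group) would be listed here.
            conditions {
                0 { tcp address matches values { 192.0.2.10/32 192.0.2.11/32 } }
            }
            # Matching clients get no ASM processing at all: no TS cookie,
            # no injected JavaScript, no policy enforcement.
            actions {
                0 { asm disable }
            }
        }
        enforce_everyone_else {
            ordinal 2
            # No conditions, so every other client is sent through the ASM policy.
            actions {
                0 { asm enable policy /Common/exchange_asm_policy }
            }
        }
    }
}
```

The policy is then attached to the virtual server in place of the automatically generated one that attaching the ASM policy directly creates, so that only the first-match rule above decides per client whether ASM runs.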

Replies to this Discussion


To me "var l7dos" would indicate the DoS profiles and not the ASM policy as the issue.

Comments on this Reply
Comment made 19-Dec-2016 by waleed osama 117

But the thing is, I don't have any DoS profiles enabled on the VS!
