iRule to bypass Access Profile

Hi,
Need some help as this is getting beyond my knowledge....

We use the APM module to authenticate external users using Outlook Web Access.
We have a VIP with an access profile, and the following iRule. We needed the iRule because users authenticate from different domains.


when ACCESS_ACL_ALLOWED {
    # Domain chosen at logon, stored by the access policy in session.dc
    set domain [ACCESS::session data get "session.dc"]
    log local0.alert "$domain"
    # Select the SSO profile that matches the user's domain
    if { $domain == "au" } {
        WEBSSO::select CAS-SSO-NTLM-AU
        #log local0.alert "CAS-AU"
    } elseif { $domain == "CORP" } {
        WEBSSO::select CAS-SSO-NTLM
        #log local0.alert "CAS-CORP"
    } elseif { $domain == "IE" } {
        WEBSSO::select CAS-SSO-NTLM-IE
    } elseif { $domain == "NZ" } {
        WEBSSO::select CAS-SSO-NTLM-NZ
    }
}

So that iRule picks up the domain name that we set in a session variable, and assigns the correct SSO profile. That all works well for OWA.

However, when a user takes their laptop home, they should be able to open Outlook 2007 and have it connect over the Internet to a CAS server. This happens because Outlook detects that it is 'on the internet' and tries to connect to an external URL such as www.our-emails.com.

The issue is that www.our-emails.com uses the same VIP that OWA uses, so the same access policy and iRule apply to users using Outlook 2007 from home. So the iRule does not match anything and they do not connect.

Is it possible to create another iRule or add to the existing iRule so that users using Outlook 2007 from home bypass the Access Profile?

Answers to this Question

Looking in the VPE of APM, I added a 'client for Microsoft exchange' field at the start and put that to 'allow'; however, it seems SSO doesn't work with that, as I get 'Could not find SSO username'.

I'm a newbie to F5 but I've been doing a lot of research and maybe this will help. Try looking at the incoming URI and base your logic flow on that.

https://devcentral.f5.com/wiki/iRules.WEBSSO__select.ashx

Another possibility is to use the iRule for this article: Big-IP and ADFS Part 3 – “ADFS, APM, and the Office 365 Thick Clients”


You can also bypass APM altogether. In the example below, you would change your if statement, probably to use source IP address.

when HTTP_REQUEST {
    if { ([HTTP::header User-Agent] contains "X") or ([HTTP::header User-Agent] contains "XY") or ([HTTP::header User-Agent] contains "XYZ") } {
        ACCESS::disable
        return
    }
}

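The bypass from the last answer, narrowed to a single client path, as an added example that is not from the thread or from F5. User-Agent is a client-supplied header, so a match on it alone lets any client that sends that string skip the access policy for every URI on the VIP, OWA included. The path /rpc/rpcproxy.dll and the MSRPC User-Agent prefix are assumptions about how Outlook 2007 reaches the CAS over the Internet; confirm both against your own request logs before using them.

```tcl
when HTTP_REQUEST {
    # Assumed values (not from the thread): Outlook Anywhere requests go to
    # /rpc/rpcproxy.dll and send a User-Agent that starts with "MSRPC".
    set path [string tolower [HTTP::path]]
    set ua   [HTTP::header value "User-Agent"]

    # Require BOTH the path and the User-Agent. The path check is what keeps
    # the bypass narrow: a spoofed User-Agent on /owa still hits the policy.
    if { ($path starts_with "/rpc/rpcproxy.dll") and ($ua starts_with "MSRPC") } {
        # Record every bypass so unexpected sources show up in /var/log/ltm.
        log local0.info "APM bypass for [IP::client_addr] path=$path"

        # APM is skipped for this request only. No session exists, so
        # ACCESS_ACL_ALLOWED and WEBSSO::select never run; the CAS server
        # itself must require authentication on this path.
        ACCESS::disable
        return
    }

    # Every other request (OWA and anything unrecognised) falls through
    # to the access profile attached to the virtual server.
}
```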