Restrict Access to ActiveSync to one IP when using Exchange 2013 iapp in combined mode

I am trying to find a way to restrict access to Active Sync services to only the IP of our MDM server. We are using the Exchange 2013 iApp template, which is configured in combined services mode where all services share the same name/IP. Any guidance would be greatly appreciated.

The current iRule applied to the VS is:

    # Exchange 2013 iRule to select pool without persistence when all Exchange
    # HTTP-based services are accessed through the same virtual server.
    when HTTP_REQUEST {
        switch -glob -- [string tolower [HTTP::path]] {
            "/microsoft-server-activesync*" {
                TCP::idletime 1800
                pool /Common/LVCASARRAY.app/LVCASARRAY_as_pool7
                CACHE::disable
                return
            }
        }
    }

Would something like this work:

    when HTTP_REQUEST {
        if { [string tolower [HTTP::path]] eq "/microsoft-server-activesync" and !([IP::client_addr] eq "x.x.x.x") } {
            drop
        }
        TCP::idletime 1800
        pool /Common/LVCASARRAY.app/LVCASARRAY_as_pool7
        CACHE::disable
        return
    }

Thanks in Advance


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

You can try this:

    when HTTP_REQUEST {
        set path [string tolower [HTTP::path]]
        if { $path starts_with "/microsoft-server-activesync" && !([IP::addr [IP::client_addr] equals 10.1.1.1/32]) } {
            drop
        } elseif { $path starts_with "/microsoft-server-activesync" } {
            TCP::idletime 1800
            pool /Common/LVCASARRAY.app/LVCASARRAY_as_pool7
            CACHE::disable
            return
        }
    }
Comments on this Answer
Comment made 1 month ago by youssef 2392

You can also use a Data Group if you have multiple IPs to whitelist:

    [class match [IP::client_addr] equals my_ip_dg]

    when HTTP_REQUEST {
        set path [string tolower [HTTP::path]]
        if { $path starts_with "/microsoft-server-activesync" && !([class match [IP::client_addr] equals my_ip_dg]) } {
            drop
        } elseif { $path starts_with "/microsoft-server-activesync" } {
            TCP::idletime 1800
            pool /Common/LVCASARRAY.app/LVCASARRAY_as_pool7
            CACHE::disable
            return
        }
    }
Comment made 1 month ago by JT 1

Thank you youssef, I will give that a try and let you know. I like the Data Group idea.

Comment made 1 month ago by JT 1

Youssef, reading through the logic, would this iRule drop everything in the DataGroup, or only allow items in the DataGroup access and drop everything else?

After the match statement on the DG the action appears to be drop?

Am I reading that wrong? Thanks

Comment made 1 month ago by youssef 2392

This iRule allows items in the DataGroup to access the AS service.

If a user or a server tries to access "/microsoft-server-activesync" and it is not in the DG, it will be dropped.

Else, if a user or a server tries to access "/microsoft-server-activesync", it will be allowed access.

I decided to build the iRule like this because you can use the same VS for all your services (OA, OWA, ...).

So if a user tries to access OWA he will not match the condition in my iRule...

Hope it's clear. Keep me updated.

Regards

Comment made 1 month ago by youssef 2392

Hi,

Can you give me an update on this subject? Do you still need help?

Comment made 1 month ago by JT 1

Hi youssef, We are planning to test the irule this week. I will post an update and let you know if everything worked as planned. Thanks for your help!

Comment made 1 month ago by JT 1

youssef, We applied the following rule:

    when HTTP_REQUEST {
        switch -glob -- [string tolower [HTTP::path]] {
            {"/microsoft-server-activesync" && !([class match [IP::client_addr] equals ActiveSync_Allowed_DG])} {
                drop
            }
            "/microsoft-server-activesync" {
                TCP::idletime 1800
                pool /Common/LVCASARRAY.app/LVCASARRAY_as_pool7
                CACHE::disable
                return
            }
        }
    }

The result was that all clients were still being allowed to create ActiveSync connections even though our DataGroup only has 1 IP, the MDM. Not sure why the block is not taking effect.

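As an added example (not code from this thread or from the F5 iApp), here is the data group check placed inside the iApp's own switch structure, which is what the last comment attempts; it assumes an address-type data group named ActiveSync_Allowed_DG and the pool name used in the thread. A switch pattern is a plain glob string, so a Tcl expression written in the pattern position is compared literally and never evaluated; the IP test has to sit inside the case body.

```tcl
# Added example, not from the thread or the Exchange 2013 iApp.
# Assumes: an address-type data group ActiveSync_Allowed_DG holding the
# MDM address(es), and the ActiveSync pool name used in the thread.
when HTTP_REQUEST {
    switch -glob -- [string tolower [HTTP::path]] {
        "/microsoft-server-activesync*" {
            # The allowlist check lives in the case body, not in the pattern:
            # a pattern such as {"/path" && !([class match ...])} is just a
            # string that no request path will ever equal.
            if { ![class match [IP::client_addr] equals ActiveSync_Allowed_DG] } {
                # Record the denied source so blocked attempts are visible in /var/log/ltm.
                log local0. "ActiveSync denied: [IP::client_addr] requested [HTTP::path]"
                drop
                return
            }
            TCP::idletime 1800
            pool /Common/LVCASARRAY.app/LVCASARRAY_as_pool7
            CACHE::disable
            return
        }
    }
}
```

The remaining iApp service cases (OWA, OA, EWS, ...) go back into the same switch unchanged. If the MDM reaches the virtual server through a SNAT or another proxy, [IP::client_addr] is that intermediate address, so the data group must list what the BIG-IP actually sees as the source.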