
Trying to mimic the webmail private and public computer settings using an iRule

Found this article online:


However, it seems to only work with Basic forms and I am using an NTLM format. Basically I can set up the radio buttons for the users to select if they are either at a public or private PC. From there I need to change the timeout settings from 8 hours (private) to 15 minutes (public).

Is there a way to do this with an iRule or with APM, by changing the APM timeout session based on the selection?

Comments on this Question
Comment made 04-Jan-2016 by Rosieodonell 368
By default it is set to 8 hours for more information.

Answers to this Question


If you're not using forms in OWA, you have to access those options by inserting some special headers. This is the same thing that Forefront/TMG/whatever does when it does Forms Auth --> HTTP Auth. Like you're doing with APM.

Two headers "X-Experience" and "X-LogonType" control it:

X-Experience can be "premium" or "light". X-LogonType can be "public" or "private".

To append the headers, you'd set a custom (whatever you want) session variable during Access Policy execution, then you can use something like this on the APM vs:

  # Runs on the APM virtual server once the session has passed the access policy
  when ACCESS_ACL_ALLOWED {
    if { [ACCESS::session data get "session.somecustomvariableyoucansetintheaccesspolicy"] contains "somevalueyousetforlightmode" } {
      HTTP::header replace "X-Experience" "light"
    } else {
      HTTP::header replace "X-Experience" "premium"
    }
  }

Comments on this Answer
Comment made 05-Jan-2016 by Kai Wilke 7293
Hi Lucas, the outlined code to mimic the "X-Experience" functionality of Forefront TMGs is not complete/correct. The valid "X-Experience" header values are "Premium" or "Basic". In addition, a Forefront TMG changes the User-Agent header value to a non-MSIE browser if Light-Mode is selected. The Public/Private-Mode setting of Forefront TMGs has, besides the "X-LogonType" headers, some additional server-side (aka TMG) and also client-side (aka browser) functionality. Basically it enables two independent TMG-Login-Cookie profiles to control the Max-Session-Lifetime/Max-Session-Timeout and also enables persistent cookies for the private mode (e.g. required for SharePoint Browser/Office SSO scenarios). In addition, the Private-Mode stores the last-entered username string into a client-side generated cookie to autofill the username for subsequent logons. Cheers, Kai

Hi Rosieodonell,

your provided link outlines the required APM-Forms customizations to include Public/Private-Mode radio buttons and a Light-Mode checkbox, and then continues to outline a Forms-based SSO-Object to relay the collected Public/Private/Light-Mode selections to an OWA-Forms-Login site.

So if you're aiming for Kerberos/NTLM/Basic credential delegation (as performed by Forefront TMG), you don't need to relay the collected Public/Private/Light-Mode selections to your OWA. Just insert the X-Experience and X-LogonType headers in transit (as shown by Lucas) and change the User-Agent as needed. In addition you may want to implement a mechanism in VPE to validate the collected Public/Private-Mode selection and then overwrite the predefined session variables "Inactivity Timeout" and "Maximum Session Timeout" using an additional "Variable Assign" action. To selectively enable/disable cookie persistence for Private/Public Mode you may want to use an HTTP_RESPONSE_RELEASE iRule to add cookie expires values to the MRHSession and LastMRH_Session cookies.

Cheers, Kai
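
A sketch of the validate-then-set-timeout step described in this answer, added here as an example and not code from the thread. It uses an "iRule Event" agent in VPE in place of the "Variable Assign" action the answer suggests. Assumptions: the logon page radio button posts a field named "logontype", the agent ID is "set_logon_mode", session.custom.logon_mode is a hypothetical custom variable, and session.inactivity_timeout is the variable behind the "Inactivity Timeout" setting.

```tcl
# Added example, not from the thread. The field name "logontype", the agent
# ID "set_logon_mode" and session.custom.logon_mode are hypothetical names.
when ACCESS_POLICY_AGENT_EVENT {
    # Only act for the iRule Event agent placed after the logon page in VPE.
    if { [ACCESS::policy agent_id] eq "set_logon_mode" } {
        # The radio-button value is client-supplied: accept only an exact
        # "private"; anything else (missing, misspelled, tampered) is
        # treated as public and gets the short timeout.
        if { [ACCESS::session data get "session.logon.last.logontype"] eq "private" } {
            ACCESS::session data set "session.custom.logon_mode" "private"
            ACCESS::session data set "session.inactivity_timeout" 28800 ;# 8 hours
        } else {
            ACCESS::session data set "session.custom.logon_mode" "public"
            ACCESS::session data set "session.inactivity_timeout" 900 ;# 15 minutes
        }
    }
}

when ACCESS_ACL_ALLOWED {
    # Drop every X-LogonType header the client may have sent itself, then
    # insert the validated value so OWA only ever sees the policy's decision.
    HTTP::header remove "X-LogonType"
    HTTP::header insert "X-LogonType" [ACCESS::session data get "session.custom.logon_mode"]
}
```

Check the result on a test session by reading session.inactivity_timeout and session.custom.logon_mode in the session variables report for both a public and a private logon.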

Comments on this Answer
Comment made 1 month ago by Rick 53

Is it possible, if OWA authentication is done via SAML, to differentiate public / private, since the APM logon page won't be in the VPE for SAML auth?