
Trying to mimic the webmail private and public computer settings using an irule

Found this article online:

https://devcentral.f5.com/articles/add-outlook-web-access-login-options-to-the-apm-logon-page

However it seems to only work with Basic forms and I am using an NTLM format. Basically I can set up the radio buttons for the users to select if they are either at a public or private PC. From there I need to change the timeout settings from 8 hours (private) to 15 minutes (public).

Is there a way to do this with an iRule or with APM, by changing the APM timeout session based on the selection?

Comments on this Question
Comment made 04-Jan-2016 by Rosieodonell 368
By default it is set to 8 hours for more information.

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

If you're not using forms in OWA, you have to access those options by inserting some special headers. This is the same thing that Forefront/TMG/whatever does when it does Forms Auth --> HTTP Auth. Like you're doing with APM.

Two headers "X-Experience" and "X-LogonType" control it:

X-Experience can be "premium" or "light". X-LogonType can be "public" or "private".

To append the headers, you'd set a custom (whatever you want) session variable during Access Policy execution, then you can use something like this on the APM vs:

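when ACCESS_ACL_ALLOWED {
  # Read the custom session variable set during Access Policy execution
  if { [ACCESS::session data get "session.somecustomvariableyoucansetintheaccesspolicy"] contains "somevalueyousetforlightmode" } {
    # Light mode was selected on the logon page
    HTTP::header replace "X-Experience" "light"
  } else {
    # Any other value falls back to the premium experience
    HTTP::header replace "X-Experience" "premium"
  }
}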
Comments on this Answer
Comment made 05-Jan-2016 by Kai Wilke 7293
Hi Lucas, the outlined code to mimic the "X-Experience" functionality of Forefront TMGs is not complete/correct. The valid "X-Experience" header values are "Premium" or "Basic". In addition, a Forefront TMG changes the User-Agent header value to a non-MSIE browser if Light-Mode is selected. The Public/Private-Mode setting of Forefront TMGs has, besides the "X-LogonType" headers, some additional server-side (aka TMG) and also client-side (aka browser) functionality. Basically it enables two independent TMG-Login-Cookie profiles to control the Max-Session-Lifetime/Max-Session-Timeout and also enables persistent cookies for the private mode (e.g. required for SharePoint Browser/Office SSO scenarios). In addition, the Private-Mode stores the last-entered username string in a client-side generated cookie to autofill the username for subsequent logons. Cheers, Kai
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Rosieodonell,

your provided link outlines the required APM-Forms customizations to include Public/Private-Mode radio buttons and a Light-Mode checkbox, and then continues to outline a Forms-based SSO-Object to relay the collected Public/Private/Light-Mode selections to an OWA-Forms-Login site.

So if you're aiming for Kerberos/NTLM/Basic credential delegation (as performed by Forefront TMG), you don't need to relay the collected Public/Private/Light-Mode selections to your OWA. Just insert the X-Experience and X-LogonType headers in transit (as shown by Lucas) and change the User-Agent as needed. In addition you may want to implement a mechanism in VPE to validate the collected Public/Private-Mode selection and then overwrite the predefined session variables "Inactivity Timeout" and "Maximum Session Timeout" using an additional "Variable Assign" action. To selectively enable/disable cookie persistence for Private/Public Mode you may want to use an HTTP_RESPONSE_RELEASE iRule to add cookie expires values to the MRHSession and LastMRH_Session cookies.

Cheers, Kai
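
The header relay and timeout override discussed in this thread, as an added example that is not part of any poster's answer. The session variable session.custom.owa.logontype and the logon-form field name logontype are assumptions, and the 28800 and 900 second values are the 8 hours and 15 minutes from the question, assumed here to mean the inactivity timeout.

```tcl
# Added example; not code from the thread.
#
# Assumed VPE "Variable Assign" entries, placed after the Logon Page action.
# "logontype" is a hypothetical name for the public/private radio-button field.
# Anything other than an exact "private" is treated as public, so a missing
# or tampered value gets the short timeout.
#
#   session.custom.owa.logontype =
#     expr { [mcget {session.logon.last.logontype}] eq "private" ? "private" : "public" }
#   session.inactivity_timeout =
#     expr { [mcget {session.logon.last.logontype}] eq "private" ? 28800 : 900 }
#
# session.max_session_timeout can be assigned the same way with your own values.

when ACCESS_ACL_ALLOWED {
    # Re-check the stored value instead of trusting it blindly.
    set logon_type [ACCESS::session data get "session.custom.owa.logontype"]
    if { $logon_type ne "private" } {
        set logon_type "public"
    }

    # Drop every client-supplied copy first so the browser cannot choose
    # its own mode, then insert the value decided by the access policy.
    HTTP::header remove "X-LogonType"
    HTTP::header insert "X-LogonType" $logon_type
}
```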

Comments on this Answer
Comment made 1 month ago by Rick 53

Is it possible if OWA authentication is done via SAML? To differentiate public / private, since the APM logon page won't be in the VPE for SAML auth.
