Forum Discussion

Peter_L_71637
May 07, 2014

APM ActiveSync - Block or Allow DeviceID

Hello,

I'm setting up an F5 APM with ActiveSync. ActiveSync is working fine, but to add some extra security I want to allow devices by their DeviceID. I followed the document "Enhancing Exchange Mobile Device Security with the F5 BIG-IP Platform", section "Device Validation Method 1 - Organization Device Pool".

Step 1: Create a Data Group List (devices) that includes all relevant device IDs.

Step 2: F5 iRule:

    when HTTP_REQUEST {
        # Apply DeviceID restriction to all ActiveSync directory traffic
        if {[HTTP::path] == "/Microsoft-Server-Activesync"} {
            # Determine whether connection is Base64 encoded (Windows Phone) and if necessary begin decoding process
            set string_b64encoded [HTTP::query]
            if {[catch {b64decode $string_b64encoded} string_b64decoded] == 0 and $string_b64decoded ne ""} {
                log local0.info "Successful login with deviceID: "
                # byte 4 of the decoded query is the DeviceID length, the ID bytes start at offset 5
                binary scan $string_b64decoded x4H2 IDlenHEX
                scan $IDlenHEX %x IDlenDEC
                # [expr ...], not {expr ...}: braces would store the literal text instead of the product
                set IDlen [expr {$IDlenDEC * 2}]
                binary scan $string_b64decoded x5H$IDlen HEXdeviceID
                set string_sentid [string toupper $HEXdeviceID]
            } else {
                set string_sentid [string toupper [URI::query [HTTP::uri]]]
            }

            log local0.info "String b64decoded = $string_b64decoded"

            # compare deviceID presented in HTTP::query with BigIP Data Group List - 'devices'
            if {[matchclass $string_sentid contains devices]} {
                log local0.info "Successful login with deviceID: $string_sentid"
            } else {
                log local0.info "Failed login with deviceID: $string_sentid"
                # nothing here rejects or responds, so the request is still forwarded
            }
        }
    }

Step 3: Add the iRule to the virtual server.

No matter what ID I add to the data group, it is not working. Every device can access ActiveSync. Can anyone help me with this?

3 Replies

  • What log messages are you actually seeing?

    I've added some logging below:

    when HTTP_REQUEST {
        # Apply DeviceID restriction to all ActiveSync directory traffic
        if {[HTTP::path] == "/Microsoft-Server-Activesync"} {
            log local0. "Activesync URI = [HTTP::uri]"
            # Determine whether connection is Base64 encoded (Windows Phone) and if necessary begin decoding process
            set string_b64encoded [HTTP::query]
            if { [catch { b64decode $string_b64encoded } string_b64decoded] == 0 and $string_b64decoded ne "" } {
                log local0.info "Successful login with deviceID"
                log local0.info "String b64decoded = $string_b64decoded"
                # byte 4 of the decoded query is the DeviceID length, the ID bytes start at offset 5
                binary scan $string_b64decoded x4H2 IDlenHEX
                scan $IDlenHEX %x IDlenDEC
                # [expr ...], not {expr ...}: braces would store the literal text instead of the product
                set IDlen [expr { $IDlenDEC * 2 }]
                binary scan $string_b64decoded x5H$IDlen HEXdeviceID
                set string_sentid [string toupper $HEXdeviceID]
            } else {
                set string_sentid [string toupper [URI::query [HTTP::uri]]]
            }

            if { [class match $string_sentid contains devices] } {
                log local0.info "Successful login with deviceID: $string_sentid"
            } else {
                log local0.info "Failed login with deviceID: $string_sentid"
                # still no reject or HTTP::respond here, so a failed match is only logged
            }
        }
    }
    
  • Hello TJ, we decided not to implement this in our F5 APM. We moved this function to our Mobile Device Manager. Sorry, I cannot help you with this problem. Greetings, Peter
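An enforcing version of the iRule from the original post and the second reply, added here as an example (it is not the poster's code and not taken from the F5 guide). It assumes a string data group named `devices` whose keys are the allowed DeviceIds in upper case; the 403 response on a failed match, the case-insensitive path check and the lookup of the `DeviceId` query parameter by name are additions, and the base64 layout (length byte at offset 4, ID bytes from offset 5) follows the thread's own parsing.

```tcl
# Added example, not the poster's or F5's code. Assumes a string data group
# "devices" with the allowed DeviceIds (upper case) as keys.
when HTTP_REQUEST {
    # Tcl "==" compares strings case-sensitively; compare lower-cased so a
    # differently cased virtual directory name cannot silently skip the check.
    if { [string tolower [HTTP::path]] ne "/microsoft-server-activesync" } {
        return
    }
    set devid ""
    set query [HTTP::query]
    # Base64 query form (used by some clients such as Windows Phone):
    # byte 4 holds the DeviceId length, the DeviceId bytes start at offset 5.
    if { [catch { b64decode $query } decoded] == 0 && $decoded ne "" } {
        if { [binary scan $decoded x4c idlen] == 1 } {
            # "c" is signed on Tcl 8.4, mask to an unsigned byte
            set idlen [expr { $idlen & 0xff }]
            binary scan $decoded x5H[expr { $idlen * 2 }] devid
        }
    } else {
        # Plain query form: ...&DeviceId=ABC123&DeviceType=...
        # Read the single parameter instead of substring-matching the whole query.
        set devid [URI::query [HTTP::uri] DeviceId]
    }
    set devid [string toupper $devid]
    if { $devid ne "" && [class match -- $devid equals devices] } {
        log local0.info "ActiveSync allowed DeviceId=$devid client=[IP::client_addr]"
        return
    }
    # Enforcement step: without a response or reject here the iRule only logs
    # and every device is forwarded to Exchange, which is what the thread describes.
    log local0.warn "ActiveSync blocked DeviceId='$devid' client=[IP::client_addr] uri=[HTTP::uri]"
    HTTP::respond 403 content "Device not authorized" "Content-Type" "text/plain"
}
```

Log both branches while testing so the allowed and blocked DeviceIds can be compared with the data group keys before relying on the block.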