Forum Discussion

Davey7_252193
Mar 01, 2016

F5 filter for Exchange

Hello, I'm a MS Exchange admin, and I don't have much knowledge about F5.

Let me try to describe my problem. We have 2 Client Access servers behind the F5 BigIP. A couple of weeks ago we started to get millions of hits for one mailbox. The regular IIS log file size was 80MB; now it is over 1GB. This mailbox is not in use, and I have already tried everything in Exchange to disable access to it, but we still get POST /autodiscover/autodiscover.xml. Unfortunately this is a Mac OS machine, and every time the hits are going for a common mailbox where multiple users have access. We were not able to identify the owner, or who uses this mailbox. Configuring advanced logging, we have identified the IP address, but it is a public external IP address.

My question is, is there a way to limit the number of requests we get by cs-username? If we filter the IP address, that works for a week or two, but when the IP changes the hits are back.

I don't really know how to address this issue.

Thank you very much in advance.

2 Replies

  • Josiah_39459
    Historic F5 Account

    Definitely. Just add an Empty box to the VPE and add a Branch Rule to it. In the Branch Rule, check the session variable (username) that you don't want. Then send that branch to the reject ending.

  • Hi Davey,

    In case you don't use APM to pre-authenticate your users (or you don't want to change the VPE sequence), you may try the iRule below. The iRule parses the username on the wire and sends a 502 response if the given username is found. The provided iRule is able to inspect the Basic, NTLM and NEGOTIATE-NTLMSSP authentication schemes...

    when RULE_INIT {
        # Lowercase patterns to block. Basic sends "domain\username" in the user
        # part. NTLM carries domain and username as adjacent UTF-16LE fields, so
        # once the NUL bytes are stripped they read as "domainusername".
        set static::username_basic "domain\\username"
        set static::username_ntlm "domainusername"
    }
    
    when HTTP_REQUEST {
        if { [string tolower [HTTP::uri]] equals "/autodiscover/autodiscover.xml" } then {
            if { [set temp(auth_header) [string tolower [HTTP::header value Authorization]]] starts_with "basic" } then {
                # Basic: HTTP::username already returns the decoded user part of the credentials
                if { [string tolower [HTTP::username]] contains $static::username_basic } then {
                    HTTP::respond 502 content "Invalid Mailbox"
                }
            } elseif { $temp(auth_header) starts_with "ntlm" } then {
                # NTLM: base64-decode the token after "NTLM " and drop the NUL bytes of the UTF-16LE names
                if { [string tolower [string map [list [binary format H* 00] ""] [b64decode [string range [HTTP::header value Authorization] 5 end]]]] contains $static::username_ntlm } then {
                    HTTP::respond 502 content "Invalid Mailbox"
                }
            } elseif { $temp(auth_header) starts_with "negotiate" } then {
                # Negotiate: decode the token after "Negotiate " and only inspect it if it is NTLMSSP
                if { [set temp(auth_header) [string tolower [b64decode [string range [HTTP::header value Authorization] 10 end]]]] starts_with "ntlmssp" } then {
                    if { [string tolower [string map [list [binary format H* 00] ""] $temp(auth_header)]] contains $static::username_ntlm } then {
                        HTTP::respond 502 content "Invalid Mailbox"
                    }
                } else {
                    # You can't inspect Kerberos Session Tickets. But it's very unlikely that the client provides one... ;-)
                }
            }
        }
    }
    

    Note: You have to change the $static:: variables to match the username. The format of the username has to match the outlined patterns and must be lowercase.

    Cheers, Kai
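To make visible what the iRule above is actually matching on, here is an added Python example (not Kai's code and not anything from F5) that decodes the same three Authorization schemes and reads the domain and user out of the NTLMSSP type 3 security buffers instead of searching the NUL-stripped blob. The blocked identity contoso\sharedmbx and the build_ntlm_type3 helper are constructed for offline testing.

```python
import base64
import struct

BLOCKED = ("contoso", "sharedmbx")      # constructed, hypothetical blocked identity (lowercase)
NEGOTIATE_UNICODE = 0x00000001          # NTLMSSP flag: names are UTF-16LE

def ntlm_type3_identity(msg: bytes):
    """(domain, user) from an NTLMSSP AUTHENTICATE (type 3) message, else None."""
    if len(msg) < 64 or msg[:8] != b"NTLMSSP\x00":
        return None                      # not NTLMSSP, e.g. a Kerberos token under Negotiate
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        return None                      # type 1/2 messages carry no user name
    enc = "utf-16-le" if struct.unpack_from("<I", msg, 60)[0] & NEGOTIATE_UNICODE else "latin-1"

    def field(pos):                      # security buffer = len, maxlen, offset
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
        return msg[offset:offset + length].decode(enc, errors="replace")

    return field(28), field(36)          # domain-name buffer, user-name buffer

def identity_from_authorization(header: str):
    """Map an Authorization header to (domain, user), as the iRule does."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() == "basic":        # "DOMAIN\user:password", base64-encoded
        user = base64.b64decode(token).decode("utf-8", "replace").split(":", 1)[0]
        domain, sep, name = user.partition("\\")
        return (domain, name) if sep else ("", user)
    if scheme.lower() in ("ntlm", "negotiate"):
        return ntlm_type3_identity(base64.b64decode(token))
    return None

def should_reject(header: str) -> bool:
    """True when the request authenticates as the blocked mailbox identity."""
    ident = identity_from_authorization(header)
    return ident is not None and tuple(s.lower() for s in ident) == BLOCKED

def header(scheme: str, raw: bytes) -> str:
    """Build 'Scheme base64(raw)' for a constructed request."""
    return scheme + " " + base64.b64encode(raw).decode()

def build_ntlm_type3(domain: str, user: str) -> bytes:
    """Constructed type 3 message with empty LM/NT responses, for offline tests."""
    blobs = [b"", b"", domain.encode("utf-16-le"), user.encode("utf-16-le"), "MAC".encode("utf-16-le")]
    bufs, off = [], 64                   # payload starts right after the 64-byte header
    for b in blobs:                      # LM resp, NT resp, domain, user, workstation
        bufs.append(struct.pack("<HHI", len(b), len(b), off))
        off += len(b)
    bufs.append(struct.pack("<HHI", 0, 0, off))   # empty session-key buffer
    return (b"NTLMSSP\x00" + struct.pack("<I", 3) + b"".join(bufs)
            + struct.pack("<I", NEGOTIATE_UNICODE) + b"".join(blobs))
```

Reading the fixed-offset buffers means a username that happens to be a substring of the workstation name or of another field cannot trigger a false match, which the substring search in the iRule would allow.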