Forum Discussion

JoeTheFifth
Oct 22, 2018

APM/MsOFFICE: ACCESS::disable after decision box

I have a VS with an APM policy. Policy starts with a decision box.

OptionA => Domain users (multiple forests).

OptionB => External user.

Authentication for option B is in internal domains. Authentication for OptionB is a non-Microsoft LDAP.

When the user chooses OptionA I set a cookie, and after the access policy allowed event the browser picks up the cookie and ACCESS::disable works fine on subsequent requests. Browsers tested: IE/Firefox/Chrome. Now the fun starts when it's an Office client request. The request is redirected to the APM policy decision box. The user picks OptionA. The cookie is set. Access is allowed, but the next Office client request (Excel or Word) persists in using the APM session. The request gets a "WWW-Authenticate NTLM" reply from the server but does not reply with the Authorization header. I tried ACCESS::session remove but no luck. The goal here is to not use APM at all when a user chooses OptionA.

3 Replies

  • Still fighting with the ACCESS::disable after a decision box choice for Office clients. I delete the MRHSession cookie but it keeps popping up in the requests.

  • iRule is here: formatting is a bit off for now.

    when CLIENT_ACCEPTED {
        # Random id used to correlate the log lines of one TCP connection
        set client_id [format %09d [expr int(rand() * 1e9)]]
        log local0. "--------------------------------- CLIENT_ACCEPTED ---------------- $client_id ------------------------------ [ACCESS::session sid]"
        # office: 1 when the User-Agent looks like an Office/WebDAV client
        set office 0
        # connectiontype: 3 = no decision yet, 0 = decision box result for the domain-user branch
        set connectiontype 3
    }

    when HTTP_REQUEST {
        log local0. "--------------------------------- REQUEST ---------------- $client_id ------------------------------ [ACCESS::session sid]"
        set request "http://[HTTP::host][HTTP::uri]"
        log local0. "requesteduri: [HTTP::uri]"
        foreach aHeader [HTTP::header names] {
            log local0. "Header $aHeader [HTTP::header value $aHeader]"
        }
        foreach cookie [HTTP::cookie names] {
            log local0. "Cookie $cookie [HTTP::cookie value $cookie]"
        }
        # Flag Office / WebDAV clients by User-Agent (case-insensitive glob match)
        switch -glob [string tolower [HTTP::header "User-Agent"]] {
            "*webdav-miniredir*" -
            "*word*" -
            "*excel*" -
            "*office upload*" -
            "*office existence discovery*" -
            "*office protocol discovery*" -
            "*soap toolkit*" -
            "*ms-office*" -
            "*microsoft office onenote*" -
            "*frontpage*" -
            "*msfrontpage*" -
            "*shareplus*" {
                set office 1
            }
        }
        # Office Web Apps (exact UA "mswac") or a request carrying the Trusted cookie bypasses APM
        if { [string tolower [HTTP::header "User-Agent"]] eq "mswac" or [HTTP::cookie "Trusted"] eq 1 } {
            log local0. "We have an office Web Apps Call or a Trusted cookie"
            switch -glob [string tolower [HTTP::uri]] {
                "*reauthpage*" {
                    log local0. "reauthpage here"
                    HTTP::redirect https://[HTTP::host]/_layouts/15/error.aspx
                }
            }
            ACCESS::disable
            log local0. "APM disabled"
        } else {
            # "contains" is a plain substring test, so no glob wildcards here
            if { [HTTP::uri] contains "reauthpage" } {
                if { [HTTP::cookie exists "MRHSession"] } {
                    HTTP::redirect https://[HTTP::host]/_layouts/15/error.aspx
                }
            }
            if { $office eq 1 } {
                if { not [HTTP::cookie exists "MRHSession"] } {
                    # Office client with no APM session: ask it to do forms-based auth via the reauth page
                    set head1 "X-Forms_Based_Auth_Required"
                    set val1 "https://[HTTP::host]/reauthpage?ReturnUrl=/_layouts/15/error.aspx"
                    set head2 "X-Forms_Based_Auth_Return_Url"
                    set val2 "https://[HTTP::host]/_layouts/15/error.aspx"
                    HTTP::respond 403 -version "1.1" $head1 $val1 $head2 $val2
                }
            }
        }
    }

    when HTTP_RESPONSE {
        log local0. "--------------------------------- RESPONSE ---------------- $client_id ------------------------------"
        foreach aHeader [HTTP::header names] {
            log local0. "Header $aHeader [HTTP::header value $aHeader]"
        }
        foreach cookie [HTTP::cookie names] {
            log local0. "Cookie $cookie [HTTP::cookie value $cookie]"
        }
        log local0. "Response status: [HTTP::status]"
    }

    when HTTP_RESPONSE_RELEASE {
        log local0. "--------------------------------- RESPONSE_RELEASE ---------------- $client_id ------------------------------"
        foreach aHeader [HTTP::header names] {
            log local0. "Header $aHeader [HTTP::header value $aHeader]"
        }
        foreach cookie [HTTP::cookie names] {
            log local0. "Cookie $cookie [HTTP::cookie value $cookie]"
        }
        # Domain-user branch chosen: hand out the Trusted cookie and expire the APM session cookies
        if { $connectiontype eq 0 } {
            log local0. "adding Trust cookie here."
            HTTP::cookie insert name Trusted value 1 path "/"
            HTTP::cookie expires Trusted 28000 relative
            HTTP::header insert "Set-Cookie" "MRHSession=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; domain=mydomain.com;path=/"
            HTTP::header insert "Set-Cookie" "LastMRH_Session=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; domain=mydomain.com;path=/"
        }
    }

    when ACCESS_SESSION_STARTED {
        log local0. "--------------------------------- SESSION_STARTED ---------------- $client_id ------------------------------ [ACCESS::session sid]"
        if { $office eq 1 } {
            ACCESS::session data set session.custom.office 1
        }
    }

    when ACCESS_POLICY_COMPLETED {
        log local0. "--------------------------------- POLICY_COMPLETED $client_id ---------------------------------------------- [ACCESS::session sid]"
        foreach aHeader [HTTP::header names] {
            log local0. "Header $aHeader [HTTP::header value $aHeader]"
        }
        foreach cookie [HTTP::cookie names] {
            log local0. "Cookie $cookie [HTTP::cookie value $cookie]"
        }
        set connectiontype [ACCESS::session data get session.decision_box.last.result]
        log local0. "connectiontype: $connectiontype"
        # Domain-user branch: send the client back to the URI it originally asked for
        if { $connectiontype eq 0 } {
            ACCESS::respond 302 noserver Location [ACCESS::session data get session.server.landinguri]
        }
    }
  • Policy flow is here:

    The 401 response sent to the office client is generating a 401 auth popup to which the client is not responding.

    So mainly what I do is: first request of the browser with no cookie (cookie named "trusted") => enable APM and present a decision box. If AD is chosen then set the cookie and redirect the request so that the client retries, and with the cookie set APM is disabled and SSO with the current user is done. If you run Office now and you used IE for the first request you're OK => Office uses the "trusted" cookie and does work with APM disabled. If you use Firefox or Chrome the SSO does not work after APM is enabled to make the choice. I tried forcing Office to retry the request but no luck.
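The request-routing decision described in the original post and in the last reply, as an added Python model (not code from the thread or from F5): it reproduces the branch order of the iRule's HTTP_REQUEST event offline, so the Office-client case (no Trusted cookie, no MRHSession) can be checked against the browser case. The `Request` class, the host name and the cookie values are constructed for this example.

```python
from dataclasses import dataclass, field

# User-Agent markers taken from the iRule's "switch -glob" list
OFFICE_UA_MARKERS = (
    "webdav-miniredir", "word", "excel", "office upload",
    "office existence discovery", "office protocol discovery",
    "soap toolkit", "ms-office", "microsoft office onenote",
    "frontpage", "msfrontpage", "shareplus",
)
ERROR_PAGE = "/_layouts/15/error.aspx"   # landing page used by the iRule


@dataclass
class Request:                            # constructed stand-in for one HTTP request
    host: str
    uri: str
    user_agent: str
    cookies: dict = field(default_factory=dict)   # cookie name -> value


def is_office_client(user_agent: str) -> bool:
    """Mirror the iRule's case-insensitive glob match on User-Agent."""
    ua = user_agent.lower()
    return any(marker in ua for marker in OFFICE_UA_MARKERS)


def route(req: Request) -> dict:
    """Return the action the HTTP_REQUEST event takes, evaluated in iRule order."""
    ua = req.user_agent.lower()
    error_url = f"https://{req.host}{ERROR_PAGE}"
    # Branch 1: Office Web Apps (exact UA) or a Trusted cookie -> APM is bypassed
    if ua == "mswac" or req.cookies.get("Trusted") == "1":
        if "reauthpage" in req.uri.lower():
            return {"action": "redirect", "location": error_url}
        return {"action": "ACCESS::disable"}
    # Branch 2: reauth page requested while an APM session cookie is still present
    if "reauthpage" in req.uri and "MRHSession" in req.cookies:
        return {"action": "redirect", "location": error_url}
    # Branch 3: Office client with no APM session -> forms-based auth challenge
    if is_office_client(req.user_agent) and "MRHSession" not in req.cookies:
        return {"action": "respond", "status": 403, "headers": {
            "X-Forms_Based_Auth_Required":
                f"https://{req.host}/reauthpage?ReturnUrl={ERROR_PAGE}",
            "X-Forms_Based_Auth_Return_Url": error_url}}
    # Otherwise the request enters (or continues) the APM access policy
    return {"action": "access_policy"}
```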