Forum Discussion

Martin_Vlasko's avatar
Martin_Vlasko
Icon for Altocumulus rankAltocumulus
Mar 31, 2017

Allow file upload, deny file download, start ASM from APM

Hi,

 

I plan to present a SharePoint page to remote users via Portal Access. Remote users, authenticated on APM, should be able to upload documents to this SharePoint page. They should NOT be able to download anything from this SharePoint back to their PCs while connected remotely.

 

The same users must be able to download these files from SahrePoint page once they are physically inside the same LAN. In this case no F5 is involved, the connection between PC and SharePoint is direct.

 

I assume this cannot be achieved directly in the SharePoint because from SharePoint perspective, these users need to have both read and write access. SharePoint does not know when the users comes from LAN and when from Internet (APM remote access).

 

But from F5 perspective, users should be able to ONLY upload files.

 

Could you suggest any way how restrict file download on the F5? If I need ASM for this task, is it possible to "call" ASM only when the user hits particular APM branch? Or is the ASM policy applied to every single connection for particular virtual server, ignoring the APM policy?

 

Thanks in advance for any help ;)

 

Martin

 

application delivery
ASM Advanced WAF
file download
iRules
security
sharepoint

2 Replies

Sort By
  • Amine_Kadimi's avatar
    Amine_Kadimi
    Icon for MVP rankMVP
    Mar 31, 2017

    If you know which exact uri is used for the file downloads (something like /_layouts/download.aspx?***) you can restrict access to this URI through an irule similar to this one

    when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] starts_with "/_layouts/download.aspx" } {
        HTTP::respond 403 content {403 Unauthorized Access}
    }
}
  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Mar 31, 2017

    Hi,

     

    A download does not contain download keyword but is a direct link to the file ending with doc, docx, ppt, ...

     

    If you want to block downloads of any documents except aspx, gif, png,css (web content), define explicit file type list without file types the user won't be autorized to download.