Block Active-Sync on Virtual Server
Currently we have updated the iRule that was created via a template (probably through iApps at some point) with this code.
switch -glob -- [string tolower [HTTP::path]] {
    "/microsoft-server-activesync*" {
        drop
    }
}
This seemed to work at first but we noticed that if the user appends a "/" character to the end of the server address it lets them right in.
So "myemailserver.com" gets blocked by the iRule, but "myemailserver.com/" is allowed.
Any suggestions?
- youssef1Cumulonimbus
Hi,
Can you display your whole iRule? The code shown refers only to the following URI: /microsoft-server-activesync*.
In your post you talk about this request (in fact it's exactly the same):
and
regards.
- M451_315544Cirrus
Full iRule here.
when HTTP_REQUEST {
    # Offline Address Book and Autodiscover do not require persistence.
    switch -glob -- [string tolower [HTTP::path]] {
        "/microsoft-server-activesync*" {
            drop
        }
        "/microsoft-server-activesync*" {
            reject
        }
        "/owa*" {
            # Outlook Web Access
            if { [HTTP::header exists "APM_session"] } {
                persist uie [HTTP::header "APM_session"] 7200
            } else {
                persist source_addr 255.255.255.255 3600
            }
            pool email.REDACTED_owa_pool
            return
        }
        "/ecp*" {
            # Exchange Control Panel.
            if { [HTTP::header exists "APM_session"] } {
                persist uie [HTTP::header "APM_session"] 7200
            } else {
                persist source_addr 255.255.255.255 3600
            }
            pool email.REDACTED_owa_pool
            return
        }
        "/ews*" {
            # Exchange Web Services.
            if { [HTTP::header exists "APM_session"] } {
                persist uie [HTTP::header "APM_session"] 7200
            } else {
                persist source_addr
            }
            pool email.REDACTED_owa_pool
            COMPRESS::disable
            return
        }
        "/oab*" {
            # Offline Address Book.
            pool email.REDACTED_owa_pool
            return
        }
        "/rpc/rpcproxy.dll" {
            # Outlook Anywhere.
            if { [HTTP::header exists "APM_session"] } {
                persist uie [HTTP::header "APM_session"] 7200
            } elseif { [string tolower [HTTP::header "Authorization"]] starts_with "basic" } {
                persist uie [HTTP::header "Authorization"] 7200
            } else {
                persist source_addr
            }
            pool oa_pool_name
            COMPRESS::disable
            return
        }
        "/autodiscover*" {
            # Autodiscover.
            pool email.REDACTED_autodiscover_pool
            return
        }
        default {
            # This final section takes all traffic that has not otherwise
            # been accounted for and sends it to the pool for Outlook Web App
            if { [HTTP::header exists "APM_session"] } {
                persist uie [HTTP::header "APM_session"] 7200
            } else {
                persist source_addr
            }
            pool email.REDACTED_owa_pool
        }
    }
}
when HTTP_RESPONSE {
    if { [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate"} {
        ONECONNECT::reuse disable
        ONECONNECT::detach disable
        # this command disables NTLM conn pool for connections
        # where OneConnect has been disabled
        NTLM::disable
    }
    # this command rechunks encoded responses
    if {[HTTP::header exists "Transfer-Encoding"]} {
        HTTP::payload rechunk
    }
}
- youssef1Cumulonimbus
Hello,
Can you tell me how you test your AS service from outside? As a reminder, this iRule allows pooling several services...
You cannot access the AS service without a URI that starts with /microsoft-server-activesync*.
So if you test your service from outside with a browser, you are not testing AS if you just enter: https://myemailserver.com and https://myemailserver.com
You will fall back to this condition:
default {
    # This final section takes all traffic that has not otherwise
    # been accounted for and sends it to the pool for Outlook Web App
    if { [HTTP::header exists "APM_session"] } {
        persist uie [HTTP::header "APM_session"] 7200
    } else {
        persist source_addr
    }
    pool email.REDACTED_owa_pool
}
For information, AS is used through an AS client (on a mobile device), and this service uses a specific User-Agent and URI...
Tell me how I can help you.
Regards,
- M451_315544Cirrus
I was able to resolve this using this updated iRule.
when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] contains "/microsoft-server-activesync" } {
        drop
    }
}
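An offline model of the two rules from this thread, added here as an example (it is not code from the thread participants or from F5): it evaluates constructed request targets the way the `switch -glob` on `HTTP::path` and the `contains` test on `HTTP::uri` would. It assumes `HTTP::path` excludes the query string and `HTTP::uri` includes it; the pool names are shortened stand-ins.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Case patterns in the order of the thread's full iRule; switch -glob takes
# the first pattern that matches. Pool names are shortened stand-ins.
SWITCH_CASES = [
    ("/microsoft-server-activesync*", "drop"),
    ("/owa*", "owa_pool"),
    ("/ecp*", "owa_pool"),
    ("/ews*", "owa_pool"),
    ("/oab*", "owa_pool"),
    ("/rpc/rpcproxy.dll", "oa_pool"),
    ("/autodiscover*", "autodiscover_pool"),
]
DEFAULT_ACTION = "owa_pool"  # the iRule's default branch
BLOCKED = "/microsoft-server-activesync"

def switch_rule(target):
    """Model of: switch -glob -- [string tolower [HTTP::path]] {...}"""
    path = urlsplit(target).path.lower()  # HTTP::path: no query string
    for pattern, action in SWITCH_CASES:
        if fnmatchcase(path, pattern):
            return action
    return DEFAULT_ACTION

def contains_rule(target):
    """Model of: if { [string tolower [HTTP::uri]] contains BLOCKED } { drop }"""
    if BLOCKED in target.lower():  # HTTP::uri: path plus query string
        return "drop"
    return "pass"  # request carries on to whatever else serves it

# Constructed request targets, not traffic captured from the thread.
SAMPLES = [
    "/",
    "/Microsoft-Server-ActiveSync?Cmd=Sync&DeviceType=Phone",
    "/owa/",
    "/owa/?ref=/Microsoft-Server-ActiveSync",
]

def evaluate(samples=SAMPLES):
    """Return {target: (switch_rule result, contains_rule result)}."""
    return {t: (switch_rule(t), contains_rule(t)) for t in samples}

if __name__ == "__main__":
    for target, (sw, ct) in evaluate().items():
        print(f"{target:55} switch={sw:10} contains={ct}")
```

The last sample shows the trade-off of matching on the whole URI: an OWA request whose query string happens to contain the ActiveSync path is dropped as well.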