For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

SysTopher's avatar
SysTopher
Icon for Nimbostratus rankNimbostratus
Jul 08, 2016

Block user or device within APM.

Hello,   We currently utilize both LTM and APM on the F5. We have APM fronting our OWA access from the outside. We apparently have an ex employee who has a device that's still connected to our ...
BIG-IP Access Policy Manager (APM)
security
Yann_Desmarest_'s avatar
Yann_Desmarest_
Icon for Nacreous rankNacreous
Jul 08, 2016

Hi,

In APM, depending on your VPE, you should be able to redirect the user in a Deny ending by injecting expression in a branch after the logon page or 401. The user is stored in session.logon.last.username.

As you are talking about ActiveSync, I assume that basic authentication will be used. So you can check for the username with an irule : 

when HTTP_REQUEST {
        if { [HTTP::header exists Authorization] and [HTTP::username] contains "usernameX" } {
                    drop
        }
}
  • SysTopher's avatar
    SysTopher
    Icon for Nimbostratus rankNimbostratus
    Jul 13, 2016

    Great suggestions! I tested the irule and I'm not seeing any further logon attempts showing up in the APM reports in the last 30 minutes. I was at least once per minute before, so I think that did it. I'll keep an eye on it Thanks again!