This is more informative, the last few hours we started experenceing issues with Apple iOS 6.1, essentially malformed meetings on a device cause the device to get into a sync loop which causes excessive transaction log growth on the Exchange mailbox servers which will cause Exchange performance issues and potentially transaction log drives to run out of disk space. Exchange has a limited ability in blocking options when using the internal blocking features users are presented with "Your password may be incorrect", however this solution provides a simple "The server refused connection" as an alternative, this was added to our previous /microsoft-server-activesync irule. if {[HTTP::header "User-Agent"] matches_regex {^Apple.*1002.*}} { reject } -Dan

Hi Dan, Thanks for the info. I thought the main iOS 6 bug with Exchange meetings was fixed in 6.0.1. Are you still seeing issues with iOS 6.1 clients? http://news.cnet.com/8301-13579_3-57543794-37/apple-releases-ios-6.0.1-with-over-the-air-update-tool/ Aaron

Hi Aaron, This is a newly discovered issue with iOS 6.1, more details (http://www.windowsitpro.com/blog/tony-redmonds-exchange-unwashed-50/exchange-server/apple-ios-61-upgrade-excessive-transaction-log-growth-145223) Subsequently we have re-opened our environment to iOS 6.1 devices but disable the Meeting Response ActiveSync command from 6.1 devices as this appears to be the cause. The code below puts the effected devices calendar into Ready Only mode until Apple release an update. if {[HTTP::header "User-Agent"] matches_regex {^Apple.*1002.*} } { if { [HTTP::uri] contains "Cmd=MeetingResponse" } { reject } } Please use this at your own risk. Dan.

I'm a newb - Where do I add this code? I haven't seen our logs grow abnormally yet - but I'd like to use it just incase... I'm just not experienced enough to know where to put it. Guidance please? Thanks in advance!

Posted By Gleep52 on 02/08/2013 10:51 AM I'm a newb - Where do I add this code? I haven't seen our logs grow abnormally yet - but I'd like to use it just incase... I'm just not experienced enough to know where to put it. Guidance please? This is iRule code for an F5 LTM virtual server. (This post has been referenced externally in several places now so people reading might not be aware this discussion is specifically referring to using iRules on F5 BIG-IP:LTM in front of Exchange). This is just a snippet of code as well, it needs to be encapsulated in the HTTP_REQUEST event to form a complete iRule to be added to the virtual server. Gleep52, if by chance I have misinterpreted your request and you still need assistance with forming this into a complete iRule on an LTM, please post back.

when HTTP_REQUEST { if {[HTTP::header "User-Agent"] matches_regex {^Apple.*1002.*} } { if { [HTTP::uri] contains "Cmd=MeetingResponse" } { log 10.10.10.1 local0.info "Denied iOS 6.1 Device SNAT src=[IP::client_addr] src_port=[TCP::client_port], snat_src=[IP::local_addr] snat_src_port=[TCP::local_port], dst=[IP::server_addr] dst_port=[TCP::server_port]" reject } } } Above is the complete iRule we placed in the TMG virtual server. We see several client IP's that are looped with above 60,000 denies and it goes down from there to about 7 cilents with denies above 3,000 the rest are below 300.

Blocking iOS 6.1 Devices on Exchange 2010

38 Replies

Mike_Maher
Nimbostratus
Feb 15, 2013
Barry,

This rule is not to restrict access to Mail but rather to specifically block access to them using the MeetingResponse Cmd within Exchange. So essentially they can't Accept or Decline meeting but they can still do all other Exchange sync functionality.
Jan_Rockstedt_4
Nimbostratus
Feb 19, 2013
Hi all,

As IOS 6.1.2 is out, anybody who know the new version number?

Jan

Goat_60322

Nimbostratus

Feb 19, 2013

Updated to allow iOS 6.1.2 (which is 1002.146). This rule will match versions 1002.1 through 1002.145:

if {[HTTP::header "User-Agent"] matches_regex {^Apple.*1002.([1-9]|[1-9][0-9]|1[0-3][0-9]|14[0-5])$} } { if { [HTTP::uri] contains "Cmd=MeetingResponse" } { reject } }

Firewater_29708
Nimbostratus
Feb 19, 2013
Hi Mike

appreciate the code share, we will be applying this shortly.

-Daniel
Doug_23220
Nimbostratus
Feb 19, 2013
Here's what we have right now, seems to be working for the moment:

~~priority 100~~

~~when HTTP_REQUEST {~~

~~if {[HTTP::header "User-Agent"] matches_regex {^Apple.*1002.146} } {~~

~~if { [HTTP::uri] contains "Cmd=MeetingResponse" } {~~

~~pool~~

}

}

~~elseif {[HTTP::header "User-Agent"] matches_regex {^Apple.*1002.*} } {~~

~~if { [HTTP::uri] contains "Cmd=MeetingResponse" } {~~

~~reject~~

}

}

}
Doug_23220
Nimbostratus
Feb 19, 2013
I like Goat's iRule better, using it now, works great.

Thanks Goat!
Jan_Rockstedt_4
Nimbostratus
Feb 20, 2013
Anybody who can review this irule and see any problem, before I try this live?

priority 100

when HTTP_REQUEST {

if {[HTTP::header "User-Agent"] matches_regex {^Apple.*1002.([Z1-9]|[Z1-9][Z0-9]|1[Z0-3][Z0-9]|14[Z0-5])$} } { if { [HTTP::uri] contains "Cmd=MeetingResponse" } { reject } }

log local0. "Denied iOS 6.1 Device SNAT src=[IP::client_addr] src_port=[TCP::client_port], dst=[IP::local_addr] dst_port=[TCP::local_port], virtual=[virtual name]"

event disable all

}
What_Lies_Bene1
Cirrostratus
Feb 20, 2013
Jan, from a functionality perspective;

1) The log and event disable all commands are outside the second if statement, it will run these every time even if there is no match, they need to be moved to after the reject and before the } }

Regarding performance;

1) Would it not be better to check for "Cmd=MeetingResponse" first to save running the 'expensive' regex every time the rule is fired

2) Do you really need to log that level of information?
Jan_Rockstedt_4
Nimbostratus
Feb 20, 2013
Hi Steve,

I can skip the event disable all.

No I would like to check the Apple version first and then MeetingResponse, but you right regex maybye not the best tool for match.

The log is good to have for troubleshooting, but the level could be less.

This is what I use right now, but I need to allow 1002.146 and block between 1002.140 > 1002.145

Any sugestion to solve it?

priority 100

when HTTP_REQUEST {

if {[string match -nocase "apple*1002*" [HTTP::header "User-Agent"]] and [HTTP::uri] contains "Cmd=MeetingResponse" } {

log local0. "Denied iOS 6.1.x src=[IP::client_addr] src_port=[TCP::client_port], dst=[IP::local_addr] dst_port=[TCP::local_port], virtual=[virtual name]"

reject

event disable all

}

}

Jan

What_Lies_Bene1

Cirrostratus

Feb 20, 2013

This should do it;


when HTTP_REQUEST {
 switch -glob [string tolower [HTTP::header User-Agent]] {
  "*1002.140*" -
  "*1002.141*" -
  "*1002.142*" -
  "*1002.143*" -
  "*1002.144*" -
  "*1002.145*" {
   if { [HTTP::uri] contains "Cmd=MeetingResponse" } {
    reject
    log local0. "Denied iOS 6.1 Device SNAT src=[IP::client_addr] src_port=[TCP::client_port], dst=[IP::local_addr] dst_port=[TCP::local_port], virtual=[virtual name]"
   }
  }
 }
}

Forum Discussion

Blocking iOS 6.1 Devices on Exchange 2010

38 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Failing over Virtual F5 VE to DR location using Zerto

Failing over of a Virtual F5 configuration to another location using Zerto restore process

F5 Networks F5CAB1 Exam - Need Help Regarding Prep

Username is not filled in EdgeClient in the Modern customization

The GSLB pool is providing an incorrect IP to end users

Related Content

MS Exchange ProxyNotShell block implemented via iRules

Service Extensions with SSL Orchestrator: Advanced Blocking Pages

MS Exchange Active Sync Device Auth

Exchange 2016

Block IP after a number of ASM Blocks

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS