Forum Discussion
Blocking iOS 6.1 Devices on Exchange 2010
This is more informative: in the last few hours we started experiencing issues with Apple iOS 6.1. Essentially, malformed meetings on a device cause the device to get into a sync loop, which causes excessive transaction log growth on the Exchange mailbox servers, which will cause Exchange performance issues and potentially transaction log drives to run out of disk space.
Exchange has a limited ability in blocking options: when using the internal blocking features, users are presented with "Your password may be incorrect". However, this solution provides a simple "The server refused connection" as an alternative. This was added to our previous /microsoft-server-activesync iRule.
if {[HTTP::header "User-Agent"] matches_regex {^Apple.*1002.*}} {
    reject
}
-Dan
38 Replies
- Joe_46421
Nimbostratus
Hi, welcome and it would be best to look up the F5 bigip LTM F5's product page because the F5s accomplish a lot of things in one package.
We have the certificate used by activesync residing on the F5 BIGIP LTM for SSL offload, so yes we are using SSL. You can also re-encrypt connections to servers from the F5 if you so desire...
We implement this IOS 6.1 workaround via real time application layer manipulation of data as it transits the F5 BigIP LTM using a TCL based scripting language (iRules).
- Stefan_Klotz
Cumulonimbus
We also have implemented this iRule now and it seems to work fine, but the client isn't getting any notification.
Is this normal, or are there any other possibilities so that the client gets informed about this issue?
Ciao Stefan :)
- Firewater_29708
Nimbostratus
Stefan,
The first iRule mentioned will give the client the following message: "The connection has been refused". However, the second option only rejects "Cmd=MeetingResponse"; no errors or warnings are presented to the user. I suggest informing your users that their device can no longer accept, tentatively accept, or decline meeting requests.
Daniel
- Jan_Rockstedt_4
Nimbostratus
Hi,
I tried the script below, but I get no good logging in ltm.
Any suggestion to fix it?
Jan
Thu Feb 14 19:04:55 CET 2013 err f5-db tmm[7737] 01220001 TCL error: /Common/iphone_6.1 - no serverside connection established (line 1) invoked from within "IP::server_addr"
Thu Feb 14 19:04:56 CET 2013 err f5-db tmm[7737] 01220001 TCL error: /Common/iphone_6.1 - no serverside connection established (line 3) invoked from within "IP::server_addr"
Thu Feb 14 19:04:57 CET 2013 err f5-db tmm[7737] 01220001 TCL error: /Common/iphone_6.1 - no serverside connection established (line 3) invoked from within "IP::server_addr"
Thu Feb 14 19:04:57 CET 2013 err f5-db tmm[7737] 01220001 TCL error: /Common/iphone_6.1 - no serverside connection established (line 3) invoked from within "IP::server_addr"
Thu Feb 14 19:04:58 CET 2013 err f5-db tmm1[7738] 01220001 TCL error: /Common/iphone_6.1 - no serverside connection established (line 1) invoked from within "IP::server_addr"
priority 100
when HTTP_REQUEST {
    if {[HTTP::header "User-Agent"] matches_regex {^Apple.*1002.*} } {
        if { [HTTP::uri] contains "Cmd=MeetingResponse" } {
            log local0. "Denied iOS 6.1 Device SNAT src=[IP::client_addr] src_port=[TCP::client_port], snat_src=[IP::local_addr] snat_src_port=[TCP::local_port], dst=[IP::server_addr] dst_port=[TCP::server_port]"
            reject
        }
    }
}
- hoolio
Cirrostratus
A serverside connection hasn't been established in HTTP_REQUEST for the first request on a TCP connection. So you'll get a runtime error if you try to run commands to return the server IP and/or port.
Can you try this version which should be more efficient using a string comparison instead of a regex?
priority 100
when HTTP_REQUEST {
    if {[string match -nocase "apple*1002*" [HTTP::header "User-Agent"] and [HTTP::uri] contains "Cmd=MeetingResponse" } {
        log local0. "Denied iOS 6.1 Device SNAT src=[IP::client_addr] src_port=[TCP::client_port], dst=[IP::local_addr] dst_port=[TCP::local_port], virtual=[virtual name]"
        reject
        event disable all
    }
}
Aaron
- Jan_Rockstedt_4
Nimbostratus
Aaron,
Missing some bracket on line 3.
Any suggestion for fix?
Jan
- hoolio
Cirrostratus
Sorry... forgot to close the string match command. Here's an update:
priority 100
when HTTP_REQUEST {
    if {[string match -nocase "apple*1002*" [HTTP::header "User-Agent"]] and [HTTP::uri] contains "Cmd=MeetingResponse" } {
        log local0. "Denied iOS 6.1 Device SNAT src=[IP::client_addr] src_port=[TCP::client_port], dst=[IP::local_addr] dst_port=[TCP::local_port], virtual=[virtual name]"
        reject
        event disable all
    }
}
Aaron
- Jan_Rockstedt_4
Nimbostratus
Thank you. :-)
I will test it and see if the logging works better with your iRule.
-J-
- Mike_Maher
Nimbostratus
Does the meeting request in Exchange stay intact with this iRule? So normally I respond to a meeting from my iPhone and it gets moved to deleted items. Would that be the case here or would the meeting stay in my inbox until I accepted or denied it from another client?
- barry_8239
Nimbostratus
I added the following rule, but users are still able to access their mail via iPhones. Am I doing something wrong?
when HTTP_REQUEST {
    if {[string match -nocase "apple*1002*" [HTTP::header "User-Agent"]] and [HTTP::uri] contains "Cmd=MeetingResponse" } {
        log local0. "Denied iOS 6.1 Device SNAT src=[IP::client_addr] src_port=[TCP::client_port], dst=[IP::local_addr] dst_port=[TCP::local_port], virtual=[virtual name]"
        reject
        event disable all
    }
}
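Added example, not part of any post in this thread: a plain Tcl (tclsh) script, not an iRule, that models the decision made by the final rule above over constructed sample requests. It shows that only Cmd=MeetingResponse requests from a matching User-Agent are rejected while other ActiveSync commands pass, that the regex and the -nocase glob differ in case sensitivity, and that both match "1002" anywhere after the leading "Apple". The proc names, User-Agent strings and URIs are assumptions made up for the illustration.

```tcl
# Plain Tcl model of the thread's matching logic; run with tclsh.
# All User-Agent strings and URIs below are constructed samples.

# Glob test from the later posts: string match -nocase "apple*1002*"
proc ua_glob {ua} {
    return [string match -nocase "apple*1002*" $ua]
}

# Regex test from the first post: matches_regex {^Apple.*1002.*}
# (case-sensitive, unlike the -nocase glob)
proc ua_regex {ua} {
    return [regexp {^Apple.*1002.*} $ua]
}

# The iRule "contains" operator, modelled as a plain substring test
proc is_meeting_response {uri} {
    return [expr {[string first "Cmd=MeetingResponse" $uri] >= 0}]
}

# Combined rule: reject only when both conditions hold
proc decide {ua uri} {
    if {[ua_glob $ua] && [is_meeting_response $uri]} {
        return "reject"
    }
    return "allow"
}

set base "/Microsoft-Server-ActiveSync?User=sample&DeviceId=SAMPLE&DeviceType=iPhone"
set samples [list \
    [list "Apple-iPhone4C1/1002.143" "$base&Cmd=MeetingResponse"] \
    [list "Apple-iPhone4C1/1002.143" "$base&Cmd=Sync"] \
    [list "apple-iphone4c1/1002.143" "$base&Cmd=MeetingResponse"] \
    [list "Apple-iPad2C1/902.206"    "$base&Cmd=MeetingResponse"] \
    [list "Apple-iPhone3C1/901.1002" "$base&Cmd=MeetingResponse"] \
]

# Columns: User-Agent, glob result, regex result, decision, command
foreach s $samples {
    foreach {ua uri} $s break
    puts [format "%-26s glob=%d regex=%d %-7s %s" \
        $ua [ua_glob $ua] [ua_regex $ua] [decide $ua $uri] \
        [lindex [split $uri &] end]]
}
```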