
Forum Discussion

Shiraz
Dec 06, 2015

Bypass APM for specific User Agent

Dears,

We want to bypass the Access Policy based on User Agent.

The Virtual Server has a default Pool and the Visual Policy Editor (VPE) is as follows.

Start >> Logon >> AD >> SSO Mapping >> Allow

When the application is accessed by a browser, it provides the Logon page, the credentials are authenticated against AD, and it takes you to the default pool with SSO.

However, when the same application is accessed by Microsoft Project (Project Web App), it's not working.
So, we have used the below iRule to bypass the Access Policy and forward the traffic directly to the pool members.

        when HTTP_REQUEST {
            # Case-fold the User-Agent so the glob patterns match regardless of capitalisation
            switch -glob [string tolower [HTTP::header User-Agent]] {
                "*office*" -
                "*microsoft*" {
                    # Microsoft Office / Project clients: skip the APM access policy for this request
                    log local0. "Microsoft Project user agent :[HTTP::header User-Agent]"
                    ACCESS::disable
                }
                default {
                    # Everything else goes through the access policy as usual
                    ACCESS::enable
                }
            }
        }

We also tried using a session variable in the VPE stating that if the user agent contains "office", fall back to Allow.

We need to bypass the Access Policy, as it's not going to work when it's enabled, and only when the request is coming from Project Web App.

Regards,
Mohammed Mukram

3 Replies

  • So you're saying that it's not working through Project even with this iRule? What kind of error are you getting from Project? If you use something like Fiddler, can you see the traffic and what's failing?

    Do you have other iRules associated with the VIP?

  • Thanks for the response Michael,

    There are no additional iRules on the VIP.

    Without the iRule, Project Web App is not even asking for the username and password prompt.

    When we assign the iRule, it's asking for the username and password. So, I believe it's taking us to the pool member. However, after entering the username and password, it's giving a network-related error: access denied, please check your network connectivity.

    Regards,

    Mohammed Mukram

  • Lucas_Thompson_
    Historic F5 Account

    In order to get iRules to fire on each request when APM is enabled on the VIP, you have to use this iRule command:

    https://devcentral.f5.com/wiki/iRules.ACCESS__restrict_irule_events.ashx

    Add more logging to your iRule so you can understand what exactly is going on. Here's a good post that covers this topic:

    https://devcentral.f5.com/articles/-the101-irules-101-logging-amp-comments

    Also, most Microsoft Office clients prefer to use NTLM authentication, so the flows have to be kept keyed to the same virtual. BIG-IP has some specific settings for that. A good starting point may be this article:

    https://support.f5.com/kb/en-us/solutions/public/10000/400/sol10477.html
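Putting the question and the last reply together, the iRule below shows the original User-Agent bypass with the event-restriction command Lucas links to and the extra logging he recommends. It is an added example written for this page, not code posted in the thread or published by F5. The `*office*` and `*microsoft*` patterns and the `local0.` facility come from the original post; the variable name `ua` and the log wording are assumptions of this example. Because the User-Agent header is supplied by the client, this bypass only decides whether APM's logon page is applied; the pool members behind the virtual still have to authenticate the request themselves, which is what the credential prompt seen from Project in the thread suggests they do.

```tcl
# Added example, not from the thread or from F5. Assumes a virtual server
# with APM enabled and a default pool, as described in the original post.

when CLIENT_ACCEPTED {
    # On an APM-enabled virtual, APM normally suppresses most iRule events.
    # This lets HTTP_REQUEST run for every request on the connection, so the
    # per-request ACCESS::disable / ACCESS::enable decision is actually made.
    ACCESS::restrict_irule_events disable
}

when HTTP_REQUEST {
    # Case-fold once; the glob patterns below are all lower-case.
    set ua [string tolower [HTTP::header User-Agent]]

    switch -glob -- $ua {
        "*office*" -
        "*microsoft*" {
            # Bypass the access policy for Office / Project clients.
            # Log the raw header, client IP and target so each bypass is auditable.
            log local0. "APM bypass: UA='[HTTP::header User-Agent]' client=[IP::client_addr] host=[HTTP::host] uri=[HTTP::uri]"
            ACCESS::disable
        }
        default {
            # Everyone else goes through the normal Logon >> AD >> SSO policy.
            log local0. "APM enforced: UA='[HTTP::header User-Agent]' client=[IP::client_addr] host=[HTTP::host]"
            ACCESS::enable
        }
    }
}
```

Note that `*microsoft*` is a broad pattern and matches more than Project Web App; if the goal is to exempt only that client, narrow the glob to the User-Agent string the logging above shows for it.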