Forum Discussion
Hawary
Altostratus
AltostratusControl access to Exchange services
hi folks,
i would like to control access to mail service (mail.abc.com). if user connected from internet, it should not work but allow it from inside network or someone who connected from VPN. i'm thinking of 2 solution,
1- remove the public DNS entry for mail.abc.com
2- write a policy or an irule to control access like if the users are trying to access mail.abc.com and client IP is of private IPs, allow this connection. else drop the connection (actually, i need your help with the irule.)
thanks in Advance
boneyardMVP
the first option will work if mail.abc.com is only used for client access. if it is also used for other email servers to send you email you probably dont want to delete it.
the second is possible if the F5 BIG-IP is located somewhere to make this possible. does mail.abc.com point to the BIG-IP? do internal clients actually connect to it from inside?
as for the iRule there really are 100s of examples for this, look some up, try it and if it doesnt work post what you got and someone will certainly help to fixed it.
- Hawary
hi boneyard,
thanks for your answer. what if i need to block only /owa from outside?. how can i achieve that? Regarding inside, the users are accessing the exchange directly, they are not passing through the F5. i appreciate if you give example for irule to block /owa and allow the other services.
- boneyard
there are quite some examples with a quick search
https://devcentral.f5.com/s/question/0D51T00006i7iJf/block-activesync-on-virtual-server
https://devcentral.f5.com/s/question/0D51T00006i7NzlSAE/how-to-block-a-specific-url
https://devcentral.f5.com/s/question/0D51T00006i7Y8w/blocking-a-specific-url-on-a-specific-vip-with-irule
https://support.f5.com/csp/article/K74012450
in your case you dont even have to do something special for inside or outside as inside users dont reach the big-ip
give it a try and / or post what you believe will work.
