For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Jamie_50833's avatar
Jamie_50833
Icon for Nimbostratus rankNimbostratus
Oct 04, 2010

Custom Protected Configuration

I have a resource (Outlook Web Access) that's common to everyone in my organization. We are migrating users to a new OWA resource that is assigned through AD group membership. I would like to restrict migrated users from the general OWA resource by way of a protected configuration. I not sure if the following expression will work:

 

(session.ad.groupmapping.memberof != "CN=OWA2010,OU=Groups,OU=blah,DC=blah,DC=com" )

 

My concern is that users are members of many groups and the FirePass will categorize everyone as meeting this condition.
BIG-IP Access Policy Manager (APM)
remote access
security

3 Replies

  • Don_Ryles_52501's avatar
    Don_Ryles_52501
    Icon for Nimbostratus rankNimbostratus
    Oct 04, 2010
    Hi Jamie,

     

     

    In Advanced session variables you can set conditions with tests like CONTAINS(session.ad.auth.memberof, "OWA 2010 Users").

     

     

    Maybe you could use that to set the URL for the 2010 OWA server while others get the URL for 2007 OWA server.

     

     

    Once you've got the test of group membership worked out the the name of the test is used in the URL field where the web application favorite is defined. This would be entered as something like %session.asv.owa_version% or whatever you named the test in the definition of the ASV.

     

     

    Hope that helps.

     

     

    Kevin S.
  • Mike_61719's avatar
    Mike_61719
    Icon for Cirrus rankCirrus
    Oct 05, 2010
    So it seems you like using LDAP for variables. While this can be done it is a resource hog on the Firepass. I would recommend adding new 2010 OWA users into an AD group called OWA-2010 and dynamically assign the resources based on the AD group membership.