For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

16 Replies

Show More
  • Joshua_Bines_12's avatar
    Joshua_Bines_12
    Icon for Cirrus rankCirrus
    Jan 25, 2017

    Added a new irule, I was hoping to display this page after the user is authenticated via the apm. Any thought's?

    Thanks in advance. Josh

     

    priority 899
when HTTP_REQUEST {
        switch -glob -- [string tolower [HTTP::path]] {
        "/ecp*" {
             Respond with a splash page with redirection.
            HTTP::respond 200 content {
              
                 
                    External ECP Access Disabled
                 
                 
                    External Exchange Control Pannel (ECP)
                    We are sorry, for security reasons external ECP access is disabled. 
                    To return click 
                 
              
                }   
            }

    }

}

     

  • JG's avatar
    JG
    Icon for Cumulonimbus rankCumulonimbus
    Jan 25, 2017

     

    priority 899
when HTTP_REQUEST {
     Bar admin access:
    if { [HTTP::uri] starts_with "/ecp/?ExchClientVer=15" } {
        HTTP::respond 403 content {
            
               
                  External ECP Access Disabled
               
               
                  External Exchange Control Pannel (ECP)
                  We are sorry, for security reasons external ECP access is disabled.
                  To return click 
               
            
        } "Content-Type" "text/html" Connection close
    } 
}

     

    [Edited]

     

  • Joshua_Bines_12's avatar
    Joshua_Bines_12
    Icon for Cirrus rankCirrus
    Jan 29, 2017

    Hi Guys,

    Any comments on the EAC function of the iapp? as per the below 2 points. Are we looking at updating the deployment guide and iapp at some point or are we missing something?

     

    "Anyway, there seems to be 2 things here: 1) The APM acl function does not work (not matching a certain string); and 2) it seems pointless to have this function from your perspective."

     

     

  • Joshua_Bines_12's avatar
    Joshua_Bines_12
    Icon for Cirrus rankCirrus
    Mar 08, 2017

     

    priority 899
when HTTP_REQUEST {
     Bar admin access:
    if { [string tolower [HTTP::uri]] starts_with "/ecp/?exch" } {
     Bar access from everybody:
    if { [HTTP::uri] starts_with "/ecp" } {
        HTTP::respond 403 content {
            
               
                  External ECP Access Disabled
               
               
                  External Exchange Control Pannel (ECP)
                  We are sorry, for security reasons external ECP access is disabled.
                  To return click 
               
            
        } "Content-Type" "text/html" Connection close
    } 
}

     

    • JG's avatar
      JG
      Icon for Cumulonimbus rankCumulonimbus
      Mar 08, 2017

      Well, you may well add the "string tolower" bit, but I should think such a URL ought to be case-sensitive. I never tested it though.

       

    • Joshua_Bines_12's avatar
      Joshua_Bines_12
      Icon for Cirrus rankCirrus
      Mar 08, 2017

      Thanks for the reply. From our testing, it showed that if you used "ecp/?exchclientver=15" or "ECP/?ExchClientVer=15" the irule would not match and grant users access.

       

      Once all our mailboxes have been migrated to exchange 2016 we will bar all external users to the ecp directory