Forum Discussion
Exchange 2010 ACL for Web Services
Our Data Security Dept has tasked us with disabling ActiveSync via F5 for Exchange 2010 web services for all users; however, we use a product, McAfee EMM, that requires ActiveSync connectivity for mobile device management.
Our setup is as follows:
Public IP NAT --> F5 LTM Virtual Server over 443 --> Exchange 2010 web pool port 80 on (2) exchange 2010 servers.
While disabling ActiveSync for all external users, and only allowing ActiveSync for the EMM server, we also host other web services on this virtual server. Those are:
OWA, Autodiscover, Outlook Anywhere.
We're looking for a solution that will allow us to block Activesync while allowing those webservices.
A quick search on DevCentral returned this result:
https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/2163273/showtab/groupforums/Default.aspx
It looks like the contents of the iRule used in this solution are:
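when HTTP_REQUEST {
    # Allow the listed client address, or any request for OWA; reject the rest.
    if { [IP::addr [IP::client_addr] equals "172.22.21.13"] or [HTTP::uri] starts_with "/owa" } {
        # The pool name is not given in the post.
        pool
    } else {
        reject
    }
}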
Looks like the IF statement checks if the IP is 172.22.21.13 or /owa, then rejects everything else.
Would a modified if statement with /autodiscover and /outlookanywhere (not sure what the actual URI for it is) work?
Wondering if anyone else has encountered a similar request or has other possible solutions.
Thanks.
1 Reply
- mikeshimkus_111 (Historic F5 Account): Hi, which version of BIG-IP are you running? Did you use a template or iApp to deploy Exchange? If you are using the combined persistence iRule from the iApp or deployment guide, you should be able to add this logic into the section that checks for the ActiveSync URI:
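
An added example, not part of the thread and not the code the reply above refers to: one way to write the rule the question asks for as an iRule, refusing ActiveSync unless the request comes from the EMM server and leaving the other Exchange paths alone. The EMM address 192.0.2.10 is a placeholder, and /Microsoft-Server-ActiveSync is the standard Exchange ActiveSync virtual directory rather than a path given in the thread.

```tcl
# Added example (not from the thread): restrict ActiveSync to the EMM server.
when HTTP_REQUEST {
    # Assumption: the source address the BIG-IP sees for the EMM server.
    # 192.0.2.10 is a documentation-range placeholder; replace it.
    set emm_addr "192.0.2.10"

    # IIS matches paths case-insensitively and after percent-decoding,
    # so normalise the path the same way before comparing.
    set path [string tolower [URI::decode [HTTP::path]]]

    if { $path starts_with "/microsoft-server-activesync" } {
        if { [IP::addr [IP::client_addr] equals $emm_addr] } {
            # EMM server: let the request continue to the default pool.
            return
        }
        # Any other client: record the attempt and refuse it.
        log local0.notice "ActiveSync denied: client [IP::client_addr] path [HTTP::path]"
        HTTP::respond 403 content "ActiveSync is not permitted from this address." "Connection" "close"
        return
    }

    # All other requests (OWA, Autodiscover, Outlook Anywhere) fall
    # through to the virtual server's default pool untouched.
}
```

On Exchange 2010, Outlook Anywhere is served from /rpc/rpcproxy.dll, so there is no /outlookanywhere path to match. Because this rule only acts on the ActiveSync path, the other services need no entries of their own.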