Forum Discussion
adambaack_13393
Nimbostratus
NimbostratusExchange 2013 iApp - Block Activesync except from one IP
Have only used the iApp templates with their defaults in the past but now I'm needing to allow only one IP to ActiveSync to it. We are using MobileIron for mobile devices and I want to only allow MobileIron to talk to the F5 for ActiveSync traffic. I believe they will be pointing their MobileIron server to the F5 VIP.
Any easy way to do this? I've seen one post with code for an iRule to 'block' all activesync traffic but not allow only one IP.
This is what I was referring to:
when HTTP_REQUEST {
switch -glob -- [string tolower [HTTP::path]] {
"/microsoft-server-activesync*" {
drop
}
}
}Hi,
You are right, find a corrected irule below :
when HTTP_REQUEST { if { [string tolower [HTTP::path]] eq "/microsoft-server-activesync" and !([IP::client_addr] eq "x.x.x.x") } { drop } }
Yann_Desmarest_Nacreous
Hi,
You have an option in the VS to specify allowed source addr. You can also define an irule :
when HTTP_REQUEST { if { !([IP::client_addr] eq "x.x.x.x") } { drop } }
adambaack_13393Would that not restrict all applications (OWA, OA, AS)? I just want ActiveSync restrict to the MobileIron IP Address. All other applications (OWA, OA) need to be unrestricted to the outside.
Yann_DesmarestCirrus
Hi,
You have an option in the VS to specify allowed source addr. You can also define an irule :
when HTTP_REQUEST { if { !([IP::client_addr] eq "x.x.x.x") } { drop } }- adambaack_13393Would that not restrict all applications (OWA, OA, AS)? I just want ActiveSync restrict to the MobileIron IP Address. All other applications (OWA, OA) need to be unrestricted to the outside.
- Yann_Desmarest
Hi,
You are right, find a corrected irule below :
when HTTP_REQUEST { if { [string tolower [HTTP::path]] eq "/microsoft-server-activesync" and !([IP::client_addr] eq "x.x.x.x") } { drop } }- adambaack_13393Not to sound like a complete idiot, but I don't have a ton of familiarity with iRules. To implement this, I would have to uncheck 'strict updates' in the Application Services? I see where I can create the iRule but how would I apply it to the Exchange iApp?
- Yann_DesmarestHi, you are right. You need to uncheck strict update on the iapp, then apply the irule in the resource section of your VS configuration
- adambaack_13393Would this also work? I noticed in the iApp if I choose advanced there is an area where it says 'Do you want to add any iRules to this combined virtual server?' and it lists all the iRules. Can I just select the newly created iRule and not have to uncheck 'strict updates?'
- Yann_Desmarest_
Hi,
You are right, find a corrected irule below :
when HTTP_REQUEST { if { [string tolower [HTTP::path]] eq "/microsoft-server-activesync" and !([IP::client_addr] eq "x.x.x.x") } { drop } }- adambaack_13393Not to sound like a complete idiot, but I don't have a ton of familiarity with iRules. To implement this, I would have to uncheck 'strict updates' in the Application Services? I see where I can create the iRule but how would I apply it to the Exchange iApp?
- Yann_Desmarest_Hi, you are right. You need to uncheck strict update on the iapp, then apply the irule in the resource section of your VS configuration
- adambaack_13393Would this also work? I noticed in the iApp if I choose advanced there is an area where it says 'Do you want to add any iRules to this combined virtual server?' and it lists all the iRules. Can I just select the newly created iRule and not have to uncheck 'strict updates?'