Forum Discussion
riraccuia
Jul 09, 2015 Cirrus
F5 APM OWA o365 SSO Form Based Authentication Issues
Hello there,
we'd like to configure our v11.6 F5 box to provide access to an Exchange 2013 / MS o365 web based email using APM to enforce two factor authentication (AD + OTP) on an HTTPS Virtual Ser...
- May 04, 2016
For everyone's information, this is how I solved the problem:
when HTTP_REQUEST {
    # For OWA 2013
    if { [HTTP::uri] starts_with "/owa/manifests/appCacheManifestHandler.ashx" } {
        HTTP::respond 200 content {} noserver
    }
}
riraccuia
Jul 09, 2015 Cirrus
The Policy:
apm policy access-policy /Common/WEBMAIL {
    default-ending /Common/WEBMAIL_end_deny
    items {
        /Common/WEBMAIL_act_empty { }
        /Common/WEBMAIL_act_empty_1 { }
        /Common/WEBMAIL_act_empty_2 { }
        /Common/WEBMAIL_act_empty_3 { }
        /Common/WEBMAIL_act_irule_event { }
        /Common/WEBMAIL_act_ldap_auth { }
        /Common/WEBMAIL_act_ldap_auth_1 { }
        /Common/WEBMAIL_act_ldap_query { }
        /Common/WEBMAIL_act_ldap_query_1 { }
        /Common/WEBMAIL_act_logon_page { }
        /Common/WEBMAIL_act_message_box { }
        /Common/WEBMAIL_act_message_box_1 { }
        /Common/WEBMAIL_act_message_box_2 { }
        /Common/WEBMAIL_act_message_box_3 { }
        /Common/WEBMAIL_act_message_box_4 { }
        /Common/WEBMAIL_act_message_box_5 { }
        /Common/WEBMAIL_act_radius_auth { }
        /Common/WEBMAIL_act_radius_auth_1 { }
        /Common/WEBMAIL_act_resource_assign { }
        /Common/WEBMAIL_act_resource_assign_1 { }
        /Common/WEBMAIL_act_resource_assign_2 { }
        /Common/WEBMAIL_act_resource_assign_3 { }
        /Common/WEBMAIL_act_sso_credential_mapping { }
        /Common/WEBMAIL_act_sso_credential_mapping_1 { }
        /Common/WEBMAIL_act_variable_assign { }
        /Common/WEBMAIL_act_variable_assign_1 { }
        /Common/WEBMAIL_act_variable_assign_2 { }
        /Common/WEBMAIL_end_allow {
            priority 1
        }
        /Common/WEBMAIL_end_deny {
            priority 2
        }
        /Common/WEBMAIL_end_redirect { }
        /Common/WEBMAIL_ent { }
    }
    start-item /Common/WEBMAIL_ent
}
apm profile access /Common/WEBMAIL {
    accept-languages { en ja zh-cn zh-tw }
    access-policy /Common/WEBMAIL
    app-service none
    customization-group /Common/WEBMAIL_logout
    default-language en
    domain-cookie none
    eps-group /Common/WEBMAIL_eps
    errormap-group /Common/WEBMAIL_errormap
    exchange-profile none
    framework-installation-group /Common/WEBMAIL_frameworkinstallation
    general-ui-group /Common/WEBMAIL_general_ui
    generation 64
    generation-action noop
    inactivity-timeout 2700
    logout-uri-include { /owa/auth/logoff.aspx }
    logout-uri-timeout 5
    max-failure-delay 0
    min-failure-delay 0
    modified-since-last-policy-sync true
    secure-cookie true
    sso-name none
    type all
    user-identity-method http
}
And here are the relevant ending items of my policy; everything I do before is just AD and OTP/Radius authentication.
apm policy policy-item /Common/WEBMAIL_act_empty {
    caption "User Agent"
    color 1
    item-type action
    rules {
        {
            caption "Test Branch"
            expression "expr { [mcget {session.user.agent}] contains \"test-o365\"}"
            next-item /Common/WEBMAIL_act_resource_assign_2
        }
        {
            caption "Mobile Phones"
            expression "expr { [mcget {session.user.agent}] contains \"BlackBerry\" } "
            next-item /Common/WEBMAIL_act_resource_assign_1
        }
        {
            caption fallback
            next-item /Common/WEBMAIL_act_resource_assign
        }
    }
}
apm policy policy-item /Common/WEBMAIL_act_resource_assign_2 {
    agents {
        /Common/WEBMAIL_act_resource_assign_2_ag {
            type resource-assign
        }
    }
    caption TEST_OWA
    color 1
    item-type action
    rules {
        {
            caption fallback
            next-item /Common/WEBMAIL_end_allow
        }
    }
}
apm policy agent resource-assign /Common/WEBMAIL_act_resource_assign_2_ag {
    rules {
        {
            pool /Common/mail.o365.mydomain.com
            portal-access-resources { /Common/OWA_TEST }
            webtop /Common/WebTop_Test
        }
    }
}