Forum Discussion
F5 filter for Exchange
Hi Davey,
in case you don't use APM to pre-authenticate your users (or you don't want to change the VPE sequence), you may try the iRule below. The iRule parses the username on the wire and sends a 502 response if the given username is found. The provided iRule is able to inspect Basic, NTLM and NEGOTIATE-NTLMSSP authentication schemes...
```tcl
when RULE_INIT {
    # Lowercase patterns for the username to reject
    set static::username_basic "domain\\username"
    set static::username_ntlm "domainusername"
}
when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] equals "/autodiscover/autodiscover.xml" } then {
        if { [set temp(auth_header) [string tolower [HTTP::header value Authorization]]] starts_with "basic" } then {
            # Basic: HTTP::username returns the decoded username
            if { [string tolower [HTTP::username]] contains $static::username_basic } then {
                HTTP::respond 502 content "Invalid Mailbox"
            }
        } elseif { $temp(auth_header) starts_with "ntlm" } then {
            # NTLM: decode the token, strip the NUL bytes, then search for the pattern
            if { [string tolower [string map [list [binary format H* 00] ""] [b64decode [string range [HTTP::header value Authorization] 5 end]]]] contains $static::username_ntlm } then {
                HTTP::respond 502 content "Invalid Mailbox"
            }
        } elseif { $temp(auth_header) starts_with "negotiate" } then {
            # Negotiate: only tokens that carry an NTLMSSP message are inspected
            if { [set temp(auth_header) [string tolower [b64decode [string range [HTTP::header value Authorization] 10 end]]]] starts_with "ntlmssp" } then {
                if { [string tolower [string map [list [binary format H* 00] ""] $temp(auth_header)]] contains $static::username_ntlm } then {
                    HTTP::respond 502 content "Invalid Mailbox"
                }
            } else {
                # You can't inspect Kerberos Session Tickets. But it's very unlikely that the client provides one... ;-)
            }
        }
    }
}
```
Note: You have to change the $static:: variables to match the username. The format of the username has to match the outlined patterns and must be lowercase.
Cheers, Kai
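To check the two pattern formats offline before loading the iRule, the same normalisation can be replayed against sample headers. This Python sketch is an added example, not part of the original post; the CONTOSO/Alice/Bob values and the minimal NTLMSSP type 3 message (empty responses, zero flags) are constructed, and `build_type3` and `would_block` are hypothetical helper names.

```python
import base64
import struct

def build_type3(domain, user, workstation):
    """Constructed NTLMSSP type 3 message: 64-byte header + UTF-16LE payload."""
    # Security buffer order: LM resp, NT resp, domain, user, workstation, session key
    fields = [b"", b""] + [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    offset, bufs, payload = 64, b"", b""
    for f in fields:
        bufs += struct.pack("<HHI", len(f), len(f), offset)  # len, maxlen, offset
        payload += f
        offset += len(f)
    return b"NTLMSSP\x00" + struct.pack("<I", 3) + bufs + struct.pack("<I", 0) + payload

def would_block(authorization, basic_pat, ntlm_pat):
    """Mirror the iRule's checks on one Authorization header value."""
    scheme = authorization.lower()
    if scheme.startswith("basic"):
        creds = base64.b64decode(authorization[6:]).decode("latin-1")
        return basic_pat in creds.partition(":")[0].lower()
    if scheme.startswith("ntlm"):
        blob = base64.b64decode(authorization[5:])
    elif scheme.startswith("negotiate"):
        blob = base64.b64decode(authorization[10:])
        if not blob.lower().startswith(b"ntlmssp"):
            return False  # e.g. a Kerberos token: not inspected
    else:
        return False
    # Strip NUL bytes so UTF-16LE "CONTOSO" + "Alice" reads as "contosoalice"
    return ntlm_pat.encode() in blob.replace(b"\x00", b"").lower()

def sample_headers():
    """Constructed Authorization header values for two users."""
    alice = base64.b64encode(build_type3("CONTOSO", "Alice", "WKS01")).decode()
    bob = base64.b64encode(build_type3("CONTOSO", "Bob", "WKS01")).decode()
    return {
        "basic_alice": "Basic " + base64.b64encode(b"CONTOSO\\Alice:x").decode(),
        "ntlm_alice": "NTLM " + alice,
        "negotiate_alice": "Negotiate " + alice,
        "ntlm_bob": "NTLM " + bob,
    }

if __name__ == "__main__":
    for name, value in sample_headers().items():
        print(name, would_block(value, "contoso\\alice", "contosoalice"))
```

The NTLM pattern has no separator because the domain and username sit next to each other in the message payload once the NUL bytes are removed.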