For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

LordTanamo_3750's avatar
LordTanamo_3750
Icon for Nimbostratus rankNimbostratus
May 14, 2009

Filter users authenticatiing via NTLM (MOSS) by domain name

Hello, I was asked to filter certain users by their domain name (domain2\user or user@domain2) which are prohibited to connect to MOSS from the public internet, even though they may connect to the...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
May 19, 2009
Hi Jackson,

 

 

A regex is going to be less efficient than a string comparison. That particular regex which matches the domain name letters with any single character between each letter won't match the first (type 1) NTLM message where the domain isn't separated by null characters. If you replace the regex check with a string comparison looking just for *testdomain*, you should be able to block the first message. The third message has the domain name letters separated by nulls.

 

 

If you really want to use a regex, you could replace it with something like this which does a case insensitive match for testdomain with or without nulls between the letters. This would match the type 1 or type 3 messages.

 

 

(?i)t\000?e\000?s\000?t\000?d\000?o\000?m\000?a\000?i\000?n

 

 

But again, a string comparison will be more efficient than a regex and you would only need to check for the type 1 message string.

 

 

Aaron