Forum Discussion
Forward ActiveSync Requests if user is member of BLABLA
What I did was add an LDAP Query (or AD Query if you like).
At first, I pulled the memberOf attribute and created a Deny Branch Rule with the following syntax:
expr { [string tolower [mcget {session.server.landinguri}]] contains "/microsoft-server-activesync" && [string match -nocase *CN=YOURGROUPHERE,OU=GRP-WorkGRP,OU=USA-Groups,OU=USA,DC=na,DC=yourdomain,DC=com* [mcget {session.ldap.last.attr.memberOf}]] == 0 }
Then I created an Allow Branch at the bottom that sets the SSO and moves forward.
The problem with the above method is that the LDAP Query pulls a literal group membership. If the user is a member of a group that is NESTED within the group mentioned in the Branch Rule above, it will not be considered. With that said, I moved on to setting an AD Attribute for those I wanted to allow or deny access.
Here's the new Deny branch I created:
expr { [mcget {session.ldap.last.attr.extensionAttribute15}] == "External-Access-Restricted" }
(Change the attribute and return string to whatever you'd like to use)
The second has worked very well for me so far, but feel free to experiment with either!
-Cory
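
The nested-group gap described in the post, shown as an added example (not part of the original post): a direct memberOf check compared with a transitive walk that tolerates group cycles, plus the Active Directory LDAP_MATCHING_RULE_IN_CHAIN filter (OID 1.2.840.113556.1.4.1941) that asks the domain controller to resolve nesting itself. All DNs and function names are constructed for illustration, and the post does not say whether the APM query item accepts this filter.

```python
# Constructed sample directory: each DN maps to its *direct* memberOf values.
TARGET = "CN=ActiveSync-Allowed,OU=Groups,DC=example,DC=com"
NESTED = "CN=Sales-Mobile,OU=Groups,DC=example,DC=com"
LOOP = "CN=Loop-Group,OU=Groups,DC=example,DC=com"
DIRECTORY = {
    "CN=alice,OU=Users,DC=example,DC=com": [TARGET],  # direct member
    "CN=bob,OU=Users,DC=example,DC=com": [NESTED],    # member via nesting
    "CN=carol,OU=Users,DC=example,DC=com": [LOOP],    # unrelated group
    NESTED: [TARGET],
    LOOP: [LOOP],  # self-referencing group; the walk must still terminate
}

def norm(dn):
    """DN comparison is case-insensitive, like 'string match -nocase'."""
    return dn.strip().lower()

INDEX = {norm(k): [norm(g) for g in v] for k, v in DIRECTORY.items()}

def direct_match(user_dn, group_dn):
    """First branch rule: only the user's own memberOf values are checked."""
    return norm(group_dn) in INDEX.get(norm(user_dn), [])

def nested_match(user_dn, group_dn):
    """Follow memberOf transitively; 'seen' prevents looping on cycles."""
    target, seen, stack = norm(group_dn), set(), [norm(user_dn)]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        for parent in INDEX.get(current, []):
            if parent == target:
                return True
            stack.append(parent)
    return False

def in_chain_filter(group_dn):
    """Build the AD in-chain filter, escaping RFC 4515 special characters."""
    escaped = group_dn.replace("\\", "\\5c")  # backslash first
    for ch, rep in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")):
        escaped = escaped.replace(ch, rep)
    return "(memberOf:1.2.840.113556.1.4.1941:=%s)" % escaped

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        dn = "CN=%s,OU=Users,DC=example,DC=com" % user
        print(user, direct_match(dn, TARGET), nested_match(dn, TARGET))
    print(in_chain_filter(TARGET))
```
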