laerm_151742
Aug 08, 2014

IE choking on exchange iRule

Hello community,

Bit of a strange issue, and it's most probably an IE bug, but I was wondering if anyone had tips on how to mitigate it by tweaking the iRule in the Exchange 2013 iApp. We can't reproduce the problem on other browsers (tested FF, Chrome and Safari); the problem, ironically, is only with IE:

We're protecting against unauthorised access to /ECP. That part works. The problem arises when in the ECP and a user wants to add/change a messagebox rule. This opens up a popup. On IE, the popup contains the error page, whereas it works with other browsers.

Here's the iRule code:


    when HTTP_REQUEST {
        if { [HTTP::uri] contains "/ecp" } {
            set response "
            EAC Access Denied

            We are sorry, but access to the Exchange
            Administration Center is restricted to approved client IP addresses. Your IP address, [IP::client_addr], is not
            approved.
            "
            if { [HTTP::header exists "Referer"] } {
                if { [HTTP::header "Referer"] contains "rfr=owa" } {
                    pool my_iapp_2013_owa_pool
                }
            } elseif { [class match [IP::client_addr] equals "trustedAddresses"] } {
                pool my_iapp_2013_owa_pool
            } else {
                HTTP::respond 200 content $response
            }
            unset response
        }
    }

 

  • mikeshimkus_111
    Historic F5 Account

    Hi laerm, the popup isn't using the referer header that we key on to tell us that the request came from OWA instead of EAC. Try modifying your rule to include the URL for the rule editor:

     

    when HTTP_REQUEST {
        if { [string tolower [HTTP::uri]] contains "/ecp" } {
            set response "EAC Access Denied
            We are sorry, but access to the Exchange Administration Center is
            restricted to approved client IP addresses. Your IP address, 
            [IP::client_addr], is not approved."
            if { [HTTP::header exists "Referer"] } {
                if {[HTTP::header "Referer"] contains "rfr=owa" } {
                    pool my_owa_pool
                }               
            } elseif {[string tolower [HTTP::uri]] contains "/ruleseditor/editinboxrule.aspx" || [class match [IP::client_addr] equals "exchange_2013_trustedAddresses"]} {
                pool my_owa_pool
            } else {
                HTTP::respond 200 content $response
            }
            unset response
        }
    }
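
The decision logic of the two iRules in this thread, modelled in Python as an added example (not code from the posters or from F5): it runs constructed requests through the rule from the question and the rule from the reply and reports where the two differ. The trusted-address set, host name, paths and client addresses are assumptions made up for the example.

```python
# Added model of the two iRules in this thread (not the posters' or F5's code).
# Constructed stand-in for the trusted-address data group the rules look up.
TRUSTED = {"198.51.100.10"}
EDITOR = "/ruleseditor/editinboxrule.aspx"


def decide(uri, referer, client_ip, modified):
    """Return 'pool', 'deny' or 'no-action' for one request.

    modified=False follows the rule in the question, True the rule in the reply.
    """
    # The reply lowercases the URI before matching; the question's rule does not.
    path = uri.lower() if modified else uri
    if "/ecp" not in path:
        return "no-action"  # the rule body is skipped
    if referer is not None:
        # Referer present: only the OWA marker selects the pool; otherwise
        # neither `pool` nor `HTTP::respond` runs in this branch.
        return "pool" if "rfr=owa" in referer else "no-action"
    if modified and EDITOR in path:
        return "pool"  # exemption added in the reply
    if client_ip in TRUSTED:
        return "pool"
    return "deny"  # HTTP::respond 200 with the denial page


# Constructed sample requests: (label, uri, Referer or None, client address).
SAMPLES = [
    ("ECP opened from OWA", "/ecp/?rfr=owa",
     "https://mail.example.com/ecp/?rfr=owa", "203.0.113.7"),
    ("rule editor popup, no Referer", "/ecp/RulesEditor/EditInboxRule.aspx",
     None, "203.0.113.7"),
    ("EAC, unapproved address", "/ecp/default.aspx", None, "203.0.113.7"),
    ("EAC, approved address", "/ecp/default.aspx", None, "198.51.100.10"),
    ("upper-case path", "/ECP/default.aspx", None, "203.0.113.7"),
]


def compare():
    """Run every sample through both rules: (label, question, reply)."""
    return [(label, decide(u, r, ip, False), decide(u, r, ip, True))
            for label, u, r, ip in SAMPLES]


if __name__ == "__main__":
    for label, before, after in compare():
        print(f"{label:<32} question={before:<10} reply={after}")
```

A 'no-action' result means the rule made no decision for that request, so whatever the virtual server does by default applies; any row where the two columns differ is a behaviour change to review before deploying the modified rule.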
    

     

  • mikeshimkus_111
    Historic F5 Account
    I've found a few more instances where access is denied for resources when the Referer header is not sent. We'll take care of that in a future version of the iApp, but for now you should redeploy and disable that feature.