Forum Discussion
iRule to Allow Outlook users by Username
- Jan 06, 2017
I think I may have figured it out. After spending some hours looking at packet captures I noticed in the URI ActiveSync always sends the username as part of the string. So using an iRule it searches that URI for the specific user identity and if it matches, it lets it through. Seems to be working so far but have yet to do extensive testing on it. I just wonder how bad the resource usage on the F5s will be having to inspect the URI of every connection. Thanks for the replies!

```tcl
when HTTP_REQUEST {
    switch -glob -- [HTTP::uri] {
        "/Microsoft-Server-ActiveSync*" {
            # Allow the request only when the URI carries the permitted username
            if { [HTTP::uri] contains "username" } {
                persist cookie
                pool POOL
            } else {
                discard
            }
        }
    }
}
```
This is definitely possible. Since you're using Exchange / OWA, your organization presumably is using Active Directory. I'm also assuming you're using APM.
Leaving the MDM solution out of the equation for the moment, here's a straightforward solution:
- create an Active Directory group containing the list of users that you'd like to allow through.
- add an AD Query object to the end of your APM access profile, retrieving the "members" attribute.
- create a success/failure branch on that AD Query object, that ensures that the success branch contains the "User is a member of (the group you just created)".
The question mark is how the MDM solution comes into play. If the MDM solution does indeed (as you describe) handle authentication and then send traffic to the F5, you'll need to figure out a mechanism to pass this traffic (perhaps via source IP, header, or some other mechanism). If the MDM solution interfaces directly with Exchange / OWA, you will probably be fine.
Hope this helps
Unfortunately, no, we are not using APM. We only have LTM so are limited to iRules for basically all of our advanced functionality. Perhaps I used the term authentication too loosely. More to say the F5 is the front end for all incoming connections but then it passes the actual connection and authentication piece back to our AD servers. Thanks
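An LTM-only variant of the URI check discussed in this thread, as an added example that is not code from any of the posters: it compares the exact value of the username parameter against an allow list instead of substring-matching the whole URI, so a name that is a substring of another name, or that appears in a different parameter, does not pass. It assumes the username arrives as a `User` query parameter and that a string data group named `activesync_allowed_users` (hypothetical) holds the permitted names in lowercase; `POOL` is the pool name from the first post.

```tcl
# Added example. Assumptions: the username is sent as the "User" query
# parameter, and activesync_allowed_users is a hypothetical string data
# group holding permitted usernames in lowercase.
when HTTP_REQUEST {
    # Only ActiveSync requests are filtered; other traffic is left alone.
    if { !([string tolower [HTTP::path]] starts_with "/microsoft-server-activesync") } {
        return
    }

    # Extract the value of the User parameter from the query string.
    set user ""
    foreach pair [split [HTTP::query] "&"] {
        set kv [split $pair "="]
        if { [string tolower [lindex $kv 0]] eq "user" } {
            # Re-join in case the value itself contained "=", then decode.
            set user [string tolower [URI::decode [join [lrange $kv 1 end] "="]]]
            break
        }
    }

    # Exact match against the allow list. A request with no User parameter
    # fails closed. The value is client-supplied and not verified by LTM,
    # so this narrows who reaches Exchange; Exchange still authenticates.
    if { $user ne "" && [class match -- $user equals activesync_allowed_users] } {
        pool POOL
    } else {
        log local0.info "ActiveSync denied: user='$user' client=[IP::client_addr]"
        HTTP::respond 403 content "Forbidden"
    }
}
```

Keeping the names in a data group means the allow list can change without editing the iRule, and the lookup cost per request stays a single parsed parameter plus one `class match`.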