Forum Discussion
iRule to Allow Outlook users by Username
- Jan 06, 2017
I think I may have figured it out. After spending some hours looking at packet captures, I noticed that in the URI ActiveSync always sends the username as part of the string. So using an iRule it searches that URI for the specific user identity and if it matches, it lets it through. Seems to be working so far but have yet to do extensive testing on it. I just wonder how bad the resource usage on the F5s will be having to inspect the URI of every connection. Thanks for the replies!
    # Allow the request only when the URI contains the permitted username; drop everything else
    "/Microsoft-Server-ActiveSync*" {
        if { [HTTP::uri] contains "username" } {
            persist cookie
            pool POOL
        } else {
            discard
        }
    }
Well, this gets much more complex. At first thought, you'd need to:
- Inspect the OWA logon to determine username. This may not be easy.
- Match the username against a datagroup, OR create a sideband call in the iRule to your AD's LDAP service to determine if it's a member of the allow group.
- Determine a way to persist the session to ensure this call doesn't occur for every HTTP call, potentially by setting a session cookie from within the iRule. (i.e. put the logic inside an if exist session::cookie block)
APM is very well suited to this, but if you have a way to get the username out of the HTTP payload, this is definitely possible in iRules.
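
One way to combine the two posts for the ActiveSync case, as an added example that is not code from either poster: the username is parsed out of the query string and matched exactly against a data group instead of with a substring test on the whole URI. The data group name `activesync_allowed_users`, the pool name `POOL`, and the assumption that the client sends the identity in a `User` query parameter are all illustrative.

```tcl
# Added example. Assumed names: data group "activesync_allowed_users"
# (type string, one lowercase username per record) and pool "POOL".
when HTTP_REQUEST {
    # Filter ActiveSync requests only; test the path rather than the full URI
    if { [string tolower [HTTP::path]] starts_with "/microsoft-server-activesync" } {
        # Assumption: the client sends the identity as the User query parameter
        set user [string tolower [URI::decode [URI::query [HTTP::uri] "User"]]]
        # Reduce DOMAIN\user and user@domain forms to the account name
        set user [lindex [split $user "\\"] end]
        set user [lindex [split $user "@"] 0]

        # Exact match against the data group; a missing or unknown name fails closed
        if { $user ne "" && [class match -- $user equals activesync_allowed_users] } {
            persist cookie
            pool POOL
        } else {
            log local0.info "ActiveSync denied: user='$user' client=[IP::client_addr]"
            discard
        }
    }
}
```

The name in the URI is supplied by the client and is not what Exchange authenticates, so this check narrows who reaches the pool but does not replace authentication on the backend or in APM.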