
Abraham_126135
Nov 13, 2014

iRule to block\reject connections from Lync client

We have a VIP intended for SharePoint but would like to reject connections that are coming from MS Lync clients. It's causing our Lync clients to re-authenticate over and over due to 2FA that's set up on this VIP. Hoping to reach out to the DevCentral experts for an iRule to get this done.

 

5 Replies

  • If Lync has a User-Agent that identifies it as Lync, you can write an iRule to drop the incoming connection. You may want to look at the HTTP_REQUEST or SERVER_CONNECTED events.

    when HTTP_REQUEST {
            if { [string tolower [HTTP::header "User-Agent"]] eq "lync user agent" } {
                    drop
            }
    }
    
  • Thank you for the response, Cthulhucalling. I forgot to include that we are trying to reject connections from both Lync and Exchange clients. What do you think of this iRule below?

     

    when HTTP_REQUEST {
            log local0.debug "Client IP:[IP::client_addr] attempt with user agent :[HTTP::header User-Agent]"
            if { [string tolower [HTTP::header User-Agent]] contains "microsoft lync" } {
                    drop
                    log local0.info "Client IP:[IP::client_addr] has been blocked with user agent :[HTTP::header User-Agent]"
            } elseif { [string tolower [HTTP::header User-Agent]] contains "microsoft outlook" } {
                    drop
                    log local0.info "Client IP:[IP::client_addr] has been blocked with user agent :[HTTP::header User-Agent]"
            } else {
                    log local0.debug "Client IP:[IP::client_addr] attempt with user agent :[HTTP::header User-Agent] successful"
            }
    }

     

  • That way will work. The switch statement may make things simpler and faster.

    when HTTP_REQUEST {
            switch -glob  [string tolower [HTTP::header "User-Agent"]]
            "microsoft lync*" -
            "microsoft outlook*" {
                    log local0.info "Client IP:[IP::client_addr] has been blocked with user agent :[HTTP::header User-Agent]
                    drop
            }
            default {
                    log local0.debug "Client IP:[IP::client_addr] attempt with user agent :[HTTP::header User-Agent] successful"
            }
    }
    
  • I received an error

     

    01070151:3: Rule [ExternalSP_rule_drop_lync_exchange] error: line 2: [wrong args] [switch -glob [string tolower [HTTP::header "User-Agent"]]] line 3: [undefined procedure: microsoft lync] ["microsoft lync" -] line 4: [undefined procedure: microsoft outlook] ["microsoft outlook" { log local0.info "Client IP:[IP::client_addr] has been blocked with user agent :[HTTP::header User-Agent] drop }] line 8: [undefined procedure: default] [default { log local0.debug "Client IP:[IP::client_addr] attempt with user agent :[HTTP::header User-Agent] successful" }]

     

  • when HTTP_REQUEST {
            switch -glob  [string tolower [HTTP::header "User-Agent"]] {
                    "microsoft lync*" -
                    "microsoft outlook*" {
                            log local0.info "Client IP:[IP::client_addr] has been blocked with user agent :[HTTP::header User-Agent]"
                            drop
                    }
                    default {
                            log local0.debug "Client IP:[IP::client_addr] attempt with user agent :[HTTP::header User-Agent] successful"
                    }
            }
    }
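
Added example, not part of the thread or written by its participants: the `if ... contains` rule matches the string anywhere in the User-Agent, while `switch -glob` patterns such as "microsoft outlook*" only match when the header starts with it. This plain Tcl script (run with tclsh; the proc names and sample User-Agent values are constructed for illustration) compares the two on the same inputs.

```tcl
# Plain Tcl, not an iRule: HTTP::header and drop are replaced by a string
# argument and a return value so the matching can be tried offline.

# Anchored patterns, as in the switch-based iRule in the thread.
proc classify_prefix {ua} {
    switch -glob -- [string tolower $ua] {
        "microsoft lync*" -
        "microsoft outlook*" { return "drop" }
        default { return "allow" }
    }
}

# Leading and trailing "*" give the same substring match as "contains".
proc classify_substring {ua} {
    switch -glob -- [string tolower $ua] {
        "*microsoft lync*" -
        "*microsoft outlook*" { return "drop" }
        default { return "allow" }
    }
}

# Constructed sample User-Agent values, not captured from real clients.
# The last entry is an empty header (client sent no User-Agent).
set samples {
    "Microsoft Lync 15.0 (constructed)"
    "UCCAPI/15.0 OC/15.0 (Microsoft Lync)"
    "Microsoft Office/15.0 (Microsoft Outlook 15.0; constructed)"
    "Mozilla/5.0 (Windows NT 6.1) ExampleBrowser/1.0"
    ""
}

foreach ua $samples {
    puts [format "%-62s prefix=%-5s substring=%s" "\"$ua\"" \
        [classify_prefix $ua] [classify_substring $ua]]
}
```

Before switching a rule from `contains` to `switch -glob`, compare the patterns against the User-Agent values that the rule's own `log local0.debug` line records for the clients in question.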