Forum Discussion

Luca_55898
Sep 19, 2011

irule to bypass Access Profile

Hi,

Need some help as this is getting beyond my knowledge...

We use the APM module to authenticate external users using Outlook Web Access.

We have a VIP with an access profile, and the following iRule. We needed the iRule because users authenticate from different domains.

    when ACCESS_ACL_ALLOWED {
        # Domain name stored in a session variable earlier in the access policy
        set domain [ACCESS::session data get "session.dc"]
        log local0.alert "$domain"
        # Pick the SSO profile that matches the user's domain
        if { $domain == "au" } {
            WEBSSO::select CAS-SSO-NTLM-AU
            log local0.alert "CAS-AU"
        } elseif { $domain == "CORP" } {
            WEBSSO::select CAS-SSO-NTLM
            log local0.alert "CAS-CORP"
        } elseif { $domain == "IE" } {
            WEBSSO::select CAS-SSO-NTLM-IE
        } elseif { $domain == "NZ" } {
            WEBSSO::select CAS-SSO-NTLM-NZ
        }
    }

So that iRule picks up the domain name that we set in a session variable, and assigns the correct SSO profile. That all works well for OWA.

However, when a user takes their laptop home, they should be able to open Outlook 2007 and have it connect over the Internet to a CAS server. This happens because Outlook detects that it is 'on the internet' and tries to connect to an external URL such as:

www.our-emails.com

The issue is that www.our-emails.com uses the same VIP that OWA uses, so the same access policy and iRule applies to users using Outlook 2007 from home. So the iRule does not match anything and they do not connect.

Is it possible to create another iRule or add to the existing iRule so that users using Outlook 2007 from home bypass the Access Profile?

  • Looking in the VPE of APM I added a 'client for Microsoft Exchange' field at the start and put that to 'allow', however it seems SSO doesn't work with that as I get 'Could not find SSO username'
  • You can also bypass APM altogether. In the example below, you would change your if statement, probably to use the source IP address:

        when HTTP_REQUEST {
            # Skip the access policy entirely for matching clients
            if { ([HTTP::header User-Agent] contains "X") or ([HTTP::header User-Agent] contains "XY") or ([HTTP::header User-Agent] contains "XYZ") } {
                ACCESS::disable
                return
            }
        }
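The following iRule is an added example, not code from the thread or from F5, showing the two pieces together: the HTTP_REQUEST bypass from the reply above narrowed to Outlook Anywhere traffic (RPC-over-HTTP path and the MSRPC User-Agent, both assumed here as the identifying characteristics) and restricted to source networks listed in a data group, plus the original ACCESS_ACL_ALLOWED SSO selection with the domain value case-normalised and a logged default branch. The data group name `outlook_anywhere_allowed_nets` is an assumption.

```tcl
# Added example; assumes an address data group named
# outlook_anywhere_allowed_nets listing the client networks that may
# reach Outlook Anywhere without going through the access policy.
when HTTP_REQUEST {
    # Outlook Anywhere (RPC over HTTP) is assumed to use this path and
    # User-Agent; OWA requests do not match and keep the access policy.
    set path [string tolower [HTTP::path]]
    set ua   [HTTP::header "User-Agent"]
    if { [string match "/rpc/rpcproxy.dll*" $path] && ($ua starts_with "MSRPC") } {
        if { [class match [IP::client_addr] equals outlook_anywhere_allowed_nets] } {
            # With the access policy disabled the CAS must authenticate
            # this request itself, so record every bypass for review.
            log local0. "APM bypass for Outlook Anywhere from [IP::client_addr] uri=[HTTP::uri]"
            ACCESS::disable
            return
        }
        # Outlook Anywhere from an unlisted network: fall through to APM
        log local0. "Outlook Anywhere from unlisted source [IP::client_addr], policy applies"
    }
}

when ACCESS_ACL_ALLOWED {
    # Normalise the case so "au" and "AU" both select the AU profile
    set domain [string toupper [ACCESS::session data get "session.dc"]]
    switch -- $domain {
        AU   { WEBSSO::select CAS-SSO-NTLM-AU }
        CORP { WEBSSO::select CAS-SSO-NTLM }
        IE   { WEBSSO::select CAS-SSO-NTLM-IE }
        NZ   { WEBSSO::select CAS-SSO-NTLM-NZ }
        default {
            # No matching SSO profile: make the failure visible instead of
            # letting the session continue silently without SSO.
            log local0.alert "No SSO profile for domain '$domain' from [IP::client_addr]"
        }
    }
}
```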