Forum Discussion
irule to disable APM access profile
I am trying to disable the APM (my only choice with Outlook for Mac). I have disabled the APM in the past with IP classes and then I throw ACCESS::DISABLE, which works fine.
I am trying an iRule that picks up the user-agent header as "MacOutlook*" and the moment it's found it should bypass APM and connect me directly to the pool (mimicking removal of the access profile on the virtual server).
So I have tried this, but it only kicks in once inside the access policy. The iRule executes, yet it still does not get me out of the access policy that doesn't work. (I can't get rid of the access policy on the virtual server as it preauthenticates every other flavour of client as it should; I just need to create this back door for Outlook 2011.)
Anyone with a suggestion would be appreciated~!
8 Replies
- mikeshimkus_111 (Historic F5 Account)
Outlook 2011 should work with the Access Policy created by the iApp.
What's happening that's causing you to want to disable APM?
- John_Alam_45640 (Historic F5 Account)
Which event are you using ACCESS::disable in?
This page has an example of using ACCESS::disable inside the HTTP_REQUEST event. https://devcentral.f5.com/wiki/iRules.ACCESS__disable.ashx
The HTTP_REQUEST event should work fine for what you need.
This page lists the ACCESS events, these are "Inside" the policy, all other events are "outside" the policy. https://devcentral.f5.com/wiki/iRules.ACCESS.ashx
HTH
- Rabbit23_116296
Nimbostratus
Thing is native Mail.app works without a hitch for any NTLM domain I come from in the format of \user. With Mail.app and when looking at the debug apm log, it receives the NTLM encoded auth header, proceeds straight to SSO mapping and an APM allow event.
With Outlook 2011, the APM only receives the basic authentication header and then fails over to the AAA server, which authenticates only if the requesting NTLM domain is in the same domain as the actual Exchange servers. This presents an issue in a resource forest deployment such as the one we are in. I tried LDAP failover, got an APM allow but no access for the client. I also tried the requesting domain in the AAA server, but then I get errors logged about the realm not being local to the KDC, which I can understand because of Kerberos constrained delegation issues when going cross-forest.
So trying to find something to capture the HTTP traffic on the MacOutlook client to see if it is sending NTLM or whether it's something on the F5.
Looking at the older exchange iApp template it appears as if there were issues with MailApp and OutlookMac but since addressed.
- Rabbit23_116296
Nimbostratus
correction above on the first line (meant in the format of domain'slash'user)
- Rabbit23_116296
Nimbostratus
@John thanks for your responses. I bound this iRule to the VS with no luck earlier today. It does pick up that header but still goes on uninterrupted with the access policy.
Again, it's desperate measures with going down this route:
```tcl
when HTTP_REQUEST {
    switch -glob [HTTP::header "User-Agent"] {
        "MacOutlook" {
            ACCESS::disable
        }
        default {
            ACCESS::enable
        }
    }
}
```
- John_Alam_45640 (Historic F5 Account)
I would download the latest iApps and try it. I would also try to hunt down the reason you are getting the errors. Try configuring a Multi-domain domain policy.
As to the iRule, try this: put a star before and after "MacOutlook" in the switch command.
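The wildcard fix suggested above, combined with the IP-class check the original poster mentions having used before, as an added example that is not code from the thread. The User-Agent header is set by the client, so matching it alone would switch off pre-authentication for any request carrying that string; here the bypass also requires a source address in a data group. The data group name `outlook_mac_trusted_nets` is hypothetical.

```tcl
# Added example, not code posted in the thread.
# Assumption: "outlook_mac_trusted_nets" is an address-type data group that
# you create, holding the networks allowed to skip APM pre-authentication.
when HTTP_REQUEST {
    set ua [HTTP::header value "User-Agent"]

    # switch -glob / string match compare against the whole header value,
    # so a bare "MacOutlook" pattern matches only a header that is exactly
    # that string. The surrounding "*" let it match anywhere in the value.
    set ua_match [string match "*MacOutlook*" $ua]

    # Second condition: the client address must be in the trusted data group.
    set ip_match [class match [IP::client_addr] equals outlook_mac_trusted_nets]

    if { $ua_match && $ip_match } {
        # Record every bypass so it can be reviewed against expected clients.
        log local0.info "APM bypass: client=[IP::client_addr] path=[HTTP::path] ua=\"$ua\""
        ACCESS::disable
    } else {
        if { $ua_match } {
            # Header matched but the source is not trusted: keep APM on and
            # log it, since this is the case a spoofed header would produce.
            log local0.warning "APM bypass refused: client=[IP::client_addr] ua=\"$ua\""
        }
        ACCESS::enable
    }
}
```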
- Rabbit23_116296
Nimbostratus
It seems the problem is with Mac Outlook, it only sends basic headers when looking at an HTTP interception tool. So I will try this one more time with LDAP as a failback auth source.
- Rabbit23_116296
Nimbostratus
I have managed to get this to work for Mac Outlook. I set up a 401 authorization rule with branch outputs; if basic authentication, I pick up the domain by using an MCGET expression. If the domain is not set, then I manually set the session.logon.last.domain variable and then proceed to basic SSO credential mapping; if the domain is set, then the SSO mapping sets the authorization headers correctly.