when HTTP_REQUEST { set header [HTTP::header "User-Agent"] log local0. "Before Match --- Header is: $header" if {[string tolower [HTTP::header "User-Agent"]] contains "mac os x" && [string tolower [HTTP::uri]] equals "/ews/exchange.asmx"} { ACCESS::disable log local0. "one time" log local0. "URI: [HTTP::uri]" pool /Common/exchange.app/exchange_oa_pool6 } }

Cannot save or edit the post so: APM is still causing grief for Mac clients. I am trying to disable the policy for Mac User-Agent headers. This is killing the session but resulting in a apm loop (it just creates an immediate subsequent session ID). Any ideas?

If your request has any of the apm cookies, you may need to remove them from that request. I've had weird issues like that. so, perhaps your iRule could do something like this: when HTTP_REQUEST { if {[string tolower [HTTP::header "User-Agent"]] contains "mac os x" && [string tolower [HTTP::uri]] equals "/ews/exchange.asmx"} { log local0. " Disable access for [HTTP::uri]" ACCESS::disable HTTP::cookie remove "MRHSession" HTTP::cookie remove "LastMRH_Session" } else { log local0. " [HTTP::uri]" } }

May want to try with when CLIENT_ACCEPTED { ACCESS::restrict_irule_events disable }

Don't I need to have an iRule event in the access policy event for this then?

Forum Discussion

Rabbit23_116296

Nimbostratus

Apr 01, 2015

iRule to disable APM not working as expected

when HTTP_REQUEST {

   set header [HTTP::header "User-Agent"]
    log local0. "Before Match --- Header is: $header"
    if {[string tolower [HTTP::header "User-Agent"]] contains "mac os x"  && [string tolower [HTTP::uri]] equals "/ews/exchange.asmx"} {
            ACCESS::disable 
            log local0. "one time"
            log local0. "URI: [HTTP::uri]"

            pool /Common/exchange.app/exchange_oa_pool6

    }   
}

BIG-IP Access Policy Manager (APM)

security

25 Replies

kunjan
Nimbostratus
Apr 08, 2015
I think it's triggered for the Exchange Web Service(EWS) by the exchange profile attached the access policy. You might see this in the APM logs. If you are using a 11.4 version you might be able to modify the iRule _Sys attached.
- Rabbit23_116296
  Nimbostratus
  Apr 12, 2015
  I think you are right here. I am using 11.6.0 with the latest iApp (think 1.4.0) , does this mean I have options?
kunjan_118660
Cumulonimbus
Apr 08, 2015
I think it's triggered for the Exchange Web Service(EWS) by the exchange profile attached the access policy. You might see this in the APM logs. If you are using a 11.4 version you might be able to modify the iRule _Sys attached.
- Rabbit23_116296
  Nimbostratus
  Apr 12, 2015
  I think you are right here. I am using 11.6.0 with the latest iApp (think 1.4.0) , does this mean I have options?
kunjan
Nimbostratus
Apr 13, 2015
You can try HTTP:disable in the iRule with priority 0 for the iRule. But not sure about the implications.

The other 'dirty' trick is to change the uri in HTTP_REQUEST to temp value and change it back in HTTP_REQUEST_SEND
Rabbit23_116296
Nimbostratus
May 18, 2015
I have entirely given up with support with f5 as there is ZERO apm support.

I believe looking at tcpdumps my issue is ntlm related as our mac clients are domain joined. they send a combination of ntlm+basic headers and we are still experiencing major issues.