Forum Discussion

Karthik_Krishn1
Feb 19, 2016

iRule to match multiple conditions

Hello,

We are in the process of setting up 2-factor for OWA only if the users are coming in from the Internet. When a user comes in from the Internet and hits the page "https://webmail.company.com/owa" they should get redirected to a pool which has the servers configured for 2-factor. Any other URLs should be redirected to the pool that does not have 2-factor configured.

The rule I was working on would have logic like this:

when HTTP_REQUEST {
    if { ([HTTP::uri] contains "/owa/") && not ([class match [IP::client_addr] equals OWA-NO-2FA]) } {
        pool OWA_2FA_Pool
    } else {
        pool OWA_SSL_POOL
    }
}

If the URI starts with /OWA/ and the source IP does not match the datagroup (internal networks), use pool OWA-2FA-Pool.

All other URLs (e.g. /rpc/) should be sent to the default pool assigned to the VIP.

This rule would follow the http-to-https /owa redirect rule.

Any help would be appreciated.

Thanks,

Karthik

  • Instead of comparing ([HTTP::uri] contains "/owa") this ([HTTP::path] starts_with "/owa") would be more efficient. You might also want to ensure that you're looking at lower-case data by using ([[string tolower [HTTP::path]] starts_with "/owa") so you don't miss URLs like "https://webmail.company.com/OWA".
  • Hi Karthik,

    I've optimized your iRule a little based on some experience...

    when CLIENT_ACCEPTED {
        # Evaluate the data group once per TCP connection, not once per request.
        # Tcl variable names cannot contain "-", so the flag is named owa_2fa.
        if { [class match [IP::client_addr] equals OWA-NO-2FA] } then {
            set owa_2fa 0
        } else {
            set owa_2fa 1
        }
    }
    when HTTP_REQUEST {
        # Lower-case the URI so mixed-case requests (e.g. /oWa/) are still caught.
        set low_uri [string tolower [HTTP::uri]]
        if { ( $owa_2fa ) and
             (( $low_uri starts_with "/owa" ) or
              ( $low_uri starts_with "/ecp" )) } then {
            pool OWA_2FA_Pool
        } elseif { $low_uri equals "/" } then {
            HTTP::redirect "/owa/"
        } else {
            pool OWA_SSL_POOL
        }
    }

    Note: I've moved the [class match [IP::client_addr]] to the CLIENT_ACCEPTED event to save some CPU cycles for keep-alive connections.

    Note: I've added the [string tolower] command so that a case-sensitive URI (e.g. /oWa/) wouldn't bypass your 2FA requirement.

    Note: I've added the ($low_uri starts_with "/ecp") condition to force 2FA also for the Exchange Control Panel (aka OWA Settings).

    Note: I've added a [HTTP::redirect "/owa/"] syntax to assist your users getting to their Inbox.

    Cheers, Kai

  • Thanks guys. I will test this out later tonight and will post a reply here on whether it worked or not.
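An added example, not code from any of the replies above: a Python model of the routing decision the two replies converge on (lower-cased HTTP::path as the first reply suggests, data group checked first, /ecp included and "/" redirected as in Kai's rule). The internal networks are constructed stand-ins for the OWA-NO-2FA data group; the model runs offline to show which request lands on which pool, and why the original rule's `contains` on the full HTTP::uri behaves differently from `starts_with` on the path.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for the OWA-NO-2FA address data group (internal networks).
OWA_NO_2FA = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Path prefixes that must go to the 2FA pool when the client is external.
TWO_FA_PREFIXES = ("/owa", "/ecp")


def is_internal(client_addr: str) -> bool:
    """Model of [class match [IP::client_addr] equals OWA-NO-2FA]."""
    ip = ipaddress.ip_address(client_addr)
    return any(ip in net for net in OWA_NO_2FA)


def route(client_addr: str, uri: str) -> str:
    """Return the action the iRule would take: a pool name or a redirect.

    Uses the lower-cased path only ([string tolower [HTTP::path]]), so the
    query string cannot influence pool selection and /OWA/ or /oWa/ cannot
    slip past the 2FA requirement.
    """
    path = urlsplit(uri).path.lower()
    if not is_internal(client_addr) and path.startswith(TWO_FA_PREFIXES):
        return "pool OWA_2FA_Pool"
    if path == "/":
        return 'HTTP::redirect "/owa/"'
    return "pool OWA_SSL_POOL"


def uri_contains_owa(uri: str) -> bool:
    """The original question's test, [HTTP::uri] contains "/owa/", verbatim:
    case-sensitive and applied to the whole URI including the query string."""
    return "/owa/" in uri


if __name__ == "__main__":
    # Constructed sample requests: (client address, URI).
    samples = [
        ("203.0.113.5", "/OWA/"),                        # external, mixed case
        ("10.1.2.3", "/owa/"),                           # internal, no 2FA
        ("203.0.113.5", "/ecp/"),                        # external, settings
        ("203.0.113.5", "/"),                            # bare host
        ("203.0.113.5", "/rpc/rpcproxy.dll?target=/owa/"),  # RPC with "/owa/" in query
    ]
    for addr, uri in samples:
        print(f"{addr:12} {uri:38} -> {route(addr, uri):28} "
              f"uri contains '/owa/': {uri_contains_owa(uri)}")
```

The last sample shows the caveat: the original `contains` test matches a query string and would route that RPC request to the 2FA pool, while the mixed-case first sample is missed by it entirely.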