Forum Discussion

Karthik_Krishn1's avatar
Karthik_Krishn1
Icon for Cirrostratus rankCirrostratus
Feb 19, 2016

iRule to match multiple conditions

Hello,   We are in the process of setting 2 factor for OWA only if the users are coming in from the Internet. When a user comes in from the internet and hits the page "https://webmail.company.com...
application delivery
iRules
LTM
security
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Feb 19, 2016

Hi Karthik,

I've optimized a little your iRule based on some experiences...

when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals OWA-NO-2FA] } then {
        set OWA-2FA 0
    } else {
        set OWA-2FA 1
    }
}
when HTTP_REQUEST {
    set low_uri [string tolower [HTTP::uri]]
    if { ( $OWA-2FA ) and 
         (( $low_uri starts_with "/owa" ) or 
          ( $low_uri starts_with "/ecp" )) } then { 
        pool OWA_2FA_Pool
    } elseif { $low_uri equals "/" } then {
        HTTP::redirect "/owa/"
    } else {
        pool OWA_SSL_POOL
    }
}

Note: I've moved the 

[class match [IP::client_addr]]
to the 
CLIENT_ACCEPTED
event to save some CPU cycles for 
keep-alive
connections.

Note: I'v added the 

[string tolower]
command so that case-sensitive URI (e.g. /oWa/) wouldn't bypass your 2FA requirement.

Note: I'v added the 

($low_uri starts_with "/ecp")
condition to force 2FA also for Exchange Control Panel (aka. OWA Settings).

Note: I'v added a 

[HTTP::redirect "/owa/"]
syntax to assist your users getting to their Inbox.

Cheers, Kai