Forum Discussion

Monty_S__237327
Dec 06, 2015

iRule to restrict activesync traffic to particular IPs but allow all other Exchange traffic

Hi All,

I am currently working on an MDM project, in which we are moving to AirWatch to proxy all ActiveSync traffic.

In order to force all users to use Airwatch for all ActiveSync, we need to be able to drop all ActiveSync Traffic on our Exchange CAS Pool.

As we are currently on Exchange 2013, virtually all traffic goes via https_443, hence we need to be able to drop only ActiveSync traffic that is not coming from our two AirWatch Servers, but allow all other traffic (i.e. OWA, RPC, Autodiscover, etc.).

Below is a sample of code I have created to hopefully achieve this. Would this work, and do you have any recommendations?

  when HTTP_REQUEST {
    log local0. "Client IP: [IP::client_addr]"
    log local0. "URI: [HTTP::uri]"
    # Reject ActiveSync requests unless the client is listed in the Airwatch_SEG_Servers data group;
    # everything else goes to the Exchange CAS pool
    if { ([string tolower [HTTP::uri]] contains "/Microsoft-Server-ActiveSync*") and not ([class match [IP::client_addr] equals Airwatch_SEG_Servers]) } {
        log local0. "dropped connection"
        reject
    } else {
        pool EXCHANGE_2013_https_int_pool
    }
  }

I have a Data Group called Airwatch_SEG_Servers containing the IPs of my two Airwatch Servers, which will proxy the ActiveSync Traffic.

Thanks in Advance,

Monty

  • Hi Monty,

    the Rule has a little problem with the tolower formatting, but in general it would work. When converting a string to lower case, the compare string has to be lower case too, otherwise it won't match.

    when HTTP_REQUEST {
        log local0. "Client IP: [IP::client_addr]"
        log local0. "URI: [HTTP::uri]"
        # The URI is lower-cased, so the compare string must be lower case as well;
        # "contains" is a plain substring test, so no trailing "*" wildcard is needed
        if { ([string tolower [HTTP::uri]] contains "/microsoft-server-activesync") and not ([class match [IP::client_addr] equals Airwatch_SEG_Servers]) } then {
            log local0. "dropped connection"
            reject
        } else {
            pool EXCHANGE_2013_https_int_pool
        }
    }

     

    Cheers, Kai

  • Thank you Kai,

    I ended up changing my code to the condition below:

    if { ([string tolower [HTTP::uri]] contains "/microsoft-server-activesync") and not ([class match [IP::client_addr] equals Airwatch_SEG_Servers]) }

    I will test it and let you know.

    • Kai_Wilke
      Hi Monty, the wildcard character (*) is used for -glob search patterns. So you're absolutely right that it's not required when using a "contains" comparison. Cheers, Kai
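As an added illustration (not code from the thread or from F5), the same decision logic modelled in Python so the two pitfalls raised above can be checked offline: the original mixed-case compare string with its trailing literal `*` never matches a lower-cased URI, so that version silently fails open and sends every ActiveSync request to the pool regardless of source. The data-group addresses and sample requests are constructed placeholders.

```python
import ipaddress

# Constructed stand-in for the Airwatch_SEG_Servers data group (placeholder addresses).
AIRWATCH_SEG_SERVERS = ["192.0.2.10", "192.0.2.11"]
EXCHANGE_POOL = "EXCHANGE_2013_https_int_pool"


def class_match(client_ip, data_group):
    """Model of `class match <addr> equals <group>`: host or CIDR entries."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in data_group)


def decide_original(uri, client_ip):
    """Monty's first condition: the URI is lower-cased but compared against a
    mixed-case string that also ends in a literal '*'. `contains` is a plain
    substring test, so this never matches and nothing is ever rejected."""
    is_eas = "/Microsoft-Server-ActiveSync*" in uri.lower()
    if is_eas and not class_match(client_ip, AIRWATCH_SEG_SERVERS):
        return "reject"
    return EXCHANGE_POOL


def decide_fixed(uri, client_ip):
    """Corrected condition: lower-case compare string, no wildcard."""
    is_eas = "/microsoft-server-activesync" in uri.lower()
    if is_eas and not class_match(client_ip, AIRWATCH_SEG_SERVERS):
        return "reject"
    return EXCHANGE_POOL


# Constructed sample requests: (uri, client address).
SAMPLE_REQUESTS = [
    ("/Microsoft-Server-ActiveSync?Cmd=Sync&User=x", "203.0.113.5"),  # EAS, not AirWatch
    ("/Microsoft-Server-ActiveSync?Cmd=Sync&User=x", "192.0.2.10"),   # EAS via AirWatch SEG
    ("/owa/auth/logon.aspx", "203.0.113.5"),                          # OWA, any client
    ("/autodiscover/autodiscover.xml", "203.0.113.5"),                # Autodiscover, any client
]


def compare_versions():
    """Return [(uri, ip, original_decision, fixed_decision), ...] for the samples."""
    return [(u, ip, decide_original(u, ip), decide_fixed(u, ip)) for u, ip in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for uri, ip, orig, fixed in compare_versions():
        print(f"{ip:<12} {uri:<45} original={orig:<30} fixed={fixed}")
```

Only the first sample differs between the two versions: the fixed condition rejects it, while the original lets it through to the pool.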