Forum Discussion
OWA bruteforce protection with ASM
Hi,
Have you ever tried to protect the MS Outlook Web Access login page with ASM? I'm trying to set up brute force protection but don't have any luck.
I made a login page with the following parameters:
Login URL: Explicit, HTTPS, /owa/auth.owa
Authentication Type: HTML Form
Username Parameter Name: username
Password Parameter Name: password
Expected HTTP response status code: 302
With this configuration I can see all requests, including usernames, in the Event Viewer. I expected that after enabling brute force protection for my login page I would have this page protected. But I don't.
Could you please share with me your experience?
- Vsevolod_Petrov (Cirrostratus)
This is Exchange 2013 version
- Vsevolod_Petrov (Cirrostratus)
Learn, alarm and blocking flags are enabled.
- Vsevolod_Petrov (Cirrostratus)
Session-based brute force parameters are set to allow a maximum of 2 login attempts and a timeout of 30 seconds. Maybe I should try dynamic protection.
- Vsevolod_Petrov (Cirrostratus)
Hm.. it seems that dynamic protection wasn't designed to solve this.
I still need to configure Session-based Brute Force Protection.
I didn't have such problems with applications other than Microsoft. Every time, brute force protection was working as expected.
Your assistance is much appreciated.
- Vsevolod_Petrov (Cirrostratus)
I've found that if I change the value of the "Login Attempts From The Same Client" parameter to 1, I will have my OWA login page blocked after 3-4 login attempts.
And in this case Event Viewer shows the following violation:
Brute Force: Maximum login attempts are exceeded Number of Login Attempts 1
But again I made 3-4 attempts.
As far as I can see, such behaviour is not a BIG-IP issue but a characteristic of the OWA login procedure.
That's why I'm asking for a best practice for this kind of task.
Or do I just need to use APM in this case?