OWA with external logon page and SSO select

Question

Hi there,&nbsp;
&nbsp;I have been trying to setup OWA with a custom logon screen to allow the various flags to be set for Light, Public and Private, and then depending on the flags set to select the appropriate SSO settings.  This logon page is hosted on the F5 using iFiles.&nbsp;
&nbsp;The initial VS deployment was done using the iApp template:    f5.microsoft_exchange_2010_cas.2012_04_06 and we are using OWA, Outlook Anywhere, ActiveSync and Autodiscover and are running 11.1.0 HF3&nbsp;
&nbsp;This is working to a large extent but only if the user goes straight to the logon page (which is hosted on a different port).&nbsp;
&nbsp;User connects to https://mail.acme.com:8443/owa_custom_logon
&nbsp;User submits credentials which are posted to a fake URI on https://mail.acme.com/owa_fake_capture , an iRule is in place to capture the content and populates a number of variables:
&nbsp;The iRule is:
&nbsp;        when HTTP_REQUEST {
&nbsp;            check for post request
&nbsp;            set url 0
&nbsp;            if  {[HTTP::uri] starts_with "/owa_fake_capture" and [HTTP::method] eq "POST"}{
&nbsp;             The above URI ???/??? should be true based on the iFiles LOGON.ASPX file POST contents
&nbsp;             Ensure this is the case
&nbsp;            set url 1
&nbsp;            set my_content_length [HTTP::header "Content-Length"]
&nbsp;            HTTP::collect $my_content_length
&nbsp;            }}&nbsp;
&nbsp;        when HTTP_REQUEST_DATA {
&nbsp;             Set the collected POST variables into keys in the LTM session table 
&nbsp;            if { $url ==1} {
&nbsp;            table set key_owa_flags [findstr [HTTP::payload] flags 6 "&amp;"] 0 indefinite 
&nbsp;            table set key_owa_trusted [findstr [HTTP::payload] trusted 8 "&amp;"] 0 indefinite
&nbsp;            table set key_owa_username [findstr [HTTP::payload] username 9 "&amp;"] 0 indefinite
&nbsp;            table set key_owa_password [findstr [HTTP::payload] password 9 "&amp;"] 0 indefinite
&nbsp;            HTTP::release
&nbsp;         redirect is required as user landing uri was /owa_fake_capture
&nbsp;        HTTP::redirect https://mail.acme.com/owa
&nbsp;        }}&nbsp;
&nbsp;APM kicks in and using the captured variables signs the user in and gets them into the appropriate SSO using WEBSSO::select depending on the flags set.&nbsp;
&nbsp;If a user was to go directly to https://mail.acme.com/owa APM would deny access as there is no logon page configured in the VPE.&nbsp;
&nbsp;Now what I was trying to do was to add an external logon page to the VPE, and modifying the external logon page to post to /my.policy, which would do the following:&nbsp;
&nbsp;User connects to https://mail.acme.com/
&nbsp;User is redirected to https://mail.acme.com/owa
&nbsp;APM kicks in and user is sent to external logon page on https://mail.acme.com:8443/owa_custom_logon, APM is expecting username and password to be posted to post_url https://mail.acme.com/my.policy (according to the documentation)
&nbsp;User submits credentials which are posted to https://mail.acme.com/my.policy , an iRule is in place to capture the additional content.
&nbsp;The iRule is:
&nbsp;        when HTTP_REQUEST {
&nbsp;            check for post request
&nbsp;            set url 0
&nbsp;            if  {[HTTP::uri] starts_with "/my.policy" and [HTTP::method] eq "POST"}{
&nbsp;             The above URI ???/??? should be true based on the iFiles LOGON.ASPX file POST contents
&nbsp;             Ensure this is the case
&nbsp;            set url 1
&nbsp;            set my_content_length [HTTP::header "Content-Length"]
&nbsp;            HTTP::collect $my_content_length
&nbsp;            }}&nbsp;
&nbsp;        when HTTP_REQUEST_DATA {
&nbsp;             Set the collected POST variables into keys in the LTM session table 
&nbsp;            if { $url ==1} {
&nbsp;            table set key_owa_flags [findstr [HTTP::payload] flags 6 "&amp;"] 0 indefinite 
&nbsp;            table set key_owa_trusted [findstr [HTTP::payload] trusted 8 "&amp;"] 0 indefinite
&nbsp;            table set key_owa_username [findstr [HTTP::payload] username 9 "&amp;"] 0 indefinite
&nbsp;            table set key_owa_password [findstr [HTTP::payload] password 9 "&amp;"] 0 indefinite
&nbsp;            HTTP::release
&nbsp;             redirect is not required as users landing uri is /owa
&nbsp;            }}&nbsp;
&nbsp;However nothing else is captured by the F5 (I enabled logging at various stages in the iRule and it just returns with blank entries).  Username and Password are captured but I suspect that is the workings of the javascript it inserts when redirecting the user to the external logon page and the fact that APM has started.&nbsp;
&nbsp;I realise I could setup a separate VS for OWA (https://owa.acme.com) capture the creds there and then redirect them to the APM enabled VS (https://mail.acme.com), but I would prefer to have everything under the one.&nbsp;
&nbsp;Has anyone else found a nice way around this?

mark_van_d · Answer

See this post for the answer: iRule to capture APM External Logon Page Variables&nbsp;

Forum Discussion

OWA with external logon page and SSO select

Recent Discussions

F5 looses the token for the first call

iRule - Url rewrite and header replace and pool selection not working

Switch ssl profile based on weak cipher detection via IRULE

full-proxy HTTP2

Decode ObjectSID from Base64-encode string

Related Content

CSV to Address External Datagroup File

External Monitor Information and Templates

TACACS+ External Monitor (Python)

snmp-check external monitor

F5 BIG-IP and NGINX - Securing Your AWS VPC Lattice Applications for External Clients

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS