F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

steve_87999's avatar
steve_87999
Icon for Nimbostratus rankNimbostratus
Nov 27, 2013

Securing Exchange ical url

Hi Guys,

 

I am trying to secure a url with ldap or radius authentication https://mydomain.com/owa/calendar/user@mydomain/Calendar/calendar.ics

 

All our https traffic comes in over a single virtual server which also has outlook web access traffic https://mydomain.com/owa

 

We have LTM amd APM 11.3

 

I have added an Access Profile to the https virtual server which uses the Landing URI field to match the ics url. If it matches -> 401 Response -> LDAP Auth. If it doesn't match then ical url is blocked but access is allowed to the rest of owa. This works OK but the breaks Exchange Autodiscover service https://mydomian.com/Autodiscover/Autodiscover.xml.

 

Should I be using the method above or is there a better way to have login for https://mydomain.com/owa/calendar/user@mydomain/Calendar/calendar.ics and allow everything else?

 

Cheers,

 

Steve

 

application delivery
BIG-IP Access Policy Manager (APM)
devops
iRules
microsoft
security

4 Replies

  • steve_87999's avatar
    steve_87999
    Icon for Nimbostratus rankNimbostratus
    Nov 28, 2013

    I am now trying to use an irule with ACCESS::enable to enable the Access Profile for that url only.

     

    After I successfully authenticate I am getting a "cannot display the webpage" in Internet Explorer.

     

    Does anyone have any ideas on how to resolve this?

     

    Cheers,

     

    Steve

     

    when HTTP_REQUEST { switch -glob [string tolower [HTTP::path]] { "/owa/calendar/user@mydomain/Calendar/calendar.ics" { Enable Access Profile for these paths ACCESS::enable } default { ACCESS::disable } } }

     

  • mikeshimkus_111's avatar
    mikeshimkus_111
    Historic F5 Account
    Dec 02, 2013

    Hi Steve, in your iRule you are using string tolower, which means the value you match on needs to be lower case:

    when HTTP_REQUEST { 
    switch -glob [string tolower [HTTP::path]] {                                                 "/owa/calendar/user@mydomain/calendar/calendar.ics" { 
             Enable Access Profile for these paths 
                ACCESS::enable 
        } 
        default { 
            ACCESS::disable 
        } 
    } 
}
    • steve_87999's avatar
      steve_87999
      Icon for Nimbostratus rankNimbostratus
      Dec 12, 2013
      Thanks Mike, That was a typo in my post. My rule is all lower case... The irule is working correctly it think there is something going on with the access policy. I am getting the login page, logging in and then getting page can't be displayed (the url is correct though). It might be the page is calling another url but this is being blocked? I will investigate this...
  • steve_87999's avatar
    steve_87999
    Icon for Nimbostratus rankNimbostratus
    Dec 23, 2013

    I found that everytime I added the irule above I got page can't be displayed after successfully activating and processing the access policy on the virtual server.

     

    After logging a support call and going thru my config several times with support it just wouldn't work.

     

    I had the idea to write an irule to only disable the access policy - not enable it because it is enabled by default.

     

    If the path doesn't match the url disable the access policy as per below

     

    when HTTP_REQUEST { if { not ([string tolower [HTTP::path]] equals "/owa/calendar/user@mydomain/calendar/calendar.ics") } { ACCESS::disable log local0. "APM Disabled" } }

     

    This works!