Setting up ASM policy to protect Outlook Web Access (OWA)

Question

I have used the  iApp to create a the setup for some Exchange 2016 backend servers. Users from outside are supposed to use Outlook Web App (OWA), and I thought it should be possible to protect the virtual server using ASM and only allowing access to specific URLs.&nbsp;
However, if I want to create a new policy in Security -&gt; Application Security -&gt; Security Policies -&gt; Create... I am not able to select the virtual server. The information text next to the input field states: "Select an Existing Virtual Server if you already configured one (An existing Virtual Server is displayed only if it has an HTTP Profile assigned to it and it is not using any Local Traffic Policy controlling ASM)..."&nbsp;
The iApp created a virtual server and assigned an HTTP profile to it. I verified that the parent profile is "http". So which important bit might I be missing?&nbsp;
I have seen there is a specific template for just OWA and ASM (https://devcentral.f5.com/articles/new-asm-outlook-web-access-owa-2016-template-for-bigip-v13-29413), but is it possible to combine the two somehow?&nbsp;

gscholz · Answer

I have done some further testing. I am using the Partner Vlab setup in its most basic form. I have manually created a virtual server for HTTPs, and I have assigned the profile to it that was created from the iApp:
&nbsp;
ltm virtual /Common/https_virtual {
    destination /Common/10.1.10.20:443
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/https_pool
    profiles {
        /Common/App-Exchange-2016.app/App-Exchange-2016_http_profile { }
        /Common/clientssl {
            context clientside
        }
        /Common/serverssl {
            context serverside
        }
        /Common/tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}
ltm profile http /Common/App-Exchange-2016.app/App-Exchange-2016_http_profile {
    app-service /Common/App-Exchange-2016.app/App-Exchange-2016
    defaults-from /Common/http
    insert-xforwarded-for enabled
    redirect-rewrite all
}

&nbsp;
For comparison, this is what the virtual server looks like that was created from the iApp:
&nbsp;
ltm virtual /Common/App-Exchange-2016.app/App-Exchange-2016_combined_https {
    app-service /Common/App-Exchange-2016.app/App-Exchange-2016
    destination /Common/10.1.10.30:443
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        /Common/App-Exchange-2016.app/App-Exchange-2016_caching_profile { }
        /Common/App-Exchange-2016.app/App-Exchange-2016_clientssl {
            context clientside
        }
        /Common/App-Exchange-2016.app/App-Exchange-2016_http_profile { }
        /Common/App-Exchange-2016.app/App-Exchange-2016_lan-optimized_tcp_profile {
            context serverside
        }
        /Common/App-Exchange-2016.app/App-Exchange-2016_oneconnect { }
        /Common/App-Exchange-2016.app/App-Exchange-2016_serverssl {
            context serverside
        }
        /Common/App-Exchange-2016.app/App-Exchange-2016_wan-optimized-compression_profile { }
        /Common/App-Exchange-2016.app/App-Exchange-2016_wan-optimized_tcp_profile {
            context clientside
        }
        /Common/ntlm { }
    }
    rules {
        /Common/App-Exchange-2016.app/App-Exchange-2016_owa_redirect_irule7
        /Common/App-Exchange-2016.app/App-Exchange-2016_combined_pool_irule7
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}

&nbsp;
When I want to create a new application security policy https_virtual shows up in the dropdown menu of eligible virtual servers, but App-Exchange-2016_combined_https does not. Would anybody know the reason?

gsharri · Answer

Does the application service have Strict Updates enabled? This setting can be found on the application service Properties tab. It is usually enabled by default in the templates and prevents the objects created by the template from being modified directly. I'm wondering if it is preventing ASM from seeing the VS. Disable it and test.&nbsp;
Scott&nbsp;

gscholz · Answer

I disabled the option, and indeed I could see the virtual server now, thank you very much!&nbsp;
Is there a way to mark your comment as the right answer?&nbsp;

gsharri · Answer

Does the application service have Strict Updates enabled? This setting can be found on the application service Properties tab. It is usually enabled by default in the templates and prevents the objects created by the template from being modified directly. I'm wondering if it is preventing ASM from seeing the VS. Disable it and test.&nbsp;
Scott&nbsp;

gsharri · Answer

Added comment as answer. &nbsp;

Forum Discussion

Setting up ASM policy to protect Outlook Web Access (OWA)

5 Replies

Recent Discussions

Pool Members communication with B-party via F5 VIP

Find GSLB pool membership from vip IP

Server 2 causing application slowness

F5Access | MacOS Sonoma

AS3 Deployments (shared objects)

Related Content

Beyond REST: Protecting GraphQL

L7 DoS Protection with NGINX App Protect DoS

Managing NGINX App Protect WAF for Beginners

F5 Distributed Cloud Bot Defense Protecting AWS CloudFront Distributions

Cookie-based DDoS protection