For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

gscholz's avatar
gscholz
Icon for Nimbostratus rankNimbostratus
Oct 17, 2018

Setting up ASM policy to protect Outlook Web Access (OWA)

I have used the iApp to create a the setup for some Exchange 2016 backend servers. Users from outside are supposed to use Outlook Web App (OWA), and I thought it should be possible to protect the vi...
ASM Advanced WAF
exchange 2016
iApps
owa
security
gscholz's avatar
gscholz
Icon for Nimbostratus rankNimbostratus
Oct 19, 2018

I have done some further testing. I am using the Partner Vlab setup in its most basic form. I have manually created a virtual server for HTTPs, and I have assigned the profile to it that was created from the iApp:

 

ltm virtual /Common/https_virtual {
    destination /Common/10.1.10.20:443
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/https_pool
    profiles {
        /Common/App-Exchange-2016.app/App-Exchange-2016_http_profile { }
        /Common/clientssl {
            context clientside
        }
        /Common/serverssl {
            context serverside
        }
        /Common/tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}
ltm profile http /Common/App-Exchange-2016.app/App-Exchange-2016_http_profile {
    app-service /Common/App-Exchange-2016.app/App-Exchange-2016
    defaults-from /Common/http
    insert-xforwarded-for enabled
    redirect-rewrite all
}

 

For comparison, this is what the virtual server looks like that was created from the iApp:

 

ltm virtual /Common/App-Exchange-2016.app/App-Exchange-2016_combined_https {
    app-service /Common/App-Exchange-2016.app/App-Exchange-2016
    destination /Common/10.1.10.30:443
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        /Common/App-Exchange-2016.app/App-Exchange-2016_caching_profile { }
        /Common/App-Exchange-2016.app/App-Exchange-2016_clientssl {
            context clientside
        }
        /Common/App-Exchange-2016.app/App-Exchange-2016_http_profile { }
        /Common/App-Exchange-2016.app/App-Exchange-2016_lan-optimized_tcp_profile {
            context serverside
        }
        /Common/App-Exchange-2016.app/App-Exchange-2016_oneconnect { }
        /Common/App-Exchange-2016.app/App-Exchange-2016_serverssl {
            context serverside
        }
        /Common/App-Exchange-2016.app/App-Exchange-2016_wan-optimized-compression_profile { }
        /Common/App-Exchange-2016.app/App-Exchange-2016_wan-optimized_tcp_profile {
            context clientside
        }
        /Common/ntlm { }
    }
    rules {
        /Common/App-Exchange-2016.app/App-Exchange-2016_owa_redirect_irule7
        /Common/App-Exchange-2016.app/App-Exchange-2016_combined_pool_irule7
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}

 

When I want to create a new application security policy https_virtual shows up in the dropdown menu of eligible virtual servers, but App-Exchange-2016_combined_https does not. Would anybody know the reason?