Seth_Cooper
F5 Employee

Outlook Web Access is the web interface to the Microsoft Exchange environment, and many customers have placed the portal behind their BIG-IP APM architecture. If you look at the OWA logon page, however, you'll notice that it offers a couple of extra options that the default APM logon page does not support:


This article shows you how to add these options to a custom BIG-IP APM logon page. It assumes that the portal app with SSO is already configured and working; if you need help with that, drop a comment below.

Configuration Steps

First, enable two additional text boxes on the APM Logon page


Now that the two new fields are captured as session variables, you need to modify the logon page so that it displays radio buttons and a checkbox for the fields we added instead of text boxes. You do this by first going to the Customization section of the Access Policy module.


Next, change the Edit Mode to Advanced.


Then navigate to the logon page.


Find this section of code in logon.inc:

foreach( $fields_settings as $id=>$field_settings )
{
    if( $field_settings["type"] != "none" )
    {

Immediately after the opening curly brace of the foreach loop, add the two "continue" lines shown below, so that the section now looks like this (the two new lines skip the default text-box rendering for the pubpriv and lightversion fields, which we render by hand further down):

foreach( $fields_settings as $id=>$field_settings )
{
    if( $field_settings["name"] == "pubpriv" ) { continue; }
    if( $field_settings["name"] == "lightversion" ) { continue; }

    if( $field_settings["type"] != "none" )
    {

The section should look like this now:


The section ends with four closing curly braces. Add the following block between the third and fourth closing brace, so that the radio buttons and the checkbox are rendered once, after the loop over the other fields:

?>
<tr>
  <td colspan=2 class="credentials_table_unified_cell" >
    <label for="text">Security</label>
      <input type="radio" name=pubpriv value="public" checked> This is a public or shared computer<br>
      <input type="radio" name=pubpriv value="private"> This is a private computer
  </td>
</tr>
<tr>
  <td colspan=2 class="credentials_table_unified_cell" >
    <label for="text">Light Version?</label>
      <input type="checkbox" name=lightversion value="yes"> Use the light version of Outlook Web App
  </td>
</tr>
<?

Now the section, complete, should look like this:


Now click Save Draft, then click Save in the editor toolbar.


Now that the customizations are done, we need to create an iRule that reads the two form values from the session and sets the values that will be pushed into the SSO object. The values to set are the ones OWA itself sends in its POST variables ("flags" and "trusted"). Go to the "Local Traffic" section in the menu, then iRules, and click "Create". I named my iRule "owa_form_values_iRule" and pasted the following code:

when ACCESS_POLICY_AGENT_EVENT {
  # Map the two custom logon fields onto the "flags" and "trusted" values OWA's own logon form posts.
  # Anything other than "private" / "yes" falls through to the public / premium defaults.
  if {[ACCESS::session data get "session.logon.last.pubpriv"] eq "private"} {
    if {[ACCESS::session data get "session.logon.last.lightversion"] eq "yes"} {
      ACCESS::session data set "session.custom.owa.flags" 5
      ACCESS::session data set "session.custom.owa.trusted" 4
    } else {
      ACCESS::session data set "session.custom.owa.flags" 4
      ACCESS::session data set "session.custom.owa.trusted" 4
    }
  } else {
    if {[ACCESS::session data get "session.logon.last.lightversion"] eq "yes"} {
      ACCESS::session data set "session.custom.owa.flags" 1
      ACCESS::session data set "session.custom.owa.trusted" 0
    } else {
      ACCESS::session data set "session.custom.owa.flags" 0
      ACCESS::session data set "session.custom.owa.trusted" 0
    }
  }
}
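To see the whole chain end to end (logon form values, the session variables the iRule sets, and the %{...} substitution the SSO object performs on its hidden form parameters), here is an added Python model of it. This is example code written for this article, not code from the article or from F5: the form values and the "destination" hidden parameter are constructed samples, and the assumption that an unknown %{variable} renders as an empty string is mine. It also checks that the compact rule "trusted is 4 for private, flags is trusted plus 1 for the light client" reproduces all four cases the iRule spells out, and that a tampered value for pubpriv or lightversion falls through to the public/premium defaults rather than to the more privileged private mode.

```python
import re

# Constructed sample POSTs from the custom APM logon page. pubpriv is "public" or
# "private" and lightversion is "yes" only when the checkbox is ticked (as in
# the article's logon.inc additions). The third entry is a tampered request.
SAMPLE_POSTS = [
    {"username": "alice", "pubpriv": "private", "lightversion": "yes"},
    {"username": "bob", "pubpriv": "public"},
    {"username": "eve", "pubpriv": "PRIVATE; drop", "lightversion": "true"},
]


def owa_sso_values(form):
    """Mirror of the article's owa_form_values_iRule.

    trusted is 4 for a private computer and 0 otherwise; flags is trusted plus 1
    when the light client is requested. Only the exact strings "private" and
    "yes" are honoured, matching the iRule's else branches, so an unexpected or
    tampered value yields the public / premium defaults.
    """
    trusted = 4 if form.get("pubpriv") == "private" else 0
    light = 1 if form.get("lightversion") == "yes" else 0
    return {
        "session.custom.owa.flags": trusted + light,
        "session.custom.owa.trusted": trusted,
    }


# The four cases the iRule enumerates: (pubpriv, lightversion) -> (flags, trusted).
IRULE_TABLE = {
    ("private", "yes"): (5, 4),
    ("private", "no"): (4, 4),
    ("public", "yes"): (1, 0),
    ("public", "no"): (0, 0),
}


def matches_irule_table():
    """True when the compact formula reproduces every case of the iRule."""
    for (pubpriv, light), expected in IRULE_TABLE.items():
        v = owa_sso_values({"pubpriv": pubpriv, "lightversion": light})
        got = (v["session.custom.owa.flags"], v["session.custom.owa.trusted"])
        if got != expected:
            return False
    return True


# Hidden form parameters of the SSO object, as in the article. "destination" is a
# constructed placeholder standing in for the other parameters left unchanged.
HIDDEN_PARAMS_TEMPLATE = {
    "flags": "%{session.custom.owa.flags}",
    "trusted": "%{session.custom.owa.trusted}",
    "destination": "https://mail.example.com/owa/",
}

_VAR = re.compile(r"%\{([A-Za-z0-9_.]+)\}")


def render_hidden_params(template, session):
    """Substitute %{session.variable} references with session values.
    Assumption (not from the article): an unknown variable renders as "".
    """
    def sub(match):
        return str(session.get(match.group(1), ""))

    return {name: _VAR.sub(sub, value) for name, value in template.items()}


def build_sso_post(form):
    """Form values from the APM logon page -> hidden parameters posted to OWA."""
    session = owa_sso_values(form)
    return render_hidden_params(HIDDEN_PARAMS_TEMPLATE, session)


if __name__ == "__main__":
    print("formula matches iRule table:", matches_irule_table())
    for post in SAMPLE_POSTS:
        print(post, "->", build_sso_post(post))
```

Running it shows the tampered third request being downgraded to flags=0, trusted=0, which is the behaviour you want from a gateway that decides the "trusted computer" bit on the client's behalf.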

Next go back to the visual policy editor and add an iRule Event after the logon page in the process flow but before the resource assign and enter the name of the iRule we created in the ID field.


Finally, edit the SSO configuration object. In the hidden form parameters, change the values of "flags" and "trusted" to use the new session variables set by the iRule. The other parameters remain the same:

flags %{session.custom.owa.flags}
trusted %{session.custom.owa.trusted}

Shown in the SSO object:


Now apply the policy and you are good to go! OWA through APM will provide the same functions as the direct OWA logon page!

Comments
gbbaus_104974
Historic F5 Account
Very Cool, thanks for sharing. This is a common problem
Andrew_Garvin_1
Nimbostratus
This is great, but assumes you are using forms-based authentication on your OWA/CAS Exchange servers. This will not work if you use Basic/NTLM authentication on the servers. Is there another way to make it work if you use Basic/NTLM?
Lucas_Thompson_
Historic F5 Account
The other way to accomplish this is to simply add headers into the client request, in case you need to use HTTP authentication instead of Forms. Two headers, "X-Experience" and "X-LogonType", control OWA's behavior:

X-Experience can be "premium" or "light".

X-LogonType can be "public" or "private".

This is the method that ISA server uses.

To append the headers, you can use something like the following on the APM vs:

when ACCESS_ACL_ALLOWED {
  # Set the header on each allowed request, based on a custom session variable
  if { [ACCESS::session data get "session.somecustomvariableyoucansetintheaccesspolicy"] contains "somevalueyousetforlightmode" } {
    HTTP::header replace "X-Experience" "light"
  } else {
    HTTP::header replace "X-Experience" "premium"
  }
}

Roo_150490
Nimbostratus
Hi Seth,

"assumes the portal app with SSO is already configured and working. If you need help with that, drop a comment below."

Yes... I need help with this setup... If you could provide me any guidance that would be really appreciated.
Seth_Cooper
F5 Employee
Hi Roo,

Here is a manual entry for Configuring Portal Access (http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-portal-access-11-1-0/2.html) and here is the SSO config guide (http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-sso-config-11-2-0.html).

If you have issues or need help I would suggest creating a post on DevCentral to solicit feedback from the community.

Seth
AP_129594
Nimbostratus
What is the token field used for? I am getting some errors passing the SSO credential to the backend CAS servers.

2014-04-14 11:17:41 \N: Could not find SSO username, check SSO credential mapping agent setting
2014-04-14 11:17:41 \N: Could not find SSO password, check SSO credential mapping agent setting
2014-04-14 11:17:41 Master Decyrpt failed for ckDecrypt: Ciphertext does not begin with master key prefix
2014-04-14 11:17:41 checking start uri match, start uri: '/owa/auth/logon.aspx?url=https://mail.xxxxx.com/owa/&reason=0', request: '/owa/14.3.174.1/themes/resources/lgnbotm.gif'
2014-04-14 11:17:41 \N: no start uri match
AP_129594
Nimbostratus
So I figured out the SSO credential mapping issue, but still questioning about the token field?
AP_129594
Nimbostratus
That is nice, and everything works now except Light Version.
Steven_Baker_15
Nimbostratus
I am totally stuck trying to get the options for Light Version, Public/Private Access, and the ability to change password at logon, just like ISA serves up as OWA options, using APM. We are using APM, 11.5.2, with iApp template f5.microsoft_exchange_2010_2013_cas_v1.3.0. The Application we created using the template successfully serves out OWA access to our internal CAS servers, however, we are completely unable to pass the options for Light mode, Public/Private, and most importantly, the ability to change password at logon, which is how ISA works when providing delegated authentication as a gateway. The default SSO configuration for authentication appears to be NTLM, even though we are using FBA on all our CAS servers. Is there an official process to put in place that can make happen what we need? I need as much detail as possible in the explanation, as I am new to F5. I've tried all the steps in this post and it appears it gets stuck at the SSO configuration object.... Please help....
Rene_Bader_1308
Nimbostratus
Hi Seth,

I followed your approach but was not able to get the radio buttons or checkbox to be displayed with the preview inside APM's editor. Also all CSS and images are still missing? Do I have to upload them on the F5?

(I'm using TMOS 11.5.1)

Thanks

René
Seth_Cooper
F5 Employee
Hi Rene,

I'm not sure why it wouldn't preview in the editor, as I never previewed the page in the editor. Does it show the radio button and check box when you save the policy and view it through IE?

As for the CSS and images, the document will just add the options and pass them through the SSO. This will not modify the login page to have the same exact look as OWA.

Seth
Sundar_Sivasank
Nimbostratus
Hi, I am working on a deployment with an Exchange 2013 environment where an APM is deployed to perform pre-authentication. My query is whether there is a document that explains how to make the APM produce the same OWA login page instead of the default F5 APM logon page for OWA? Any inputs/resources for this purpose will be very helpful. Regards, Sundar
The-messenger
Cirrostratus

I would like to do the same but change the results for pubpriv: public - APM branch leads to RADIUS (2 factor); private - APM branch leads to machine cert check.

I have this working with a single check box on the login page but would like to use the radio buttons so the options appear more like the OWA page from Exchange.
Stanislas_Piro2
Cumulonimbus

Hi,

This code was written when APM did not support radio buttons in the logon page.

This can now be done without editing the logon.inc file, starting with version 11.6.

Another improvement can be to use a variable assign instead of an iRule event (use this variable assign order because the flags expression uses the trusted value):

session.custom.owa.trusted = expr {[mcget {session.logon.last.pubpriv}] == "private" ? 4 : 0}

session.custom.owa.flags = expr {[mcget {session.logon.last.lightversion}] == "yes" ? [mcget {session.custom.owa.trusted}]+1 : [mcget {session.custom.owa.trusted}] }

Note: Updated with variable assign optimized code (15/05/2018)
Version history
Last update:
23-Apr-2013 08:03