Nir_Ashkenazi
F5 Employee

F5 has created a specialized ASM template to simplify the configuration process of OWA 2016 with the new version of BIG-IP, v13.

Click here to download the latest version of the XML file that contains the template: Outlook Web Access 2016 Ready Template v6.x

Goal: A quick OWA 2016 baseline policy that is set to Blocking from day one and tuned to the OWA 2016 environment.

Ready Template Deployment Steps

  1. Download the latest version of the policy XML file (click on the file --> Raw --> Save As) from the link above.
  2. Update the attack signatures to the latest version: click "Security Update" --> "Application Security" --> "Check for Updates" --> "Install Updates".
  3. Click "Application Security" --> "Import Policy" --> "Select File" and choose the XML file.
  4. Edit the policy name to the protected application name and click "Import Policy".
  5. Attach the policy to the appropriate virtual server.
  6. Refine the policy by reviewing new learning records in "Application Security" --> "Policy Building" --> "Traffic Learning".
  7. Verify that no false positives occur by checking the event logs: "Event Logs" --> "Application" --> "Request".

Important: If the policy is not working properly, please ensure you are using the latest version.  If you have any issues or questions, please send any feedback to my email: n.ashkenazi@f5.com

Comments
Walter_Kacynski
Cirrostratus

How is this different than the "OWA Template" in the 13.1 base product?

 

Nir_Ashkenazi
F5 Employee

Thanks, Walter, for reaching out. We are always in an ongoing process to improve security and reduce false positives of the templates. The update touches multiple areas of the policy, but mainly it updated the attack signature sets and changed the positive models to compact mode with staging state. The URLs were also updated with common content types.

 

Walter_Kacynski
Cirrostratus

So, this would be considered a patched version of that template then? Is there a section of the F5 download site for updated (supported) ASM Templates like there is for iApps?

 

Walter_Kacynski
Cirrostratus

Also, will this new template support OWA 2013?

 

Nir_Ashkenazi
F5 Employee

Yes, it is a patched version that will finally be updated into the device template repository. The template was tested on OW16K, so there is no guarantee it would work as expected in OWA13K.

 

draco
Nimbostratus

Hi

 

Will this work with 12.1.2?

 

Nir_Ashkenazi
F5 Employee

The template was tested on v13, so unfortunately there is no backward compatibility guarantee.

 

am_gli
Altostratus

Hi,

 

I've implemented a policy in transparent mode with this template, but I'm facing some issues during traffic learning:

 

a) ActiveSync triggers strange SQL-Injection Suggestions: SQL-INJ "' --" (SQL comment) (Parameter) (2)

 

b) ActiveSync triggers strange Execution attempts (ftp, del, sfc, ...) since it detects these strings in the string of a JPG or similar...

 

Is there any suggestion how to handle these suggestions in a good and secure manner?

 

Nir_Ashkenazi
F5 Employee

Thanks, Amir, for the update about the issue with active-sync. As far as I understand, you are testing in a clear environment? Could you please export the illegal logs and send them to my email nashkenazi@ so I can take a look (via Events Logs -> Applications -> Request -> Select All -> Export)?

 

am_gli
Altostratus

Hi Nir, thanks for the quick reply. Unfortunately I had no logging profiles bound currently. I've just changed it and I'm waiting for a few events to occur. I hope to send you the logs by tomorrow at the latest.

 

gscholz_370150
Nimbostratus

I am using the template for v13.1. I updated the attack signatures as described in step 2, and this is the first line of the readme:

 

Update: v13.1.0/ASM-SignatureFile_20180925_171453:

Importing the policy (step 3) completes successfully, but gives me 64 lines of the following before the success message:

 

signature with id xxxxxxxxx (previously used in this security policy) does not exist on this system.

I searched for a few IDs via Security ›› Application Security : Attack Signatures and saw that none of them seem to have an entry. What effect, if any, does it have on the policy if the XML file refers to attack signatures that are not defined on the box?

 

And does that mean the XML file is outdated (and with it the policy) every time the signature file gets updated?

 

Nir_Ashkenazi
F5 Employee

Thanks for the update, Mr. Gundemarie. The logs are related to signatures that were removed, so it is safe to ignore the logs. I would suggest taking the latest template, 6.1.6, which was updated recently.
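
Added example (not part of the original thread and not F5 tooling): a small Python helper that pulls the signature IDs out of the import warnings quoted above and compares two import runs, for instance an older template version against a newer one. Only the warning text comes from the comment; the sample IDs and the function names are constructed for illustration.

```python
import re

# Warning text as quoted in the comment above; a real id is assumed to be numeric.
WARNING = ("signature with id {} (previously used in this security policy) "
           "does not exist on this system.")
MISSING_SIG = re.compile(
    r"signature with id (\d+) \(previously used in this security policy\) "
    r"does not exist on this system"
)


def missing_signature_ids(import_output):
    """Return the sorted, de-duplicated signature ids the import could not resolve."""
    return sorted({int(m.group(1)) for m in MISSING_SIG.finditer(import_output)})


def compare_imports(before, after):
    """Compare the warnings of two import runs (e.g. old vs. new template file)."""
    old = set(missing_signature_ids(before))
    new = set(missing_signature_ids(after))
    return {
        "resolved": sorted(old - new),       # warned before, no longer warned
        "still_missing": sorted(old & new),  # warned in both runs
        "newly_missing": sorted(new - old),  # only warned in the later run
    }


# Constructed sample output: the ids are made up, and one id repeats on purpose.
SAMPLE_OLD_IMPORT = "\n".join(
    [WARNING.format(i) for i in (200000001, 200000002, 200000001, 200000003)]
    + ["(other import output)"]
)
SAMPLE_NEW_IMPORT = WARNING.format(200000002)

if __name__ == "__main__":
    ids = missing_signature_ids(SAMPLE_OLD_IMPORT)
    print(f"{len(ids)} unique missing signature ids: {ids}")
    for key, values in compare_imports(SAMPLE_OLD_IMPORT, SAMPLE_NEW_IMPORT).items():
        print(f"{key}: {values}")
```

Keeping the ID list from each import gives a record of which signatures the policy no longer references after a signature update.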

 

Andre-Germany
Nimbostratus

Hello, I have tried the template accordingly. At the beginning, the call to OWA also worked, but now I get a block: "Modified domain cookie Cookie Name: Clientid Reason: New Cookie". Why?

 

Nir_Ashkenazi
F5 Employee

Thanks Udo for reaching out, usually the alert is raised only after upgrading/changing the policy but it should stop after existing sessions are expired.

 

See https://support.f5.com/csp/article/K20323120 for more information.

 

If you think that it still occurs and it is a false positive, you can remove the block protection: Security ›› Application Security : Policy Building : Learning and Blocking Settings >> Cookies >> Modified ASM cookie

 

Andre-Germany
Nimbostratus

Modified ASM cookie is unplayed.

 

Now I have Security >> Application Security: Headers: Cookies List ClientID set from Enforced Cookies to Allowed Cookies. Then the call goes through again.

 

Ahmed_Al-Dhim_1
Nimbostratus

Thank you, Nir, for your great efforts. Can we know if this template is for http or https, or both? And does it support OWA with ActiveSync or not?

 

Nir_Ashkenazi
F5 Employee

Thanks, Ahmed. The policy supports both "http"/"https" protocols and "ActiveSync".

 

Balasundaram_32
Nimbostratus

Dear All,

 

I have BIG-IP version 14.1.0. Will this Outlook Web Access 2016 Ready Template v6.x be suitable? We have a customer who wants to go to OWA BLOCKING mode very urgently/fast. Kindly suggest.

 

Nicol4s
Nimbostratus

Interesting.

 

We are gonna deploy this template in a few weeks.

 

I will let you know how it went.

efouli
Nimbostratus

Page was not found. Is there any alternative source of the template?

Thanks.

Nicol4s
Nimbostratus

Check this link : https://github.com/f5devcentral/f5-asm-policy-templates/tree/master/application_ready_template/Outlo...

 

This is the official Devcentral Github Repository.

efouli
Nimbostratus

Just to confirm, does this template apply only to OWA or to all the Exchange services?

Thanks a lot. 

Nir_Ashkenazi
F5 Employee

 Thanks for helping, I fixed the link.

 The template is for front end exchange user access (OWA/Outlook) applications and the exchange servers.

gu3rr3ir0
Nimbostratus

Hi  

 

Just a quick question: does this template work for version 14?

Last update: 23-Jan-2018 18:46