ASM or AWAF Exchange 2019 OWA Protection against Brute force Attacks!

Joe_Brandon
Nimbostratus

Hi everyone

I am trying to figure out how it is possible to protect Exchange 2019 OWA from brute force attacks. For now we deployed the iApps of the latest version of 16.x Virtual Edition (trial period).

I cannot find a way to stop wrong passwords coming in and passing to Servers.

Any help would be appreciated. I tried configuring Sessions and Logins, Security Profile and also allowed URLs. IP Geolocation works well, so I can say my security profile is getting assigned.

samstep
MVP

You can stop Brute-force attacks against any web application (not necessarily OWA) using F5 ASM/AWAF.

The mitigation mechanism includes returning a blocking page, dropping the TCP connection, challenging the client with a CAPTCHA or injecting Client-Side Integrity JavaScript to identify a human user (moving mouse and pressing keys on the keyboard) vs a bot.

Here is the KnowledgeBase article "K18650749: Configuring brute force attack protection":

https://support.f5.com/csp/article/K18650749

Hope this helps,

Sam
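As an added illustration of the escalation Sam describes (this is example code, not from the thread or from F5), here is a small Python model of per-source failed-login counting that steps a client from allow to CAPTCHA to block, run over constructed OWA-style log lines. The log format, the `reason=2` failure marker and the thresholds are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed OWA-style log lines (not real data): time, client IP, request, status,
# username, plus "reason=2" when OWA bounced the client back to the logon form (assumed format).
SAMPLE_LOG = """\
2023-12-29T10:00:01 203.0.113.7 POST /owa/auth.owa 302 alice reason=2
2023-12-29T10:00:05 203.0.113.7 POST /owa/auth.owa 302 bob reason=2
2023-12-29T10:00:09 203.0.113.7 POST /owa/auth.owa 302 carol reason=2
2023-12-29T10:00:12 198.51.100.9 POST /owa/auth.owa 302 dave
2023-12-29T10:00:15 203.0.113.7 POST /owa/auth.owa 302 dave reason=2
2023-12-29T10:00:20 203.0.113.7 POST /owa/auth.owa 302 alice reason=2
2023-12-29T10:02:05 203.0.113.7 POST /owa/auth.owa 302 bob reason=2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) POST /owa/auth\.owa (?P<status>\d{3}) "
                     r"(?P<user>\S+)(?: reason=(?P<reason>\d+))?$")
def parse_line(line):  # event dict for a login POST, None for anything else
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["failed"] = ev["status"] == "302" and ev["reason"] is not None  # bad password
    return ev

class BruteForceGuard:
    """Failed logins per source IP in a sliding window, escalated the way an ASM
    login page can: allow -> CAPTCHA challenge -> block."""
    def __init__(self, window_s=60, captcha_after=3, block_after=5):
        self.window = timedelta(seconds=window_s)
        self.captcha_after, self.block_after = captcha_after, block_after
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures

    def observe(self, ev):
        q = self.failures[ev["ip"]]
        while q and ev["ts"] - q[0] > self.window:  # expire failures outside the window
            q.popleft()
        if ev["failed"]:
            q.append(ev["ts"])
        if len(q) >= self.block_after:
            return "block"
        return "captcha" if len(q) >= self.captcha_after else "allow"

def run(log_text):  # mitigation decided for each login request, in order
    guard = BruteForceGuard()
    return [(ev["ip"], ev["user"], guard.observe(ev))
            for ev in map(parse_line, log_text.splitlines()) if ev]
```

The last line of the sample shows the window expiring: the same source is back to "allow" once its earlier failures are older than 60 seconds.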

Joe_Brandon
Nimbostratus

Dear Samstep,

Thanks for the information, but I've read it before. The problem is I cannot find the HTTP/HTTPS selection box in the login page creation page. I tried the latest version of Virtual Edition directly from the download section of the site, and there is a 30-day license. How is this possible?

I watched many videos on YouTube and read a lot of documents, all of which reference selecting HTTP or HTTPS when creating a login page!

Thanks again

Hi Joe, F5 has changed some of the menus in the User Interface of version 16.1, so things are not where they are supposed to be (yes I know - it is annoying!). Most of the documentation and videos I have seen refer to version 13.x.

Here is how you can get to the login pages in v16.1:

  1. In the main Security menu click on "Session Tracking".
  2. In Session Tracking click on the cog icon next to your ASM policy name (as shown on the screenshot):

[screenshot]

Then click on Sessions and Logins and then click on the "+ Add Page" button for login pages - you will see the HTTP/HTTPS selection box:

[screenshots]

Hope this helps!

Regards,

Sam

Joe_Brandon
Nimbostratus

Thanks again Sam,

Here is what I have, even after checking the new interface changes:

[screenshots]

I don't see what you mentioned!

Is this about resource provisioning or some bug?

Kind regards,

Joe

Hi Joe, no, this is not a bug: as your policy is created from a template, the setting to differentiate between HTTP and HTTPS URLs has been disabled in that template (which makes sense as OWA really should be served over HTTPS only).

When this setting is disabled you will not see HTTP/HTTPS dropdowns anywhere in the policy, as it is assumed that all policy entities are of the same protocol. If you check the General Settings on the policy and scroll down you should see that the "Differentiate" setting is Disabled:

[screenshot]

Don't let this confuse you - please note that F5 WAF was created in 2004 when many websites used to have a mixture of HTTP and HTTPS pages (e.g. only the credit card payment page on Amazon would be served over HTTPS) - that is the reason why WAF policies could be configured differently for pages served over HTTP and HTTPS.

Regards,

Sam

Joe_Brandon
Nimbostratus

Thanks, dear Sam,

That was the exact issue. Now we can continue our adventure with this product.

Happy New Year everyone btw 🙂

Regards,

Joe