Forum Discussion

SysTopher
Jul 08, 2016

Block user or device within APM.

Hello,

We currently utilize both LTM and APM on the F5. We have APM fronting our OWA access from the outside. We apparently have an ex-employee who has a device that's still connected to our Active Sync. The user has multiple failed attempts from the device attempting to connect to email with an account that no longer exists. We apparently do not have a way to contact this user to get them to remove the account settings.

Is there a way within APM that I can block this user either by username or by device? I notice the APM reports can see it's a Motorola device from the User-Agent header, but I'm doubting it can identify the device beyond that.

We do also have the ASM module license, but we haven't done anything with ASM yet. If this isn't possible with APM, perhaps I can create an ASM policy to block them based on the number of failed login attempts?

4 Replies

  • Hi,

    In APM, depending on your VPE, you should be able to redirect the user in a Deny ending by injecting an expression in a branch after the logon page or 401. The user is stored in session.logon.last.username.

    As you are talking about ActiveSync, I assume that basic authentication will be used. So you can check for the username with an iRule:

    when HTTP_REQUEST {
        # Match requests that carry an Authorization header whose
        # Basic-auth username contains the blocked account name
        if { [HTTP::header exists Authorization] and [HTTP::username] contains "usernameX" } {
            # Discard the request without sending a response
            drop
        }
    }

    • SysTopher

      Great suggestions! I tested the iRule and I'm not seeing any further logon attempts showing up in the APM reports in the last 30 minutes. It was at least once per minute before, so I think that did it. I'll keep an eye on it. Thanks again!
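
A variant of the rule above, as an added example that is not part of the original thread: it goes beyond the username-only case by limiting the check to the ActiveSync path, matching the username exactly after stripping any domain part, and also matching the DeviceId query parameter that ActiveSync clients send when they use the plain-text query format. The list contents (`usernamex`, `EXAMPLEDEVICEID0001`) are constructed placeholders, and the variable names are hypothetical.

```tcl
# Added example, not code from the thread. Blocked values are constructed placeholders.
when RULE_INIT {
    # Hypothetical block lists: lowercase account names and ActiveSync device IDs.
    set static::blocked_users   [list "usernamex"]
    set static::blocked_devices [list "EXAMPLEDEVICEID0001"]
}

when HTTP_REQUEST {
    # Only inspect ActiveSync traffic so OWA and other paths are untouched.
    if { !([string tolower [HTTP::path]] starts_with "/microsoft-server-activesync") } {
        return
    }

    # Normalise the Basic-auth username: lowercase, drop DOMAIN\ prefix and @domain suffix.
    set user ""
    if { [HTTP::header exists "Authorization"] } {
        set user [string tolower [HTTP::username]]
        set user [lindex [split $user "\\"] end]
        set user [lindex [split $user "@"] 0]
    }

    # Assumption: the client sends a plain-text query string (Cmd=...&DeviceId=...).
    # The value is empty when the parameter is absent or the query is base64-encoded.
    set device [URI::query [HTTP::uri] "DeviceId"]

    # Exact matches only, so "usernamex" does not also block "usernamex2".
    set user_hit   [expr { $user ne "" && [lsearch -exact $static::blocked_users $user] >= 0 }]
    set device_hit [expr { $device ne "" && [lsearch -exact $static::blocked_devices $device] >= 0 }]

    if { $user_hit || $device_hit } {
        # Record what was blocked so the block can be audited and later retired.
        log local0.notice "ActiveSync blocked: user='$user' device='$device' client=[IP::client_addr] ua='[HTTP::header value User-Agent]'"
        drop
        return
    }
}
```

The DeviceId a given handset presents can be read from the ActiveSync request URIs in the existing access logs before it is added to the list.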

       
