Forum Discussion

Hawary
Feb 20, 2021

Control access to Exchange services

Hi folks,

I would like to control access to the mail service (mail.abc.com). If a user connects from the internet, it should not work, but it should be allowed from inside the network or for someone connected via VPN. I'm thinking of 2 solutions:

1- Remove the public DNS entry for mail.abc.com.

2- Write a policy or an iRule to control access, like: if users are trying to access mail.abc.com and the client IP is a private IP, allow the connection; else drop the connection. (Actually, I need your help with the iRule.)

Thanks in advance

3 Replies

  • The first option will work if mail.abc.com is only used for client access. If it is also used by other email servers to send you email, you probably don't want to delete it.

    The second is possible if the F5 BIG-IP is located somewhere that makes this possible. Does mail.abc.com point to the BIG-IP? Do internal clients actually connect to it from inside?

    As for the iRule, there really are hundreds of examples for this. Look some up, try it, and if it doesn't work post what you've got and someone will certainly help to fix it.

  • Hawary

    Hi boneyard,

    Thanks for your answer. What if I need to block only /owa from outside? How can I achieve that? Regarding inside, the users are accessing Exchange directly; they are not passing through the F5. I'd appreciate it if you could give an example of an iRule to block /owa and allow the other services.

    • There are quite a few examples with a quick search:

      https://devcentral.f5.com/s/question/0D51T00006i7iJf/block-activesync-on-virtual-server

      https://devcentral.f5.com/s/question/0D51T00006i7NzlSAE/how-to-block-a-specific-url

      https://devcentral.f5.com/s/question/0D51T00006i7Y8w/blocking-a-specific-url-on-a-specific-vip-with-irule

      https://support.f5.com/csp/article/K74012450

      In your case you don't even have to do something special for inside or outside, as inside users don't reach the BIG-IP.

      Give it a try and/or post what you believe will work.
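The iRule below is an added example written for this thread; it is not code from the replies above or from the linked DevCentral posts. It covers both requests in the thread: it refuses /owa (the follow-up question) while leaving every other Exchange path alone, and it keeps the original question's allow-list for private and VPN addresses so that VPN users whose traffic does traverse the BIG-IP still reach OWA. It assumes the mail.abc.com virtual server has an HTTP profile (plus a client SSL profile if the VIP terminates TLS) so that HTTP_REQUEST fires, and it assumes an address-type data group named vpn_and_internal_nets, a hypothetical name you would create yourself with the internal and VPN ranges as its records.

```tcl
# Added example iRule, not from the thread. Assumes an HTTP profile on the
# virtual server and a hypothetical address data group "vpn_and_internal_nets"
# holding the internal and VPN client ranges (e.g. 10.0.0.0/8).
when HTTP_REQUEST {
    # Normalize once; Exchange virtual directories are matched case-insensitively.
    set path [string tolower [HTTP::path]]

    # Only /owa and anything beneath it is restricted. ActiveSync, EWS,
    # Autodiscover, OAB, MAPI and the rest pass through untouched.
    if { $path starts_with "/owa" } {

        # Trusted sources (internal networks, VPN pool) get through unchanged.
        if { [class match [IP::client_addr] equals vpn_and_internal_nets] } {
            return
        }

        # Anyone else is internet-side: record it and answer with a clear 403
        # rather than a silent drop, so support calls are easy to diagnose.
        log local0. "Blocked OWA request from [IP::client_addr] for [HTTP::host]$path"
        HTTP::respond 403 content "Access to OWA is not permitted from this network." "Content-Type" "text/plain"
        return
    }
}
```

The data group must be of the address (ip) type for `class match ... equals` to do prefix matching on the client address; a string data group would compare the text of the address literally. Two caveats worth keeping in mind: matching on `HTTP::path` only works for traffic the BIG-IP can see in clear text, so an SSL passthrough VIP would need to terminate TLS first, and, as the last reply notes, the allow-list branch is only exercised by clients that actually arrive at the VIP, which in this setup means VPN users rather than the internal users who reach Exchange directly.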