
Control access to Exchange services

Hawary
Nimbostratus

Hi folks,

I would like to control access to the mail service (mail.abc.com). If a user connects from the internet, it should not work, but it should be allowed from the inside network or for someone connected over VPN. I'm thinking of 2 solutions:

1- Remove the public DNS entry for mail.abc.com

2- Write a policy or an iRule to control access: if users are trying to access mail.abc.com and the client IP is a private IP, allow the connection; else drop the connection. (Actually, I need your help with the iRule.)

Thanks in advance

3 REPLIES 3

boneyard
MVP

The first option will work if mail.abc.com is only used for client access. If it is also used by other email servers to send you email, you probably don't want to delete it.

The second is possible if the F5 BIG-IP is located somewhere that makes this possible. Does mail.abc.com point to the BIG-IP? Do internal clients actually connect to it from inside?

As for the iRule, there really are 100s of examples for this. Look some up, try it, and if it doesn't work, post what you've got and someone will certainly help to fix it.

Hawary
Nimbostratus

Hi boneyard,

Thanks for your answer. What if I need to block only /owa from outside? How can I achieve that? Regarding inside, the users are accessing the Exchange directly; they are not passing through the F5. I would appreciate it if you could give an example of an iRule to block /owa and allow the other services.

There are quite a few examples with a quick search:

https://devcentral.f5.com/s/question/0D51T00006i7iJf/block-activesync-on-virtual-server

https://devcentral.f5.com/s/question/0D51T00006i7NzlSAE/how-to-block-a-specific-url

https://devcentral.f5.com/s/question/0D51T00006i7Y8w/blocking-a-specific-url-on-a-specific-vip-with-irule

https://support.f5.com/csp/article/K74012450

In your case you don't even have to do something special for inside or outside, as inside users don't reach the BIG-IP.

Give it a try and/or post what you believe will work.
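
An added example, not posted by anyone in the thread: an iRule for the case discussed above, blocking /owa on the virtual server while leaving the other Exchange paths alone. It assumes an HTTP profile on the virtual server and an address-type data group named `owa_allowed_nets` (a hypothetical name) holding any source ranges that should still reach OWA through the BIG-IP, such as a VPN pool; the data group must exist, and can be left empty to block /owa for every client.

```tcl
# Added example, not from the thread.
# Assumption: owa_allowed_nets is an address-type data group created beforehand
# (hypothetical name); it lists source networks still allowed to use OWA.
when HTTP_REQUEST {
    # Decode and lowercase the path so /OWA or /%6fwa cannot bypass the match.
    set path [string tolower [URI::decode [HTTP::path]]]

    # Restrict only the OWA application; ActiveSync, EWS, etc. are untouched.
    if { $path equals "/owa" or $path starts_with "/owa/" } {
        if { not [class match [IP::client_addr] equals owa_allowed_nets] } {
            # Record the denial so blocked attempts show up in /var/log/ltm.
            log local0.notice "OWA blocked: client=[IP::client_addr] path=[HTTP::path]"
            HTTP::respond 403 content "Forbidden" "Connection" "close"
            return
        }
    }
}
```

The match is anchored on `/owa` and `/owa/` rather than a bare prefix, so an unrelated path that merely begins with the same letters is not blocked.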