Setting up ASM policy to protect Outlook Web Access (OWA)

gscholz
Nimbostratus

I have used the iApp to create the setup for some Exchange 2016 backend servers. Users from outside are supposed to use Outlook Web App (OWA), and I thought it should be possible to protect the virtual server using ASM and only allowing access to specific URLs.

 

However, if I want to create a new policy in Security -> Application Security -> Security Policies -> Create... I am not able to select the virtual server. The information text next to the input field states: "Select an Existing Virtual Server if you already configured one (An existing Virtual Server is displayed only if it has an HTTP Profile assigned to it and it is not using any Local Traffic Policy controlling ASM)..."

 

The iApp created a virtual server and assigned an HTTP profile to it. I verified that the parent profile is "http". So which important bit might I be missing?

 

I have seen there is a specific template for just OWA and ASM (https://devcentral.f5.com/articles/new-asm-outlook-web-access-owa-2016-template-for-bigip-v13-29413), but is it possible to combine the two somehow?

 

5 REPLIES

gscholz
Nimbostratus

I have done some further testing. I am using the Partner Vlab setup in its most basic form. I have manually created a virtual server for HTTPS, and I have assigned the profile to it that was created from the iApp:

 

ltm virtual /Common/https_virtual {
    destination /Common/10.1.10.20:443
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/https_pool
    profiles {
        /Common/App-Exchange-2016.app/App-Exchange-2016_http_profile { }
        /Common/clientssl {
            context clientside
        }
        /Common/serverssl {
            context serverside
        }
        /Common/tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}
ltm profile http /Common/App-Exchange-2016.app/App-Exchange-2016_http_profile {
    app-service /Common/App-Exchange-2016.app/App-Exchange-2016
    defaults-from /Common/http
    insert-xforwarded-for enabled
    redirect-rewrite all
}

 

For comparison, this is what the virtual server looks like that was created from the iApp:

 

ltm virtual /Common/App-Exchange-2016.app/App-Exchange-2016_combined_https {
    app-service /Common/App-Exchange-2016.app/App-Exchange-2016
    destination /Common/10.1.10.30:443
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        /Common/App-Exchange-2016.app/App-Exchange-2016_caching_profile { }
        /Common/App-Exchange-2016.app/App-Exchange-2016_clientssl {
            context clientside
        }
        /Common/App-Exchange-2016.app/App-Exchange-2016_http_profile { }
        /Common/App-Exchange-2016.app/App-Exchange-2016_lan-optimized_tcp_profile {
            context serverside
        }
        /Common/App-Exchange-2016.app/App-Exchange-2016_oneconnect { }
        /Common/App-Exchange-2016.app/App-Exchange-2016_serverssl {
            context serverside
        }
        /Common/App-Exchange-2016.app/App-Exchange-2016_wan-optimized-compression_profile { }
        /Common/App-Exchange-2016.app/App-Exchange-2016_wan-optimized_tcp_profile {
            context clientside
        }
        /Common/ntlm { }
    }
    rules {
        /Common/App-Exchange-2016.app/App-Exchange-2016_owa_redirect_irule7
        /Common/App-Exchange-2016.app/App-Exchange-2016_combined_pool_irule7
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}

 

When I want to create a new application security policy, https_virtual shows up in the dropdown menu of eligible virtual servers, but App-Exchange-2016_combined_https does not. Would anybody know the reason?

gsharri
Altostratus

Does the application service have Strict Updates enabled? This setting can be found on the application service Properties tab. It is usually enabled by default in the templates and prevents the objects created by the template from being modified directly. I'm wondering if it is preventing ASM from seeing the VS. Disable it and test.

 

Scott

 

gscholz
Nimbostratus

I disabled the option, and indeed I could see the virtual server now, thank you very much!

 

Is there a way to mark your comment as the right answer?

 

gsharri
Altostratus

Added comment as answer.
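
The comparison made in this thread can be scripted. The following is an added example, not part of the original posts and not F5 code: a Python sketch that reads configuration text in the format posted above and reports, for each virtual server, whether an HTTP profile is attached and whether the object belongs to an application service (the case where Strict Updates mattered here). The function name `audit_virtuals` is hypothetical and the sample input is constructed from the posted stanzas.

```python
import re

# Constructed sample, condensed from the two virtual servers posted in this thread.
SAMPLE = """\
ltm virtual /Common/https_virtual {
    profiles {
        /Common/App-Exchange-2016.app/App-Exchange-2016_http_profile { }
        /Common/clientssl {
            context clientside
        }
    }
}
ltm virtual /Common/App-Exchange-2016.app/App-Exchange-2016_combined_https {
    app-service /Common/App-Exchange-2016.app/App-Exchange-2016
    profiles {
        /Common/App-Exchange-2016.app/App-Exchange-2016_http_profile { }
        /Common/ntlm { }
    }
}
ltm profile http /Common/App-Exchange-2016.app/App-Exchange-2016_http_profile {
    app-service /Common/App-Exchange-2016.app/App-Exchange-2016
    defaults-from /Common/http
}
"""

# Hypothetical helper for illustration; tracks brace depth to read each stanza.
def audit_virtuals(config):
    """Return {virtual: {"http_profile": bool, "app_service": str or None}}."""
    http_profiles, virtuals = set(), {}
    depth, current, section = 0, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if depth == 0:  # start of a top-level stanza
            m = re.match(r"ltm (virtual|profile http) (\S+) \{", line)
            current = None
            if m and m.group(1) == "virtual":
                current = virtuals.setdefault(m.group(2), {"profiles": set(), "app_service": None})
            elif m:
                http_profiles.add(m.group(2))
        elif current is not None and depth == 1:  # direct property of a virtual
            key, _, value = line.partition(" ")
            section = key if value == "{" else None
            if key == "app-service":
                current["app_service"] = value
        elif current is not None and depth == 2 and section == "profiles" and line.startswith("/"):
            current["profiles"].add(line.split()[0])
        depth += line.count("{") - line.count("}")
    return {name: {"http_profile": bool(v["profiles"] & http_profiles),
                   "app_service": v["app_service"]} for name, v in virtuals.items()}
```

On the sample, both virtual servers carry the HTTP profile, and only App-Exchange-2016_combined_https reports an owning application service, which is the object whose Strict Updates setting was changed in this thread.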