owa
24 Topics

How to avoid "Access policy evaluation is already in progress"
Hello, I am using the iRule below to close Outlook Web App 2013 sessions. At first sight it works correctly and shows the F5 logoff page (/vdesk/hangup.php3). However, OWA 2013 has a JavaScript that performs a hidden POST to the server on the onunload event to close the session on the server side. This happens right after the session is closed by the F5 logoff page. So it automatically creates a new APM session, and when the user clicks on "Click here to login again" he/she sees the message below coming from APM:

"Access policy evaluation is already in progress"

How can I avoid this message? I tried to do ACCESS::session remove in response to this last hidden POST but it didn't help. I also tried to introduce some delay before redirecting the user to the F5 logout page in order to let it perform the last POST but it did not work either.

    when HTTP_REQUEST {
        # Set the uri variable
        set uri [string tolower [HTTP::uri]]
        # Check if the user clicked the OWA signout link and redirect to the F5 logout page
        if { $uri contains "/logoff.owa" || $uri contains "/logoff.aspx" } {
            HTTP::redirect "/vdesk/hangup.php3"
        }
    }

2.1K Views 0 likes 14 Comments

Setting up ASM policy to protect Outlook Web Access (OWA)
I have used the iApp to create the setup for some Exchange 2016 backend servers. Users from outside are supposed to use Outlook Web App (OWA), and I thought it should be possible to protect the virtual server using ASM and only allowing access to specific URLs. However, if I want to create a new policy in Security -> Application Security -> Security Policies -> Create... I am not able to select the virtual server. The information text next to the input field states:

"Select an Existing Virtual Server if you already configured one (An existing Virtual Server is displayed only if it has an HTTP Profile assigned to it and it is not using any Local Traffic Policy controlling ASM)..."

The iApp created a virtual server and assigned an HTTP profile to it. I verified that the parent profile is "http". So which important bit might I be missing? I have seen there is a specific template for just OWA and ASM (https://devcentral.f5.com/articles/new-asm-outlook-web-access-owa-2016-template-for-bigip-v13-29413), but is it possible to combine the two somehow?

1.2K Views 0 likes 5 Comments

OWA Exchange 2016 - Problems with Autodiscover from external access
Hey F5 Community! At the Exchange-Server of the customers, the Login-Syntax from the Outlook-Autodiscovery, like it's usually pre-configured from Microsoft, does not work. The customers have an outlook.customer.com OWA Access, and also an autodiscover.customer.com URL. They login with "domain\SamAccountName" or "UserPrincipalName". The Login possibilities at the F5 should have the same Login-Syntax like OWA for AutoDiscover. On the testconnectivity.microsoft.com site belongs to the SamAccountName also the internal domain, which should not be missing. Because without it will not work. At the moment the Autodiscovery works only with the SamAccountName, without entering the local "domain\" in front of the username. This leads to conflicts with other internal structures at the Outlook-Autodiscovery.

I work in public services, this is the case: There are problems with Outlook-Autodiscovery for the "public utility" but with the "townhall" it works fine. Independent from the Windows domain, the Exchange-Server has to find the internal domain, or? Exchange Server is placed in the Townhall. Public Utility used the old OWA 2013 via TMG from the Townhall. Now Autodiscover does not work for Public Utility but works fine in the Townhall.

The Access Policy is pretty basic: Logon Page -> AD Query (with Cross Domain enabled) -> AD Auth (with Cross Domain enabled) -> SSOCredentialMapping (with custom mcget {session.logon.last.logonname}) - nothing else changed

Published on F5 BigIP v13.1.1 with Exchange 2016 template.

800 Views 0 likes 0 Comments

OWA bruteforce protection with ASM
Hi, Have you ever tried to protect MS Outlook Web Access login page with ASM? I'm trying to set up brute force protection but don't have any luck. I made a login page with the following parameters:

Login URL: Explicit HTTPS /owa/auth.owa
Authentication Type: HTML Form
Username Parameter Name: username
Password Parameter Name: password
Expected HTTP response status code: 302

With this configuration I can see all requests including usernames in the Event Viewer. I expected that after enabling brute force protection for my login page I will have this page protected. But I don't. Could you please share with me your experience?

713 Views 0 likes 5 Comments

Outlook Web Access : Client Cache with APM
Problem this snippet solves: The iApp / Deployment guide suggests disabling App Cache for OWA when using F5 APM. This iRule provides a solution to prevent the "Access policy evaluation is already in progress" page and keep App Cache enabled.

How to use this snippet: enable this iRule on the Exchange virtual server.

Code :

    when ACCESS_SESSION_STARTED {
        set landinguri [ACCESS::session data get session.server.landinguri]
        switch -glob $landinguri {
            "/owa/plt1.ashx?*" -
            "/owa/sessiondata.ashx?appcacheclient=1" -
            "/owa/userspecificresourceinjector.ashx?*&appcacheclient=1*" -
            "/owa/manifests/appCacheManifestHandler.ashx?owamanifest=1" {
                ACCESS::respond 403 -version "1.1" noserver "Connection" "Close"
                ACCESS::session remove
                return
            }
        }
    }

700 Views 0 likes 4 Comments

Access Policy Already Being Evaluated - Exchange OWA Service
Hi, We recently set up APM for our OWA service to the internet. Pretty simple, checks AD group, and SSO to Exchange. Works flawlessly except we are seeing abnormal behavior regarding timeout and keeping sessions active. Many times due to inactive browsing, closing the tab, etc. users will navigate to the main page again. They receive an "access policy already being evaluated" message. Even closing the web browser at times doesn't seem to resolve the issue. What we found does resolve it:

Desktops, launch private browsing windows
iPhones, delete background processes or private windows.

Neither of these solutions are ideal. How do I force these "limbo" sessions to expire and allow users to re-authenticate properly?

674 Views 0 likes 9 Comments

OWA Timeout, Redirect to Logon Page, not BIG-IP Logout page, iRule?
Hello Community, I am looking for an iRule or a way to redirect to the Logon Page when a user session times out (specifically for OWA), instead of sending them to the BIG-IP logged off page. I know little about writing iRules (working on taking the class), I can read and understand the basics but of course that is like any foreign language :-) I have searched around and have not really found anything, any pointers would be greatly appreciated! Thanks in advance! Thanks! Damon

Solved
628 Views 0 likes 4 Comments

having trouble accessing OWA2010 with Basic authentication
Hi, I cannot get SSO working with Basic authentication on BIG-IP 11.5.1 (LTM+APM). Official iApp supports only HTML Form. I have a Virtual Server with associated Access Profile. Access policy is quite simple - I've got a Logon Page, AD Auth and Credential Mapping. I've created an SSO HTTP Basic configuration and attached it to Access Profile. After logging in to Logon Page it offers me to enter my credentials again (HTTP Basic Auth window appears). I've tested similar configuration (but with simple Apache web server, not one of MS webapps) in my LAB and everything worked fine. When I access OWA through the APM I get the following headers in response:

    HTTP/1.1 401 Unauthorized
    Content-Type: text/html
    WWW-Authenticate: Negotiate
    WWW-Authenticate: NTLM
    WWW-Authenticate: Basic realm=""
    X-Powered-By: ASP.NET
    X-UA-Compatible: IE=EmulateIE7
    Date: Mon, 30 Jun 2014 18:36:23 GMT
    Connection: keep-alive
    Vary: Accept-Encoding
    Transfer-Encoding: chunked
    Proxy-Support: Session-Based-Authentication

Dear community, could you please share some working recipes for similar configuration with me? PS Same issue with SharePoint webapp...

515 Views 0 likes 6 Comments

Blocking Exchange 2010 ECP while allowing OWA
Using Big IP 12.1.1, I have OWA+Activesync enabled through the exchange iApp and I'd like to block /ECP. Currently when I login to owa I can simply type "/ecp" instead of /owa in the URL and it comes up, but I'd like to block that. I tried creating an ACL but not sure how to tie it in so that it works. Also tried removing the resource item "https://hostname:443/*" (the other sub resources with /owa/ are already listed) in Portal Access Links. Anything else I can try on the F5? Perhaps an iRule?

499 Views 0 likes 1 Comment

outlook web access (OWA) 2010 cookie problem
When I try to connect to outlook web access (OWA) 2010 I get after a few seconds this message:

Cookies are currently disabled by your browser. Outlook Web App requires that cookies be enabled

The browser is configured to accept the cookies. The Firepass version is 7.0.0. A capture with Wireshark shows that the Firepass is altering the cookies from

    Cookie: OutlookSession=56c059975f054c98a9b9fdc30bec6ebd

to

    Cookie: FPSandboxLogon=true; OutlookSession=56c059975f054c98a9b9fdc30bec6ebd

Is there a way to tell the Firepass not to alter cookies, for example for exchange.mydomain.com? Best regards Thomas

474 Views 0 likes 3 Comments