owa
22 TopicsHow to avoid "Access policy evaluation is already in progress"
Hello, I am using the iRule below to close Outlook Web App 2013 sessions. At the first sight it works correctly and shows the F5 logoff page (/vdesk/hangup.php3). However, OWA 2013 has a javascript that performs a hidden POST to the server on the onunload event to close the session on the server side. This happens right after the session is closed by the F5 logoff page. So it automatically creates a new APM session and when the user clicks on "Click here to login again" he/she sees the message below coming from APM: "Access policy evaluation is already in progress" How can I avoid this message? I tried to do ACCESS::session remove on in response to this last hidden POST but it didn't help. I also tried to introduce some delay before redirecting the user to the F5 logout page in order to let it perform the last POST but it did not work either. when HTTP_REQUEST { Set the uri variable set uri [string tolower [HTTP::uri]] Check if the user clicked the OWA signout link and redirect to the F5 logout page if { $uri contains "/logoff.owa" || $uri contains "/logoff.aspx" } { HTTP::redirect "/vdesk/hangup.php3" } }2.2KViews0likes14CommentsSetting up ASM policy to protect Outlook Web Access (OWA)
I have used the iApp to create a the setup for some Exchange 2016 backend servers. Users from outside are supposed to use Outlook Web App (OWA), and I thought it should be possible to protect the virtual server using ASM and only allowing access to specific URLs. However, if I want to create a new policy in Security -> Application Security -> Security Policies -> Create... I am not able to select the virtual server. The information text next to the input field states: "Select an Existing Virtual Server if you already configured one (An existing Virtual Server is displayed only if it has an HTTP Profile assigned to it and it is not using any Local Traffic Policy controlling ASM)..." The iApp created a virtual server and assigned an HTTP profile to it. I verified that the parent profile is "http". So which important bit might I be missing? I have seen there is a specific template for just OWA and ASM (https://devcentral.f5.com/articles/new-asm-outlook-web-access-owa-2016-template-for-bigip-v13-29413), but is it possible to combine the two somehow?1.2KViews0likes5CommentsOWA Exchange 2016 - Problems with Autodiscover from external access
Hey F5 Community! At the Exchange-Server of the customers, the Login-Syntax from the Outlook-Autodiscovery, like its usually pre-configured from Microsoft, does not work. The customers have an outlook.customer.com OWA Access, and also an autodiscover.customer.com URL. They login with "domain\SamAccountName" or "UserPrincipalName". The Login possibilities at the F5 should have the same Login-Syntax like OWA for AutoDiscover. On the testconnectivity.microsoft.com site belongs to the SamAccountName also the intern domain, which should not be missing. Because without it will not work. At the moment the the Autodiscovery works only with the SamAccountName, without entering the local "domain\" infront of the username. This leads to conflicts with other internal structures at the Outlook-Autodiscovery. I work in public services, this is the case: There are problems with Outlook-Autodiscovery for the "public utility" but with the "townhall" it works fine. Independent from the Windowsdomain, the Exchange-Server have to find the intern domain or? Exchange Server is placed in the Townhall. Public Utility used the old OWA 2013 via TMG from the Townhall. Now Autodiscover does not work for Public Utility but works fine in the Townhall. The Access Policy is pretty basic: Logon Page -> AD Query (with Cross Domain enabled) -> AD Auth (with Cross Domain enabled) -> SSOCredentialMapping (with custom mcget {session.logon.last.logonname}) -nothing else changed Published on F5 BigIP v13.1.1 with Exchange 2016 template.800Views0likes0CommentsOWA bruteforce protection with ASM
Hi, Have you ever tried to protect MS Outlook Web Access login page with ASM? I'm trying to set up brute force protection but don't have any luck. I made a login page with the following parameters: Login URL Explicit HTTPS /owa/auth.owa Authentication Type HTML Form Username Parameter Name username Password Parameter Name password Expected HTTP response status code 302 With this configuration I can see all requests including usernames in the Event Viewer. I expected that after enabling brute force protection for my login page I will have this page protected. But I don't. Could you please share with me your experience?713Views0likes5CommentsAccess Policy Already Being Evaluated - Exchange OWA Service
Hi, We recently setup APM for our OWA service to the internet. Pretty simple, checks AD group, and SSO to exchange. Works flawlessly except we are seeing abnormal behavior regarding time out and keeping sessions active. Many times due to inactive browsing, closing the tab, ect users will navigate to the main page again. They receive a "access policy already being evaluated message." Even closing the web browser at time doesn't seem to resolve the issue. What we found does resolve it: Desktops, launch private browsing windows iPhones, delete background processes or private windows. Neither of these solutions are ideal. How do I force these "limbo" sessions to expire and allow users to re-authenticate properly.674Views0likes9CommentsOWA Timeout, Redirect to Logon Page, not BIG-IP Logout page, iRule?
Hello Community, I am looking for an iRule or a way to redirect to the Logon Page when a user session timesout, (specifically for OWA) instead of sending them to the BIG-IP logged off page. I know little about writing iRule (working on getting taking the class), I can read and understand the basics but of course that is like any foreign language :-) I have searched around and have not really found anything, any pointers would be greatly appreciated! Thanks in advance! Thanks! DamonSolved628Views0likes4Commentshaving trouble accessing OWA2010 with Basic authentication
Hi, I cannot get SSO working with Basic authentication on BIG-IP 11.5.1 (LTM+APM). Official iApp supports only HTML Form. I have a Virtual Server with associated Access Profile. Access policy is quite simple - I've got a Logon Page, AD Auth and Credential Mapping. I've created an SSO HTTP Basic configuration and attached it to Access Profile. After logging in to Logon Page it offers me to enter my credentials again (HTTP Basic Auth window appears). I've tested similar configuration (but with simple Apache web server, not one of MS webapps) in my LAB and everything worked fine. When I access OWA through the APM I get the following headers in response: HTTP/1.1 401 Unauthorized Content-Type: text/html WWW-Authenticate: Negotiate WWW-Authenticate: NTLM WWW-Authenticate: Basic realm="" X-Powered-By: ASP.NET X-UA-Compatible: IE=EmulateIE7 Date: Mon, 30 Jun 2014 18:36:23 GMT Connection: keep-alive Vary: Accept-Encoding Transfer-Encoding: chunked Proxy-Support: Session-Based-Authentication Dear community, could you please share some working recipes for similar configuration with me? PS Same issue with SharePoint webapp...515Views0likes6CommentsBlocking Exchange 2010 ECP while allowing OWA
Using Big IP 12.1.1, I have OWA+Activesync enabled through the exchange iApp and I'd like to block /ECP. Currently when I login to owa I can simply type "/ecp" instead of /owa in the URL and it comes up, but I'd like to block that. I tried creating an ACL but not sure how to tie it in so that it works. Also tried removing the resource item "https://hostname:443/*" (the other sub resources with /owa/ are already listed) in Portal Access Links. Anything else I can try on the F5? Perhaps an irule?499Views0likes1Commentoutlook web access (OWA) 2010 cookie problem
When I try to connect to outlook web access (OWA) 2010 I get after a few seconds this message: Cookies are currently disabled by your browser. Outlook Web App requires that cookies be enabled The browser is configured to accept the cookies. The Firepass version 7.0.0 A capture with Wireshark shows, that the Firepass is altering the Cookies from Cookie: OutlookSession=56c059975f054c98a9b9fdc30bec6ebd to Cookie: FPSandboxLogon=true; OutlookSession=56c059975f054c98a9b9fdc30bec6ebd Is there a way the tell the Firepass not alter cookies for example for exchange.mydomain.com? Best regards Thomas474Views0likes3CommentsOWA 2nd Authentication? Exchange Problem?
Hi DevCentral, I deployed iApp Exchange 2010/2013 Template a several times and it was working fine for every customer. On my last customer there's something strange happening. I tried everything to fix it. When I want to authenticate with the test user it gives me after hitting login button a second http-auth prompt where I need to log in with the same data a second time. So after typing 2nd time credentials he forwards me to OWA. On which site is something wrong configured? I tried everything on F5 site. I cannot access customers Exchange so I dont know what I have to tell the customer to change.. Log: Disabled the SSO for this session: no supported WWW-Authenticate header is found454Views0likes3Comments