Forum Discussion

adambaack_13393
May 30, 2016
Solved

Exchange 2013 iApp - Block Activesync except from one IP

Have only used the iApp templates with their defaults in the past but now I'm needing to allow only one IP to ActiveSync to it. We are using MobileIron for mobile devices and I want to only allow MobileIron to talk to the F5 for ActiveSync traffic. I believe they will be pointing their MobileIron server to the F5 VIP.

Any easy way to do this? I've seen one post with code for an iRule to 'block' all activesync traffic but not allow only one IP.

This is what I was referring to:

when HTTP_REQUEST {
    switch -glob -- [string tolower [HTTP::path]] {
        "/microsoft-server-activesync*" {
            drop
        }
    }
}

16 Replies

  • Hi,

    You have an option in the VS to specify allowed source addr. You can also define an iRule:

    when HTTP_REQUEST {
        # Drop every request whose client address is not the allowed one
        if { !([IP::client_addr] eq "x.x.x.x") } {
            drop
        }
    }
    
    • adambaack_13393
      Would that not restrict all applications (OWA, OA, AS)? I just want ActiveSync restricted to the MobileIron IP Address. All other applications (OWA, OA) need to be unrestricted to the outside.
  • Hi,

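    You are right; find a corrected iRule below:

    when HTTP_REQUEST {
        # Drop only when the path is exactly the ActiveSync path (case-insensitive)
        # and the client address is not the allowed one
        if { [string tolower [HTTP::path]] eq "/microsoft-server-activesync" and !([IP::client_addr] eq "x.x.x.x") } {
            drop
        }
    }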
    
    • adambaack_13393
      Not to sound like a complete idiot, but I don't have a ton of familiarity with iRules. To implement this, I would have to uncheck 'strict updates' in the Application Services? I see where I can create the iRule but how would I apply it to the Exchange iApp?
    • Yann_Desmarest
      Hi, you are right. You need to uncheck strict update on the iApp, then apply the iRule in the resource section of your VS configuration.
    • adambaack_13393
      Would this also work? I noticed in the iApp if I choose advanced there is an area where it says 'Do you want to add any iRules to this combined virtual server?' and it lists all the iRules. Can I just select the newly created iRule and not have to uncheck 'strict updates?'
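
Added example, not part of the original thread or of the iApp: a variant of the rule above that matches the ActiveSync path by prefix (as the glob in the question's rule does) instead of by exact string, takes the allowed sources from an address data group, and logs what it drops. The data group name `activesync_allowed_clients` is hypothetical and has to be created beforehand.

```tcl
# Added example. Assumption: an address-type data group named
# activesync_allowed_clients (hypothetical name) holds the MobileIron
# source address(es), e.g. one host entry or a subnet.
when HTTP_REQUEST {
    # HTTP::path excludes the query string, so ?Cmd=... does not affect the match.
    set path [string tolower [HTTP::path]]

    # Prefix match: also covers "/Microsoft-Server-ActiveSync/" and anything
    # beneath it, which an exact "eq" comparison would let through.
    if { $path starts_with "/microsoft-server-activesync" } {
        # class match on an address data group compares by host or subnet,
        # so the allowed list can change without editing the iRule.
        if { not [class match [IP::client_addr] equals activesync_allowed_clients] } {
            log local0.notice "ActiveSync denied: client=[IP::client_addr] vs=[virtual name] path=[HTTP::path]"
            drop
            return
        }
    }
    # Every other path (OWA, Outlook Anywhere, ...) is left untouched.
}
```

`IP::client_addr` is the address of the TCP peer as the BIG-IP sees it, so if MobileIron reaches the VIP through NAT or another proxy, the data group has to hold that translated address.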