Karthik_Krishn1
Oct 30, 2015

Restrict access to unpublished directories in Exchange

Hello,

I have a requirement to allow access to certain directories within the Exchange IIS server. For example, users are only required to get to /owa, /oab or /ews etc., and access to all other directories should be dropped.

When a user connects to webmail, they come in through the URL "https://webmail.company.com" and then the "/owa" gets appended. I wrote some rules to achieve this, but realized that the rules I wrote will only work if a user actually types in the URL "https://webmail.company.com/owa" or similar. However, most of our users come in via "https://webmail.company.com" and the rule does not work; in fact, when I apply the rule, the appending of owa stops working as well and the user is presented with the default IIS page.

I would appreciate some help in getting this rule right. I have pasted the rule I created below:

    when HTTP_REQUEST {
        # Redirect selected exact URIs; every other request passes through unchanged
        if {[HTTP::uri] equals "/oab"} {
            HTTP::redirect "https://[HTTP::host]/oab"
        }
        if {[HTTP::uri] equals "/ews"} {
            HTTP::redirect "https://[HTTP::host]/ews"
        }
        if {[HTTP::uri] equals "/rpc"} {
            HTTP::redirect "https://[HTTP::host]/rpc"
        }
        if {[HTTP::uri] equals "/cvwebrecall"} {
            HTTP::redirect "https://[HTTP::host]/cvwebrecall"
        }
        if {[HTTP::uri] equals "/autodiscover"} {
            HTTP::redirect "https://[HTTP::host]/autodiscover/autodiscover.xml"
        }
        if {[HTTP::uri] equals "/"} {
            HTTP::redirect "https://[HTTP::host]/owa"
        }
    }

Thanks,

Karthik

4 Replies

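  • I assume you have a separate HTTP and HTTPS VS. Just have your HTTP VIP do a 301 redirect to https://[HTTP::host][HTTP::uri], then you can use an iRule like this on your HTTPS VS to restrict access to your defined allowed paths. All paths that are not in the switch command will be blocked.

    when HTTP_REQUEST {
        # Match on the lower-cased path; anything not listed ends up in "default"
        switch -glob [string tolower [HTTP::path]] {
            "/" {
                # Bare host name: send the client to OWA
                HTTP::respond 301 noserver Location "https://[HTTP::host]/owa"
            }
            "/autodiscover" {
                # The redirect target is let through by the "/autodiscover/*" arm below
                HTTP::respond 301 noserver Location "https://[HTTP::host]/autodiscover/autodiscover.xml"
            }
            "/autodiscover/*" -
            "/oab*" -
            "/ews*" -
            "/rpc*" -
            "/cvwebrecall*" -
            "/owa*" {
                # Published paths: pass the request on to the pool
                return
            }
            default {
                # Everything else is dropped
                reject
            }
        }
    }
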
    • Karthik_Krishn1
      Hi Brad, thanks for the rule. I tried it, but when I do apply it, the page will not even display.
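
The path allowlist from the reply above, modelled in plain Tcl so the patterns can be checked with tclsh before an iRule goes onto the virtual server; this is an added example, not code from the thread. It goes one step beyond the reply by comparing prefix globs with a directory-boundary match. The proc names, the `/autodiscover/*` arm (assumed necessary because the redirect points there) and the sample paths are assumptions.

```tcl
# Added example (plain Tcl, run with tclsh). HTTP::path is modelled as a proc
# argument; no F5 commands are used. Proc names are hypothetical.

# Prefix globs: "/owa*" matches /owa and /owa/..., but also /owabackup.
proc decide_glob {path} {
    switch -glob -- [string tolower $path] {
        "/"             { return "301 /owa" }
        "/autodiscover" { return "301 /autodiscover/autodiscover.xml" }
        "/autodiscover/*" -
        "/oab*" -
        "/ews*" -
        "/rpc*" -
        "/cvwebrecall*" -
        "/owa*"         { return "allow" }
        default         { return "reject" }
    }
}

# Directory-boundary match: the directory itself or anything below it.
proc decide_strict {path} {
    switch -glob -- [string tolower $path] {
        "/"             { return "301 /owa" }
        "/autodiscover" { return "301 /autodiscover/autodiscover.xml" }
        "/autodiscover/*" -
        "/oab" - "/oab/*" -
        "/ews" - "/ews/*" -
        "/rpc" - "/rpc/*" -
        "/cvwebrecall" - "/cvwebrecall/*" -
        "/owa" - "/owa/*" { return "allow" }
        default         { return "reject" }
    }
}

# Constructed sample paths, not taken from the thread.
set samples {
    / /owa /OWA/auth/logon.aspx /autodiscover /autodiscover/autodiscover.xml
    /ews/exchange.asmx /owabackup/web.config /rpcdiag /iisstart.htm
}
puts [format "%-32s %-36s %s" path prefix-glob strict]
foreach p $samples {
    puts [format "%-32s %-36s %s" $p [decide_glob $p] [decide_strict $p]]
}
```

For `/owabackup/web.config` and `/rpcdiag` the prefix-glob column reads `allow` and the strict column reads `reject`; every other sample gets the same decision from both procs.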