Rosieodonell_16
Jan 04, 2016

Trying to mimic the webmail private and public computer settings using an iRule

Found this article online:

https://devcentral.f5.com/articles/add-outlook-web-access-login-options-to-the-apm-logon-page

However, it seems to only work with Basic forms and I am using an NTLM format. Basically I can set up the radio buttons for the users to select whether they are at a public or private PC. From there I need to change the timeout settings from 8 hours (private) to 15 minutes (public).

Is there a way to do this with an iRule or with APM, by changing the APM session timeout based on the selection?

4 Replies

  • Lucas_Thompson_
    Historic F5 Account

    If you're not using forms in OWA, you have to access those options by inserting some special headers. This is the same thing that Forefront/TMG/whatever does when it does Forms Auth --> HTTP Auth. Like you're doing with APM.

    Two headers "X-Experience" and "X-LogonType" control it:

    X-Experience can be "premium" or "light". X-LogonType can be "public" or "private".

    To append the headers, you'd set a custom (whatever you want) session variable during Access Policy execution, then you can use something like this on the APM vs:

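    when ACCESS_ACL_ALLOWED {
      # Runs for each request of an established APM session that passed the ACLs.
      # Both names below are placeholders for the variable and value set in the access policy.
      if { [ACCESS::session data get "session.somecustomvariableyoucansetintheaccesspolicy"] contains "somevalueyousetforlightmode" } {
        HTTP::header replace "X-Experience" "light"
      } else {
        # Tcl requires "else" on the same line as the closing brace of the "if" body.
        HTTP::header replace "X-Experience" "premium"
      }
    }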
    
    • Kai_Wilke
      MVP

      Hi Lucas,

      the outlined code to mimic the "X-Experience" functionality of Forefront TMGs is not complete/correct. The valid "X-Experience" header values are "Premium" or "Basic". In addition, a Forefront TMG changes the User-Agent header value to a non-MSIE browser if Light-Mode is selected.

      The Public/Private-Mode setting of Forefront TMGs has, besides the "X-LogonType" headers, some additional server-side (aka TMG) and also client-side (aka browser) functionality. Basically it enables two independent TMG-Login-Cookie profiles to control the Max-Session-Lifetime/Max-Session-Timeout and also enables persistent cookies for the private mode (e.g. required for SharePoint Browser/Office SSO scenarios). In addition, the Private-Mode stores the last-entered username string in a client-side generated cookie to autofill the username for subsequent logons.

      Cheers, Kai
  • Hi Rosieodonell,

    your provided link outlines the required APM-Forms customizations to include Public/Private-Mode radio buttons and a Light-Mode checkbox, and then continues to outline a Forms-based SSO-Object to relay the collected Public/Private/Light-Mode selections to an OWA-Forms-Login site.

    So if you're aiming for Kerberos/NTLM/Basic credential delegation (as performed by Forefront TMG), you don't need to relay the collected Public/Private/Light-Mode selections to your OWA. Just insert the X-Experience and X-LogonType headers in transit (as shown by Lucas) and change the User-Agent as needed. In addition you may want to implement a mechanism in VPE to validate the collected Public/Private-Mode selection and then overwrite the predefined session variables "Inactivity Timeout" and "Maximum Session Timeout" using an additional "Variable Assign" action. To selectively enable/disable cookie persistence for Private/Public Mode you may want to use a HTTP_RESPONSE_RELEASE iRule to add cookie expires values to the MRHSession and LastMRH_Session cookies.

    Cheers, Kai
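
The header insertion discussed in this thread, written as an added example that is not code from any of the participants: it validates the stored selection against the values named above ("public"/"private" from Lucas's reply, "Premium"/"Basic" from Kai's) and falls back to public mode when the value is missing or unexpected. The two session variable names are hypothetical and must match whatever the access policy stores from the logon page.

```tcl
# Added example, not from the thread. The two session variable names are
# hypothetical; set them in the access policy from the logon-page selection.
when ACCESS_ACL_ALLOWED {
    # Read the user's selection as stored by the access policy. A variable
    # that was never set comes back as an empty string.
    set logon_type [string tolower [ACCESS::session data get "session.custom.owa.logontype"]]
    set experience [string tolower [ACCESS::session data get "session.custom.owa.experience"]]

    # Allow-list the logon type: anything other than an explicit "private"
    # is treated as "public", the more restrictive mode.
    if { $logon_type ne "private" } {
        set logon_type "public"
    }

    # X-Experience values as given in Kai's reply; default to Premium, as
    # the else branch of Lucas's rule does.
    if { $experience eq "basic" } {
        set experience "Basic"
    } else {
        set experience "Premium"
    }

    # HTTP::header replace only rewrites the last occurrence of a header,
    # so drop every client-supplied copy first and then insert the value
    # derived from the session.
    HTTP::header remove "X-LogonType"
    HTTP::header remove "X-Experience"
    HTTP::header insert "X-LogonType" $logon_type
    HTTP::header insert "X-Experience" $experience
}
```

Removing the headers before inserting them keeps a client from choosing its own logon type by sending the header itself.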