Forum Discussion

SteveVernau_132
Mar 02, 2016

APM irule

Hi, I needed an iRule to allow traffic through an APM-enabled virtual server without running it against the access policy if the URL is /ews.

 

I thought this would work:

 

1st non-working irule

    when HTTP_REQUEST {
        if { [string tolower [HTTP::path]] starts_with "/ews" } {
            ACCESS::disable
        }
    }

 

But this does not work, and EWS requests still seem to hit the APM policy and F5 requests preauth (which is part of the access policy).

 

I found an iRule to allow Skype traffic through, which led me to create this iRule instead:

 

2nd working irule

    when HTTP_REQUEST {
        set is_disabled 0

        if { [string tolower [HTTP::path]] starts_with "/ews" } {
            set is_disabled 1
            set path [HTTP::path]
            ACCESS::disable
            HTTP::path _disable-$path
            pool /Common/outlook.mydomain.com.au.app/outlook.mydomain.com.au_edge_pool14
        }
    }
    when HTTP_REQUEST_RELEASE {
        if { !$is_disabled } { return }
        HTTP::path $path
        unset is_disabled
    }

 

This second iRule works as I intended and allows /ews traffic through as if there were no APM policy attached to the VS. But I don't understand why the first iRule doesn't work as intended but the second one does. Why do you need these extra commands and the event for request release? Can anyone explain why?

 

4 Replies

  • Josiah_39459
    Historic F5 Account

    One difference is the presence of the pool command. If your original vip assigned the pool in the access policy, then disabling access would mean the pool wouldn't get assigned so then the traffic wouldn't go on to the backend pool.

     

    The other difference is this is unsetting the flag after each request. This makes a difference if you want some requests to go through access and others not ON THE SAME CONNECTION. For example, your iRule would work with an attached pool and as long as the /ews requests always came on a new connection. But if an /ews request came and then another request came on the same connection that you wanted to be handled by access, it wouldn't be (and vice versa).

     

  • Use ACCESS::restrict_irule_events disable in the CLIENT_ACCEPTED event to interfere before the access policy. Like this:

    
    when CLIENT_ACCEPTED {
        ACCESS::restrict_irule_events disable
    }
    

  • Georgi

    We worked with F5 Support and support provided us with the following solution to disable APM policy for Exchange Web Services (EWS).

    priority 1
    when HTTP_REQUEST {
        set is_disabled 0
        if { [string tolower [HTTP::path]] starts_with "/ews" } {
            if { [string tolower [HTTP::uri]] contains "wssecurity" } {
                NTLM::disable
                set is_disabled 1
                set path [HTTP::path]
                WEBSSO::disable
                ACCESS::disable
                HTTP::path _disable-$path
                pool Exchange_External_oa_pool7 
            }
            if { [string tolower [HTTP::uri]] contains "mrsproxy.svc"} {
                set is_disabled 1
                set path [HTTP::path]
                NTLM::disable
                WEBSSO::disable
                ACCESS::disable
                HTTP::path _disable-$path
                pool Exchange_External_oa_pool7 
                COMPRESS::disable
                CACHE::disable
            }
        }
        if { [string tolower [HTTP::path]] starts_with "/autodiscover" } {
            if { [string tolower [HTTP::uri]] contains "wssecurity" } {
                NTLM::disable
                set is_disabled 1
                set path [HTTP::path]
                WEBSSO::disable
                ACCESS::disable
                HTTP::path _disable-$path
                pool Exchange_External_ad_pool7 
            }
            if { [string tolower [HTTP::uri]] contains "autodiscover.svc"} {
                set is_disabled 1
                set path [HTTP::path]
                NTLM::disable
                WEBSSO::disable
                ACCESS::disable
                HTTP::path _disable-$path
                pool Exchange_External_ad_pool7 
                COMPRESS::disable
                CACHE::disable
            }
        }
    }
    when HTTP_REQUEST_RELEASE {
        if { !$is_disabled } { return }
        HTTP::path $path
        unset is_disabled
    }
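
A tightened variant of the bypass rule discussed in this thread, as an added example that is not from any of the posters or from F5 Support. It keeps the thread's mechanism (`ACCESS::disable`, the temporary `_disable-` path rewrite, restore in `HTTP_REQUEST_RELEASE`) but matches `/ews` only on a path-segment boundary, leaves unusual paths behind the access policy, and logs every bypass. The pool name and the variable names are placeholders chosen for this example.

```tcl
# Added example; /Common/example_ews_pool is a placeholder pool name.
when HTTP_REQUEST {
    # Reset per request: several requests can share one connection.
    set apm_bypassed 0
    set lpath [string tolower [HTTP::path]]

    # Match /ews only on a segment boundary, so "/ewsfoo" is not bypassed.
    if { !($lpath eq "/ews" || $lpath starts_with "/ews/") } {
        return
    }

    # Fail closed: paths with dot segments or percent-encoding stay behind
    # the access policy, since the backend may resolve them outside /ews.
    if { ($lpath contains "..") || ($lpath contains "%") } {
        log local0.warning "APM bypass refused: [IP::client_addr] path=[HTTP::path]"
        return
    }

    set apm_bypassed 1
    set orig_path [HTTP::path]
    ACCESS::disable
    # Same temporary path rewrite as the thread's working rule.
    HTTP::path _disable-$orig_path
    # If the pool is normally assigned by the access policy (see the first
    # reply), it has to be selected here because the policy no longer runs.
    pool /Common/example_ews_pool
    # Record each bypass so traffic that skips the access policy is auditable.
    log local0.info "APM bypass: [IP::client_addr] path=$orig_path"
}

when HTTP_REQUEST_RELEASE {
    # Restore the original path only for requests this rule rewrote.
    if { [info exists apm_bypassed] && $apm_bypassed } {
        HTTP::path $orig_path
    }
}
```

Requests that fail either check are not rejected; they simply continue through the access policy as any other request would.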