Edge Gateway-OWA 2010 sp2 session timeout and double login page

Question

So I wrote this long post of two issues we are having with the exchange/apm implementation,  however it was denied.  So heres the coles notes version:&nbsp;&nbsp;&nbsp;
&nbsp;1)  double login prompt
&nbsp;                sso matches on /owa/&amp;reason=0
&nbsp;                This page redirects to another login page using javascript
&nbsp;                sso has already happened at this point so I just change the uri to '/owa/'&nbsp;&nbsp;
&nbsp;when HTTP_REQUEST {
&nbsp;              if {([HTTP::uri] == "/") } {
&nbsp;                       HTTP::uri /owa
&nbsp;              }
&nbsp;             set req_uri [HTTP::uri]
&nbsp;             if { $req_uri starts_with "/owa/auth/logon.aspx?replaceCurrent=1" } {
&nbsp;            HTTP::uri /owa
&nbsp;}
&nbsp;unset req_uri
&nbsp;}&nbsp;&nbsp;
&nbsp;2)  The second issue is that the users session never times out.  The reason is highlighted here http://support.microsoft.com/kb/2478286.  When user times out server returns a response code of 440 Login Timeout.  I watch for this response code and remove the session and redirect back to owa.&nbsp;
&nbsp;when HTTP_RESPONSE {
&nbsp;      if { [HTTP::status] == 440  } {
&nbsp;           
&nbsp;            set apm_cookie [HTTP::cookie value MRHSession]
&nbsp;            if { $apm_cookie != "" &amp;&amp;  [ACCESS::session exists $apm_cookie] } {
&nbsp;                ACCESS::session remove
&nbsp;            HTTP::redirect "http://mymail.humber.ca/"
&nbsp;            }
&nbsp;     }
&nbsp;}&nbsp;&nbsp;&nbsp;
&nbsp;The second rule hasn't been tested thoroughly, but the implementation period here will be long,  so I will have a long time to test.&nbsp;
&nbsp;Now lets hope I can submit this timeSo I wrote this long post of two issues we are having with the exchange/apm implementation,  however it was denied.  So heres the coles notes version:&nbsp;&nbsp;&nbsp;
&nbsp;1)  double login prompt
&nbsp;                sso matches on /owa/&amp;reason=0
&nbsp;                This page redirects to another login page using javascript
&nbsp;                sso has already happened at this point so I just change the uri to '/owa/'&nbsp;&nbsp;
&nbsp;when HTTP_REQUEST {
&nbsp;              if {([HTTP::uri] == "/") } {
&nbsp;                       HTTP::uri /owa
&nbsp;              }
&nbsp;             set req_uri [HTTP::uri]
&nbsp;             if { $req_uri starts_with "/owa/auth/logon.aspx?replaceCurrent=1" } {
&nbsp;            HTTP::uri /owa
&nbsp;}
&nbsp;unset req_uri
&nbsp;}&nbsp;&nbsp;
&nbsp;2)  The second issue is that the users session never times out.  The reason is highlighted here http://support.microsoft.com/kb/2478286.  When user times out server returns a response code of 440 Login Timeout.  I watch for this response code and remove the session and redirect back to owa.&nbsp;
&nbsp;when HTTP_RESPONSE {
&nbsp;      if { [HTTP::status] == 440  } {
&nbsp;           
&nbsp;            set apm_cookie [HTTP::cookie value MRHSession]
&nbsp;            if { $apm_cookie != "" &amp;&amp;  [ACCESS::session exists $apm_cookie] } {
&nbsp;                ACCESS::session remove
&nbsp;            HTTP::redirect "http://mymail.humber.ca/"
&nbsp;            }
&nbsp;     }
&nbsp;}&nbsp;&nbsp;&nbsp;
&nbsp;The second rule hasn't been tested thoroughly, but the implementation period here will be long,  so I will have a long time to test.&nbsp;
&nbsp;Third attempt at posting.  This time I copied and pasted.&nbsp;

terrence · Answer

Point2 
&nbsp;        This rule crashes websso &nbsp;
&nbsp; Attempt2 
&nbsp; when HTTP_RESPONSE { 
&nbsp;   if { [HTTP::status] == 440  } { 
&nbsp;             log -noname local0.info "440 Login Timeout Response Received" 
&nbsp;             HTTP::redirect "https://owa.example.com/vdesk/hangup.php3" 
&nbsp;           } &nbsp;
&nbsp; }

terrence · Answer

Point2 
&nbsp; Thus far the rules have proven wrong.  The last one definately removes the session, however the web client never realizes it has timed out, as the requests were from json or xmlrpc of some sort. 
&nbsp;  
&nbsp; I stole this one from https://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1086502/APM-Session-Invalidation-Using-ASM.aspx 
&nbsp;  
&nbsp; Removing the asm piece and adding the HTTP_RESPONSE piece 
&nbsp; when ACCESS_ACL_ALLOWED {  
&nbsp;      set mrhsession [HTTP::cookie value "LastMRH_Session"] 
&nbsp;      if { [table lookup $mrhsession] == "EXCHANGE_LOGOUT" } { 
&nbsp;          set user_logon [ACCESS::session data get "session.logon.last.username"]  
&nbsp;          set sessionid [ACCESS::session data get "session.user.sessionid"]  
&nbsp;           
&nbsp;          log local0.warn "ASM VIOLATION - Session: $sessionid, User: $user_logon"  
&nbsp;          ACCESS::session remove  
&nbsp;          table delete $mrhsession  
&nbsp;      }  
&nbsp;  }  
&nbsp;    
&nbsp;  when HTTP_RESPONSE { 
&nbsp;      if { [HTTP::status] == 440 } { 
&nbsp;      set mrhsession [HTTP::cookie value "LastMRH_Session"] 
&nbsp;  
&nbsp;      if { $mrhsession != ""} { 
&nbsp;          table set $mrhsession "EXCHANGE_LOGOUT" 
&nbsp;          log local0.warn "OWA Exchange Initiated Timeout - MRHSession: $mrhsession" 
&nbsp;      } 
&nbsp;  } 
&nbsp; } &nbsp;

terrence · Answer

And the final irule: &nbsp;&nbsp;
&nbsp; My Final version of the irule, which I hope doesnt put to much strain on the edge gateway looks as follows: &nbsp;
&nbsp; when ACCESS_ACL_ALLOWED {  
&nbsp;                  set mrhsession [HTTP::cookie value "LastMRH_Session"] 
&nbsp;                  if { [table lookup $mrhsession] == "EXCHANGE_LOGOUT" } { 
&nbsp;                             set user_logon [ACCESS::session data get "session.logon.last.username"]  
&nbsp;                             set sessionid [ACCESS::session data get "session.user.sessionid"]  &nbsp;
&nbsp;                             log local0.warn "OWA Exchange Initiated timeout - Session: $sessionid, User: $user_logon"  
&nbsp;                             ACCESS::session remove  
&nbsp;                             table delete $mrhsession  
&nbsp;                   }  
&nbsp;  }  &nbsp;
&nbsp; when HTTP_REQUEST { 
&nbsp;                   set mrhsession [HTTP::cookie value "LastMRH_Session"]     
&nbsp; } &nbsp;
&nbsp; when HTTP_RESPONSE { 
&nbsp;                if { [HTTP::status] == 440 } { 
&nbsp;                            log local0.warn "OWA Exchange Initiated Timeout" 
&nbsp;                            if { $mrhsession != ""} { 
&nbsp;                                        table set $mrhsession "EXCHANGE_LOGOUT" 
&nbsp;                                        log local0.warn "OWA Exchange Initiated Timeout - MRHSession: $mrhsession" 
&nbsp;                   } &nbsp;
&nbsp;          } 
&nbsp;               unset mrhsession 
&nbsp; } &nbsp;

kunal · Answer

Hi All,&nbsp;I have similar issue. The issue is for IPv6 users, we see that users are getting timed out.&nbsp;Is there a way to see the value of the table "EXCHANGE_LOGOUT"?&nbsp;ThanksKunal

Forum Discussion

Edge Gateway-OWA 2010 sp2 session timeout and double login page

4 Replies

Recent Discussions

F5Access | MacOS Sonoma

Rewrite uri translation not working

Chrome V 124+ on MacOS - Virtual Server Access Issue

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

source address persistence maximum session timeout

idle timeout for admin session on BigIP

APM session inactivity timeoute VS. TCP idle timout

big3d timeouts

api token timeout change