
Bypassing The BIG-IP ASM For RPC & ActiveSync Connections

Recently I ran into an issue with Microsoft ActiveSync: I created a transparent ASM policy and applied it to the Microsoft OWA VIP, but after applying the policy the Outlook client stopped working. It just showed “trying to connect”.

I then opened a case with F5 support and learned that both RPC and ActiveSync connections are, unfortunately, not currently supported by the ASM.

When I checked the event logs for this policy, it showed the violations below:

[Screenshots: ASM event log violations for this policy]

F5 also covers this in K40345000, but I didn’t use the same iRule. I created my own iRule based on the URLs that were being blocked, with the help of my brother and friend Rohit Singla.

F5 recommended iRule:

    when HTTP_REQUEST {
        # Bypass ASM only for Outlook Anywhere (RPC over HTTP) requests
        if { ([HTTP::path] eq "/rpc/rpcproxy.dll") and \
             (([HTTP::method] equals "RPC_IN_DATA") or ([HTTP::method] equals "RPC_OUT_DATA")) } {
            ASM::disable
            log local0. "ASM disabled."
        } else {
            # Every other request goes back under the ASM policy
            ASM::enable /Common/MyASMpolicy
            log local0. "ASM enabled. Current ASM policy is [ASM::policy]"
        }
    }

iRule used by me:

    when HTTP_REQUEST {
        # Outlook Anywhere (RPC over HTTP)
        if { ([HTTP::uri] contains "/rpc/rpcproxy.dll") } {
            ASM::disable
        }
        # OWA service endpoint
        if { ([HTTP::uri] contains "/owa/service.svc") } {
            ASM::disable
        }
        # Exchange Web Services
        if { ([HTTP::uri] contains "/ews/exchange.asmx") } {
            ASM::disable
        }
        # ActiveSync
        if { ([HTTP::uri] contains "/Microsoft-Server-ActiveSync") } {
            ASM::disable
        }
    }

or

    when HTTP_REQUEST {
        if { ([HTTP::path] eq "/rpc/rpcproxy.dll") and \
             (([HTTP::method] equals "RPC_IN_DATA") or ([HTTP::method] equals "RPC_OUT_DATA")) } {
            ASM::disable
            log local0. "ASM disabled."
        } else {
            #ASM::enable /Common/MoJ_Exchange_ASM
            log local0. "ASM enabled. Current ASM policy is [ASM::policy]"
        }
    }
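
A narrower form of the bypass, as an added example (not from the original post or from F5): `[HTTP::uri]` includes the query string and `contains` matches anywhere in it, so this version compares the lower-cased `[HTTP::path]` against the same four URLs, keeps F5's method check for rpcproxy.dll, and re-enables the policy for all other requests as F5's rule does. Assumptions: `/Common/MyASMpolicy` is the placeholder policy name from F5's rule, and the `/microsoft-server-activesync/*` pattern and the log text are illustrative.

```tcl
when HTTP_REQUEST {
    # HTTP::path excludes the query string; lower-case it once because
    # Exchange/IIS paths are case-insensitive.
    set path [string tolower [HTTP::path]]
    set bypass 0

    switch -glob -- $path {
        "/rpc/rpcproxy.dll" {
            # Outlook Anywhere: bypass only the RPC-over-HTTP methods,
            # as in F5's rule. Other methods on this path stay inspected.
            if { ([HTTP::method] equals "RPC_IN_DATA") or ([HTTP::method] equals "RPC_OUT_DATA") } {
                set bypass 1
            }
        }
        "/microsoft-server-activesync" -
        "/microsoft-server-activesync/*" -
        "/owa/service.svc" -
        "/ews/exchange.asmx" {
            # The other three URLs from the rule above, matched on the path only
            set bypass 1
        }
    }

    if { $bypass } {
        ASM::disable
        # Log each bypass so uninspected traffic can be reviewed later
        log local0. "ASM disabled: [HTTP::method] $path from [IP::client_addr]"
    } else {
        # Placeholder policy name taken from F5's rule; use your own policy
        ASM::enable /Common/MyASMpolicy
    }
}
```

The bypass log lines give a record of which clients and endpoints are reaching Exchange without ASM inspection.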
Apart from the iRule, I also added the Microsoft ActiveSync URL to the Allowed URLs list.

a) Go to: Security > Application Security > URLs > Allowed URLs > /Microsoft-Server-ActiveSync

b) In the Allowed URL Properties, click the drop-down and select “Advanced”

c) Under [Header-Based Content Profiles], add an entry with the following details:

Request Header Name = Content-Type
Request Header Value = application/vnd.ms-sync.wbxml
Request Body Handling = Do nothing

d) Click “Update” and apply the changes to the policy

Finally, after applying this iRule on the respective VIP, it started working.
I hope this tutorial helps you resolve your ASM issue with Microsoft ActiveSync, and again many thanks to Rohit for his great support. If you have any questions, feel free to comment.
I recommend reading the F5 Networks Application Delivery Fundamentals Study Guide to understand F5 technology in depth.
