Forum Discussion

Rabbit23_116296's avatar
Rabbit23_116296
Icon for Nimbostratus rankNimbostratus
Apr 01, 2015

iRule to disable APM not working as expected

when HTTP_REQUEST {

   set header [HTTP::header "User-Agent"]
    log local0. "Before Match --- Header is: $header"
    if {[string tolower [HTTP::header "User-Agent"]] contains "mac os x"  && [string tolower [HTTP::uri]] equals "/ews/exchange.asmx"} {
            ACCESS::disable 
            log local0. "one time"
            log local0. "URI: [HTTP::uri]"

            pool /Common/exchange.app/exchange_oa_pool6

    }   
}
  • kunjan's avatar
    kunjan
    Icon for Nimbostratus rankNimbostratus

    I think it's triggered for the Exchange Web Service(EWS) by the exchange profile attached the access policy. You might see this in the APM logs. If you are using a 11.4 version you might be able to modify the iRule _Sys attached.

     

    • Rabbit23_116296's avatar
      Rabbit23_116296
      Icon for Nimbostratus rankNimbostratus
      I think you are right here. I am using 11.6.0 with the latest iApp (think 1.4.0) , does this mean I have options?
  • I think it's triggered for the Exchange Web Service(EWS) by the exchange profile attached the access policy. You might see this in the APM logs. If you are using a 11.4 version you might be able to modify the iRule _Sys attached.

     

    • Rabbit23_116296's avatar
      Rabbit23_116296
      Icon for Nimbostratus rankNimbostratus
      I think you are right here. I am using 11.6.0 with the latest iApp (think 1.4.0) , does this mean I have options?
  • kunjan's avatar
    kunjan
    Icon for Nimbostratus rankNimbostratus

    You can try HTTP:disable in the iRule with priority 0 for the iRule. But not sure about the implications.

     

    The other 'dirty' trick is to change the uri in HTTP_REQUEST to temp value and change it back in HTTP_REQUEST_SEND

     

  • I have entirely given up with support with f5 as there is ZERO apm support.

     

    I believe looking at tcpdumps my issue is ntlm related as our mac clients are domain joined. they send a combination of ntlm+basic headers and we are still experiencing major issues.