iRule to restrict ActiveSync traffic to particular IPs but allow all other Exchange traffic
Hi All,
I am currently working on an MDM project, in which we are moving to AirWatch to proxy all ActiveSync traffic.
In order to force all users to use AirWatch for all ActiveSync, we need to be able to drop all ActiveSync traffic on our Exchange CAS pool.
As we are currently on Exchange 2013, virtually all traffic goes via https_443, hence we need to be able to drop only ActiveSync traffic that is not coming from our two AirWatch servers but allow all other traffic (i.e. OWA, RPC, AutoDiscovery, etc.).
Below is a sample of code I have created to hopefully achieve this. Would this work, and are there any recommendations?
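    when HTTP_REQUEST {
        # Log the client address and requested URI for troubleshooting
        log local0. "Client IP: [IP::client_addr]"
        log local0. "URI: [HTTP::uri]"
        # The URI is lower-cased before comparison, so the literal must be lower case;
        # "contains" is a substring test and takes no wildcard.
        # Tcl needs the opening brace on the same line as "if" and "else".
        if { ([string tolower [HTTP::uri]] contains "/microsoft-server-activesync") and not ([class match [IP::client_addr] equals Airwatch_SEG_Servers]) } {
            # ActiveSync request from a client outside the data group
            log local0. "dropped connection"
            reject
        } else {
            pool EXCHANGE_2013_https_int_pool
        }
    }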
I have a data group called Airwatch_SEG_Servers containing the IPs of my two AirWatch servers, which will proxy the ActiveSync traffic.
Thanks in advance,
Monty
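
Added example, not part of the original post: an offline Python model of the rule's decision, run over constructed requests, showing why the literal compared against a lower-cased URI must itself be lower case and carry no `*`. The IP addresses and sample URIs are assumptions made up for the test, and iRule `contains` is modelled as a plain substring check.

```python
import ipaddress

# Constructed addresses standing in for the Airwatch_SEG_Servers data group (assumption).
AIRWATCH_SEG_SERVERS = {
    ipaddress.ip_address("10.0.0.11"),
    ipaddress.ip_address("10.0.0.12"),
}

MIXED_CASE = "/Microsoft-Server-ActiveSync*"  # can never occur in a lower-cased URI
LOWER_CASE = "/microsoft-server-activesync"

def decide(uri, client_ip, literal):
    """Return 'reject' or 'pool' for one request.

    The URI is lower-cased, then tested for `literal` as a substring
    (no globbing), and the client is checked against the allowed set.
    """
    is_activesync = literal in uri.lower()
    from_seg = ipaddress.ip_address(client_ip) in AIRWATCH_SEG_SERVERS
    return "reject" if is_activesync and not from_seg else "pool"

# Constructed requests: (uri, client_ip, intended outcome)
REQUESTS = [
    ("/Microsoft-Server-ActiveSync?Cmd=Sync&DeviceId=TEST", "10.0.0.11", "pool"),
    ("/Microsoft-Server-ActiveSync?Cmd=Sync&DeviceId=TEST", "192.0.2.50", "reject"),
    ("/microsoft-server-activesync/default.eas", "192.0.2.50", "reject"),
    ("/owa/", "192.0.2.50", "pool"),
    ("/autodiscover/autodiscover.xml", "192.0.2.50", "pool"),
    ("/rpc/rpcproxy.dll", "10.0.0.11", "pool"),
]

def failures(literal):
    """Requests whose modelled outcome differs from the intended one."""
    return [(u, ip) for u, ip, want in REQUESTS if decide(u, ip, literal) != want]

if __name__ == "__main__":
    for name, lit in (("mixed-case literal", MIXED_CASE), ("lower-case literal", LOWER_CASE)):
        bad = failures(lit)
        print(f"{name}: {len(bad)} request(s) handled contrary to intent")
        for uri, ip in bad:
            print(f"  sent to pool instead of rejected: {ip} {uri}")
```

With the mixed-case literal the rule fails open: nothing is ever rejected, so the two ActiveSync requests from outside the data group reach the pool.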