Block external users except Active Sync using WAP claim

  • Question

  • Can anyone help create a custom claim rule which blocks all connections coming through WAP except for Active Sync? I've looked everywhere and I can only see this accomplished by creating an allow IP list using regular expressions. The issue I have with that is my client has subnets all over the place -- Class C, and B, and they have over 100 active subnets.



    George Talbert

    Thursday, October 27, 2016 8:33 PM

Answers

  • I have no lab to test it, but something following that logic would do the trick:

    exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "/adfs/services/trust/2005/usernamemixed"])
    && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value =~ "Microsoft.Exchange.ActiveSync"])
    => add(Type = "http://custom/EAS", Value = "true");
    
    c1:[Type == "http://custom/EAS", Value == "true"]
    && c2:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
    => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "Ok4EAS");
    
    not exists([Type == "http://custom/EAS", Value == "true"])
    && exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"])
    => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "Ok4InternalUsers");

    Check if it is EAS; if so, create a custom claim EAS = True, then allow access.

    Then, if it is EAS and coming from the WAP, we allow access. If it is not EAS and coming from internal, then we allow access.

    And there is no catch-all condition at the end, so everything else is access denied.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.


    Thursday, October 27, 2016 10:02 PM

All replies

  • I have tested and it works!!! Thanks for your help on this.



    George Talbert

    Friday, October 28, 2016 7:51 PM
  • Pierre, is it at all possible to add Skype to the allow list? Essentially this claim will allow only EAS and Skype applications for external login.

    George Talbert

    Wednesday, November 23, 2016 6:22 PM
  • Well, yes and no. Adding Skype behaves differently depending on the platform. It also requires you to create rules partially based on the user-agent string, and anybody can spoof the user-agent string. You might have to look at the Conditional Options in Office 365 if you are using Skype for Business as part of your Office 365 subscription. Now, you can still try this:

    exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "/adfs/services/trust/2005/usernamemixed"])
    && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value =~ "Microsoft.Exchange.ActiveSync"])
    => add(Type = "http://custom/EAS", Value = "true");
    
    exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "lync|Lync|MSOIDCRL"])
    && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "/adfs/services/trust/2005/usernamemixed|/adfs/services/trust/2005/windowstransport"])
    => add(Type = "http://custom/SkypePC", Value = "true");
    
    exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "Lync Mobile"])
    && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "/adfs/services/trust/2005/usernamemixed"])
    => add(Type = "http://custom/SkypeiOS", Value = "true");
    
    c1:[Type == "http://custom/EAS", Value == "true"]
    && c2:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
    => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "Ok4EAS");
    
    c1:[Type == "http://custom/SkypePC", Value == "true"]
    && c2:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
    => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "Ok4SkypePC");
    
    c1:[Type == "http://custom/SkypeiOS", Value == "true"]
    && c2:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
    => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "Ok4SkypeiOS");
    
    not exists([Type == "http://custom/EAS", Value == "true"])
    && not exists([Type == "http://custom/SkypePC", Value == "true"])
    && not exists([Type == "http://custom/SkypeiOS", Value == "true"])
    && exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"])
    => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "Ok4InternalUsers");

    But since it is user-agent-string based, there is a risk of someone leveraging this to gain access with a specially crafted client. Your call!



    Wednesday, November 23, 2016 11:51 PM
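Added illustration, not part of this thread and not code from the answerer: a small Python model of the issuance authorization rules from the two answers above (the EAS-only set and the EAS + Skype set), run over constructed request claim sets so the permit/deny outcome of each case can be read off without an AD FS lab. It assumes the usual AD FS semantics that `add` rules only extend the working claim set for later rules, `issue` rules emit the permit claim, and a request that ends with no permit claim is denied (the "no catch-all" behaviour the answer relies on). The claim type URIs are the real ones used in the rules; the sample requests and user-agent strings are constructed.

```python
import re

# Claim types used by the rules in this thread (AD FS request-context claim URIs)
CLIENT_APP = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application"
USER_AGENT = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent"
ENDPOINT = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path"
INSIDE = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
USERNAMEMIXED = "/adfs/services/trust/2005/usernamemixed"
WINDOWSTRANSPORT = "/adfs/services/trust/2005/windowstransport"

# Custom claim types the thread's 'add' rules create, paired with the permit value issued for them
CUSTOM = [
    ("http://custom/EAS", "Ok4EAS"),
    ("http://custom/SkypePC", "Ok4SkypePC"),
    ("http://custom/SkypeiOS", "Ok4SkypeiOS"),
]


def exists(claims, ctype, regex=None, equals=None):
    """Model of exists([Type == ctype, Value =~ regex]) or Value == equals."""
    for t, v in claims:
        if t != ctype:
            continue
        if equals is not None and v == equals:
            return True
        if regex is not None and re.search(regex, v):
            return True
    return False


def authorize(request):
    """Run the thread's rules, in order, over one request's claims.

    Returns the list of permit values issued; an empty list means AD FS
    denies the request because no rule issued a permit claim.
    """
    claims = list(request)

    # 'add' rules: tag the client type from the request-context claims
    if exists(claims, ENDPOINT, regex=USERNAMEMIXED) and \
       exists(claims, CLIENT_APP, regex="Microsoft.Exchange.ActiveSync"):
        claims.append(("http://custom/EAS", "true"))
    if exists(claims, USER_AGENT, regex="lync|Lync|MSOIDCRL") and \
       exists(claims, ENDPOINT, regex=f"{USERNAMEMIXED}|{WINDOWSTRANSPORT}"):
        claims.append(("http://custom/SkypePC", "true"))
    if exists(claims, USER_AGENT, regex="Lync Mobile") and \
       exists(claims, ENDPOINT, regex=USERNAMEMIXED):
        claims.append(("http://custom/SkypeiOS", "true"))

    outside = exists(claims, INSIDE, equals="false")  # request came through WAP
    inside = exists(claims, INSIDE, equals="true")
    tagged = [c for c, _ in CUSTOM if exists(claims, c, equals="true")]

    permits = []
    # 'issue' rules: each tagged client type is permitted only from outside
    for ctype, permit in CUSTOM:
        if ctype in tagged and outside:
            permits.append(permit)
    # the last rule: untagged clients are permitted only from inside
    if not tagged and inside:
        permits.append("Ok4InternalUsers")
    return permits


def decision(request):
    """Access outcome AD FS would reach: permit if any permit claim was issued."""
    return "permit" if authorize(request) else "deny"


# Constructed sample requests (not captured from a real AD FS deployment)
SAMPLES = {
    "eas_via_wap": [(ENDPOINT, USERNAMEMIXED), (CLIENT_APP, "Microsoft.Exchange.ActiveSync"), (INSIDE, "false")],
    "browser_via_wap": [(ENDPOINT, "/adfs/ls/"), (INSIDE, "false")],
    "browser_internal": [(ENDPOINT, "/adfs/ls/"), (INSIDE, "true")],
    # ActiveSync arriving with insidecorporatenetwork = true matches neither permit rule
    "eas_internal": [(ENDPOINT, USERNAMEMIXED), (CLIENT_APP, "Microsoft.Exchange.ActiveSync"), (INSIDE, "true")],
    "skype_pc_via_wap": [(ENDPOINT, WINDOWSTRANSPORT), (USER_AGENT, "OCS/16.0 MSOIDCRL"), (INSIDE, "false")],
    # the user-agent rules key on the string alone, which is the risk the answer points out
    "ua_only_via_wap": [(ENDPOINT, USERNAMEMIXED), (USER_AGENT, "Lync Mobile"), (INSIDE, "false")],
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:18} -> {decision(req):6} {authorize(req)}")
```

Two things the table makes visible that the prose does not: an ActiveSync request that carries insidecorporatenetwork = true gets no permit from either rule set as written (the internal rule requires the EAS tag to be absent), and a "Lync Mobile" user agent on the usernamemixed endpoint satisfies both Skype rules at once, so it receives two permit claims. Neither changes the outcome the answer describes, but both are worth knowing before the rules go on a production relying party trust.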