Forum Discussion

Nimbostratus

Sep 30, 2013

2nd Factor of Authentication for documents within Sharepoint

Hi All We are currently evaluating an F5 licensed for LTM and APM. We are wanting to publish our Internal Sharepoint intranet via this platform, which we have managed to do using the various gu...

application delivery

BIG-IP Access Policy Manager (APM)

Employee

Oct 01, 2013

The short answer is that this is not an easy thing to do. The APM access policy only evaluates once at the beginning of the session, so to cause any sort of re-validation, you essentially have to dump the existing session and start a new one. The new ACCESS::policy evaluate command would technically allow you to do some post-policy processing, but only does so in clientless-mode, so no opportunity to display a logon page.

There are, potentially, two other options:

Use LTM and iRules to generate an RSA token logon page (not an APM logon page), then submit that data via ACCESS::policy evaluate. I haven't tested this idea, but it should work.
There is a technique that allows you to store relevant information from the current session into a short-lived session table entry, delete the old session, start a new one, and then dump the old data into the new access session. Not the most intuitive thing in the world, but certainly an option.