For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

eric_haupt1's avatar
eric_haupt1
Icon for Nimbostratus rankNimbostratus
Nov 01, 2018

APM - dynamically enabling access policy when 401 back from server is detected

I'm working a new fronting of an F5 APM instance in front of Sharepoint 2013. We are looking to expand our ability to offer Sharepoint across a large corporate network that has multiple domains. Ther...
application delivery
BIG-IP Access Policy Manager (APM)
eric_haupt1's avatar
eric_haupt1
Icon for Nimbostratus rankNimbostratus
Nov 07, 2018

We are testing this and it is working well for us so far. Thanks.

when HTTP_REQUEST {
    set var_uri [HTTP::uri]
    set var_apm_cookie [HTTP::cookie value MRHSession]

    if { ( [ACCESS::session exists -state_allow $var_apm_cookie] ) \
             or ( [HTTP::uri] starts_with "/my.policy" ) } {
        set var_apm_required 1
        return

    } elseif { ( [HTTP::uri] starts_with "/start_policy" ) } {
        ACCESS::session remove
        ACCESS::session create -timeout 1800 -lifetime 0
        ACCESS::session data set session.server.landinguri [findstr [HTTP::uri] "/start_policy?url=" 18]
        set var_apm_required 1
        return

    } else {
        ACCESS::disable
        set var_apm_required 0
        return
    }
}

when ACCESS_SESSION_STARTED {
    ACCESS::session data set session.server.landinguri [findstr [HTTP::uri] "/start_policy?url" 18]
}

when HTTP_RESPONSE { 
    if {  ([HTTP::status] eq "401") and ($var_apm_required eq 0) } {
         HTTP::respond 302 Location "/start_policy?url=$var_uri"
    }
}
eric_haupt1's avatar
eric_haupt1
Icon for Nimbostratus rankNimbostratus
Nov 20, 2018

We rolled this out in production without issue thus far. Thanks Stanislas.