Forum Discussion
Exchange 2010 Deployment Guide and ActiveSync
But not without issues... Sorry, this thread is going to end up like War & Peace...
First, a warning. DO NOT enable the AUTH caching. It's evil. It will break your service (did for me anyway), badly.
Basically, as soon as the iRule detects ANY form of issue, it'll cache that in a table for the APM session and return a 401 to the client, which tells the client to try again. So it does. At which point the iRule sees that the table has cached the bad auth result and just returns a 401 again, resetting the table timer... Because that client is pretty much guaranteed to keep trying, it will fail forever. Trying to then disable the caching won't help, BTW. There's no test before checking the table that caching is enabled, so disabling just stops NEW clients from experiencing the issue. Current sessions will continue to break. Seemingly forever (that's an exaggeration, but for users even 5 minutes is forever, and my iPhone was broken for over an hour because I typed my passwd wrong once while trying to test it). Because the PASSWORD is not checked, it doesn't matter if you got it wrong and now want to fix it. You'll still get the cached 401s... Oops.
Second issue. The iRule seems to have an issue with throttling of EWS, particularly for the Mac OS 10.8 mail client.
I haven't traced this one out completely yet, but it would appear that on initial connection, Mac Mail works fine. It tries to connect, EWS has to be basic auth, so it gets a 401. It replies with the auth, that passes through, Exchange creates a session, all is happy. For a bit. Then throttling kicks in. After working for a bit (200 OKs coming back fine & dandy), Exchange sends back a 401 Unauthorized. So it looks like the client then starts trying to re-authenticate. But because EWS sends back headers indicating it'll do NTLM, Negotiate, AND Basic, the Mac client keeps trying NTLM (evidenced by enabling debug for the APM logs). But the iRule on 10.2.1 doesn't do NTLM. It only does Basic. So it sends back a 401...
The APM debug logs at this stage show the same client going round in circles. Requests with NTLM a few times... 401s returned. Requests with no auth header... 401 returned... Sleeps for a bit. Repeat. Ad infinitum. A 'long' period of not doing anything (sleep the laptop & go home), OR a restart of the Mac Mail client seems to kick it into life again...
I'm hoping that if the Exchange guys can get the throttling turned off, we'll get that fixed. But in the meantime, it would appear that the Mac Mail client doesn't work seamlessly with BigIP 10.2.1... (i.e. anything prior to 11.3.0, where you can use NTLM).
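
The auth-caching lockout described in the post above, modelled as an added example (not code from the post or from the F5 iRule). `AuthCache`, its key scheme, the TTL and `simulate` are constructed for illustration; the hardened mode is one assumed way to avoid the three behaviours the post names: a cache key without the password, a timer reset on every hit, and a table lookup that ignores the caching switch.

```python
import hashlib, hmac, os

class AuthCache:
    """Toy per-client negative-auth cache (constructed model, not the F5 iRule)."""
    def __init__(self, backend, ttl=300, hardened=False):
        self.backend = backend          # callable(user, password) -> bool
        self.ttl, self.hardened = ttl, hardened
        self.enabled = True             # the "caching on/off" switch
        self.table = {}                 # key -> expiry (seconds)
        self.secret = os.urandom(32)    # keys the credential digest

    def _key(self, user, password):
        if not self.hardened:
            return user                 # flawed: password not part of the key
        mac = hmac.new(self.secret, password.encode(), hashlib.sha256)
        return f"{user}:{mac.hexdigest()}"

    def request(self, user, password, now):
        key = self._key(user, password)
        # flawed mode consults the table even after caching is switched off
        if self.enabled or not self.hardened:
            expiry = self.table.get(key)
            if expiry is not None and expiry > now:
                if not self.hardened:
                    self.table[key] = now + self.ttl   # flawed: hit resets timer
                return 401
            self.table.pop(key, None)
        if self.backend(user, password):
            return 200
        if self.enabled:
            self.table[key] = now + self.ttl           # cache the failure
        return 401

def backend(user, password):
    return (user, password) == ("alice", "correct")   # constructed credentials

def simulate(cache, retry_every=30, attempts=40):
    """One mistyped password at t=0, then retries with the right one."""
    statuses = [cache.request("alice", "wrong", 0)]
    for i in range(1, attempts + 1):
        statuses.append(cache.request("alice", "correct", i * retry_every))
    return statuses

if __name__ == "__main__":
    print("flawed:  ", set(simulate(AuthCache(backend))[1:]))
    print("hardened:", set(simulate(AuthCache(backend, hardened=True))[1:]))
```

In the flawed mode the client only recovers if it stays silent for longer than the TTL, because every retry inside the window pushes the expiry forward.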