Forum Discussion
F5 APM sharepoint selective enabling Access with NTLM SSO
Dear all,
Just wanted to share with you the work so far on enabling APM access for certain SharePoint URLs while keeping a separate part publicly accessible. The SSO method for SharePoint is NTLMv2 and is working fine when performing SSO to the backend. We had to overcome some technical difficulties, as IPv6 requests are generated internally, as well as requests with the referer my.policy. The only thing that is happening is that the client side is still receiving the NTLM popup; however, when pressing cancel, access to the SharePoint is still allowed. Comparing this behavior with browsing directly to the server, it won't allow access. When using the selective enabling iRule this popup still appears and I have no idea why. If someone could share their experience with this scenario, that would be very helpful.
We check against a datagroup with specific paths for enabling or disabling, enable for IPv6 (internally generated by APM) as well as for the referer header my.policy, and lastly check if the APM policy is allowed and enable for each request when access has already been allowed, to make sure that F5 APM generated requests are passed through.
when RULE_INIT {
    # Flag set to 1 once an access session has reached the "allow" state
    set static::ssocompleted 0
}

when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}

when HTTP_REQUEST {
    set path [string tolower [HTTP::path]]
    if { [IP::version] eq "6" } {
        # enabling IPv6 internal communication for SSO
        log local0. "IPv6 matched Access enable"
        ACCESS::enable
        return
    } elseif { ([HTTP::header exists "Referer"]) and
               ([URI::host [HTTP::header value Referer]] contains "my.policy") } {
        # requests referred from my.policy
        ACCESS::enable
    } elseif { $static::ssocompleted eq 1 } {
        # access was already allowed, keep APM enabled
        ACCESS::enable
    } elseif { [class match $path contains dg-bypass] } {
        # publicly accessible paths
        ACCESS::disable
    } elseif { [class match $path contains dg-enable] } {
        # paths protected by APM
        ACCESS::enable
    } else {
        ACCESS::disable
    }
}

when ACCESS_ACL_ALLOWED {
    if { [ACCESS::session data get "session.state"] eq "allow" } {
        set static::ssocompleted 1
    }
}
1 Reply
- Injeyan_Kostas
Nacreous
My suggestion is: do not use static variables if you're gonna change their value during traffic processing.
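
One way to act on the reply above, as an added example that is not code from the original poster or the replier: a `static::` variable is shared by every connection handled by a TMM, so once one client is allowed the flag turns APM on for everyone. This sketch replaces the flag with a per-request check of the client's own APM session. It assumes the standard APM session cookie `MRHSession` and reuses the data-group names `dg-bypass` and `dg-enable` from the post; it does not address the NTLM popup itself.

```tcl
# Added example: per-client session check instead of a shared static:: flag.
when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}

when HTTP_REQUEST {
    set path [string tolower [HTTP::path]]

    # APM session id presented by this client (empty string if no cookie).
    # Assumption: the access profile uses the default MRHSession cookie.
    set sid [HTTP::cookie value MRHSession]

    if { [IP::version] eq "6" } {
        # Internally generated APM traffic for SSO, as in the original rule
        ACCESS::enable
        return
    } elseif { [HTTP::header exists "Referer"] &&
               [URI::host [HTTP::header value "Referer"]] contains "my.policy" } {
        # Requests referred from my.policy, as in the original rule
        ACCESS::enable
    } elseif { $sid ne "" && [ACCESS::session exists -state_allow $sid] } {
        # Only this client's session is consulted: an allowed session for
        # one user no longer switches APM on for every other connection.
        ACCESS::enable
    } elseif { [class match $path contains dg-bypass] } {
        # Publicly accessible paths
        ACCESS::disable
    } elseif { [class match $path contains dg-enable] } {
        # Paths protected by APM
        ACCESS::enable
    } else {
        ACCESS::disable
    }
}
```

With the flag gone, the `RULE_INIT` and `ACCESS_ACL_ALLOWED` handlers from the original rule are no longer needed.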
