F5 UAG SharePoint 2010 (NO DIRECT ACCESS)

OK.... Now I get it. You are using UAG purely as a reverse proxy for SharePoint. It also sounds like you are decrypting and rencrypting at each BIG-IP hop.

 

 

With SharePoint 2010, persisting a user to a specific front end does provide *some* benefit, and may be a requirement if you are running a custom app on SP.

 

 

I recommend using a cookie based persistence method over source IP if you can. If you use Source IP based persistence you'll start to see clumping if a large number of users are coming in from the same source IP (say a branch office...). Cookie persistence is based off a hash (no lookup table needs to be maintained on the BIG-IP!) which takes very little resources for the BIG-IP to calculate, and it survives a BIG-IP failover without having to mirror over any persistence tables.

 

 

Since you are decrypting/re-encrypting at both BIG-IPs, you could use cookie persistence at both (be sure to use different persistence profiles that name the cookie something different for each tier of BIG-IP).