For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

KevinA's avatar
KevinA
Icon for Nimbostratus rankNimbostratus
Sep 17, 2025

Portal Access Application URI - ERR_EMPTY_RESPONSE

Scenario: Remote users need to access an externally hosted website that is whitelisted to my company's internal IP.

Setup: Public facing webtop with resource assignment for a Portal Access Application URI

Issue: Remote users can get to the external website through the webtop, which opens in a new browser tab, but when they click on the Login button, SSO redirection occurs and the page renders an ERR_EMPTY_RESPONSE message.

Troubleshooting: Using dev tools I was able to determine the backend server was returning a x-frame-options: DENY error translating to "Do not allow this page to be loaded inside a frame". 

Not sure where to go from here.

application delivery

4 Replies

  • Tofunmi's avatar
    Tofunmi
    Icon for MVP rankMVP
    Sep 18, 2025

    What you’re running into isn’t an F5 misconfig; it’s a browser security policy. Portal Access works by rendering the target app inside a frame. The error you saw in DevTools – X-Frame-Options: DENY – instructs the browser not to render the page in a frame. That header is being honoured, so the browser drops the response, and you end up with ERR_EMPTY_RESPONSE.

    Unfortunately, Portal Access cannot override this. Even if you try to strip the header in a Portal Access profile, most modern apps also set Content-Security-Policy: frame-ancestors, which will block framing.

    • Contact the app owners to update the headers (X-Frame-Options: SAMEORIGIN or allow specific frame-ancestors in CSP to include your F5/Portal domain).
    • If you don’t control the site, Portal Access isn’t viable — use Network Access (VPN) or App Tunnel so the app can be reached directly without being framed.
  • Injeyan_Kostas's avatar
    Injeyan_Kostas
    Icon for Nacreous rankNacreous
    Sep 19, 2025

    You could override X-Frame-Options or even Content-Security-Policy with an irule like this

    when HTTP_REQUEST 
{
    switch [HTTP::host]
    {
        "portal.example.com"
        {
            switch -glob [HTTP::path]
            {
                "/f5-w-<YOUR_APP_HEX>$$/*"
                {
                    set iframe_allow
                }
            }
        }
        default
        {
            drop
        }
    }
}

when HTTP_RESPONSE_RELEASE
{
    if {[info exists iframe_allow])}
    {
		if {([HTTP::header exists "X-Frame-Options"])}
		{
			HTTP::header remove "X-Frame-Options"
		}
		if {([HTTP::header exists "Content-Security-Policy"])}
		{
			set csp [HTTP::header "Content-Security-Policy"]
			append csp " frame-src https://your_target_url;"
			HTTP::header replace "Content-Security-Policy" $csp
		}
}

     

  • Melissa_C's avatar
    Melissa_C
    Icon for Moderator rankModerator
    Sep 24, 2025

    Hello KevinA​

    Thanks for posting to our community. I would like to encourage you to update your post and if your questions have been answered please mark your post as solved. This will help you and others in the future who may encounter this same experience. 

    -Melissa