Portal Access Application URI - ERR_EMPTY_RESPONSE

Question

Scenario: Remote users need to access an externally hosted website that is whitelisted to my company's internal IP.

Setup: Public facing webtop with resource assignment for a Portal Access Application URI

Issue: Remote users can get to the external website through the webtop, which opens in a new browser tab, but when they click on the Login button, SSO redirection occurs and the page renders an ERR_EMPTY_RESPONSE message.

Troubleshooting: Using dev tools I was able to determine the backend server was returning a x-frame-options: DENY error translating to "Do not allow this page to be loaded inside a frame".

Not sure where to go from here.

tofunmi · Answer

What you’re running into isn’t an F5 misconfig; it’s a browser security policy. Portal Access works by rendering the target app inside a frame. The error you saw in DevTools – X-Frame-Options: DENY – instructs the browser not to render the page in a frame. That header is being honoured, so the browser drops the response, and you end up with ERR_EMPTY_RESPONSE.
Unfortunately, Portal Access cannot override this. Even if you try to strip the header in a Portal Access profile, most modern apps also set Content-Security-Policy: frame-ancestors, which will block framing.

Contact the app owners to update the headers (X-Frame-Options: SAMEORIGIN or allow specific frame-ancestors in CSP to include your F5/Portal domain).
If you don’t control the site, Portal Access isn’t viable — use Network Access (VPN) or App Tunnel so the app can be reached directly without being framed.

kevina · Answer

Thanks Tofunmi.

injeyan_kostas · Answer

You could override X-Frame-Options or even Content-Security-Policy with an irule like thiswhen HTTP_REQUEST 
{
    switch [HTTP::host]
    {
        "portal.example.com"
        {
            switch -glob [HTTP::path]
            {
                "/f5-w-&lt;YOUR_APP_HEX&gt;$$/*"
                {
                    set iframe_allow
                }
            }
        }
        default
        {
            drop
        }
    }
}

when HTTP_RESPONSE_RELEASE
{
    if {[info exists iframe_allow])}
    {
		if {([HTTP::header exists "X-Frame-Options"])}
		{
			HTTP::header remove "X-Frame-Options"
		}
		if {([HTTP::header exists "Content-Security-Policy"])}
		{
			set csp [HTTP::header "Content-Security-Policy"]
			append csp " frame-src https://your_target_url;"
			HTTP::header replace "Content-Security-Policy" $csp
		}
}&nbsp;

melissa_c · Answer

Hello KevinA​,&nbsp;
Thanks for posting to our community. I would like to encourage you to update your post and if your questions have been answered please mark your post as solved. This will help you and others in the future who may encounter this same experience.&nbsp;
-Melissa&nbsp;

Forum Discussion

Portal Access Application URI - ERR_EMPTY_RESPONSE

4 Replies

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

F5 Software Downgrade from version 17.x.x to 15.x.x

Error diskmonitor

CPU utilization of F5OS on r2600

sslprovide (--f5 ssl) does not generate CLIENT/SERVER_TRAFFIC_SECRET on server-side TLS traffic

Hardware replacement i2800 to r2600

Related Content

Introducing the F5 Application Study Tool (AST)

System Prerequisites for Deploying the Application Study Tool

Application Study Tool: Make Grafana Listen on HTTPS

Zero Trust Application Access for Federal Agencies

Modern Applications-Demystifying Ingress solutions flavors

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS