Forum Discussion

alex100_194614's avatar
alex100_194614
Icon for Nimbostratus rankNimbostratus
Mar 03, 2016

Problem with stream iRule and SAML idp redirect

Running into following issue here. We have a sharepoint site with web servers listening on some high port and using internal hostname. On the SharePoint virtual server I am applying fallowing iRule t...
application delivery
BIG-IP Access Policy Manager (APM)
irule
saml
SSO
  • Andrew_4752's avatar
    Andrew_4752
    Mar 03, 2016

    Hi Alex,

    For for the VIP targeting VIP solution to get around APM-Stream Profile conflicts, below is a basic view of what the config would look like:

    ltm virtual vs_external {
destination 1.1.1.1:443
ip-protocol tcp
mask 255.255.255.255
profiles {
    clientssl_profile {
        context clientside
    }
    stream_profile { }
    http { }
    tcp { }
}
rules {
    forward_internal_virtual
    saml_stream_expression
  }
}
ltm virtual vs_internal {
destination 2.2.2.2:80
enabled
ip-protocol tcp
mask 255.255.255.255
profiles {
    example_accesspolicy { }
    http { }
    rba { }
    tcp { }
    websso { }
}
}
ltm rule forward_internal_virtual {
when HTTP_REQUEST {
virtual vs_internal
}
}
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Mar 03, 2016

Hi Alex,

Don't know if this fixes your problem, but you should keep in mind that 

[STREAM::enable]
translates HTTP responses and HTTP requests. So if you don't require HTTP request stream replacements, then better move 
STREAM::disable
into 
HTTP_REQUEST
event. Otherwise it may have unintentional side effects on post data...

when HTTP_REQUEST {
    STREAM::disable
}

In addition, you could use a HTTP-Compression profile instead of the 

HTTP::header remove "Accept-Encoding"
command. This would allow you to still remove the Accept-Encoding header on the server side (its a default setting) but without losing client side compression.

Cheers, Kai