Forum Discussion

alex100_194614's avatar
alex100_194614
Icon for Nimbostratus rankNimbostratus
Mar 03, 2016

Problem with stream iRule and SAML idp redirect

Running into following issue here. We have a sharepoint site with web servers listening on some high port and using internal hostname. On the SharePoint virtual server I am applying fallowing iRule t...
application delivery
BIG-IP Access Policy Manager (APM)
irule
saml
SSO
  • Andrew_4752's avatar
    Andrew_4752
    Mar 03, 2016

    Hi Alex,

    For for the VIP targeting VIP solution to get around APM-Stream Profile conflicts, below is a basic view of what the config would look like:

    ltm virtual vs_external {
destination 1.1.1.1:443
ip-protocol tcp
mask 255.255.255.255
profiles {
    clientssl_profile {
        context clientside
    }
    stream_profile { }
    http { }
    tcp { }
}
rules {
    forward_internal_virtual
    saml_stream_expression
  }
}
ltm virtual vs_internal {
destination 2.2.2.2:80
enabled
ip-protocol tcp
mask 255.255.255.255
profiles {
    example_accesspolicy { }
    http { }
    rba { }
    tcp { }
    websso { }
}
}
ltm rule forward_internal_virtual {
when HTTP_REQUEST {
virtual vs_internal
}
}
alex100_194614's avatar
alex100_194614
Icon for Nimbostratus rankNimbostratus
Mar 03, 2016
In LTM log I am seen this: TCL error: /Common/irulename_link_rewrite - Operation not supported (line 1) invoked from within "STREAM::disable" In APM Log: Mar 3 18:06:59 QC-BIGIP-03 err apd[12434]: 01490000:3: HTTPParser.cpp func: "readFromSocket()" line: 209 Msg: error while reading from socket Connection reset by peer Mar 3 18:06:59 QC-BIGIP-03 err apd[12434]: 01490000:3: AccessPolicyD.cpp func: "process_request()" line: 765 Msg: EXCEPTION AccessPolicyD.cpp line:676 function: process_request - error 2 reading/parsing response from socket Mar 3 18:06:59 QC-BIGIP-03 debug apd[12434]: 01490000:7: AccessPolicyD.cpp func: "sendAccessPolicyResponse()" line: 1835 Msg: send 'error' code Mar 3 18:06:59 QC-BIGIP-03 err apd[12434]: 01490085:3: : Response could not be sent to remote client. Socket error: Broken pipe Mar 3 18:06:59 QC-BIGIP-03 debug apd[12434]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 776 Msg: ** done with the request processing ** Mar 3 18:06:59 QC-BIGIP-03 warning tmm[16831]: 01490531:4: d3ae9f1d: Detected invalid host header (). Mar 3 18:06:59 QC-BIGIP-03 notice tmm[16831]: 01490501:5: d3ae9f1d: Session deleted due to user logout request. If I remove the APM policy the iRule doesn't seem to triger anything in the log and it works. Also it seems that changing HTTP_RESPONSE to HTTP_RESPONSE_RELEASE breaks the irule in my case... I wonder if there is a way to exclude a specific uri from being translated... I am new to stream profile. Thanks for the help..