For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Longhi_Mauro_19's avatar
Longhi_Mauro_19
Icon for Nimbostratus rankNimbostratus
Jul 06, 2015

Replace Microsoft NLB with BIGIP 2200S

Goodmorning,

 

I'm trying to replace serveral Microsoft NLB Cluster with a couple of BIGIP 2200S to do loadbalancing for different services.

 

I have configured management interfaces,upgraded and connected the two BIGIP machines.

 

I have connected 4 interfaces with trunk configuration with all VLAN I need.

 

Now I'm trying to configure NLB for Microsoft Dynamics NAV and I have some problem. CLIENTS and SERVERS ara on the same VLAN. BIGIP has an interface on this VLAN.

 

I tried to configure a virtual server with SNAT but I have a problem of delegation and without APM I can't configure Kerberos Delegation, so I have disabled SNAT and clients should arrive directly on servers (is it right?). I can connect to Dynamic NAV services but randomly the client can't reach the server service.

 

This is the first time that I use BIGIP to configure an internal LTM without SNAT and I don't know if my deployment is right.

 

Thank you very much

 

Mauro

 

application delivery
availability
BIG-IP Access Policy Manager (APM)
deployment
LTM
microsoft
security

13 Replies

Show More
  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Jul 09, 2015

    Client side Kerberos will produce a single (useful) session variable: session.logon.last.username, which will be in UPN format. Example:

    user@DOMAIN.COM

    Kerberos SSO requires two input session variables: session.sso.token.last.username and session.logon.last.domain. That means in order to do client side and server side Kerberos together, you need a variable assignment in your access policy that splits the incoming UPN into separate username and domain values. So something like this:

    session.sso.token.last.username = return [lindex [split [mcget {session.logon.last.username}] "@"] 0]    

session.logon.last.domain = return [lindex [split [mcget {session.logon.last.username}] "@"] 1]
  • Longhi_Mauro_19's avatar
    Longhi_Mauro_19
    Icon for Nimbostratus rankNimbostratus
    Jul 14, 2015

    Hi, I have followed the guide but it can't make it work.

     

    How can I see if the apn works fine and pass the kerberos auth?

     

    Thank you

     

    Mauro

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Jul 14, 2015

    You should build each side separately. Configure a backend server for anonymous authentication and configure client side "AAA" Kerberos first. Once you have that working, create a separate access policy with no client side authentication and build your server side "SSO" Kerberos. In the SSO profile, you'll see two "source" session variables (by default session.sso.token.last.username and session.logon.last.domain). In the visual policy for your server side Kerberos access policy, just do Start -> Variable Assign -> Allow. In the variable assign agent, set these two source session variables to a valid domain username and (uppercase) domain name, respectively. Once you have both sides working independently, then you can combine them by changing the input session variable session.logon.last.username (a UPN value: user@DOMAIN) into the two separate server side source variables.