Forum Discussion
SharePoint Issues with F5 LTM and APM.
Hi Jared,
How were you able to get the source IP check working? I need to bypass an APM policy based on source IP and it's proving more difficult than I expected.
Thanks,
Jen
Hey Jen -
Here is the solution that worked for me:
I added the "Check Source IP" variable to the beginning of my SharePoint access policy. Within that variable, go to Branch Rules, then Advanced, and enter this expression:
expr { [mcget {session.userlocation}] == "internal" }
Ok - now I have my completed Access Policy (see the attached picture for the full VPE). Now, go to Local Traffic -> iRules -> Data Group List and create a new list. I called mine "dg-internal-networks". Then select "Address" as the field type. Now you can add address records (i.e. a single IP address, or an entire network) to the list. I then created an iRule called "ir-apm-set-internal-netflag" and populated it with the following code:
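when ACCESS_SESSION_STARTED {
    # Flag the session as internal when the client IP matches the address data group
    if { [class match [ACCESS::session data get "session.user.clientip"] equals "dg-internal-networks" ] } {
        ACCESS::session data set "session.userlocation" "internal"
    } else {
        # Anything not listed in the data group is treated as external
        ACCESS::session data set "session.userlocation" "external"
    }
}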
Now we're going to save the iRule and then apply this iRule to the virtual server in question. Once the iRule is applied, and assuming your Access policy is set correctly, you should be good to go. In the case of SharePoint, I had to add my site's public address to the "Intranet Trusted Sites" section within Internet Explorer before it would work correctly. This is also assuming you're using NTLM on the backend and not Kerberos.
If you need some more help, just let me know!!
Jared
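Added example, not part of Jared's post and not F5 code: a Python sketch that mirrors the iRule's data group match offline, so the address records can be reviewed before they decide which clients take the "internal" branch. The record values, the CIDR notation for records, and the RFC 1918 / unique-local baseline are assumptions.

```python
import ipaddress

# Constructed sample records for the "dg-internal-networks" address data group,
# written as CIDR strings (assumed notation; a single host is a /32).
DG_INTERNAL_NETWORKS = [
    "10.0.0.0/8",
    "192.168.10.25/32",
    "172.16.0.0/11",     # constructed mistake: /11 instead of /12
    "203.0.113.0/24",    # constructed public (documentation) range
]

# Assumption: "internal" should mean RFC 1918 (IPv4) or unique-local (IPv6).
EXPECTED_INTERNAL = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def user_location(client_ip, records):
    """Mirror the iRule's decision: "internal" on a data group match,
    otherwise "external". Unparsable input fails closed to "external"."""
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return "external"
    for rec in records:
        net = ipaddress.ip_network(rec, strict=False)
        if addr.version == net.version and addr in net:
            return "internal"
    return "external"


def audit_records(records):
    """Return records that reach outside the expected internal ranges;
    every address they cover would be flagged "internal" by the iRule."""
    flagged = []
    for rec in records:
        net = ipaddress.ip_network(rec, strict=False)
        inside = any(net.version == ok.version and net.subnet_of(ok)
                     for ok in EXPECTED_INTERNAL)
        if not inside:
            flagged.append(rec)
    return flagged


if __name__ == "__main__":
    print("flagged records:", audit_records(DG_INTERNAL_NETWORKS))
    for ip in ("10.1.2.3", "172.5.5.5", "198.51.100.9", "not-an-ip"):
        print(ip, "->", user_location(ip, DG_INTERNAL_NETWORKS))
```

The mistyped /11 record shows why the audit matters: it makes the public address 172.5.5.5 count as internal.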