Forum Discussion
TMG Migration - Deny Authentication
Good afternoon! I'm relatively new to BIG-IP, as we're working on a migration from TMG 2010 to BIG-IP 11.5.1 build 4.0.128. I searched documentation and the forums here but didn't find an answer to what I'm trying to do:
In TMG, there is an option to publish a website (in this case, SharePoint 2010) while preventing authentication (in the "Authentication Delegation" tab of a rule property, you can select "No delegation, and the client cannot authenticate directly"). In this configuration, when a client tries to access a resource that requires authentication, the proxy denies access to the URL.
My current iApp configuration is using the latest SharePoint iApp (f5.microsoft_sharepoint_2010_2013.v1.1.0). It's publishing just fine, but it doesn't block direct authentication like we need to. I do not have APM configured for this particular site, but I do have the license for it.
Thank you in advance for your help!
Sounds like you could create an iRule to drop or otherwise respond to requests for the Authentication URL and add it to the virtual server using the iApp. Maybe something like this:
when RULE_INIT { set static::response "Access DeniedWe are sorry, but you may not authenticate to the SharePoint server." } when HTTP_REQUEST { if { [string tolower [HTTP::uri]] contains "/authenticate.aspx" } { HTTP::respond 200 content $static::response } } when HTTP_RESPONSE { if { [HTTP::header exists "WWW-Authenticate"] } { HTTP::respond 200 content $static::response } }
- mikeshimkus_111Historic F5 Account
Hi Lynonell, APM offers two modes of proxying SharePoint requests. The iApp supports using APM to proxy authentication and then forwarding the request directly to the server.
Another option is to publish SharePoint as an APM portal resource, where the BIG-IP rewrites every response and the client requests are never sent to the SharePoint servers.
It sounds like the second scenario is what you want, correct? It's covered on page 18 of this guide: http://www.f5.com/pdf/deployment-guides/microsoft-forefront-tmg-dg.pdf
I've also put in a request for this option to be added to the iApp template, but don't have an ETA yet.
Mike
- Lyonell_165736Nimbostratus
Mike, thank you for the reply. In this case, we're publishing a SharePoint server as an anonymously accessible website that does not require authentication to access the content. Authentication should be blocked by the proxy if attempted - that way internal users can authenticate to the site (for content updates, etc, not through BIG-IP), but outside users cannot.
Does that help clarify the use case?
- mikeshimkus_111Historic F5 Account
Sounds like you could create an iRule to drop or otherwise respond to requests for the Authentication URL and add it to the virtual server using the iApp. Maybe something like this:
when RULE_INIT { set static::response "Access DeniedWe are sorry, but you may not authenticate to the SharePoint server." } when HTTP_REQUEST { if { [string tolower [HTTP::uri]] contains "/authenticate.aspx" } { HTTP::respond 200 content $static::response } } when HTTP_RESPONSE { if { [HTTP::header exists "WWW-Authenticate"] } { HTTP::respond 200 content $static::response } }
- Lyonell_165736Nimbostratus
That makes perfect sense - thank you very much!
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com