Forum Discussion

Lyonell_165736's avatar
Lyonell_165736
Icon for Nimbostratus rankNimbostratus
Aug 06, 2014

TMG Migration - Deny Authentication

Good afternoon! I'm relatively new to BIG-IP, as we're working on a migration from TMG 2010 to BIG-IP 11.5.1 build 4.0.128. I searched documentation and the forums here but didn't find an answer to...
application delivery
BIG-IP Access Policy Manager (APM)
deployment
devops
iApps
LTM
Security
  • mikeshimkus_111's avatar
    mikeshimkus_111
    Aug 07, 2014

    Sounds like you could create an iRule to drop or otherwise respond to requests for the Authentication URL and add it to the virtual server using the iApp. Maybe something like this:

    when RULE_INIT {
    set static::response "Access DeniedWe are sorry, but you may not authenticate to the SharePoint server."
}

when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] contains "/authenticate.aspx" } { 
        HTTP::respond 200 content $static::response         
    }
} 

when HTTP_RESPONSE {
    if { [HTTP::header exists "WWW-Authenticate"] } {
        HTTP::respond 200 content $static::response 
    }
}
mikeshimkus_111's avatar
mikeshimkus_111
Historic F5 Account
Aug 07, 2014

Hi Lynonell, APM offers two modes of proxying SharePoint requests. The iApp supports using APM to proxy authentication and then forwarding the request directly to the server.

 

Another option is to publish SharePoint as an APM portal resource, where the BIG-IP rewrites every response and the client requests are never sent to the SharePoint servers.

 

It sounds like the second scenario is what you want, correct? It's covered on page 18 of this guide: http://www.f5.com/pdf/deployment-guides/microsoft-forefront-tmg-dg.pdf

 

I've also put in a request for this option to be added to the iApp template, but don't have an ETA yet.

 

Mike