Distributed Cloud Users

Discuss the integration of security, networking, and application delivery services

53 Posts

Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Featured Group Content

This section shows featured content the Group Owner has highlighted.

Group Content

Question about healthchecks
Hello, We're publishing quite old server behind XC load balancer, and to make it work I had to lower "TLS Security Level" to Medium under Origin Pool > TLS. This works fine, however, without healthchecks. If I enable a simple healthcheck, for example: Host Header Value = my.hostname Path = / I start getting "503 Service Unavailable" errors. I checked the web server logs on the server and there are no hits, so I suspect the healthcheck uses newer TLS protocols/ciphers, therefore, it fails (as it used to fail when TLS Security Level was set by default to High). Can TLS protocols/ciphers used by the healthecks be configured? And second question, are there any logs that could be enabled for healthchecks? Thank you.
Solved
Teddy_Brewski
Mar 06, 2026 Place XC Users Forum
144Views
0likes
4Comments
CORS with API calls
Hello, Sorry if this is an obvious question -- we're very new to XC. We're using XC with one load balancer with CORS activated. It works fine for web applications but all API calls (to our internal APIs) are blocked because of missing origin header. What is the correct way to handle it? Ask the connecting party to insert origin headers? Dedicate another load balancer (to be used for APIs only) with CORS disabled? Thank you.
Solved
Teddy_Brewski
Feb 05, 2026 Place XC Users Forum
127Views
0likes
4Comments
High Availability and Load Balancing for Single-Node CE with multiple ISP uplinks
I'm designing a deployment for an F5 Distributed Cloud (XC) Customer Edge (CE) on-premise and would like some guidance on the best practices for link redundancy. Scenario: Deployment: Single-node Customer Edge (CE). Connectivity: Three distinct ISP providers for internet access. Objective: Achieve High Availability (HA) and traffic balancing for the connectivity between the CE and the Regional Edges (RE). Traffic Flow: I will have a public Virtual Server on the RE, with Origin Pools located on-premise behind this CE. Goals: I want to ensure the best possible user experience and minimal latency/downtime if one of the ISP links fails. I’m looking for the best way to configure the CE to utilize all ISP links for its connection to the F5 XC Fabric. Handle failover automatically so that the RE-to-CE communication remains stable. Ensure the "shortest path" or best performing link is prioritized if possible. Are there any specific configuration in the XC that I should focus on for this dual-homed setup? Thanks in advance.
Solved
StefanBraittiNT
Jan 23, 2026 Place XC Users Forum
149Views
0likes
4Comments
HTTP portal with the NTLM auth flow is broken on XC.
We are trying to protect an OWA365 portal with XC, but some requests with NTLM authentication show an Error 503 - Service Unavailable message in XC. I think that is the NTLM auth process because when try the same HTTP GET with "Authorization: Basic" it works fine. curl -v https://autodiscover.example.com/autodiscover/autodiscover.xml -H "Authorization: Basic ZG9tYWluXHVzZXI6UHJ1ZWJhc2RlcGFzc3dvcmQ=" < HTTP/2 200 < cache-control: private < content-type: text/xml; charset=utf-8 < request-id: 00000000-0000-0000-0000-000000000000 < server: volt-adc < <?xml version="1.0" encoding="utf-8"?> <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"> <Response> <Error Time="20:00:00.0000000" Id="000000000"> But the browser always fails. First, it responds with a 401 HTTP code. After sending the credentials, XC shows a 503-03 error: 'Service unavailable'. method: GET host: autodiscover.example.com req_path: /autodiscover/autodiscover.xml req_body: — api_endpoint: UNKNOWN scheme: https rsp_code: 503 rsp_code_details: upstream_reset_before_response_started{remote_reset} Do F5-XC have an OWA template or something about the NTLM user portal?
Solved
andresneri1
Jan 20, 2026 Place XC Users Forum
151Views
0likes
3Comments
F5 Roles required for Catalog Items
Having difficulty mapping required roles for a group to have proper access to catalog items. If I create a group call Security-Team and I want them to manage the security like WAF (Web App * API Protection) and Bot Defense, Web App Scanning and whatever else the Security Team should be monitoring to keep our environment safe. What Roles are required for management? They don't need access to everything, just what is required for the application security. Then we have a group called Support-Teams that need ReadOnly access to everything so they can log into F5 XC and just view everything with no ability to make changes. Not sure what Roles would get assigned to this group. Both scenarios let's assume all namespaces. Any help or direction is most appreciated.
WildWeasel
Aug 07, 2025 Place XC Users Forum
187Views
0likes
1Comment
Custom Attack Signatures
We are migrating an ASM policy with custom attack signatures created by the user. How can we translate this to an XC configuration? These are SQL injection signatures. Thank you in advance
Solved
andresneri1
Jul 29, 2025 Place XC Users Forum
231Views
0likes
3Comments
F5 configured SP initiated SAML Authentication causing multiple Redirects
F5 configured (source-ip based) to talk to 2 IBM HTTP Servers and webservers are loadbalancing using Traditional loadbalancing (Round-Robin) and routing requests to 8 JVMs of a Websphere ND Cluster. 2 Applications are deployed with context root /maximo and /saml/acs on the same cluster. When SAML Authentication is triggered via F5. We have 2 scenarios to take care F5 :- HTTPSOFFLOAD is enabled with end to end validation using HTTPS only 1. https://abc.com/maximo URL loads successfully. No issues in Authentication to SAML. When loaded follows below path 1) Incognito Browser(User) requests resource from Service Provider (SP). 2) SP Redirects (with SAML Request) to Identity Provider (microsoft-entra). 3) Since it is first login, User gives the (IdP) his/her valid credentials. 4) IdP then redirects Browser (with SAML Response which includes SAML token) to the SP page. 5) User receives the landing page. THIS IS WORKING 2. https://abc.com/maximo/ui/?event=loadapp&value=asset&changetab=viewtab&uniquid=123455 1) Incognito Browser(User) requests resource from Service Provider (SP). 2) SP Redirects (with SAML Request) to Identity Provider (microsoft-entra). 3) Since it is first login, User gives the (IdP) his/her valid credentials. 4) IdP then redirects Browser (with SAML Response which includes SAML token) to the SP page. 5) Cannot find the resource and SP Redirects (with SAML Request) to Identity Provider (microsoft-entra). 6) IdP then redirects Browser (with SAML Response which includes SAML token) to the SP page. 7) Cannot find the resource and SP Redirects (with SAML Request) to Identity Provider (microsoft-entra). Keeps redirecting multiple times and Finally timeout is hit and doesnot respond at all. It keeps redirecting when long URL is challenged. Do we need to have special irules to retain JSESSIONID state or WAS - I see this is an issue with respect to Cookie persistence
Lohit
May 15, 2025 Place XC Users Forum
487Views
0likes
13Comments
Allow the use of two or more monitors for DNS pools on XC
Hello, It would be useful to allow the use of two or more monitors for the DNS pool, as is the case for GTM pools. This would allow an easier migration from GTM to DNS XC. regards
Satoshino
Mar 24, 2025 Place XC Users Forum
181Views
0likes
2Comments
CE FW setup error
Hi, I am not able to configure Network firewall under Network security section in a Secure Mesh Site object. I keep getting this: Error description is not very helpful.. Do anyone know what can be the problem here? Thanks
Zdenek
Mar 16, 2025 Place XC Users Forum
160Views
0likes
2Comments
Can I use XC as a TCP proxy and DDoS Protection?
Hello, experts! I’m a longtime BIG-IP user but a complete newbie to XC. I have a task and would love some guidance on the best way to approach it. The goal is to use XC as a TCP proxy and for DDoS protection. The scenario: A client has a distributed network of ATMs that connect to a server. XC should sit in front of the server as a TCP proxy. The requests come in via IP. A few questions: Which XC product should I use for this? TCP Load Balancer requires requests to come via a domain name, correct? Would I need a dedicated IP from XC in this case? Can DDoS protection be applied in this setup? Am I thinking about this correctly? Any insights or recommendations would be greatly appreciated!
Aantat
Mar 11, 2025 Place XC Users Forum
342Views
0likes
3Comments

Most Recent Updates

Question about healthchecks

Solved

High Availability and Load Balancing for Single-Node CE with multiple ISP uplinks

Solved

CORS with API calls

Solved

HTTP portal with the NTLM auth flow is broken on XC.

Solved

Custom Attack Signatures

Solved

F5 Roles required for Catalog Items

XC Users Forum
Open conversations with staff and peers about F5 Distributed Cloud Services.
Mar 10, 202641 Posts
XC Users Articles
Authoritative information from F5 Distributed Cloud Services subject matter experts for you, the community.
Jul 11, 202212 Posts

About Distributed Cloud Users

Discuss the integration of security, networking, and application delivery services

Owned by: Rebecca_Moloney, DinaS, mlangdon, and LiefZimmermanCreated: 3 years ago

Open Group