11.6
6 Topics

is it possible to use regex within switch block?
Hello! Is it possible to use regular expressions within switch block? My scenario:

a.domain.com
a.domain.net

So different TLDs. Now I want to write iRule that will handle both 'com' and 'net', but I can't figure this out and instead I have to use following syntax:

```
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::host]] {
        "a.domain.com" { pool some_pool_a }
        "a.domain.net" { pool some_pool_a }
        "b.domain.com" { pool some_pool_b }
        "b.domain.net" { pool some_pool_b }
    }
}
```

I would like to rewrite this iRule to something like this:

```
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::host]] {
        "a.domain.[com|net]" { pool some_pool_a }
        "b.domain.[com|net]" { pool some_pool_b }
    }
}
```

but it seems to be not working. Do you guys have any good idea how to fix it? BTW - I'm using v11.6 of BIG IP software.

504 Views, 0 likes, 5 Comments

F5 APM OWA o365 SSO Form Based Authentication Issues
Hello there, we'd like to configure our v11.6 F5 box to provide access to an Exchange 2013 / MS o365 web based email using APM to enforce two factor authentication (AD + OTP) on an HTTPS Virtual Server. The authentication part is ok and the policy log shows that the ending is "allow". On the other end the authenticated user is redirected to his o365 landing home page that displays his latest emails. At this point any attempt to click on any item in the page won't produce any result. When looking at the session logs, I noticed that right after the webtop gets assigned and the Websso form-based auth is triggered, APM says "Session deleted due to user logout request." which of course the user has not done. What am I missing?

Session Logs:

```
Jul 9 17:47:02 MY-F5 notice apd[5923]: 01490220:5: c1f370de: Pool '/Common/mail.o365.mydomain.com' assigned
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490004:6: c1f370de: Executed agent '/Common/WEBMAIL_act_resource_assign_2_ag', return value 0
Jul 9 17:47:02 MY-F5 notice apd[5923]: 01490005:5: c1f370de: Following rule 'fallback' from item 'TEST_OWA' to ending 'Allow'
Jul 9 17:47:02 MY-F5 notice apd[5923]: 01490102:5: c1f370de: Access policy result: Web_Application
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490004:6: c1f370de: Executed agent '/Common/WEBMAIL_end_allow_ag', return value 0
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.assigned.pool' set to '/Common/mail.o365.mydomain.com'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.assigned.resources.pa' set to '/Common/OWA_TEST'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.assigned.uuid' set to 'tmm.uuid./Common/WEBMAIL.userid'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.assigned.webtop' set to '/Common/WebTop_Test'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.ldap./Common/WEBMAIL_act_ldap_auth_ag.authresult' set to '1'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.ldap./Common/WEBMAIL_act_ldap_auth_ag.errmsg' set to ' '
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.ldap./Common/WEBMAIL_act_ldap_auth_ag.errmsgext' set to ' '
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.ldap./Common/WEBMAIL_act_ldap_auth_ag.totalEntries' set to '0'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.ldap.last.authresult' set to '1'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.ldap.last.errmsg' set to ' '
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.ldap.last.errmsgext' set to ' '
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.ldap.last.totalEntries' set to '0'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.logon.last.password' set to '**********'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.logon.last.username' set to 'userid@mydomain.ad'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.logon.page.errorcode' set to '0'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.policy.result' set to 'allow'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.policy.result.start_uri' set to '/f5-w-68747470733a2f2f7765626d61696c2e6d79646f6d61696e2e636f6d$$/owa/'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.policy.result.webtop.type' set to 'web_application'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius./Common/WEBMAIL_act_radius_auth_ag.attr.class' set to '0x661905fe00000137000102000aef19aa00000000000000000000000001d0b703690c67f0000000000000129d'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius./Common/WEBMAIL_act_radius_auth_ag.attr.framed-protocol' set to '1'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius./Common/WEBMAIL_act_radius_auth_ag.attr.service-type' set to '2'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius./Common/WEBMAIL_act_radius_auth_ag.errmsg' set to ' '
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius./Common/WEBMAIL_act_radius_auth_ag.result' set to '1'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius.last.attr.class' set to '0x661905fe00000137000102000aef19aa00000000000000000000000001d0b703690c67f0000000000000129d'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius.last.attr.framed-protocol' set to '1'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius.last.attr.service-type' set to '2'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius.last.errmsg' set to ' '
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius.last.result' set to '1'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.sso.token.last.password' set to '**********'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.sso.token.last.username' set to 'userid@mydomain.ad'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.webtop.customization.group' set to '/Common/WebTop_Test_customization'
Jul 9 17:47:02 MY-F5 info websso.0[12351]: 014d0015:6: c1f370de: Websso form-based authentication for user 'userid@mydomain.ad' using config '/Common/OWA_365'
Jul 9 17:47:06 MY-F5 notice tmm2[11808]: 01490501:5: c1f370de: Session deleted due to user logout request.
Jul 9 17:47:44 MY-F5 notice tmm2[11808]: 01490521:5: c1f370de: Session statistics - bytes in: 161950, bytes out: 1593105
```

And here's the sso config

```
apm sso form-based /Common/OWA_365 {
    form-action https://webmail.mydomain.com/owa/auth.owa
    form-field "destination https://webmail.mydomain.com/owa/ flags 4 forcedownlevel 0 passwordText isUtf8 1 trusted 4"
    form-password password
    form-username username
    start-uri /owa/auth/logon.aspx*
}
apm resource portal-access /Common/OWA_TEST {
    acl-order 2
    customization-group /Common/OWA_TEST_resource_web_app_customization
    flash-patching false
    items {
        item {
            client-caching-type no-cache
            compression-type none
            home-tab false
            host webmail.mydomain.com
            log packet
            order 1
            paths /*
            port 443
            scheme https
            session-timeout false
            session-update false
            sso /Common/OWA_365
            subnet 0.0.0.0/0
        }
    }
    path-match-case false
    scheme-patching true
}
apm resource webtop /Common/WebTop_Test {
    customization-group /Common/WebTop_Test_customization
    portal-access-start-uri https://webmail.mydomain.com/owa/
    webtop-type portal-access
}
```

Thanks in advance for your help

Solved, 954 Views, 0 likes, 6 Comments

ADFS 3.0 monitor for ADFS Proxy servers on LTM 11.6 HF3
We are load balancing ADFS 3.0 Proxy servers, but cannot get the monitor to work. The external script provided by F5 is as follows:

```
#!/bin/sh
# These arguments supplied automatically for all external monitors:
# $1 = IP (nnn.nnn.nnn.nnn notation)
# $2 = port (decimal, host byte order)
# This script expects the following Name/Value pairs:
# HOST = the host name of the SNI-enabled site
# URI = the URI to request
# RECV = the expected response

# Remove IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format)
NODE=`echo ${1} | sed 's/::ffff://'`
if [[ $NODE =~ ^[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$ ]]; then
    NODE=${NODE}
else
    NODE=[${NODE}]
fi
PORT=${2}
PIDFILE="/var/run/`basename ${0}`.sni_monitor_${HOST}_${PORT}_${NODE}_sni.pid"
if [ -f $PIDFILE ]
then
    echo "EAV exceeded runtime needed to kill ${HOST}:${PORT}:${NODE}" | logger -p local0.error
    kill -9 `cat $PIDFILE` > /dev/null 2>&1
fi
curl-apd -k -v --resolve $HOST:$PORT:$NODE https://$HOST$URI 2>&1 > /dev/null | grep -i "${RECV}"
STATUS=$?
rm -f $PIDFILE
if [ $STATUS -eq 0 ]
then
    echo "UP"
fi
exit
```

I can ssh into the F5 and get a good response when I hard-code the values:

```
config # curl-apd -k -v --resolve adfs.abc.edu:443:10.255.200.201 https://adfs.abc.edu/FederationMetadata/2007-06/FederationMetadata.xml 2>&1 > /dev/null | grep -i "HTTP/1.1 200 OK"
< HTTP/1.1 200 OK
```

Is there a way on the command line to see what variables are actually being used or maybe a way to log their values? I wonder if it is not correctly pulling the $NODE or $PORT values. As an experiment I also changed `[ $STATUS -eq 0 ]` to `[ $STATUS eq 0 ]` just to see if the monitor would come up and that did not help either.

Thanks, Rob

288 Views, 0 likes, 1 Comment

Help! ACS, v11.6, variable substitution for multiple user roles in multiple partitions?
v11.6 allows multiple roles per account as long as they are assigned to different partitions. What is the recommended configuration for LTM v11.6 and ACS 5.2 to support variable substitution for complex RBAC assignments? For instance, UserA in AD who is a member of AD groups 'F5 Operator' and 'F5 Certs' can login and have manager access to PartitionA and Certificate Manager access to Common.

209 Views, 0 likes, 0 Comments

snmp values changed in 11.6?
I just upgraded some LTMs from 11.4 to 11.6 and noticed my SNMP throughput numbers are considerably different. I'm wondering what changed? Is there a different MIB that I should be querying? I double-checked all switch ports and the traffic remains consistent there; however, the F5s think otherwise. I'm using sysStatClientBytesIn and sysStatClientBytesOut.

205 Views, 0 likes, 1 Comment