APM

APM VPN LDAP POOL can't contact ldap server.
Hi, I have a question regarding APM VPN and LDAP authentication. When I configure the LDAP server using the direct LDAP Server IP, the authentication works fine. However, when I use a Pool with the same LDAP Server IP, it shows the error message: "Can't contact LDAP server." From the packet capture, it seems that no traffic is being sent out at all. Is there any specific configuration I need to adjust for LDAP Pool settings? Thank you.

SAML - LTM in front of SP
Hi everybody! We've got an F5 BIG-IP set up as a SAML IdP and an on-prem application acting as the SAML Service Provider (SP). The SP itself has two backend servers, which we'd like to load balance through the F5. Our goal is for all traffic between users and the SP to go through the F5, not just the authentication part. In a typical SAML setup with F5 acting just as IdP, once the user is authenticated, the browser goes straight to the SP. That's fine in theory, but in our case we'd rather keep the F5 in the mix, both as the SAML IdP and as a reverse proxy/load balancer for the SP.

1) Is it enough to just configure the IdP side on the F5 and point the ACS (Assertion Consumer Service) URL to the LTM virtual server? The idea being: the F5 receives the SAML Response and quietly passes it on to one of the backend SPs behind the same VS.

2) What's the best way to troubleshoot or confirm that the SAML Response actually makes it from the F5 to the backend SP? For example, can I see this in the APM logs, session variables, or should I go full "tcpdump ninja"?

Basically: how do I prove the SAML assertion isn't getting lost somewhere between the F5 and the SP? Many thanks in advance!

[Solved]

APM webtop – problem with websockets for Serverside Blazor app
Dear community,

We have a web application built with Blazor server side rendering that utilizes SignalR (websockets) and runs on a Windows server with IIS (i.e. not web assembly).

Virtual server: the site runs as intended!

Webtop + virtual server: the site will render and SSO works, but any page using SignalR will lose interactivity as the websocket handshake times out.

We have tried to disable websockets on the server, which makes SignalR use long polling as a fallback. The web browser displays a different error message but behaves the same otherwise (have not dug deeper as we intend to use websockets in production). I would greatly appreciate any guidance on what to do!

This is the log from the blazor web app (behind webtop + virtual server):

2025-09-18 16:50:26 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubProtocolResolver Registered SignalR Protocol: json, implemented by Microsoft.AspNetCore.SignalR.Protocol.JsonHubProtocol.
2025-09-18 16:50:26 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubProtocolResolver Registered SignalR Protocol: blazorpack, implemented by Microsoft.AspNetCore.Components.Server.BlazorPack.BlazorPackHubProtocol.
2025-09-18 16:50:27 Debug Microsoft.AspNetCore.Http.Connections.Internal.HttpConnectionManager New connection XQNqGM4oGkm0P1v4NECJ9g created.
2025-09-18 16:50:27 Debug Microsoft.AspNetCore.Http.Connections.Internal.HttpConnectionDispatcher Sending negotiation response.
2025-09-18 16:50:27 Debug Microsoft.AspNetCore.Http.Connections.Internal.HttpConnectionDispatcher Establishing new connection.
2025-09-18 16:50:27 Debug Microsoft.AspNetCore.SignalR.HubConnectionHandler OnConnectedAsync started.
2025-09-18 16:50:27 Debug Microsoft.AspNetCore.Http.Connections.Internal.Transports.WebSocketsTransport Socket opened using Sub-Protocol: '(null)'.
2025-09-18 16:50:42 Debug Microsoft.AspNetCore.SignalR.HubConnectionContext Handshake was canceled.
2025-09-18 16:50:42 Debug Microsoft.AspNetCore.Http.Connections.Internal.Transports.WebSocketsTransport Waiting for the client to close the socket.
2025-09-18 16:50:42 Debug Microsoft.AspNetCore.Http.Connections.Internal.Transports.WebSocketsTransport Socket closed.
2025-09-18 16:50:42 Debug Microsoft.AspNetCore.Http.Connections.Internal.HttpConnectionManager Removing connection xVt0cL2a0gpMOiJROyJxhw from the list of connections.

This is the log from the same blazor web app when it works as intended:

2025-09-18 17:29:31 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubProtocolResolver Registered SignalR Protocol: json, implemented by Microsoft.AspNetCore.SignalR.Protocol.JsonHubProtocol.
2025-09-18 17:29:31 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubProtocolResolver Registered SignalR Protocol: blazorpack, implemented by Microsoft.AspNetCore.Components.Server.BlazorPack.BlazorPackHubProtocol.
2025-09-18 17:29:37 Debug Microsoft.AspNetCore.Http.Connections.Internal.HttpConnectionManager New connection c0CR_c-7xa0QydeddE5HcA created.
2025-09-18 17:29:37 Debug Microsoft.AspNetCore.Http.Connections.Internal.HttpConnectionDispatcher Sending negotiation response.
2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.HubConnectionHandler OnConnectedAsync started.
2025-09-18 17:29:37 Debug Microsoft.AspNetCore.Http.Connections.Internal.Transports.WebSocketsTransport Socket opened using Sub-Protocol: '(null)'.
2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubProtocolResolver Found protocol implementation for requested protocol: blazorpack.
2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.HubConnectionContext Completed connection handshake. Using HubProtocol 'blazorpack'.
2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubDispatcher Received hub invocation: InvocationMessage { InvocationId: "0", Target: "StartCircuit", Arguments: [ https://testsite.com/, https://testsite.com/counter, [], CfD...m ], StreamIds: [ ] }.
2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubDispatcher Received hub invocation: InvocationMessage { InvocationId: "", Target: "EndInvokeJSFromDotNet", Arguments: [ 2, True, [2,true,null] ], StreamIds: [ ] }.
2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubDispatcher Received hub invocation: InvocationMessage { InvocationId: "", Target: "UpdateRootComponents", Arguments: [ {"batchId":1,"operations":[{"type":"add","ssrComponentId":1,"marker":{"type":"server","prerenderId":"80...9c8","key":{"locationHash":"....","formattedComponentKey":""},"sequence":0,"descriptor":".... ], StreamIds: [ ] }.
2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubDispatcher Received hub invocation: InvocationMessage { InvocationId: "", Target: "OnRenderCompleted", Arguments: [ 2, ], StreamIds: [ ] }.

This is the output in the web browser console when accessing the site via (webtop + virtual server):

2025-09-18T14:50:28.565Z Information: Normalizing '_blazor' to 'https://testsite.com/f5-w-68747470733a2f2f6d6139392e6d6963726f2d746573742e696e747261$$/f5-h-$$/_blazor'. blazor.web.js?F5CH=J:1
2025-09-18T14:50:28.609Z Information: WebSocket connected to wss://testsite.com/f5-w-68747470733a2f2f6d6139392e6d6963726f2d746573742e696e747261$$/f5-h-$$/_blazor?id=xVt0cL2a0gpMOiJROyJxhw. blazor.web.js?F5CH=J:1
2025-09-18T14:50:43.620Z Error: Connection disconnected with error 'Error: Server returned handshake error: Handshake was canceled.'. blazor.web.js?F5CH=J:1
2025-09-18T14:50:43.620Z Error: Error: Server returned handshake error: Handshake was canceled. blazor.web.js?F5CH=J:1
2025-09-18T14:50:43.620Z Error: Failed to start the circuit. blazor.web.js?F5CH=J:1

Checkpoint Web Smartconsole behind reverse proxy.
Does anyone have any experience at trying (and hopefully succeeding) to put a Checkpoint (CP) FW Provider-1 based web smartconsole behind a reverse proxy? The thing is that CP use local IP addresses to identify one of a selection of management module instances. And they use webtransport/websockets to connect from these mgmt modules back to a browser for displaying FW policies and log data etc. That all seems fairly OK, but they don't anchor it using the connection ID and so the raw IPs (of what they call the domain blade/instance) get passed to the browser. But we would prefer to NAT/hide/reIP the server (domain) side IPs and not have the internal server/domain IPs sent along to the browser. Part of the conversation, and some wrapper text from me, from the server to the client follows:

***
We wish to use access to various customer domains using the /smartconsole web interface. But the access has to be behind a reverse proxy (F5 vIP) and after the initial logon using the CMA IP behind a vIP (so the address the browser sees is a public service one) you get a screen where the domain is listed, and after selecting continue you get redirected separately to the CMA IP in an internal JSON/javascript message. Hence breaking the attempt to have the CMA behind a reverse proxy.
***

{"data":{"loginToDomain":{"transportOtt":"107ad894-253d-4638-aa31-1c3e7d23172a","transportUrl":"https://100.64.20.29:443/smartconsole/transport","__typename":"LoginToDomainResponse"}}}

***

How APM GET IOS UUID & Android MAC
Hello Expert,

Recently, there has been a requirement to restrict the MAC addresses or UUIDs of source mobile devices.

Android devices will utilise the method of obtaining the MAC address (https://my.f5.com/manage/s/article/K13731#ai-recommendations-54):

expr {[mcget {session.client.mac_address}] == "50:6B:8D:xx:xx:xx"}

iOS devices will utilise the method of obtaining the UUID (https://my.f5.com/manage/s/article/K12749):

expr {[mcget {session.client.unique_id}] == "8ccaf965e51e3077"}

As illustrated below:

Would this approach successfully fulfil my requirements? Thanks.

SOLVED: sending IsCompliant, IsKnown and IsManaged via SAML (SSO)
Background

We have an EntraID (Azure/Microsoft365) SAML based VPN using the APM module and were keen to provide a different device pool to domain devices, rather than personal devices (BYOD). We noted that, in the EntraID logs, it included elements such as whether the device IsCompliant, IsKnown and/or IsManaged:

Wrong step first

We followed part of the exceptionally good video from Matthieu Dierick (https://www.youtube.com/watch?v=DBA84d4VJU8) in which he explains how to configure InTune to make the IsCompliant assertion and push a certificate onto the device to identify it, and then the BIG-IP Edge client will send that certificate back to be used via an API call against InTune (even if EntraID isn't used for your APM authentication). To get the API bit to function we needed to follow the guidance in https://my.f5.com/manage/s/article/K00943512

But we aren't that far down the route with InTune and, without pushing that certificate, we got the error "Device ID was not found in session variables" (as explained in https://my.f5.com/manage/s/article/K93969130 ).

To get working: Azure steps

It seems exporting these variables isn't natively available through the GUI, although there were some pointers available from "Azure AD - SAML - Intune - ismanaged attribute" on Microsoft Q&A.

In short, navigate to https://portal.azure.com/ and then:

1. Microsoft EntraID
2. Under Manage > App registrations (this will default to "owned applications") choose the "all applications" tab
3. Filter by the name of your SAML configuration
4. Manage > Manifest
5. Take a copy of the manifest in case you want to revert (note that it won't let you save it unless it can parse the input)
6. Find the section "optionalClaims" and inject the following after any groups you pass back:

"optionalClaims": {
    "accessToken": [],
    "idToken": [],
    "saml2Token": [
        {
            "additionalProperties": [
                "on_premise_security_identifier"
            ],
            "essential": false,
            "name": "groups",
            "source": null
        },
        {
            "additionalProperties": [],
            "essential": true,
            "name": "is_device_managed",
            "source": null
        },
        {
            "additionalProperties": [],
            "essential": true,
            "name": "is_device_compliant",
            "source": null
        },
        {
            "additionalProperties": [],
            "essential": true,
            "name": "is_device_known",
            "source": null
        }
    ]
},

To get working: APM steps

In the visual policy editor you can now assign variables to those claims of the form:

session.logon.last.isknown = mcget {session.saml.last.attr.name.http://schemas.microsoft.com/2014/02/devicecontext/claims/isknown}
session.logon.last.iscompliant = mcget {session.saml.last.attr.name.http://schemas.microsoft.com/2014/09/devicecontext/claims/iscompliant}
session.logon.last.ismanaged = mcget {session.saml.last.attr.name.http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged}

So you can end up with a variable assignment box that looks like: (just be careful with copy/paste that it doesn't introduce spaces in the session variables)

Then you can do a new General Purpose > Empty box with a branch rule evaluating:

expr {[mcget {session.logon.last.ismanaged}] == "true"}

Optionally you can record the output of these variables by adding a logging box with the entry:

username=%{session.logon.last.username}, ismanaged=%{session.logon.last.ismanaged}, iscompliant=%{session.logon.last.iscompliant}, isknown=%{session.logon.last.isknown}

APM reading user attributes from local database
Hello,

Any clue how to read the email address of a user created in the local database, as this email address is required to send the OTP to it? I know that there are ready templates and the user can enter his email address on the login page, but we need the OTP to be sent to the email address of the user who tries to log in. It is easy if the user is created in AD, right? So we can query AD for that attribute, but what can be done if the user is in the local database?

Bypass Azure Login Page with OAuth login_hint on F5 BIG-IP APM
Overview

This article demonstrates how to enhance the user experience between F5 BIG-IP APM (OAuth Client) and Azure AD (OAuth Authorization Server) by implementing the login_hint parameter. This approach eliminates the need for users to enter their credentials twice: once on the F5 login page and again on the Azure login page.

Problem Statement

When users access applications protected by F5 APM that authenticate against Azure AD using OAuth/OIDC, they often encounter a suboptimal experience:

1. The user enters credentials on the F5 login page (often using their familiar sAMAccountName).
2. F5 redirects to Azure AD for OAuth authentication.
3. Azure AD presents another login page asking for the same credentials (expecting UPN/email format).

This creates additional friction because users may not know their User Principal Name (UPN) and typically use their sAMAccountName for domain authentication. The login_hint parameter solves this by allowing F5 APM to translate the user's sAMAccountName to their UPN and pre-populate the Azure login page, effectively bypassing the redundant login prompt.

Alternative approach

The same functionality can be achieved using SAML, as described here. However, I find the OAuth approach cleaner, as it eliminates the need for an iRule and also allows you to include the prompt parameter. This can be useful when you want to force authentication in Azure instead of relying on an existing session. See here for details.

Prerequisites

- F5 BIG-IP with APM
- Azure AD tenant with an application registration
- Basic OAuth/OIDC configuration between F5 and Azure AD (as outlined in https://my.f5.com/manage/s/article/K53313351)

Implementation Steps

Step 1: Complete Basic OAuth Setup

Follow the standard F5 APM OAuth configuration with Azure AD.

Configure the OAuth Server object:
- Navigate to Access ›› Federation ›› OAuth Client/Resource Server ›› OAuth Server
- Create a new OAuth server configuration for Azure AD
- Set the provider type to "Microsoft Identity Platform 2.0"

Configure the Access Profile:
- Create an access profile with an OAuth Client agent
- Configure the authentication redirect and token requests

Step 2: Create a Custom Authentication Redirect Request

The key modification is a custom authentication redirect request that includes the login_hint parameter.

Navigate to the request configuration:
- Access ›› Federation ›› OAuth Client/Resource Server ›› Request

Clone the default request:
- Find the existing /Common/MSIdentityPlatform2.0AuthRedirectRequest
- Create a copy
- Name it something descriptive like MSIdentityPlatform2.0AuthRedirectRequest_LoginHint, with the same parameters as /Common/MSIdentityPlatform2.0AuthRedirectRequest

Add the login_hint parameter:
- In the Parameters section, click Add
- Configure the new parameter:
  Parameter Name: login_hint
  Parameter Type: custom
  Parameter Value: %{session.ad.last.attr.userPrincipalName}, or any other variable containing the user's UPN, depending on your environment and authentication configuration

Step 3: Update the VPE OAuth Configuration

Access the Visual Policy Editor:
- Go to Access ›› Profiles/Policies ›› Access Profiles (Per-Session Policies)
- Edit your access profile
- Click Edit to open the VPE

Modify the OAuth Client agent:
- Locate the OAuth Client agent in your policy
- Edit the OAuth Client agent properties
- In the Authentication Redirect Request dropdown, select your new custom request: MSIdentityPlatform2.0AuthRedirectRequest_LoginHint

Apply the access policy:
- Click Apply Access Policy to save the changes

Step 4: Session Variable Configuration and UPN Translation

The key to a successful login_hint implementation is ensuring that the session variable referenced by the custom parameter is populated with a UPN-formatted email address. F5 APM can translate the sAMAccountName to the UPN as part of AD authentication: an AD Query after AD Auth fetches the user's userPrincipalName attribute into session.ad.last.attr.userPrincipalName, and the OAuth Client agent then places that value in the redirect.

Complete Policy Flow Example

Start
  ↓
Logon Page (user enters: DOMAIN\john.doe or john.doe)
  ↓
AD Auth (authenticate and populate session variables)
  ↓
AD Query (fetch user attributes, including userPrincipalName)
  ↓
OAuth Client (custom redirect request including login_hint=john.doe@company.com)
  ↓
Azure AD (pre-populated with the UPN, bypasses the login prompt)
  ↓
Application Access

Troubleshooting

Common Issues

login_hint parameter not working:
- Verify the session variable contains a valid email address
- Check that the custom request is selected in the OAuth Client agent
- Ensure the parameter type is set to "custom"

Session variable empty or in the wrong format:
- Verify that AD authentication and the AD query occur before the OAuth redirect
- Check the AD attribute mapping configuration
- Confirm the userPrincipalName attribute exists in your AD schema
- Ensure the domain suffix matches the Azure AD tenant domain

Azure AD still prompts for login:
- Verify the email format matches Azure AD expectations
- Check the Azure AD application configuration for login_hint support
- Ensure the user exists in the Azure AD tenant

Debugging Tips

- Enable APM debug logging: tmsh modify sys db log.apm.level value debug (set it back to its previous level afterwards; debug is verbose)
- Use the browser developer tools to inspect the OAuth redirect URL and confirm the login_hint query parameter is present and URL-encoded
- Verify session variables using Variable Assign agents in the VPE

Security Considerations

- The login_hint parameter only pre-populates the username field; users must still provide valid credentials
- This is a user experience enhancement, not a security bypass
- Ensure session variables don't contain sensitive information beyond the username/email: the login_hint value travels in the query string of a browser redirect, so it appears in browser history and in any proxy logs along the way
- login_hint is a hint to the authorization server, not an identity assertion; the authenticated identity comes from the claims in the token returned after the authorization code exchange, never from the hint

Conclusion

Implementing login_hint with OAuth on F5 BIG-IP APM significantly improves user experience by eliminating redundant login prompts. The key advantage is that F5 APM can seamlessly translate users' familiar sAMAccountName credentials to the UPN format required by Azure AD, allowing users to authenticate once with their domain credentials while Azure AD receives the properly formatted UPN for the login_hint.

This approach maintains security while providing a seamless user experience, and is particularly beneficial in environments where:

- Users are more familiar with their sAMAccountName than their UPN
- Organizations want to minimize authentication friction
- Azure itself is federated to another IdP and you want transparent redirection

The solution leverages F5 APM's AD integration capabilities to handle the username format translation automatically, making it transparent to end users.
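The policy flow above and the "inspect the redirect URL" debugging tip, modelled as an added example in Python. This is not code from this article or from F5: on the BIG-IP the redirect is built by the OAuth Client agent from the Request object and the session variables, and the code here only reproduces that logic so each piece can be checked in isolation. The DIRECTORY table is a constructed stand-in for the AD Query result (session.ad.last.attr.userPrincipalName), and the tenant, client_id and redirect_uri values are placeholders.

```python
import re
import secrets
import urllib.parse

# Microsoft Identity Platform 2.0 authorize endpoint (what the "Microsoft Identity
# Platform 2.0" provider type in the OAuth Server object points at).
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"

# Constructed stand-in for the AD Query result: sAMAccountName -> userPrincipalName.
# In APM this value comes from session.ad.last.attr.userPrincipalName, not a table.
DIRECTORY = {
    "john.doe": "john.doe@company.com",
    "svc-backup": "",  # account without a UPN: login_hint must then be omitted
}

# Loose UPN shape check: something@domain.tld, no whitespace.
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalize_logon(name):
    """Reduce DOMAIN\\user, user@domain or plain user to a bare, lower-cased sAMAccountName."""
    name = name.strip()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    elif "@" in name:
        name = name.split("@", 1)[0]
    return name.lower()


def lookup_upn(logon_name):
    """Return the UPN for a logon name, or None when the directory has no UPN-shaped value."""
    upn = DIRECTORY.get(normalize_logon(logon_name), "")
    return upn if UPN_RE.match(upn) else None


def build_authorize_url(tenant, client_id, redirect_uri, upn=None, prompt=None,
                        state=None, nonce=None):
    """Build the redirect the OAuth Client agent sends the browser to.

    login_hint is added only when a UPN is known; prompt (e.g. "login") is the optional
    parameter the article mentions for forcing re-authentication at Azure.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": state or secrets.token_urlsafe(16),
        "nonce": nonce or secrets.token_urlsafe(16),
    }
    if upn:
        params["login_hint"] = upn
    if prompt:
        params["prompt"] = prompt
    # urlencode percent-encodes the "@" in the UPN, which is what you should see in dev tools.
    return AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + urllib.parse.urlencode(params)


def inspect_redirect(url):
    """The check to run on the redirect URL copied from the browser's network tab."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    hint = query.get("login_hint", [""])[0]
    return {
        "login_hint": hint,
        "login_hint_ok": bool(UPN_RE.match(hint)),
        "prompt": query.get("prompt", [""])[0],
        "has_state": bool(query.get("state", [""])[0]),
    }


if __name__ == "__main__":
    url = build_authorize_url("contoso.onmicrosoft.com", "00000000-app-id",
                              "https://vpn.example.com/oauth/client/redirect",
                              upn=lookup_upn("COMPANY\\John.Doe"), prompt="login")
    print(url)
    print(inspect_redirect(url))
```

Two details worth keeping in mind when you compare this with what the browser shows: an empty login_hint is worse than none (Azure simply prompts, and you have a confusing redirect to debug), so the parameter is dropped when no UPN-shaped value exists; and the hint is visible to anything that logs the redirect URL, so it should never carry more than the UPN.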
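Added example for two earlier threads on this page, not part of any of the posts and not F5 or Microsoft code: "SAML - LTM in front of SP" (proving a SAML Response reached the SP: decode the POST to the ACS and compare its Destination and Recipient with the ACS URL the SP expects) and "SOLVED: sending IsCompliant, IsKnown and IsManaged via SAML (SSO)" (reading the Entra device-context claims by their claim URIs and failing closed when one is absent). The SAML Response below is a constructed, unsigned sample; the ACS URL, issuer and pool names are placeholders.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Entra ID device-context claim URIs, the same names the SOLVED post reads via
# session.saml.last.attr.name.<uri>.
DEVICE_CLAIMS = {
    "ismanaged": "http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged",
    "iscompliant": "http://schemas.microsoft.com/2014/09/devicecontext/claims/iscompliant",
    "isknown": "http://schemas.microsoft.com/2014/02/devicecontext/claims/isknown",
}

ACS_URL = "https://app.example.com/saml/acs"  # placeholder: the ACS behind the LTM VS

# Constructed, unsigned Response. A real one is signed, and the signature must be
# validated (APM does this) before any value below may be trusted. isknown is
# deliberately omitted to show the fail-closed default.
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2025-01-01T00:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-01-01T00:00:00Z">
    <saml:Subject>
      <saml:NameID>john.doe@company.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2025-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{DEVICE_CLAIMS['ismanaged']}"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{DEVICE_CLAIMS['iscompliant']}"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# The form body the browser POSTs to the ACS (what a decrypted capture on the VS shows).
SAMPLE_POST_BODY = urllib.parse.urlencode({
    "SAMLResponse": base64.b64encode(SAMPLE_XML.encode()).decode(),
    "RelayState": "/",
})


def decode_post_body(body):
    """Extract and base64-decode the SAMLResponse field from an HTTP-POST binding body."""
    form = urllib.parse.parse_qs(body, strict_parsing=True)
    return base64.b64decode(form["SAMLResponse"][0]).decode()


def inspect_response(xml_text, expected_acs):
    """Report where the Response says it was sent, plus the attributes it carries."""
    root = ET.fromstring(xml_text)
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "destination": root.get("Destination"),
        "recipient": recipient,
        "destination_ok": root.get("Destination") == expected_acs,
        "recipient_ok": recipient == expected_acs,
        "subject": root.findtext(".//saml:NameID", default="", namespaces=NS),
        "attributes": attrs,
    }


def device_flags(attrs):
    """Absent claim -> False: an IdP that says nothing about the device is not 'managed'."""
    flags = {}
    for key, uri in DEVICE_CLAIMS.items():
        values = attrs.get(uri) or ["false"]
        flags[key] = values[0].strip().lower() == "true"
    return flags


def choose_pool(flags):
    """The branch the SOLVED post implements in the VPE, as a function."""
    return "corporate-pool" if flags["ismanaged"] and flags["iscompliant"] else "byod-pool"


if __name__ == "__main__":
    info = inspect_response(decode_post_body(SAMPLE_POST_BODY), ACS_URL)
    print(info["destination_ok"], info["recipient_ok"], info["subject"])
    print(choose_pool(device_flags(info["attributes"])))
```

Against a real capture, take the SAMLResponse form field from the browser's developer tools or from a decrypted capture of the POST to the ACS and hand the body to decode_post_body. If destination_ok or recipient_ok is false, the assertion was issued for a different ACS than the virtual server in front of the SP, and a conforming SP rejects it before it ever consults the attributes, which is the usual way a Response "gets lost" between the proxy and the backend.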