Azure
166 Topics

F5 APM and Intune integration for Windows 10 machine posture check
Hello, We have taken up a new project in our organization to move away from machine certificate check to machine posture check using the integration feature with Azure Intune. We have followed the document: https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-client-configuration-7-1-6/6.html Requirement is to get compliant status from Intune for Windows 10 laptops that are registered with Intune. Endpoint management system integration with Intune is successful. We are using Big IP Edge Client at the Windows 10 end. However, during login attempt, we get an error message in session logs that says:
/Common/Azure-POC:Common:fb626905: mdm [/Common/Azure:ms-intune]: Device ID was not found in session variables.
Any suggestion on possible resolution on this issue?
608 Views, 2 likes, 2 Comments

SAML SESSION VARIABLE AND ATTRIBUTES
Hi, I am currently set up on my APM to use SAML single sign-on with Azure as my IdP and F5 APM as my SP. I want to assign resources to authenticated users based on their groups in Azure. How do I represent this in the Advanced Resource Assign expression in the Visual Policy Editor? Please, this is quite urgent.
2.2K Views, 2 likes, 9 Comments

Integration F5 APM with Azure (User bookmark issue)
When a customer hits a URI path abc/bcd, it redirects the user to the Azure login page. If the customer bookmarks that URL and tries to access it later, he would be prompted with the Azure login prompt, and once he authenticates he gets redirected to /my.policy and gets denied. Is there a solution for this where the customer should be redirected to the login URI path he saved or to the homepage so that he can initiate the actual F5 APM session?
251 Views, 2 likes, 0 Comments

Modify Azure Active Directory application credentials after ARM template deployment
Hello to you all, I deployed an F5 BIG-IP VE Active/Standby Cluster from the GitHub repository: https://github.com/F5Networks/f5-azure-arm-templates/tree/v5.4.0.0/supported/failover/same-net/via-api/n-nic/existing-stack I have trouble with my HA configuration and I think it comes from the Azure Active Directory application (that does not call the Azure API properly to reassign all VS IPs from the old to the new Active node). Please find a comment below from Peter Silva on DevCentral: "The next 3 fields (Tenant ID, Client ID, Service Principal Secret) have to do with security. Rather than using your own credentials to modify resources in Azure, you can create an Active Directory application and assign permissions to it." I was wondering if there is a way to change the required "Tenant ID, Client ID, Service Principal Secret" fields after ARM template deployment, from WebUI management or the TMOS shell instance. I found nothing about it online. Thank you in advance for your help, Jordan
221 Views, 2 likes, 0 Comments

ASM and OPSWAT Metadefender Blank Page after file upload
Hi, I am trying to integrate F5 ASM WAF with OPSWAT Metadefender, but when I try to upload an EICAR file the browser just shows a blank white page. I am using a default security policy in blocking mode and have configured the settings according to the F5 BIG IP ASM (WAF) OPSWAT guide. I have configured the ICAP server under Security>Options>Application Security>Integrated Services>Anti-Virus Protection. I have configured the antivirus block settings under Security>Application Security>Policy Building>Learning and Blocking Settings>Advanced Configuration. I have antivirus scanning for HTTP file uploads and SOAP attachments Security>Application Security>Integrated Services>Anti-Virus Protection. When I try to upload the test file I get a blank browser, and if I check the source code in the browser I see the following:
window["bobcmn"] = "101110101010102000000022ffffffff2ffffffff20000000220156c0ea200000000200000000200000000300000044multipart%2fform%2ddata%3b%20boundary%3d%2d%2d%2d%2dWebKitFormBounda300000000300000000300000000300000000300000007httpsc3000000b008a59e5661ab20000adb568196d38950bf7928e988d64266cafbda4956605335d523cb0c44e211db089aede8158b2800a5d271c7e2a6f9d94d8c4ad7cd49022d5f72b236f5ca5943b07c111a9484727f3b29e542d2d2302b300000002TS300000165%2d%2d%2d%2d%2d%2dWebKitFormBoundaryxbm3Qt79jKjmxoOz Content%2dDisposition%3a%20form%2ddata%3b%20name%3d%22filename%22%3b%20filename%3d%22eicar.com%22 Content%2dType%3a%20application%2foctet%2dstream X5O!P%25@AP[4%5cPZX54(P%5e)7CC)7}%24EICAR%2dSTANDARD%2dANTIVIRUS%2dTEST%2dFILE!%24H%2bH%2a %2d%2d%2d%2d%2d%2dWebKitFormBoundaryxbm3Qt79jKjmxoOz%2d%2d 200000000"; "</script> </APM_DO_NOT_TOUCH> <script type="text/javascript" src="/TSbd/08a59e5661ab2000a21cb91986bc897b6b354965ec350caba4c8ca55a7b089798844a4727e8dc553?type=5"></script><noscript>Please enable JavaScript to view the page content.<br/>Your support ID is:8648386876400468880.</noscript> </head><body> </body></html>"
Is there something in the ASM policy that needs to be changed?
1.4K Views, 1 like, 11 Comments

adding 2 new servers from cloud
Hi, Need help in getting this done. Current LB URL points to 4 VMs on-premise. The ask is to remove 2 servers from on-premise and add 2 new VMs from Azure. We will end up with 4 servers in the Load balance: 2 on-premise, 2 in Azure. How can this be achieved? Thanks
376 Views, 1 like, 2 Comments

APM integration with AZURE two open-id endpoints
We are using Azure as our AD. We have configured the OpenID URL (https://login-test.abc.com/ae9bc4d111-2ef0-4c44-b82a-85c8645b04c7/v2.0/.well-known/openid-configuration?p=B2C_1A_YA_signup_signin) for sign in and signup as a provider for calls going out to Azure to get the customer authenticated, and that part works as expected. There is another scenario if the customer forgets the password and attempts to change the password. The call will directly go to Azure, where the APM policy is not invoked. After the customer changes the password he is prompted to go back to accountsummary. When the customer hits the go to account summary link he will get redirected back to F5 APM and we are getting the below error message:
error: HTTP error 400, Error: invalid_grant: AADB2C90088: The provided grant has not been issued for this endpoint. Actual Value : B2C_1A_YA_signup_signin and Expected Value : B2C_1A_YA_ForgotPassword Correlation ID: 08292914-d9c6-4382-a6cf-565739167457 Timestamp: 2020-04-13 20:05:22Z .
One thing I observed is that the open_id endpoint for forgot password from Azure is https://login-test.abc/ae9bc4d111-2ef0-4c44-b82a-85c8645b04c7/v2.0/.well-known/openid-configuration?p=B2C_1A_YA_forgotpassword. When the call from Azure is coming back to F5 APM for forgotpassword, APM is validating the open id endpoint and throwing an Oauthclient mismatch. Is there any way we can intercept the call coming back from Azure to redirect the customer to accountsummary without invoking the APM policy? This is the call which is coming back from Azure to F5 (and the call from Azure to F5 is this URL https://www-abc.com/oauth/client/redirect?state=5_mj2GiWfTfk2cJFDftVNdg&p=forgotpassword). Is there a way we can do it via iRule? I have written an iRule but it did not work as expected.

    when ACCESS_SESSION_STARTED {
        set forgotpassword [ACCESS::session data get "session.server.landinguri"]
        set id [ACCESS::perflow get perflow.irule_agent_id]
        log local0. "error message is $forgotpassword"
        if { $forgotpassword contains "/oauth/client/redirect" && [HTTP::query] eq "p=forgotpassword" } {
            HTTP::cookie remove "MRHSession"
            ACCESS::session remove
            HTTP::redirect "https://www-dev.we-energies.com/accountsummary/"
            log local0. "redirected to accountsummary"
        } else {
            log local1. "do nothing"
        }
    }

Experts, please help me in resolving this issue.
494 Views, 1 like, 0 Comments

F5 load Balancer With Azure App services Plan
Dear, I have 3 different app services plans in Azure. I would like to use Load Balancer as the front end of our app services. 3 app services will be the pool for Load balance.
1. Is it possible? How can I configure it?
2. App services Plan did not come with a Private IP. How does it work in F5 load Balancer?
Best regards
282 Views, 1 like, 0 Comments