Deploying F5 WAF in front of Azure Web App Services
Does anyone know of a supported architecture for deploying an Azure F5 WAF in front of Azure Web App Services to handle the SSL and ASM services against traffic destined for an Azure Web App Service (App Service not just an app server running in Azure).
BigIP APM Oauth - set to 'Failed to perform curl: Failure when receiving data from the peer'
We've been dealing with a issue when an Oath token is sent to Azure for authentication using XXX.session.oauth.client.last.auth_redirect: login.windows.net/XXXXX/XXXX session.oauth.client.last.auth_resule 0 We are constantly seeing the error and causing out Oath Client to be denied. We are able to perform a "discover" in the Provider and able to "dig" to the Azure Enterprise.Our DNS Resolver is able to resolve DNS as per guide. Has anybody come across this and can point us in the right direction? The only way we can make is work is to change the APM policy to "fallback" Allow OAuthClientToAzureAD_act_oauth_client_ag: OAuth Client: failed for server '/DC-TEST/Azure_Oauth_Server' using 'authorization_code' grant type (client_id=XXXXXXXXXXXXXXXX), error: Failed to perform curl: Failure when receiving data from the peer Session variable 'session.oauth.client./DC-TEST/OAuthClientToAzureAD_act_oauth_client_ag.authresult' set to '0' Session variable 'session.oauth.client./DC-TEST/OAuthClientToAzureAD_act_oauth_client_ag.errMsg' set to 'Failed to perform curl: Failure when receiving data from the peer Session variable 'session.oauth.client.last.authresult' set to '0' OAuthClientToAzureAD_act_oauth_client_ag: OAuth: Request parameter 'client_secret=********'OAuthClientToAzureAD_act_oauth_client_ag: OAuth: Request parameter 'grant_type=authorization_code' OAuthClientToAzureAD_act_oauth_client_ag: OAuth: Request parameter 'redirect_uri=https://our.test.website.com/oauth/client/redirect OAuthClientToAzureAD_act_oauth_client_ag: OAuth: Request parameter 'code=********' OAuthClientToAzureAD_act_oauth_client_ag: OAuth Client: failed for server '/DC-TEST/Azure_Oauth_Server' using 'authorization_code' grant type (client_id=XXXXXXXXXXXXXXX), error: Failed to perform curl: Failure when receiving data from the peer If we change the Access Policy "fallback" to "Allow" the user is then allowed to reach the backend application but would have otherwise been denied. It seem during the Oauth Client process the token request is rejected Previously we were seeing the error below which we resolved by making sure the DNS resolver could resolve DNS correctly. OAuthClientToAzureAD_act_oauth_client_ag: OAuth Client: failed for server '/DC-TEST/AzureAD_Server' using 'authorization_code' grant type (client_id=d7b3f856-6053-462b-a8f3-c2820e2a4c6c), error: HTTP error 503, DNS lookup failed
SAML F5 as SP initiated with Azure MFA Integration
Hi Experts, I am deploying F5 as SP with Azure MFA, during the deployment we encountered this behavior below(which is expected): User access F5 VPN, F5 authenticates users thru local AD Users will redirect to Azure MFA for a second verification Users will key in their Azure account and Azure will send SMS OTP Once verified, users can access applications behind F5 APM The issue we encountered is when the user login for the 2nd time, there was no challenge/authentication presented to the users, we guess it's because of the SSO or cookie session on the Azure. User access F5 VPN, F5 authenticates users thru local AD Users will redirect to Azure MFA (no verification/authentication) Users can access F5 APM After we noticed the behavior above, we used the force authentication option in the F5 SAML configuration (which seems to be the answer): However, we want to minimize the user effort because every time they are redirected to Azure MFA they need to key in their Azure credentials (username & pass). My question is, is there a way to pass the credentials from the F5 logon page to the Azure MFA login portal thru SAML.
Manual creation of F5 VE HA in MS Azure
Hi, Appreciate any help with my current issue. We are going to migrate the customer's current PAYG to BYOL. Their setup is one standalone for testing and HA pair for production. I knew creating F5 HA pair in Azure is easy using publicly available templates (e.g., Github), but I don't think using the template will work for us. We need to migrate the PAYG instance to BYOL (meaning utilizing the same interfaces, IP addresses, and configuration) with minimum downtime, so I thought pairing the BYOL instance to the existing PAYG instance would do the job. Question: 1. Is it possible to manually create HA pair in Azure without using the template? If this is possible, do we have guides on how to proceed with the configuration? 2. Is it possible to HA pair one PAYG instance and a BYOL instance since PAYG and BYOL are just licensing methods? I need advice and guidance on this setup. Thank you in advance for your responses.Repo for Azure VMSS deployment
Hello, For a deployment of an autoscaling (F5 Advanced WAF) model in Azure, I'm searching an ARM template which will fit some requirements. Which existing ARM template can be used in order to create a custom one with the below characteristics: Advanced WAF module Autoscale (VMSS 2 min & 3 max) Existing network 2-NIC version 15 BYOL Internal LB (front of the VMSS - unlike external LB) without public IP (F5 NICs) One more questions regarding existing templates: The 'appContainerName' parameter is set to "f5devcentral/f5-demo-app:latest": ==> is there an impact for rolling update capabilities on the VMSS, when wanted to push a new image? Thanks in advance Regards Fatih
sFlow doesn't export flowSampleType http
Greetings, I have F5 BIG-IP LTM version 14.0.1 (Build 0.0.14). What I'm trying to do is to export my SLB VIP related statistics. It's referenced here in "sFlow HTTP Request sampling data types" paragraph. I configure basic sFlow collector settings in F5 GUI, run sflowtool and receive COUNTERSAMPLEs and FLOWSAMPLEs, but not with type of http. On HTTP Profile that is assigned to my SLB VIPs I have the following settings: ltm profile http http-x-forward { accept-xff disabled app-service none basic-auth-realm none defaults-from http encrypt-cookies none enforcement { known-methods { CONNECT DELETE GET HEAD LOCK OPTIONS POST PROPFIND PUT TRACE UNLOCK } max-header-count 64 max-header-size 32768 max-requests 0 pipeline allow truncated-redirects disabled unknown-method allow } fallback-host none fallback-status-codes none header-erase none header-insert none hsts { include-subdomains enabled maximum-age 16070400 mode enabled preload disabled } insert-xforwarded-for enabled lws-separator none lws-width 80 oneconnect-transformations enabled proxy-type reverse redirect-rewrite none request-chunking preserve response-chunking selective response-headers-permitted none server-agent-name BigIP sflow { poll-interval 0 poll-interval-global yes sampling-rate 0 sampling-rate-global yes } via-request preserve via-response preserve xff-alternative-names none } I need to gather HTTP related statistics from my TLS-enabled VIPs, but I don't receive proper sFlow samples from F5. What could be the problem? Thank you. DimaAPM Access Guided Configuration with VIP in different partion
I am trying to use the Guided Configuration to create SAML Service Provider. However ths is can only be run from the Common partition whereas the VIP required has to be on a different parition for security reasons. I have tried to configure this manually but running in to problems and all online guides point to the guided configuration. Is there a way around this partition restriction while using the guided configuration? I am trying to deploy Big IP APM to perform SAML authentication through Azure. We have the Metadata file but would like to use the Guided configuration to complete the deploy.
APM: Office365 Skype for Business On-Premise Authentication
I've spent a few days working on an Office 365 lab hybrid deployment and have been unable to get Skype for business to authenticate or work properly. Is this supported? In my configuration I am attempting to use the F5 as the IDP. Azure AD connect is syncing properly and is not syncing password hashes to Azure. According to this document, Rich client application such as Lync or authenticating an Office subscription are not supported: Azure AD federation compatibility list However I am able to authenticate other thick-clients like Word, Excel, Outlook, etc without issue. A window with the APM login screen is displayed when authenticating--I would expect similar behavior for the Skype client. This makes me believe maybe this document is incorrect? I have gathered SSLdumps and see the authentication request reach the VIP: 1 10 1472838567.6975 (0.0018) C>SV3.3(448) application_data --------------------------------------------------------------- POST /saml/idp/profile/ecp/sso HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; WOW64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; MSOIDCR L 7.250.4556.0; App lync.exe, 16.0.7167.2040, {12B07E85-1B47-41C4-A4E2-43XXXXXXXXXX}) Content-Length: 1583 Host: idp.xxxxx.xxx --------------------------------------------------------------- 1 11 1472838567.6975 (0.0000) C>SV3.3(1632) application_data --------------------------------------------------------------- http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issuehttps://idp.xxxxx.xxxx:443/saml/idp/profile/ecp /sso1472838xxx xxxx@xxxx.xxxxxxxxxxxxxx 2016-09-02T17:52:11Z2016-09-02T17:57:11Z http://schemas.xmlsoap.org/ws/2005/02/trust/ Issueurn:federation:MicrosoftOnline http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey --------------------------------- ------------------------------ 1 12 1472838567.7042 (0.0067) S>CV3.3(336) application_data --------------------------------------------------------------- HTTP/1.0 302 Found Server: BigIP Connection: Close Content-Length: 0 Location: /my.policy Set-Cookie: LastMRH_Session=9c7be893;path=/;secure Set-Cookie: MRHSession=xxxxxxxxxxxxxxxxxxxxxxxxxxx;path=/;secure Set-Cookie: MRHSHint=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/ --------------------------------------------------------------- 1 1472838567.7042 (0.0000) S>C TCP FIN 1 13 1472838567.7046 (0.0003) C>SV3.3(48) Alert I would expect that the APM should be responding to the request rather than closing the connection as seen above. To me the soap envelope looks OK, or maybe I'm missing something simple? I'm running 12.1.1, and have also tried 11.6.1. I have no on-premise Skype/Lync environment and have validated that all DNS entries for Skype are correct. Microsoft's Connectivity Analyzer succeeds on all tests. The Skype client produces a generic failure on login: "Cannot sign in because the server is temporarily unavailable". Any guidance would be appreciated, thanks!
Setup site-to-site IPsec tunnel for single BigIP partition
I am trying to setup a VPN between our on-premise environment and Microsoft Azure. The information is pretty straightforward and it should be quite easy. The only odd thing is that our external VIP is only available within a partition in the BigIP configuration and does not reside in /Common unlike all the examples. Whenever I create a single IPsec IKE Peer under the administrative partition and set the remote address (leaving any other configuration untouched), the racoon service restarts. I find the following errors in the racoon log file: 2017-06-21 10:57:54: INFO: Reading configuration from "/etc/racoon/racoon.conf" 2017-06-21 10:57:54: ERROR: getaddrinfo(13.94.240.25%100,500): Name or service not known 2017-06-21 10:57:54: ERROR: fatal parse failure. 2017-06-21 10:57:54: ERROR: failed to parse configuration file. 2017-06-21 10:57:56: INFO: Reading configuration from "/etc/racoon/racoon.conf" 2017-06-21 10:57:56: ERROR: getaddrinfo(13.94.240.25%100,500): Name or service not known 2017-06-21 10:57:56: ERROR: fatal parse failure. 2017-06-21 10:57:56: ERROR: failed to parse configuration file. 2017-06-21 10:58:08: INFO: Reading configuration from "/etc/racoon/racoon.conf" 2017-06-21 10:58:08: ERROR: getaddrinfo(13.94.240.25%100,500): Name or service not known 2017-06-21 10:58:08: ERROR: fatal parse failure. 2017-06-21 10:58:08: ERROR: failed to parse configuration file. 2017-06-21 10:58:10: INFO: Reading configuration from "/etc/racoon/racoon.conf" 2017-06-21 10:58:10: ERROR: getaddrinfo(13.94.240.25%100,500): Name or service not known 2017-06-21 10:58:10: ERROR: fatal parse failure. 2017-06-21 10:58:10: ERROR: failed to parse configuration file. The same thing happens if I create an IPsec Traffic Selector with our internal network: 2017-06-21 10:58:19: INFO: Reading configuration from "/etc/racoon/racoon.conf" 2017-06-21 10:58:19: ERROR: getaddrinfo(10.0.0.0%100,0): Name or service not known 2017-06-21 10:58:19: ERROR: fatal parse failure. 2017-06-21 10:58:19: ERROR: failed to parse configuration file. 2017-06-21 10:58:21: INFO: Reading configuration from "/etc/racoon/racoon.conf" 2017-06-21 10:58:21: ERROR: getaddrinfo(10.0.0.0%100,0): Name or service not known 2017-06-21 10:58:21: ERROR: fatal parse failure. 2017-06-21 10:58:21: ERROR: failed to parse configuration file. 100 is in this case the partition default route domain, but it seems it is not accepted? Am I missing something or is it simply not possible to create an IPsec tunnel from any other partition but the default one; /Common? Version: BIG-IP 11.5.4 Build 4.0.313 Hotfix HF4
