Azure Virtual Machine Scale Set (VMSS) with F5 LTM
Hi So basically we have F5 in azure and worked perfect with pools that have only one pool member. And now we are about to enable azure scale set (auto scaling) of virtual machines (IIS servers) , and these VMs in the VMSS needed to be added / removed automatically to / from the F5 LTM pool. How could I solve this issue? What I am basically asking, is how can I fully automate adding / removing pool members according to VMSS ? Is there a script to be installed in F5 that does this automatically? ThanksEdge Client OAuth with Azure
Hello All, I tried OAuth feature on Edge Client with Azure as IDP. It works, I receive the Access Token and connect successfully. The problem is that Policy does not parse the JWT token and just stores it as secure variable. So I have no information about the user. I can parse it with an irule, but I expected to be parsed automatically, lilke when you use an OAuth Client in VPE. Am I missing something?
Deploying F5 WAF in front of Azure Web App Services
Does anyone know of a supported architecture for deploying an Azure F5 WAF in front of Azure Web App Services to handle the SSL and ASM services against traffic destined for an Azure Web App Service (App Service not just an app server running in Azure).BigIP APM Oauth - set to 'Failed to perform curl: Failure when receiving data from the peer'
We've been dealing with a issue when an Oath token is sent to Azure for authentication using XXX.session.oauth.client.last.auth_redirect: login.windows.net/XXXXX/XXXX session.oauth.client.last.auth_resule 0 We are constantly seeing the error and causing out Oath Client to be denied. We are able to perform a "discover" in the Provider and able to "dig" to the Azure Enterprise. Our DNS Resolver is able to resolve DNS as per guide. Has anybody come across this and can point us in the right direction? The only way we can make is work is to change the APM policy to "fallback" Allow OAuthClientToAzureAD_act_oauth_client_ag: OAuth Client: failed for server '/DC-TEST/Azure_Oauth_Server' using 'authorization_code' grant type (client_id=XXXXXXXXXXXXXXXX), error: Failed to perform curl: Failure when receiving data from the peer Session variable 'session.oauth.client./DC-TEST/OAuthClientToAzureAD_act_oauth_client_ag.authresult' set to '0' Session variable 'session.oauth.client./DC-TEST/OAuthClientToAzureAD_act_oauth_client_ag.errMsg' set to 'Failed to perform curl: Failure when receiving data from the peer Session variable 'session.oauth.client.last.authresult' set to '0' OAuthClientToAzureAD_act_oauth_client_ag: OAuth: Request parameter 'client_secret=********'OAuthClientToAzureAD_act_oauth_client_ag: OAuth: Request parameter 'grant_type=authorization_code' OAuthClientToAzureAD_act_oauth_client_ag: OAuth: Request parameter 'redirect_uri=https://our.test.website.com/oauth/client/redirect OAuthClientToAzureAD_act_oauth_client_ag: OAuth: Request parameter 'code=********' OAuthClientToAzureAD_act_oauth_client_ag: OAuth Client: failed for server '/DC-TEST/Azure_Oauth_Server' using 'authorization_code' grant type (client_id=XXXXXXXXXXXXXXX), error: Failed to perform curl: Failure when receiving data from the peer If we change the Access Policy "fallback" to "Allow" the user is then allowed to reach the backend application but would have otherwise been denied. It seem during the Oauth Client process the token request is rejected Previously we were seeing the error below which we resolved by making sure the DNS resolver could resolve DNS correctly. OAuthClientToAzureAD_act_oauth_client_ag: OAuth Client: failed for server '/DC-TEST/AzureAD_Server' using 'authorization_code' grant type (client_id=d7b3f856-6053-462b-a8f3-c2820e2a4c6c), error: HTTP error 503, DNS lookup failed
SAML F5 as SP initiated with Azure MFA Integration
Hi Experts, I am deploying F5 as SP with Azure MFA, during the deployment we encountered this behavior below(which is expected): User access F5 VPN, F5 authenticates users thru local AD Users will redirect to Azure MFA for a second verification Users will key in their Azure account and Azure will send SMS OTP Once verified, users can access applications behind F5 APM The issue we encountered is when the user login for the 2nd time, there was no challenge/authentication presented to the users, we guess it's because of the SSO or cookie session on the Azure. User access F5 VPN, F5 authenticates users thru local AD Users will redirect to Azure MFA (no verification/authentication) Users can access F5 APM After we noticed the behavior above, we used the force authentication option in the F5 SAML configuration (which seems to be the answer): However, we want to minimize the user effort because every time they are redirected to Azure MFA they need to key in their Azure credentials (username & pass). My question is, is there a way to pass the credentials from the F5 logon page to the Azure MFA login portal thru SAML.
Manual creation of F5 VE HA in MS Azure
Hi, Appreciate any help with my current issue. We are going to migrate the customer's current PAYG to BYOL. Their setup is one standalone for testing and HA pair for production. I knew creating F5 HA pair in Azure is easy using publicly available templates (e.g., Github), but I don't think using the template will work for us. We need to migrate the PAYG instance to BYOL (meaning utilizing the same interfaces, IP addresses, and configuration) with minimum downtime, so I thought pairing the BYOL instance to the existing PAYG instance would do the job. Question: 1. Is it possible to manually create HA pair in Azure without using the template? If this is possible, do we have guides on how to proceed with the configuration? 2. Is it possible to HA pair one PAYG instance and a BYOL instance since PAYG and BYOL are just licensing methods? I need advice and guidance on this setup. Thank you in advance for your responses.Repo for Azure VMSS deployment
Hello, For a deployment of an autoscaling (F5 Advanced WAF) model in Azure, I'm searching an ARM template which will fit some requirements. Which existing ARM template can be used in order to create a custom one with the below characteristics: Advanced WAF module Autoscale (VMSS 2 min & 3 max) Existing network 2-NIC version 15 BYOL Internal LB (front of the VMSS - unlike external LB) without public IP (F5 NICs) One more questions regarding existing templates: The 'appContainerName' parameter is set to "f5devcentral/f5-demo-app:latest": ==> is there an impact for rolling update capabilities on the VMSS, when wanted to push a new image? Thanks in advance Regards Fatih
sFlow doesn't export flowSampleType http
Greetings, I have F5 BIG-IP LTM version 14.0.1 (Build 0.0.14). What I'm trying to do is to export my SLB VIP related statistics. It's referenced here in "sFlow HTTP Request sampling data types" paragraph. I configure basic sFlow collector settings in F5 GUI, run sflowtool and receive COUNTERSAMPLEs and FLOWSAMPLEs, but not with type of http. On HTTP Profile that is assigned to my SLB VIPs I have the following settings: ltm profile http http-x-forward { accept-xff disabled app-service none basic-auth-realm none defaults-from http encrypt-cookies none enforcement { known-methods { CONNECT DELETE GET HEAD LOCK OPTIONS POST PROPFIND PUT TRACE UNLOCK } max-header-count 64 max-header-size 32768 max-requests 0 pipeline allow truncated-redirects disabled unknown-method allow } fallback-host none fallback-status-codes none header-erase none header-insert none hsts { include-subdomains enabled maximum-age 16070400 mode enabled preload disabled } insert-xforwarded-for enabled lws-separator none lws-width 80 oneconnect-transformations enabled proxy-type reverse redirect-rewrite none request-chunking preserve response-chunking selective response-headers-permitted none server-agent-name BigIP sflow { poll-interval 0 poll-interval-global yes sampling-rate 0 sampling-rate-global yes } via-request preserve via-response preserve xff-alternative-names none } I need to gather HTTP related statistics from my TLS-enabled VIPs, but I don't receive proper sFlow samples from F5. What could be the problem? Thank you. DimaAPM Access Guided Configuration with VIP in different partion
I am trying to use the Guided Configuration to create SAML Service Provider. However ths is can only be run from the Common partition whereas the VIP required has to be on a different parition for security reasons. I have tried to configure this manually but running in to problems and all online guides point to the guided configuration. Is there a way around this partition restriction while using the guided configuration? I am trying to deploy Big IP APM to perform SAML authentication through Azure. We have the Metadata file but would like to use the Guided configuration to complete the deploy.
