BIG-IP Access Policy Manager (APM)
URL rewrite through iRule
Hi Guys, I have one "Performance (HTTP)" virtual server on an F5-1600 series, and I want to change the URL "http://www.abc.com" to "http://partner.abc.com/xyz". I have tried all the scripts below:

1.

    when HTTP_REQUEST {
        if { ([string tolower [HTTP::host]] equals "http://www.abc.com") } {
            HTTP::header replace Host "http://partner.abc.com/xyz"
        }
    }

2.

    when HTTP_REQUEST {
        if { not ([HTTP::uri] starts_with "/xyz") } {
            HTTP::uri /xyz[HTTP::uri]
        }
    }

3.

    when HTTP_REQUEST {
        if { [HTTP::uri] equals {http://www.abc.com} } {
            HTTP::uri {http://partner.abc.com/xyz}
        }
    }

but I wasn't successful! Can anyone help me with how I can do this through an iRule?

Big-IP Edge Client / Windows 10 1809 - No internet connection with connected VPN
Hi everybody, I've updated my computer to Windows 10 Build 1809: After a successful connection with the Big-IP Edge Client VPN the internet connection is broken. Ping to Google DNS servers with connected VPN: We have configured Network Access with "split tunneling". The very same VPN worked perfectly with the previous build of Windows 10 (1803). Version of VPN client: 7160,2018,417,2013. Has anyone run into the same problem? Thank you, John

F5 APM (failed to initialize local tunnel server)
Hi, I'm hoping someone can help with a couple of questions I have before I turn to support. I've newly deployed an F5 APM and am having a couple of issues:

1). I have a couple of users who get the error "failed to initialize local tunnel server" after successfully logging in using IE or Firefox and trying to launch an RDP resource. Other users on the same OS are fine. I have tried reinstalling all F5 components without success. It seems the tunnelserver.exe process doesn't get launched for some reason. Any ideas on what I can look for?

2). When a user first connects and launches a full Network Access connection (full VPN), a Windows dialler profile gets built and populated and can be seen in the Internet Options on a Windows machine. Once it's built the OS tries to connect through this dialler and it causes some local connection issues until you set/configure the option "Never Use Dialler". Is there any way to stop this behaviour or to turn it off? I gather the dialler that is built is necessary.

Thanks, RK

What is the difference between BIG-IP APM and BIG-IP LTM?
As I'm preparing for the F5 101 exam, I have read about BIG-IP APM and LTM. I find it hard to see the difference between them. I found a table of features: https://support.f5.com/csp/article/K66031634 , but it doesn't explain too much. I've also been reading https://www.f5.com/pdf/products/big-ip-local-traffic-manager-ds.pdf . Is there any distinction at the 101 level, or do you need to be a little bit more advanced to understand these differences?

Radius Authentication with Microsoft NPS and Azure MFA not working
We have configured F5 with Microsoft NPS to leverage Microsoft Azure AD MFA. F5 is sending a RADIUS authentication request to the Microsoft NPS server. However, the NPS server errors. It looks like the NPS server with the Azure MFA extension is expecting a UPN value (john.smith@mydomain.com) but the RADIUS attribute User-Name is sending the sAMAccount (or session.logon.last.username). Microsoft Azure AD MFA is expecting the UPN. I don't want to use the SAML-based configuration.

Q: How do we extract / search for the UPN value and assign it to the RADIUS attribute User-Name? I believe the UPN value can be extracted with an LDAP query, but how do we send the UPN value in the RADIUS authentication request? Any suggestions or advice?

NPS server error:

    Log Name: AuthZOptCh
    Source: Microsoft-AzureMfa-AuthZ
    Date: 4/15/2021 5:06:35 PM
    Event ID: 1
    Task Category: None
    Level: Information
    Keywords:
    User: NETWORK SERVICE
    Computer: 123server.mydomain.com
    Description: NPS Extension for Azure MFA: CID: f6d91669-8579-4da0-8968-dfa4ea5ef928 : Request Discard for user Smith, John with Azure MFA response: InvalidParameter and message: UserPrincipalName must be in a valid format.,,,23090ad2-da92-4800-ae4c-8b59182f5fb7

The F5 RADIUS tcpdump shows the following RADIUS authentication request with the sAMAccount (or session.logon.last.username) in the User-Name attribute:

    RADIUS Protocol
        Code: Access-Request (1)
        Packet identifier: 0xab (171)
        Length: 74
        Authenticator: abd00d0218bc6541842a401dcfb64d52
        Attribute Value Pairs
            AVP: l=10 t=User-Name(1): johnsmith01
                User-Name: johnsmith01
            AVP: l=18 t=User-Password(2): Decrypted: Ajitkaur02@
                User-Password: xxxxxxxxx
            AVP: l=6 t=Service-Type(6): Authenticate-Only(8)
                Service-Type: Authenticate-Only (8)
            AVP: l=14 t=Tunnel-Client-Endpoint(66): 65.60.150.62
                Tunnel-Client-Endpoint: 65.60.150.62
            AVP: l=6 t=NAS-Port(5): 0
                NAS-Port: 0

Why does the page /my.policy redirect users to /vdesk/hangup.php3?
Hello all, I have a problem with the APM. I have an application published and sometimes the users are unable to see the login page; instead they get the logout page. This is very strange because it doesn't happen all the time, only sometimes, so to me this seems like a cookie problem or something like that. I've been using the Fiddler tool and I've seen that sometimes when the my.policy URL is called the F5 closes the connection and redirects the user to /vdesk/hangup.php3; also in the same GET I see the session cookies and they seem to be ok. There are no iRules that redirect the request to /vdesk/hangup.php3 and I've not modified the logon page code. Do you know why this could be happening?

APM - How to create a keytab file with multiple SPNs
Hi, I have run into a problem using Kerberos authentication when using CNAMEs in DNS. You can search the web, but basically if you use a CNAME record like "www CNAME www1" and then A records "www1 A 10.10.10.1" and "www2 A 10.10.20.1", when IE or .NET needs to authenticate it forms the request to "www1" (or "www2") and not "www". Now, you can add the additional SPNs on the Domain Controllers using the MS tool "setspn" with the "-A" switch, no problem, against the same service account. The instructions for creating the keytab file only cover the use of the MS tool "ktpass". This tool can only create a keytab file with a single SPN, and when you use this with APM it will only work for "www" and break for anything else. I'm unfamiliar with the Kerberos utilities on BIG-IP but I have seen that there are several (kadmin, kinit, ktutil). Can anyone give me a working example of how I can create a keytab file using these tools for all 3 SPNs which will work with MS AD? Thanks.

Kerberos Delegation and NTLM auth Exchange 2013
This is related to a previous post about the Exchange iApp. Everything is working for both internal and internal connections except from Outlook Anywhere clients attempting to connect to the external VS and auth via RPC over HTTP. I enabled all debug logs for APM and ECA since that seemed to be where the failure was occurring. I noticed the following and cannot make much sense of it. Any help would be appreciated. Below is the log file comparison between a successful auth through the internal iApp vs the failed auth through the external iApp. This is just a snippet of the full log. Everything before these lines in the log is the same for both internal and external connections. It seems to fail when the BigIP tries to make a call to itself to process the logon request; has anyone ever seen this before?

Internal success:

    Aug 12 13:22:12 JHHCF5 debug eca[7237]: 0162000c:7: [Common] 10.1.12.9:46380 (0x09a8b9c8) Server challenge: 24296533D8C59FB4
    Aug 12 13:22:12 JHHCF5 debug nlad[8603]: 01620000:7: <0x559058f0> clntsvc: processing 'logon' request on connection[18] from 127.0.0.1:43935
    Aug 12 13:22:12 JHHCF5 debug nlad[8603]: 01620000:7: <0x559058f0> client[5]: is ready
    Aug 12 13:22:12 JHHCF5 debug nlad[8603]: 01620000:7: <0x5624cb90> NLAD_TRACE: nlclnt[53403010a / 01] sending logon = 0xC00000E5
    Aug 12 13:22:12 JHHCF5 debug nlad[8603]: 01620000:7: <0x5624cb90> nlclnt[53403010a] logon: entering user GRicketts domain JHHC wksta JHHC04619LT

Failed auth:

    Aug 12 12:51:10 JHHCF5 debug nlad[8603]: 01620000:7: <0x559058f0> clntsvc: processing 'logon' request on connection[38] from 127.0.0.1:44495
    Aug 12 12:51:10 JHHCF5 warning nlad[8603]: 01620000:4: <0x559058f0> clntsvc: no client for id 6 to service request from connection[38] from 127.0.0.1:44495
    Aug 12 12:51:10 JHHCF5 debug nlad[8603]: 01620000:7: <0x559058f0> nla_rq: response with status [0xc00000ab,NT_STATUS_INSTANCE_NOT_AVAILABLE] for type 'logon' client 6 context 0x5ab82b90 24 bytes to connection[38] from 127.0.0.1:44495: took 0 milli-seconds
    Aug 12 12:51:10 JHHCF5 debug eca[7237]: 0162000c:7: [Common] 12.181.141.210:45214 (0x5bf14c28) nla_agent::logon, rc = STATUS_NO_LOGON_SERVERS (3221225566)

Horizon Client authentication failure
I am running BIG-IP version 12.1.0 with APM and Horizon View 7.0.1. I am currently attempting setup with the f5.vmware_view.v1.5.1 iApp template. The feature we really want to implement is smartcard authentication with SAML 2.0 through the Horizon Client. Both the View server and the F5 have been configured according to the companion guide for the iApp. The Horizon Client will prompt for a PIN and then after a second or two display "Authentication Failure." APM logs consistently show the access policy failing at the cert inspection step. No SAML traffic appears to take place. If I attempt the same exact connection through a regular web browser via HTML5, I can authenticate to the webtop, where the authentication fails to the back end (the documentation says that's what should happen and that manual login has to occur from the webtop). The main thing is the APM log looks great: SAML authentication is seen for the browser connection, and the cert inspection from the same smartcard passes where it fails on connections from the Horizon Client. I could really use some guidance on this.