BIG-IP Access Policy Manager (APM)
Is it possible to connect to VPN from a Windows client command line without user interaction?
I am trying to get our F5 11.4 APM set up to work with remote Windows clients that need to connect and then disconnect from the VPN without any user interaction. To briefly summarize, this is for a remote password self-service application, so I need the client machines to be able to do remote command line access using "f5fpc -start /c "C:\Program Files\F5 VPN\client.f5c /t /q" so the users don't get any prompts or pop-ups. The client.f5c file has to provide the username, password and server to connect to; then the password self-service app does its thing, and finally it issues the command "f5fpc -stop" at the end to close the VPN session out. This needs to be done in the background, as it is using straight username and password authentication and we don't want the users to see that. I keep getting authentication failures, and when I check the client.f5c, I see that it has not saved my password. I went back and checked my F5 settings, and sure enough the "save password on exit" setting is set to false. Even if I edit the file and save it, it just ignores the password I put in there and removes it afterwards. I guess I would need to set the connectivity profile to allow password caching and save it to disk, but can I make that change, download the package with those options, and then change it back, as we generally don't want the passwords to be cached? How would I need to configure the access policy for this to work? I tried with and without a logon page, but I don't seem to be getting a username and/or password passed through from the client; none of the session variables show the values from the Edge Client config file. Is there a way to do this without a logon page so it is completely transparent and silent to the users?
Require host header
Hi, is there a setting/iRule that makes it so that the Host header is required for clients to be able to connect to the server? For example, if the user enters https://www.test.com they will be able to connect, but if the user enters https://10.10.10.10 they should be rejected. Best regards, Daniel
Is there an APM SAML error legend or documentation?
We are using APM and have our F5s set up as SAML SPs for a number of sites. In the past we bypassed the access policy if the users were sourcing their request from within our IP space (trusted source); however, we just recently changed this, so now no matter what, users are redirected to the IdP and then back into the resource. While this is working well for the vast majority, I'm getting little complaints here and there for users accessing a specific site. When I look into the error message, all it says is: "SAML assertion is invalid, error: Invalid Session, possible use of different host names to access SAML SP". It's strange because this appears to be working for thousands of users, but for the ten or so that it's not, they are all getting the same error. They are sourcing from different destinations and have no common denominator other than the error message that they are getting. I can't replicate the issue, so I was hoping that there was some sort of legend or document that would elaborate on the error message above so that I could try and identify what is causing this. Thanks.
How to add missing Content-Length header to an HTTP POST request?
I have tried to send an APM HTTP Auth POST request to an external authentication server which requires the Content-Length header. It seems that APM HTTP Auth does not calculate and add the Content-Length header when sending a custom POST. The POST content is small JSON data, but its size varies. HTTP Auth sends the POST to a layered VS which converts the request to HTTPS, so I can use iRules there. I tried to use HTTP::collect, then calculate the size from the collected HTTP::payload and do HTTP::release. However, it gets stuck. It would be nice to be able to do it at the layered VS. Alternatively, I am thinking of using an iRule agent event in the VPE to form the JSON POST data and calculate the size into session variables prior to the HTTP Auth box in the VPE, and using them in the HTTP Auth custom POST definition. Any advice?
APM integrate with Azure Intune
Hi, has anyone managed to get F5 APM to integrate with Azure Intune for MDM? https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-client-configuration-7-1-6/6.htmlguid-0bd12e12-8107-40ec-979d-c44779a8cc89 Refer to: Creating an Azure web application for Microsoft Intune on APM. Ben
Error after setting NTLM authentication in iApp
I am using the f5.microsoft_exchange_2010_2013_cas.v1.5.0 iApp template, primarily for Outlook Anywhere with Autodiscover, and after setting up the option for NTLM I get the following error after clicking Finished:
script did not successfully complete: (list element in quotes followed by "-account-name" instead of space while executing "string map $map_array($item) $access_form" (procedure "iapp_apm_config" line 68) invoked from within "iapp_apm_config apm_map" invoked from within "if { $new_apm } { set aaa_pool [subst $apm_aaa($new_aaa_pool)] set pre_proc_map " [expr { $is_exchange_2010 ? "ses..." line:2561)
Does anyone know how to resolve this error? Thanks,
APM with Entra ID as IdP / signed requests
Hi experts. I need your help to solve an issue. I'm configuring a new environment with BIG-IP version 15.1.8.2 Build 0.0.17 Point Release 2. I have the APM working fine with SSO using Entra ID (Azure AD) as IdP. Now I need to enable signed requests (Enforce signed SAML authentication requests - Microsoft Entra ID | Microsoft Learn). I generated the self-signed certificate and imported it on my app in Azure and on my BIG-IP. I changed my config in Access > Federation > SAML Identity Provider and assigned my self-signed certificate (private key included) to sign the request. But I've received the error below from Entra ID: Sign-in error code: 76021 Failure reason: The request sent by client is not signed while the application requires signed requests. All attempts were made by browser (SSL VPN). Thank you.
F5 APM - limiting access to the bandwidth for Network Access
I am looking for a way of restricting access to the available bandwidth for our SSL VPN users. I see within the 'Network Access' configuration (Network Settings) there is an option to set 'Client Interface Speed' in bits per second. I have attempted to find more information on this without much luck. The only references I can find are below: 'Specifies the maximum speed of the client interface connection, in bits per second.' 'Specifies the speed of the client interface connection, in bits per second.' Can anyone provide further insight into this particular setting? I want to confirm/understand: (1) if this is actually a bandwidth restriction or whether it is just an administrative setting (though the above suggests a restriction); (2) if it is a bandwidth restriction, does this perform traffic policing or shaping?; (3) is the setting per client connection, or for all connections using that particular 'Network Access'? Thanks
APM Import error: config version 15.1 is not compatible with BIGIP version 16.1
I would like to migrate all of our APM policies from our old F5 platform (v15.1) to a newer F5 platform (v16.1). I can migrate most of the objects, except for APM. I get the error message "Import error: config version 15.1 is not compatible with BIGIP version 16.1" when importing on the newer F5. I noticed there is a file called ng-export.conf inside the exported .tar file. Can I modify the following setting to the correct version like this? I'm not sure if there will be a bunch of other settings that may not be compatible between versions.
#F5[Version:15.1]
#F5[Build:15.1.10.3-0.0.12.0]
To
#F5[Version:16.1]
#F5[Build:16.1.5-0.0.3.0]
Has anyone done this before?