BIG-IP Access Policy Manager (APM)
APM with EntraID as idP / request signed
Hi experts. I need your help to solve an issue. I'm configuring a new environment with BIG-IP version 15.1.8.2 Build 0.0.17 Point Release 2. I have the APM working fine with SSO using EntraID (AzureAD) as idP. Now, I need to enable signed requests (Enforce signed SAML authentication requests - Microsoft Entra ID | Microsoft Learn). I generated the self-signed certificate and imported it on my app at Azure and on my BIG-IP. I changed my config in Access > Federation > SAML Identity Provider and assigned my self-signed certificate (pk included) to sign the request. But I've received the below error from EntraID:

Sign-in error code: 76021
Failure reason: The request sent by client is not signed while the application requires signed requests

All attempts were made by browser (SSL VPN). Thank you.

F5 APM - limiting access to the bandwidth for network Access
I am looking for a way of restricting access to the available bandwidth for our SSL VPN users. I see within the 'Network Access' configuration (Network Settings) there is an option to set 'Client Interface Speed' in bits per second. I have attempted to find more information on this without much luck. The only references I can find are below:

'Specifies the maximum speed of the client interface connection, in bits per second.'
'Specifies the speed of the client interface connection, in bits per second.'

Can anyone provide further insight into this particular setting? I want to confirm/understand:
(1) if this is actually a bandwidth restriction or whether it is just an administrative setting (though the above suggests a restriction)
(2) if it is a bandwidth restriction, does this perform traffic policing or shaping?
(3) is the setting per client connection, or for all connections using that particular 'network access'?

Thanks

APM Import error: config version 15.1 is not compatible with BIGIP version 16.1
I would like to migrate all of our APM policies from the old F5 platform (v15.1) to the newer F5 platform (v16.1). I can migrate most of the objects, except for APM. I get the error message "Import error: config version 15.1 is not compatible with BIGIP version 16.1" when importing on the newer F5. I noticed there is a file called ng-export.conf inside the exported .tar file. Can I modify the following setting to the correct version like this? I'm not sure if there will be a bunch of other settings that may not be compatible between versions.

#F5[Version:15.1]
#F5[Build:15.1.10.3-0.0.12.0]

To

#F5[Version:16.1]
#F5[Build:16.1.5-0.0.3.0]

Has anyone done this before?

Is network access bypassing APM logon pages?
Hello, maybe it's a stupid question but I've been wondering about it for a while without finding a proper answer. Usually, you can either access your web apps remotely through APM or you can use an SSL VPN connection to have full network access. Recently when I was connected to the VPN (BigIP Edge Client), I tried to access different web apps through APM in order to test some APM workflows (VPE config) and I noticed I was somehow bypassing the APM logon pages: actually I was able to access the web apps without seeing the APM logon pages. Maybe these were silly tests but still I'm wondering: what happened? I used an iRule to have verbose logs, and I saw that my VPN session ID was being used when accessing these web apps. Is there any credential forwarding? How does it work? Thank you, Thomas

<apm_do_not_touch> in JS file failing
So we have an application that uses the @cc_on statement within a JavaScript file, and the APM is trying to rewrite it. The problem is (as stated in SOL3910) that the rewrite breaks the code because it doesn't rewrite properly. According to SOL3910, adding the tag around an HTML element works to tell APM to ignore rewriting this section. The problem is that this fix doesn't (fully) work in JS files because the tag is an HTML tag. While adding the tag around the section will work to keep APM from rewriting the code, because it's in a JS file, the syntax is invalid and causes other JS errors. I've tried embedding the tag in a comment (many different ways) but it doesn't work, and APM will continue to rewrite the code. I doubt there's a JavaScript statement we can use to do the same thing here and cause APM to ignore rewriting it, but I wanted to see if anyone else had a similar issue before or ideas on resolution.

SSO
I am a beginner with APM. I could see the same access profile is mapped to 2 different VS.
1. My understanding is they have mapped the same access profile to make SSO work between virtual servers. Is that right?
2. When SSO has been generated in the first VS it will be passed to the user browser, right? And when the same user accesses the 2nd VS, how does the second VS validate credentials?

OAuth token synchronization in APM HA pair
Hello. I have an HA pair of APMs, acting as an OAuth authorization server. By default, devices in HA should synchronize OAuth tokens from Active to Standby. But I don't see issued tokens on the Standby device. The statemirror.mirrorsession system database variable is set to "enabled".

:Active:In Sync] ~ # tmsh show apm oauth token-details db-instance <db_name>
total-tokens: 7258

:Standby:In Sync] ~ # tmsh show apm oauth token-details db-instance <db_name>
total-tokens: 0

No synchronization errors (Failed to initiate DB synchronization (ERR_DB)) in logs. How can I check that token synchronization is successful and that issued OAuth tokens exist on both devices in the cluster?

DTLS support for Citrix Receiver 4.7? (Adaptive Transport, EDT)
Will there be DTLS support in APM for Citrix's new "Adaptive Transport" or "Enlightened Data Transport (EDT)", which is based on UDP? This is a new feature since version 4.7 of Citrix Receiver, and version 7.13 of XenDesktop/XenApp. I would definitely want it to be supported asap...

iCall script argument
Hello! How can I pass arguments to an iCall script from APM via an iRule? Example: I want to generate a user SSL certificate via APM. I wrote a bash script, but it should be called with two arguments, UserName and UserDomain. Thank you!

sys icall script gcc_script {
    app-service none
    definition {
        exec /home/root/scripts/certificates.sh $UserDN $DomainDN
        exec istats remove "GCC generate for UserDN"
    }
    description none
    events none
}