BIG-IP Access Policy Manager (APM)
URL rewrite through iRule
Hi Guys, I have one "Performance (HTTP)" virtual server on an F5-1600 series, and I want to change the URL "http://www.abc.com" to "http://partner.abc.com/xyz". I have tried all the scripts below:

1-

    when HTTP_REQUEST {
        if {([string tolower [HTTP::host]] equals "http://www.abc.com")} {
            HTTP::header replace Host "http://partner.abc.com/xyz"
        }
    }

2-

    when HTTP_REQUEST {
        if { not ([HTTP::uri] starts_with "/xyz") } {
            HTTP::uri /xyz[HTTP::uri]
        }
    }

3-

    when HTTP_REQUEST {
        if {[HTTP::uri] equals {http://www.abc.com}} {
            HTTP::uri {http://partner.abc.com/xyz}
        }
    }

but I wasn't successful! Can anyone help me with how I can do this through an iRule?

Big-IP Edge Client / Windows 10 1809 - No internet connection with connected VPN
Hi everybody, I've updated my computer to Windows 10 Build 1809. After a successful connection with the Big-IP Edge Client VPN, the internet connection is broken. Ping to Google DNS servers with connected VPN: We have configured Network Access with "split tunneling". The very same VPN worked perfectly with the previous build of Windows 10 (1803). Version of VPN client: 7160,2018,417,2013. Has anyone run into the same problem? Thank you, John

Radius Authentication with Microsoft NPS and Azure MFA not working
We have configured F5 with Microsoft NPS to leverage Microsoft Azure AD MFA. F5 is sending a RADIUS authentication request to the Microsoft NPS server. However, the NPS server errors. It looks like the NPS server with the Azure MFA extension is expecting a UPN value (john.smith@mydomain.com) but the RADIUS attribute User-Name is sending the sAMAccount (or session.logon.last.username). The Microsoft Azure AD MFA is expecting a UPN. I don't want to use the SAML based configuration. Q: How do we extract / search for the UPN value and assign it to the RADIUS attribute User-Name? I believe the UPN value can be extracted with an LDAP query, but how do we send the UPN value in the RADIUS authentication request? Any suggestions/advice?

NPS server error:

    Log Name: AuthZOptCh
    Source: Microsoft-AzureMfa-AuthZ
    Date: 4/15/2021 5:06:35 PM
    Event ID: 1
    Task Category: None
    Level: Information
    Keywords:
    User: NETWORK SERVICE
    Computer: 123server.mydomain.com
    Description: NPS Extension for Azure MFA:CID: f6d91669-8579-4da0-8968-dfa4ea5ef928 : Request Discard for user Smith, John with Azure MFA response: InvalidParameter and message: UserPrincipalName must be in a valid format.,,,23090ad2-da92-4800-ae4c-8b59182f5fb7

The F5 RADIUS tcpdump shows the following RADIUS authentication request with the sAMAccount (or session.logon.last.username) in the User-Name attribute:

    RADIUS Protocol
        Code: Access-Request (1)
        Packet identifier: 0xab (171)
        Length: 74
        Authenticator: abd00d0218bc6541842a401dcfb64d52
        Attribute Value Pairs
            AVP: l=10 t=User-Name(1): johnsmith01
                User-Name: johnsmith01
            AVP: l=18 t=User-Password(2): Decrypted: Ajitkaur02@
                User-Password: xxxxxxxxx
            AVP: l=6 t=Service-Type(6): Authenticate-Only(8)
                Service-Type: Authenticate-Only (8)
            AVP: l=14 t=Tunnel-Client-Endpoint(66): 65.60.150.62
                Tunnel-Client-Endpoint: 65.60.150.62
            AVP: l=6 t=NAS-Port(5): 0
                NAS-Port: 0

What is the difference between BIG-IP APM and BIG-IP LTM?
As I'm preparing for the F5 101 exam, I read about BIG-IP APM and LTM. I find it hard to get the difference between them. I found a table of features: https://support.f5.com/csp/article/K66031634 , but it doesn't explain too much. I've also been reading https://www.f5.com/pdf/products/big-ip-local-traffic-manager-ds.pdf . Is there any distinction at the 101 level, or do you need to be a little bit more advanced to understand these differences?

F5 APM (failed to initialize local tunnel server)
Hi, I'm hoping someone can help with a couple of questions I have before I turn to support. I've newly deployed an F5 APM and am having a couple of issues:

1). I have a couple of users who get the error "failed to initialize local tunnel server" after successfully logging in using IE or Firefox and trying to launch an RDP resource. Other users on the same OS are fine. I have tried reinstalling all F5 components without success. It seems the tunnelserver.exe process doesn't get launched for some reason. Any ideas on what I can look for?

2). When a user first connects and launches a full Network Access connection (full VPN), a Windows dialler profile gets built and populated and can be seen in the Internet Options on a Windows machine. Once it's built, the OS tries to connect through this dialler and it causes some local connection issues until you set/configure the option "Never Use Dialler". Is there any way to stop this behaviour or to turn it off? I gather the dialler that is built is necessary.

Thanks, RK

Kerberos Delegation and NTLM auth Exchange 2013
This is related to a previous post about the Exchange iApp. Everything is working for both internal and external connections except for Outlook Anywhere clients attempting to connect to the external VS and authenticate via RPC over HTTP. I enabled all debug logs for APM and ECA since that seemed to be where the failure was occurring. I noticed the following and cannot make much sense of it. Any help would be appreciated. Below is the log file comparison between a successful auth through the internal iApp and the failed auth through the external iApp. This is just a snippet of the full log. Everything before these lines in the log is the same for both internal and external connections. It seems to fail when the BigIP tries to make a call to itself to process the logon request; has anyone ever seen this before?

Internal success:

    Aug 12 13:22:12 JHHCF5 debug eca[7237]: 0162000c:7: [Common] 10.1.12.9:46380 (0x09a8b9c8) Server challenge: 24296533D8C59FB4
    Aug 12 13:22:12 JHHCF5 debug nlad[8603]: 01620000:7: <0x559058f0> clntsvc: processing 'logon' request on connection[18] from 127.0.0.1:43935
    Aug 12 13:22:12 JHHCF5 debug nlad[8603]: 01620000:7: <0x559058f0> client[5]: is ready
    Aug 12 13:22:12 JHHCF5 debug nlad[8603]: 01620000:7: <0x5624cb90> NLAD_TRACE: nlclnt[53403010a / 01] sending logon = 0xC00000E5
    Aug 12 13:22:12 JHHCF5 debug nlad[8603]: 01620000:7: <0x5624cb90> nlclnt[53403010a] logon: entering user GRicketts domain JHHC wksta JHHC04619LT

Failed auth:

    Aug 12 12:51:10 JHHCF5 debug nlad[8603]: 01620000:7: <0x559058f0> clntsvc: processing 'logon' request on connection[38] from 127.0.0.1:44495
    Aug 12 12:51:10 JHHCF5 warning nlad[8603]: 01620000:4: <0x559058f0> clntsvc: no client for id 6 to service request from connection[38] from 127.0.0.1:44495
    Aug 12 12:51:10 JHHCF5 debug nlad[8603]: 01620000:7: <0x559058f0> nla_rq: response with status [0xc00000ab,NT_STATUS_INSTANCE_NOT_AVAILABLE] for type 'logon' client 6 context 0x5ab82b90 24 bytes to connection[38] from 127.0.0.1:44495: took 0 milli-seconds
    Aug 12 12:51:10 JHHCF5 debug eca[7237]: 0162000c:7: [Common] 12.181.141.210:45214 (0x5bf14c28) nla_agent::logon, rc = STATUS_NO_LOGON_SERVERS (3221225566)

Why does the page /my.policy redirect users to /vdesk/hangup.php3?
Hello all, I have a problem with the APM. I have an application published and sometimes the users are unable to see the login page; instead they get the logout page. This is very strange because it doesn't happen all the time, only sometimes, so to me this seems like a cookie problem or something like that. I've been using the Fiddler tool and I've seen that sometimes when the my.policy URL is called the F5 closes the connection and redirects the user to /vdesk/hangup.php3; also in the same GET I see the session cookies and they seem to be OK. There are no iRules that redirect the request to /vdesk/hangup.php3 and I've not modified the logon page code. Do you know why this could be happening?

Certificates implementation in "SSL forward proxy client and server authentication" scenario.
I want to implement SSL forward proxy client and server authentication, and I am not sure how certificates are implemented. How can it be done? I mean, how do I have to implement client and server certificates in order to proxy/forward SSL traffic to a backend SSL server? I am using a BIG-IP LTM appliance.

OTP Flood Attack mitigation
We have an application which is sitting behind our F5 WAF, where the application is receiving a high volume of OTP requests from an attacker, causing the server to generate OTP SMS messages. People are receiving unwanted OTP messages on their mobiles. I have configured an iRule which limits requests to a maximum of 3 requests in 5 minutes, and it is working, but the attacker is using different ISP IPs to flood the OTP requests. Can someone please assist here with how to mitigate such an attack with the help of an F5 WAF policy?

SAML SLO Error
BIGIP is acting as SP to an IDP. This IDP is one of our authentication methods to the Webtop. For instance, if you are logging out with the Logout button from the webtop, a SAML request is sent to their SLS, the ticket is destroyed at their end, but BIGIP is throwing an error: "Internal error. Failed to process SAML request/response. Please try again or contact your system administrator if error persists." With URI: /vdesk/my.acl.php3?errorcode=8001

The response is getting back successfully from the IDP (as issuer) to Destination="https://<bigipadress>/saml/sp/profile/post/sls" with a success code:

    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>

APM log:

    SAML SSO: SLO Response is received on SLO Request URL
    SAML SSO: SLO Request not found in SAML message 'SAMLResponse=<base64decoded samlrequest>
    SAML SSO: Error (12) in reading SP info from sessionDB
    SAML SSO: Abort reason: Error in reading sp info from session db

The SAML request as it appears in the log is not URI decoded, but if I look at the form data in Chrome everything looks fine. I've also tried with redirect instead of post, but then I get this error in the APM log:

    SAML SSO: SLO Request not found in SAML message ''

A workaround is to clear the SLO settings in the IDP connector; in this case the APM session is destroyed but the session from the IDP isn't. Any suggestions to investigate this further? Thanks, Johan