APM SOO to webpage witn windows credentrial
Good afternoon First of all, I would like to inform you that I have very little experience with APM. I have been asked to do the following: We have a web magazine that is accessible from the intranet and from the Internet. Our objective is: To use SSO for the users who access this website from within the intranet or from the VPN will never have to enter their username and password, because SSO will be done with the credentials they used to log in to Windows. But users who access from the Internet will have to enter their username and password My biggest question right now is how can I send the user that was used to loginin Windows to F5? And then do the SSO. Thnaks
BIG-IP APM Machine Cert Auth poblem
Dear F5 Expert Now i have implementation BIG-IP APM SSL VPN Auth with AD and Machine Cert Auth, For AD auth is work fine. But for Machine Cert Auth i found debug log is found Cert and verify key success. But i don't know why APM didn't forward client to authen page. Here's my configure SSL Self sign with ZERO SSL my SSL profile root domain and chain to ZERO SSL APM VPE i just verifu machine cert and allow 2 option verify key and not verify, i just check SN cert only. here's CA profile, i just use CA Cert from ZERO SSL and the last one here's Log on utility and access report Info 2024-03-03 16:23:18:016 \CertCheckImpl.cpp, CCertCheckImpl::Verify, Store name:"MY", Store location:"LocalMachine", Subject match FQDN:"false", Allow elevation UI:"true", Serial number(HEX):"00898ad22f5f67b4c15e15187d63d0592a", Issuer:"", SubjectAltName:"" Info 2024-03-03 16:23:18:016 \CertCheckImpl.cpp, CCertCheckImpl::Verify, certInfo:STORE_NAME:MY&STORE_LOCATION:LocalMachine&ALLOW_ELEVATION:1&MATCH_FQDN:0&SN:00898ad22f5f67b4c15e15187d63d0592a&ISSUER:&SAN:, RootCertInfo:IS_TRUSTED:0, Nonce: cWQ2NDNQZHpDbzdKNnRvbWN5SW8= Info 2024-03-03 16:23:18:017 \certinfo.cpp, CCertInfo::FindCertificateInStoreExt:, Total certs tested: 1 Info 2024-03-03 16:23:18:017 \certinfo.cpp, CCertInfo::FindCertificateInStoreExt:, Found matched certificate Info 2024-03-03 16:23:18:023 \certinfo.cpp, CCertInfo::IsPrivateKeyPresent, GetPrivateKey succeeded: found private key. Info 2024-03-03 16:23:18:023 \CertCheckImpl.cpp, CCertCheckImpl::CheckPrivateKey, The machine certificate has private key on this machine Info 2024-03-03 16:23:18:033 \CertCheckImpl.cpp, CCertCheckImpl::Verify, Found key successfully using current user Info 2024-03-03 16:23:18:033 \CertCheckImpl.cpp, CCertCheckImpl::CheckPrivateKey, Signing message succeeded Info 2024-03-03 16:23:18:066 CUAgentHost::downloadNextAgent() - sending request to server "https://www.kotchagorn.com:10443/my.policy_host?dummy=45b47b8aeb5c96285f65f295ffa35237" Info 2024-03-03 16:23:18:067 CUAgentHost::downloadNextAgent() - POST data "version=2.0&client_data=c2Vzc2lvbj0xMzJhNWY3YzhlYzgxODg5MmNiNjJhZmQ4M2MzYjFjYyZkZXZpY2VfaW5mbz1QR0ZuWlc1MFgybHVabT Info 2024-03-03 16:23:18:166 <URL>/logon</URL> Info 2024-03-03 16:23:18:170 EPCHECK \f5/EPCheck/MultiInstancePolicy.h, f5::EPCheck::MultiInstancePolicy<class EventSink>::stop, waiting for worker thread to exit Info 2024-03-03 16:23:19:534 EPCHECK \f5/EPCheck/MultiInstancePolicy.h, f5::EPCheck::MultiInstancePolicy<class EventSink>::run, worker thread exit Info 2024-03-03 16:23:19:536 EPCHECK \f5/EPCheck/MultiInstancePolicy.h, f5::EPCheck::MultiInstancePolicy<class EventSink>::stop, worker thread exit Info 2024-03-03 16:23:19:545 CUAgentHost::~CUAgentHost() - enter Info 2024-03-03 16:23:19:545 CAtlBrCon()::~CAtlBrCon() Info 2024-03-03 16:23:19:545 CUAgentHost::~CUAgentHost() - exit Info 2024-03-03 16:23:19:547 EPCHECK wWinMain, Endpoint check server process finished (res), 0 2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert./Common/Kotchagorn_vpn_act_machinecert_auth_ag.certificate_revoked' set to '0' 2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert./Common/Kotchagorn_vpn_act_machinecert_auth_ag.certificate_verified' set to '0' 2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert./Common/Kotchagorn_vpn_act_machinecert_auth_ag.error_message' set to ' X509_verify_cert failed: error #: 20 at depth 0, error message:unable to get local issuer certificate ' 2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert./Common/Kotchagorn_vpn_act_machinecert_auth_ag.result' set to '0' 2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert./Common/Kotchagorn_vpn_act_machinecert_auth_ag.signature_verified' set to '1' 2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert.last.certificate_revoked' set to '0' 2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert.last.certificate_verified' set to '0' 2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert.last.error_message' set to ' X509_verify_cert failed: error #: 20 at depth 0, error message:unable to get local issuer certificate ' 2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert.last.result' set to '0' 2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert.last.signature_verified' set to '1' 2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.policy.inspectionhost.status' set to 'done' Anyone please guide me please Best Regards,BIG-IP Next Access presentation/demo
Hi everyone! Luke Lehman, BIG-IP Next Access product manager, will be joining us for a zoom presentation/demo on December 12th at 9am pacific standard time. Come see what's brewing for APM! If you have any questions before the session, drop them below. Zoom Session Link Oh...and we just might have an ugly sweater or two to give away to attendees!Application Programming Interface (API) Authentication types simplified
API is a critical part of most of our modern applications. In this article we will walkthrough the different authentication types, to help us in the future articles covering NGINX API Connectivity Manager authentication and NGINX Single Sign-on.
Load webtop from F5 Access edge client
I have an access profile set up for iOS devices to create a VPN connection via the F5 Access edge client. The network portion is working great. What I am struggling with is trying to present a set of bookmarks via webtop to frequently accessed resources people are accustomed to seeing (migrating from Pulse Secure). I have not found a way to display those bookmarks in the F5 Access client like Pulse Secure does. The closest I have come is a redirect either in the client (portal webtop) or Safari (via network access app launcher) to our portal page. Problem is, that requires them to login again since it is another session. I'm extremely new to all of this, so I'll keep poking around, just wanted to see if there were any suggestions from the community. Thanks!Can I Capture Outlook Login Details With no Login Page in APM?
I'm working with a customer that wants to use APM to handle some more granular access to their Exchange 2016 servers that are being load balanced by LTM. Is there a way I can create an access policy that can determine the user or UID of a user when they attempt to connect to exchange through Outlook? They want to make it so certain users do not have access to Exchange based on their IP and an AD attribute. If i were just IP it would be easy enough. I can't figure out how to capture any username information without having a login page. Any ideas?
limit IP access to certain URIs
Hi, I am looking for help creating an IRULE for the following conditions: Allow access to two URIs within the policy to a specific group of IPs. Disallow access to these URIs to all other IPs. I tried creating a traffic policy for this but was unsuccessful. Thanks Veredlimit IP access to certain URIs
Hi, I am looking for help creating an IRULE for the following conditions: Allow access to two URIs within the policy to a specific group of IPs. Disallow access to these URIs to all other IPs. I tried creating a traffic policy for this but was unsuccessful. Thanks VeredAPM Cannot Access Sesssion Variable Created by Irule
Hello, I am trying to pass the uri from an irule to the APM via a session variable However, the APM cannot find the variable. Here is the statement to generate the session variable. ACCESS::session data set session.user.custom.uri [HTTP::uri] I can see the variable in the console in Access ›› Overview : Active Sessions. dbe31cda.session.user.custom.uri I can also see it with the session dump command: sessiondump --sid=dbe31cda | grep custom.uri dbe31cda.session.user.custom.uri 18 /xxx/yyyy However, the APM cannot find the variable. variable "session.user.custom.uri" was not found in the local cache for session "dbe31cda" 'getSessionVar()': 594: try to get it from MEMCACHED variable "session.user.custom.uri" for session "dbe31cda" was not found in MEMCACHED Any ideas? JeffreyBIG-IP APM: Max Sessions Per User – Enable users to terminate a specified session
Technical Challenge Recently I was speaking with a customer and they mentioned that they leveraged the “Max Sessions Per User” setting within BIG-IP APM Access Profile to limit the number of concurrent connections that a single user could have at any point in time. The customer mentioned that this works but often their users would complain that the “wrong” session was terminated or that a session they were actively using was closed. After reproducing the scenario in a lab environment I observed that the BIG-IP APM would terminate sessions based on FIFO (First In, First Out). Meaning that the oldest session was always terminated first regardless of which session the user was actively interacting with. Since this was confusing for the customer I figured others experienced this problem and it would be worth sharing my solution with the world. So how do you enforce “Max Sessions Per User” and enable your users to intelligently select which session to terminate? The Solution If we break down the problem statement above we can see that it it is really two issues. First we need to identify if a user has exceeded the maximum number of allocated sessions, then if they have we need to provide them a way to select which session should be terminated. Enforce Max Sessions Per User BIG-IP APM Access Profiles natively provide a way to limit the Maximum number of Sessions a user can establish but it doesn’t provide a way to interact with pre-existing sessions. For more information on Access Profile settings see => https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-network-access-11-6-0/9.html#taskid If the built-in functionality won’t achieve what we want lets build our own using APM iRule Events. iRule Session Enforcement The ACCESS::uuid iRule function will allow us to identify all active sessions for a specified Access Profile and Username. The iRule below will prevent a user from establishing more than 3 sessions when CLIENT_ACCEPTED { ACCESS::restrict_irule_events disable } when ACCESS_POLICY_COMPLETED { set max_sessions 3 set apm_username [ACCESS::session data get session.logon.last.username] set apm_cookie_list [ ACCESS::uuid getsid "[PROFILE::access name].$apm_username" ] log local0. "[PROFILE::access name].$apm_username => session number [llength $apm_cookie_list]" if {[llength $apm_cookie_list] >= $max_sessions} { ACCESS::session remove ACCESS::respond 302 location "/vdesk/hangup.php3" } } This will allow us to limit concurrent connections for a user but is too late in the authentication process to enable the user to select a session to terminate. Instead of having the logic execute in the ACCESS_POLICY_COMPLETED section let’s try using an VPE iRule event. APM VPE iRule Event Session Enforcement First update your Access Policy to look similar to the images below with an iRule Event placed after the user authentication event. The iRule event id will be referenced in your iRule max_session_count The branch logic will be used to identify if the user has more than 3 concurrent sessions expr { [mcget {session.logon.last.count}] >= 3} Update the iRule you created earlier with the code below, this will allow the VPE policy to pause and execute events within the iRule. when ACCESS_POLICY_AGENT_EVENT { switch [ACCESS::policy agent_id] { "max_session_count" { set apm_username[ACCESS::session data get session.logon.last.username] set apm_cookie_list [ ACCESS::uuid getsid "[PROFILE::access name].$apm_username" ] ACCESS::session data set session.logon.last.count[llength $apm_cookie_list] } } } Now as long as the user is below the defined maximum allowed connections they will be allowed to connect as normal. Enabling users to select a Session to be Terminated Now this is the tricky part, we need to provide an interface to the user that will enable them to select a session to be terminated. We could spend a bunch of time creating a custom web interface using javascript or we could re-purpose the Logon Page object built into the APM and display the information to the user with minimal customization. Remove the Password field from the Logon Page object and replace it with Radio and set the variable name to terminate Click on the textbox in the Values column of the terminate row and add one entry for each session the user is allowed to have. (If the max session count is set to 3 then add 3 options) The contents for the radio buttons will be dynamically generated within the iRule Event and stored as APM Session Variables The Value field should be %{session.logon.active.#.sid} (Session ID’s will be stored in a list variable that starts at 0, replace # with the appropriate index number starting at 0) %{session.logon.active.0.sid} %{session.logon.active.1.sid} %{session.logon.active.2.sid} The Text field should be %{session.logon.active.#.text} (The # should be replaced with the corresponding list index id) %{session.logon.active.0.text} %{session.logon.active.1.text} %{session.logon.active.2.text} After adding the appropriate number of options the final option should be cancel with text that will indicate that the current session will be terminated if the user selects cancel Click on the Branch Rules tab and add a new Branch Rule to handle logic that will allow the user to cancel Session Termination expr { [mcget {session.logon.last.terminate}] == "cancel" } Next update the iRule created earlier with the snippet listed below. The updated iRule will populate the session variables that will be used to display session information to the user. when ACCESS_POLICY_AGENT_EVENT { switch [ACCESS::policy agent_id] { "max_session_count" { set apm_username[ACCESS::session data get session.logon.last.username] set apm_cookie_list[ ACCESS::uuid getsid "[PROFILE::access name].$apm_username" ] for {set i 0} {$i < [llength $apm_cookie_list]} {incr i} { set _clientip[ACCESS::session data get -sid [lindex $apm_cookie_list $i] session.user.clientip] set _starttime[ACCESS::session data get -sid [lindex $apm_cookie_list $i] session.user.starttime] set _timeformat[clock format $_starttime -format "%H:%M:%S %d %b %Y "] set _connectiontype[ACCESS::session data get -sid [lindex $apm_cookie_list $i]session.user.sessiontype] set _browsertype[ACCESS::session data get -sid [lindex $apm_cookie_list $i]session.client.type] set _sessionid[ACCESS::session data get -sid [lindex $apm_cookie_list $i] session.user.sessionid] set _sessioninfo"<table style='border-collapse: collapse' width='100%'>" append _sessioninfo"<tr><td style='border: 1px solid black'>Session ID</td><td style='border: 1px solid black' align='center'>$_sessionid</td></tr>" append _sessioninfo"<tr><td style='border: 1px solid black'>Start Time</td><td style='border: 1px solid black' align='center'>$_timeformat</td></tr>" append _sessioninfo"<tr><td style='border: 1px solid black'>Client IP</td><td style='border: 1px solid black' align='center'>$_clientip</td></tr>" append _sessioninfo"<tr><td style='border: 1px solid black'>Connection Type</td><td style='border: 1px solid black' align='center'>$_connectiontype</td></tr>" append _sessioninfo"<tr><td style='border: 1px solid black'>Browser Type</td><td style='border: 1px solid black' align='center'>$_browsertype</td></tr>" append _sessioninfo"</table>" ACCESS::session data set session.logon.active.$i.sid $_sessionid ACCESS::session data set session.logon.active.$i.text $_sessioninfo } ACCESS::session data set session.logon.last.count[llength $apm_cookie_list] } } } Terminate the selected Session Now that we have a way to select a session to terminate add a second VPE iRule Event to handle the Session Termination The iRule event id will be referenced in your iRule terminate_session The branch logic will be used to verify that the session was terminated successfully, if it fails to terminate the users current session will be terminated instead. expr { [mcget {session.logon.last.terminateresult}] == 1 } Next update the iRule created earlier with the snippet listed below. The updates will add a second iRule Event that will handle the session termination when ACCESS_POLICY_AGENT_EVENT { switch [ACCESS::policy agent_id] { "max_session_count" { set apm_username[ACCESS::session data get session.logon.last.username] set apm_cookie_list[ ACCESS::uuid getsid "[PROFILE::access name].$apm_username" ] for {set i 0} {$i < [llength $apm_cookie_list]} {incr i} { set _clientip[ACCESS::session data get -sid [lindex $apm_cookie_list $i] session.user.clientip] set _starttime[ACCESS::session data get -sid [lindex $apm_cookie_list $i] session.user.starttime] set _timeformat[clock format $_starttime -format "%H:%M:%S %d %b %Y "] set _connectiontype[ACCESS::session data get -sid [lindex $apm_cookie_list $i]session.user.sessiontype] set _browsertype[ACCESS::session data get -sid [lindex $apm_cookie_list $i]session.client.type] set _sessionid[ACCESS::session data get -sid [lindex $apm_cookie_list $i] session.user.sessionid] set _sessioninfo"<table style='border-collapse: collapse' width='100%'>" append _sessioninfo"<tr><td style='border: 1px solid black'>Session ID</td><td style='border: 1px solid black' align='center'>$_sessionid</td></tr>" append _sessioninfo"<tr><td style='border: 1px solid black'>Start Time</td><td style='border: 1px solid black' align='center'>$_timeformat</td></tr>" append _sessioninfo"<tr><td style='border: 1px solid black'>Client IP</td><td style='border: 1px solid black' align='center'>$_clientip</td></tr>" append _sessioninfo"<tr><td style='border: 1px solid black'>Connection Type</td><td style='border: 1px solid black' align='center'>$_connectiontype</td></tr>" append _sessioninfo"<tr><td style='border: 1px solid black'>Browser Type</td><td style='border: 1px solid black' align='center'>$_browsertype</td></tr>" append _sessioninfo"</table>" ACCESS::session data set session.logon.active.$i.sid $_sessionid ACCESS::session data set session.logon.active.$i.text $_sessioninfo } ACCESS::session data set session.logon.last.count[llength $apm_cookie_list] } "terminate_session" { set removed0 set apm_username[ACCESS::session data get session.logon.last.username] set apm_cookie_list [ ACCESS::uuid getsid "[PROFILE::access name].$apm_username" ] for {set i 0} {$i < [llength $apm_cookie_list]} {incr i} { set _terminateid[ACCESS::session data get session.logon.last.terminate] set _sessionid[ACCESS::session data get -sid [lindex $apm_cookie_list $i] session.user.sessionid] if {$_sessionid eq $_terminateid} { set removed 1 ACCESS::session remove -sid [lindex $apm_cookie_list $i] break } } ACCESS::session data set session.logon.last.terminateresult$removed } } } Time to Test Now establish enough sessions to exceed the maximum concurrent user count and you should see receive a logon page prompting you to select a session to terminate. Putting Everything Together Step 1 – Edit your Access Policy When this step is complete your Access Policy should look similar to the attached imaged The first iRule Event should have the following information populated The iRule event id will be referenced in your iRule max_session_count The branch logic will be used to identify if the user has more than 3 concurrent sessions expr { [mcget {session.logon.last.count}] >= 3} The “Logon Page – Session Termination” should have the following information populated Remove the Password field from the Logon Page object and replace it with Radio and set the variable name to terminate Click on the textbox in the Values column of the terminate row and add one entry for each session the user is allowed to have. (If the max session count is set to 3 then add 3 options) The contents for the radio buttons will be dynamically generated within the iRule Event and stored as APM Session Variables The Value field should be %{session.logon.active.#.sid} (Session ID’s will be stored in a list variable that starts at 0, replace # with the appropriate index number starting at 0) %{session.logon.active.0.sid} %{session.logon.active.1.sid} %{session.logon.active.2.sid} The Text field should be %{session.logon.active.#.text} (The # should be replaced with the corresponding list index id) %{session.logon.active.0.text} %{session.logon.active.1.text} %{session.logon.active.2.text} After adding the appropriate number of options the final option should be cancel with text that will indicate that the current session will be terminated if the user selects cancel Click on the Branch Rules tab and add a new Branch Rule to handle logic that will allow the user to cancel Session Termination expr { [mcget {session.logon.last.terminate}] == "cancel" } The second iRule Event should have the following information populated The iRule event id will be referenced in your iRule terminate_session The branch logic will be used to verify that the session was terminated successfully, if it fails to terminate the users current session will be terminated instead. expr { [mcget {session.logon.last.terminateresult}] == 1 } Step 2 – Create and Apply the Custom iRule when ACCESS_POLICY_AGENT_EVENT { switch [ACCESS::policy agent_id] { "max_session_count" { set apm_username[ACCESS::session data get session.logon.last.username] set apm_cookie_list[ ACCESS::uuid getsid "[PROFILE::access name].$apm_username" ] for {set i 0} {$i < [llength $apm_cookie_list]} {incr i} { set _clientip[ACCESS::session data get -sid [lindex $apm_cookie_list $i] session.user.clientip] set _starttime[ACCESS::session data get -sid [lindex $apm_cookie_list $i] session.user.starttime] set _timeformat[clock format $_starttime -format "%H:%M:%S %d %b %Y "] set _connectiontype[ACCESS::session data get -sid [lindex $apm_cookie_list $i]session.user.sessiontype] set _browsertype[ACCESS::session data get -sid [lindex $apm_cookie_list $i]session.client.type] set _sessionid[ACCESS::session data get -sid [lindex $apm_cookie_list $i] session.user.sessionid] set _sessioninfo"<table style='border-collapse: collapse' width='100%'>" append _sessioninfo"<tr><td style='border: 1px solid black'>Session ID</td><td style='border: 1px solid black' align='center'>$_sessionid</td></tr>" append _sessioninfo"<tr><td style='border: 1px solid black'>Start Time</td><td style='border: 1px solid black' align='center'>$_timeformat</td></tr>" append _sessioninfo"<tr><td style='border: 1px solid black'>Client IP</td><td style='border: 1px solid black' align='center'>$_clientip</td></tr>" append _sessioninfo"<tr><td style='border: 1px solid black'>Connection Type</td><td style='border: 1px solid black' align='center'>$_connectiontype</td></tr>" append _sessioninfo"<tr><td style='border: 1px solid black'>Browser Type</td><td style='border: 1px solid black' align='center'>$_browsertype</td></tr>" append _sessioninfo"</table>" ACCESS::session data set session.logon.active.$i.sid $_sessionid ACCESS::session data set session.logon.active.$i.text $_sessioninfo } ACCESS::session data set session.logon.last.count[llength $apm_cookie_list] } "terminate_session" { set removed0 set apm_username[ACCESS::session data get session.logon.last.username] set apm_cookie_list [ ACCESS::uuid getsid "[PROFILE::access name].$apm_username" ] for {set i 0} {$i < [llength $apm_cookie_list]} {incr i} { set _terminateid[ACCESS::session data get session.logon.last.terminate] set _sessionid[ACCESS::session data get -sid [lindex $apm_cookie_list $i] session.user.sessionid] if {$_sessionid eq $_terminateid} { set removed 1 ACCESS::session remove -sid [lindex $apm_cookie_list $i] break } } ACCESS::session data set session.logon.last.terminateresult$removed } } }
