F5 webmail exchange 2016 - "Access policy evaluation is already in progress for your current session."
We recently moved over to Outlook 2016. Users that are on 2010 connect fine and never have an issue. The new users that have moved over to 2016 mailboxes get the error message above in the title. When they connect, they get the following addons to their URL:

    ?bO=1 sessiondata.ashxappcacheclient=1&acver=15.1.1591.8&crr=1

I have tried iRules from the following DevCentral questions and answers with no success:

    Access policy evaluation is already in progress for your current session
    How to avoid "Access policy evaluation is already in progress" - (iRules from matt, Misty Spillers & Stanislan Piron tested and didn't help)

If I have users open a browser in "InPrivate Browsing" or "Incognito" mode, they don't get the error. I have also tried the windows_10_anniversary_fix as well as all the iRules on page 76 of the iApp deployment guide for Exchange 2016. Deployment guide stuff I tested and doesn't work:

    when HTTP_REQUEST {
        if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } {
            HTTP::cookie "IsClientAppCacheEnabled" False
        }
    }

and tried this:

    when HTTP_REQUEST {
        if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } {
            HTTP::cookie remove "IsClientAppCacheEnabled"
            HTTP::cookie insert name "IsClientAppCacheEnabled" value False
        }
    }

I have a ticket open with F5 but they are saying oh just check the guide. Not helpful. Hoping someone from the community can help me. Thanks in advance!
958 Views 0 likes 1 Comment

APM Access Policy - Pass LDAP or AD Query variable
Is it possible to query whether a user has a value for one or another variable then use that to pass or fail passage down the rest of the swimlane for access? (e.g. expr {[mcget {session.ad.session.ad.last.attr.variable1}] != 0 || [mcget {session.ad.session.ad.last.attr.variable2}] != 0} where the two variables are numbers or a non-constant string, but do have a value...and are not "<not set>"). Is it also possible to have another path where the lack of a value for the expr {[mcget {session.ad.session.ad.last.attr.variable1}] == 0}, can be sent to a URI or URL? Any assistance would be greatly appreciated!
1.4K Views 0 likes 9 Comments

ACCESS::policy result "not_started"
Hi all! I try to invoke an access profile but the result of "ACCESS::policy result" is not_started. Why? Can someone help me? This is the code:

    when HTTP_REQUEST {
        ....
        if { $sessionID ne "" } {
            # The user in session, TODO
        } else {
            # The user not in session, check token
            if {$logDebug} {log local0. "=>|$logId| User not in session\n"}
            if {$logDebug} {log local0. "=>|$logId| sessionID empty, creating a new session"}
            set sessionID [ACCESS::session create -lifetime 30 -timeout 30]
            if {$logDebug} {log local0. "=>|$logId| new sessionID is $sessionID"}
            # call APM
            HTTP::header insert "clientless-mode" 1
            set ldapAPResultByToken [ACCESS::policy evaluate -sid $sessionID -profile "test_ldap_accessProfile" session.test.token $tokenFromHeader session.server.landinguri $uriRequested session.logon.last.logonname $tokenFromHeader]
            if {$logDebug} {log local0. "=>|$logId| Executed /Common/test_ldap_accessProfile with token: $tokenFromHeader with result: $ldapAPResultByToken\n"}
            set result [ACCESS::policy result -sid $sessionID]
            if {$logDebug} {log local0. "=>|$logId| result: $result\n"}
            set policyResult [ACCESS::session data get -sid $sessionID session.policy.result]
            if {$logDebug} {log local0. "=>|$logId| policy.result: $policyResult \n"}
            ...
        }
        ...
    }

The logger prints this:

    User not in session
    sessionID empty, creating a new session
    new sessionID is 1562e4dd6119e43dca7f7154c3b1a4cc
    Executed /Common/test_ldap_accessProfile with token: pippo with result: error
    result: not_started
    policy.result: not_started

284 Views 0 likes 1 Comment

Branch evaluation fails with Rule evaluation error: invalid command name "session.logon.last.username"
Hopefully somebody is able to enlighten me, I have the code below in a branch rule expression of an AD Query element. I get an 'Rule evaluation failed with error: invalid command name "session.logon.last.username"' error. The purpose is to translate an email entered to the matching AD logon username from AD. The AD query succeeds (mail=%{session.logon.last.username}). It looks like the variable assign element is not able to change the session.logon.last.username variable.

    if { [mcget {session.ad.last.queryresult}] == 1 } {
        session.logon.last.username = mcget {session.ad.last.attr.sAMAccountName};
        return 1;
    };
    return 0;

Thanks for sharing your thoughts / ideas.
703 Views 0 likes 2 Comments

APM sessions broken out by access policy?
I don't believe this is possible, but I'll ask just to be sure... For VPN, based on their user ID or an Active Directory query, etc., a user is assigned an APM access policy appropriate for their level of access. Is it possible, beyond running a custom report via the GUI, to display/track the current number of users connected via one access policy or another? I've used "tmsh show /apm license" to see how many licenses are consumed, and have also run reports via the GUI to see how many people have connected via a specific APM policy, but this is a bit beyond that. I'd think there would have to be some mechanism to tally not only connections via an APM policy, but one to update the total whenever a session terminates. Thanks!
Solved 557 Views 1 like 2 Comments

Windows Group Policy Trigger on Network Connect
Hi, I'm wondering if there is a way to trigger Windows Group Policy to be triggered when a user connects to VPN. We are able to run gpupdate.exe as an application on connect, but this is visible to the end user. We have User and Machine Windows Group Policies on our domain which we'd like to ensure get applied once the user is connected to VPN and not have to wait for the usual Windows GPO refresh cycle.
410 Views 0 likes 2 Comments

Multiple Client Certificates - Query using single Virtual Server SSL Profile (Client)
I have an interesting one, and just started digging into its creation. I need to perform an OCSP check (easy), collect information off of 1 of 3 certificates a client might have on their token (easy), and pass that information on to the webserver (got that one all day long). Now for the curve ball. At some point in the APM policy, I have to query 1 of the other 2 certificates for another piece of information (think an email certificate vs. one used for authentication), but I can't mess with the data (or session) from the original certificate. My first few tries force the session to reset and I lose the session data collected on the initial query. Thoughts?? Open to ideas.. One knowledge nugget, I have to use the same URL, maintain the current session, and pass the data from both certs (that are in the same chain, covered by the same cert bundle) on to the web/app server. I might be able to use different URIs, so not sure if that helps.. Thanks
260 Views 0 likes 0 Comments

Kerberos "Max Logon Attempts" Meaning
When adding the "Kerberos" Auth Item to an APM Policy, what effect does the "Max Logon Attempts" have? What actually happens here, does it send another 401 to the client to get another kerb token? Is there a best practice here? Default I think is 3 but allows 1 to 5. Cheers
204 Views 0 likes 0 Comments

APM :: Remote Desktop List :: Remote Sound Not Working
Has anybody run into where the remote audio is not being played locally? I have the local sound box checked, and I even tried the audiomode:i:0 custom parameter (even though it's defaulted to zero), and neither seems to be working. I know it's nothing wrong with the workstation (or so it seems) because the other VPN solution that I'm trying to migrate off of works perfectly fine.
General Properties:
Local Resources:
I haven't been able to get monitor spanning to work either (no matter what combination of anything I use)... but that's a whole other issue. Thanks
376 Views 0 likes 2 Comments

APM Variable assign to change email attribute?
Hello, Does anyone know the best way to do a custom variable assign to modify the ending of our mail attribute to always be the same thing? The problem we have is we allow multiple domains as our default email for users but when trying to authenticate to a hosted site using email address it won't match for some users. I got help a while ago on here and was told how to convert a specific email domain to another but now I need to convert at least 10 different emails to a single domain. Here is how I was able to convert one email domain to another but not sure how to adapt that to many.

    string map {@test.org @example.org} [string tolower [mcget {session.ad.last.attr.mail}]]

Now I need to convert around 10 different domains to @example.org. Note all of them are different names so just made up a few examples: @john.org @smith.org @joey.org
395 Views 0 likes 1 Comment