Client SSL Profile set to Require Client Certificate breaks RDP in APM
Hello, I have a policy set up in the BIG-IP F5 VE 15.1.10.5 APM to allow access to a handful of Remote Desktop (RDP) links. I'm attempting to set the authentication to require Common Access Card (CAC) Certificate login. In my access policy visual editor, I have a Client Cert Inspection branch that leads into OCSP Authentication and then if successful assigns the RDP resources through LDAP.This all works perfectly fine as long as the Client SSL profile connected to the access policy has Client Authentication > Client Certificate set to "Request" or "Require." If set properly, when a user attempts to connect to the webtop URL they are prompted for their certificate, authorized against the OCSP, and given access to the resources as corresponds to LDAP group. However when attempting to use one of the Remote Desktop Links it'll download the RDPconnection as intended and fail to connect with "There was a problem connecting to the remote resource. Ask your network administrator for help." I know this is because of the Client SSL profile because if i change it back to "Ignore" and have the user click the Remote Desktop link, it downloads and connects to the specified resource with no issue. The server the RDP connects to is configured with a client certificate that is trusted by the Root and Intermediate CA in the "Trusted Certificate Authorities" under the Client SSL Client Authentication profile. I was originally able to get around this by, instead of using Client Cert Inspection in my access policy, using On-Demand Cert Auth and leaving the Client SSL profile to "Ignore" client certificate. This allowed the user to be prompted and authenticated when originally accessing the webtop and utilize the RDP resources assigned. Unfortunately, On-Demand Cert Auth recently broke and users are not being prompted for their certificate and as such cannot connect to the webtop without the Client SSL profile being set to "Request" or "Require" to force the certificate prompt. https://my.f5.com/manage/s/article/K63123740 I've read the above KB where it says "the RDP client doesn't like the certificate request." but I'm not sure why, RDP should support certificate requests, users authenticate with token certificates all the time when RDP'ing to resources unless I'm misunderstanding what is happening? With that article I thought maybe the Server SSL profile would be an issue, but only changing the Client SSL profile certificate settings affects login. Any help would be appreciated, thanks!
[APM] URL stops working , location : /my.policy?ORG_URI=1f931c35
hello Team , We have a strange issue . User is able to access the url but sometimes the url doesn't work and when he checks in developer tool it has a status code of : 302 Found. After 10-15min it starts to work without any intervention. Response Headers : Connection : close Content-Length:0 Location : /my.policy?ORIG_URI=1f931c35 We are using APM for ACL and URL filtering , so where can I find my.policy ? I did not find any logs with this id 1f931c35 in cat apm or cat ltm logs , cat pktfilter logs , cat urlfilter logs .. Kindly please advice .
F5 webmail exchange 2016 - "Access policy evaluation is already in progress for your current session."
We recently moved over to outlook 2016. Users that are on 2010 connect fine and never have an issue. the new users that have moved over to 2016 mailboxes get the error message above in the title. When they connect, they get the following addons to their URL: ?bO=1 sessiondata.ashxappcacheclient=1&acver=15.1.1591.8&crr=1 I have tried irules from the following devcentral questions and answers with no success: Access policy evaluation is already in progress for your current session How to avoid "Access policy evaluation is already in progress" - (irules from matt, Misty Spillers & Stanislan Piron tested and didn't help) If i have users open a browser in "InPrivate Browsing" or "Incognito" mode, they don't get the error. I have also tried the windows_10_anniversary_fix as well as all the irules on page 76 of the iapp deployment guide for exchange 2016. Deployment guide stuff i tested and doesn't work: when HTTP_REQUEST { if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } { HTTP::cookie "IsClientAppCacheEnabled" False } } and tried this: when HTTP_REQUEST { if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } { HTTP::cookie remove "IsClientAppCacheEnabled" HTTP::cookie insert name "IsClientAppCacheEnabled" value False } } I have a ticket open with F5 but they are saying oh just check the guide. not helpful. Hoping someone from the community can help me. thanks in advance!
APM Access Policy - Pass LDAP or AD Query variable
Is it possible to query whether a user has a value for one or another variable then use that to pass or fail passage down the rest of the swimlane for access? (e.g.-expr {[mcget {session.ad.session.ad.last.attr.variable1}] != 0 || [mcget {session.ad.session.ad.last.attr.variable2}] != 0} where the two variables are numbers or a non-constant string, but do have a value...and are not "<not set>". Is it also possible to have another path where the lack of a value for theexpr {[mcget {session.ad.session.ad.last.attr.variable1}] == 0, can be sent to a uri or url? Any assistance would be greatly appreciated!ACCESS::policy result "not_started"
Hi all! I try to invoke a access profile but the result of "ACCESS::policy result" is not_started. Why? Can someone help me? This is the code when HTTP_REQUEST { .... if { $sessionID ne ""}{ The user in session, TODO } else { The user not in session, check token if {$logDebug}{log local0. "=>|$logId| User not in session\n"} if {$logDebug}{log local0. "=>|$logId| sessionID empty, creating a new session"} set sessionID [ACCESS::session create -lifetime 30 -timeout 30] if {$logDebug}{log local0. "=>|$logId| new sessionID is $sessionID"} call APM HTTP::header insert "clientless-mode" 1 set ldapAPResultByToken [ACCESS::policy evaluate -sid $sessionID -profile "test_ldap_accessProfile" session.test.token $tokenFromHeader session.server.landinguri $uriRequested session.logon.last.logonname $tokenFromHeader] if {$logDebug}{log local0. "=>|$logId| Executed /Common/test_ldap_accessProfile with token: $tokenFromHeader with result: $ldapAPResultByToken\n"} set result [ACCESS::policy result -sid $sessionID] if {$logDebug}{log local0. "=>|$logId| result: $result\n"} set policyResult [ACCESS::session data get -sid $sessionID session.policy.result] if {$logDebug}{log local0. "=>|$logId| policy.result: $policyResult \n"} ... } ... } The logger print this: User not in session sessionID empty, creating a new session new sessionID is 1562e4dd6119e43dca7f7154c3b1a4cc Executed /Common/test_ldap_accessProfile with token: pippo with result: error result: not_started policy.result: not_started
Branch evaluation fails with Rule evaluation error: invalid command name "session.logon.last.username"
Hopefully somebody is able to enlighten me, I have the code below in a branch rule expression of an AD Query element. I get an 'Rule evaluation failed with error: invalid command name "session.logon.last.username"' error. The purpose is to translate an email entered to the matching AD logon username from AD. The AD query succeeds (mail=%{session.logon.last.username}). It looks like the variable assign element is not able to change the session.logon.last.username variable. if { [mcget {session.ad.last.queryresult}] == 1 } { session.logon.last.username = mcget {session.ad.last.attr.sAMAccountName}; return 1; }; return 0; Thanks for sharing your thoughts / ideas.
Windows Group Policy Trigger on Network Connect
Hi, I'm wondering if there is a way to trigger Windows Group Policy to be triggered when a user connects to VPN. We are able to run gpudate.exe as an application on connect, but this is visible to the end user. We have User and Machine Windows Group Policies on our domain which we'd like to ensure gets applied once the user is connected to VPN and not have to wait for the usual Windows GPO refresh cycle.Multiple Client Certificates - Query using single Virtual Server SSL Profile (Client)
I have an interesting one, and just started digging into its creation. I need to perform an OCSP check (easy), collect information off of 1 of 3 certificates a client might have on their token (easy), and pass that information on to the webserver (got that one all day long). Now for the curve ball. At somepoint in the APM policy, I have to query 1 of the other 2 certificates for another piece of information (think an email certificate vs. one used for authentication), but I can't mess with the data (or session) from the original certificate. My first few tries forces the session to reset and I lost the session data collected on the initial query. Thoughts?? open to ideas.. One knowledge nugget, I have to use the same URL, maintain the current session, and pass the data from both certs (that are in the same chain, covered by the same cert bundle) on to the web/app server. I might be able to use different URIs, so not sure if that helps.. ThanksKerberos "Max Logon Attempts" Meaning
When adding the "Kerberos" Auth Item to an APM Policy what affect does the "Max Logon Attempts" have. What actually happens here, does it send another 401 to the client to get another kerb token? Is there a best practice here? default I think is 3 but allows 1 to 5 Cheers