access profile
7 Topics

Client SSL Profile set to Require Client Certificate breaks RDP in APM
Hello, I have a policy set up in the BIG-IP F5 VE 15.1.10.5 APM to allow access to a handful of Remote Desktop (RDP) links. I'm attempting to set the authentication to require Common Access Card (CAC) Certificate login. In my access policy visual editor, I have a Client Cert Inspection branch that leads into OCSP Authentication and then, if successful, assigns the RDP resources through LDAP. This all works perfectly fine as long as the Client SSL profile connected to the access policy has Client Authentication > Client Certificate set to "Request" or "Require." If set properly, when a user attempts to connect to the webtop URL they are prompted for their certificate, authorized against the OCSP, and given access to the resources corresponding to their LDAP group. However, when attempting to use one of the Remote Desktop Links, it'll download the RDP connection as intended and fail to connect with "There was a problem connecting to the remote resource. Ask your network administrator for help." I know this is because of the Client SSL profile, because if I change it back to "Ignore" and have the user click the Remote Desktop link, it downloads and connects to the specified resource with no issue. The server the RDP connects to is configured with a client certificate that is trusted by the Root and Intermediate CA in the "Trusted Certificate Authorities" under the Client SSL Client Authentication profile. I was originally able to get around this by, instead of using Client Cert Inspection in my access policy, using On-Demand Cert Auth and leaving the Client SSL profile set to "Ignore" client certificate. This allowed the user to be prompted and authenticated when originally accessing the webtop and to utilize the RDP resources assigned. Unfortunately, On-Demand Cert Auth recently broke and users are not being prompted for their certificate, and as such cannot connect to the webtop without the Client SSL profile being set to "Request" or "Require" to force the certificate prompt.

https://my.f5.com/manage/s/article/K63123740 I've read the above KB, where it says "the RDP client doesn't like the certificate request," but I'm not sure why. RDP should support certificate requests; users authenticate with token certificates all the time when RDP'ing to resources, unless I'm misunderstanding what is happening? With that article I thought maybe the Server SSL profile would be an issue, but only changing the Client SSL profile certificate settings affects login. Any help would be appreciated, thanks!

Changing Virtual Server's Access Profile with TMSH
I'm trying to perform an action in TMSH that would be otherwise simple in the F5 Console GUI. When you navigate to Local Traffic -> Virtual Servers -> Virtual Server List and click on a given virtual server, you can then scroll down and change the Access Profile assigned to that virtual server in the Access Profile dropdown, click Update, and you're done ... quite simple. It seems like the way to change to a different profile for a given virtual server in TMSH is to just delete the old one and then add a new one. However, when I tab to try to see my options for autocomplete after the add or delete part of my command, it only shows SSL Profiles and HTTP Profiles as options, not Access Profiles. Here is the TMSH command I'm talking about:

modify ltm virtual MY_VIRTUAL_SERVER profiles add { [NO OPTION FOR ACCESS PROFILES HERE]

Is there a way to change a virtual server's assigned access profile using a TMSH command without having to edit bigip.conf directly?

<RESOLVED> APM Per-session Policy ERR_CONNECTION_RESET
We have an issue with an access profile's per-session policy. We tried to create a SAML Identity Provider for Applications, the Network Access Setup Wizard for Remote Access, or to manually create the configuration using this guide: https://techdocs.f5.com/en-us/bigip-16-1-0/big-ip-access-policy-manager-saml-configuration/using-apm-as-a-saml-idp-sso-portal.html#GUID-42E93E4B-E4FC-4C3D-AE53-910641D5755C. We also tried to create the VS and per-session policy profile manually. In our testing, all methods we tested above resulted in a connection reset. It seems to get stuck or fail on the LOGON step of the visual editor policy. We did a tcpdump during this operation and found out that the F5 sends a connection reset after returning agent_logon_form.eui. Any place we should look into? Note: there is no firewall in between.

We managed to resolve this with help from an F5 engineer. It turns out that BIG-IP needs IPv6 to be activated, even though our external clients use IPv4 only.

Is SSO from LTM+APM VS to Webtop w/Advanced Resource Assignment possible?
Hello, I am attempting to get SSO working between Access Profiles and I have hit a road block. Here is the behavior I am experiencing (as summarized by support):

1) Client connects to the LTM+APM VS, authenticates to APM and is granted access to the SharePoint pool.
2) While the LTM+APM session is still valid, the client initiates a connection to a third-party SP, which redirects the user to BIG-IP as IdP for auth.
3) When the client sends a request to BIG-IP as IdP, it provides the LastMRH_Session cookie that it received from the LTM+APM VS. This is because the LTM+APM VS is configured with an SSO Domain of company.com and the APM VS hostname is in that domain (portal.company.com).
4) Because the session cookie provided to the APM VS is already valid/authenticated, it doesn't process through the Access Policy, and as a result the user is never assigned the Webtop and SAML Resources, and then receives a connection reset.

You should be able to prevent the same session cookie being provided to both Virtual Servers by removing the SSO Domain in both Access Profiles. While it did fix the issue, it broke SSO between VSs on the same Access Profile. I’ve thought about using a multi-domain SSO profile for the LTM+APM VS, which would resolve that issue. But I would still be unable to SSO from the LTM+APM VS to the APM VS. So here is my question: Is there any way to accomplish SSO between an LTM+APM VS and an APM (Webtop w/advanced resource assignment) VS? Or is my only option to switch the SAML IdP with Webtop configuration to a SAML IdP without Webtop configuration (https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/29.html)? Please let me know. The primary reason we went with a Webtop was to limit who could access which SAML resources. It appears to me that we have to choose between SSO and dynamic assignment of resources. Thanks for taking the time to read this.
Please let me know if you have any questions.

Public / Free Internet Access portal using external logon page
Hi, I am building an access portal for an Internet hotspot that a customer will offer as a free service for their customers. My idea is to use a virtual server using Performance Layer 4 to route all traffic to the Internet using a 0.0.0.0/0 destination. To this virtual server I have added an iRule that checks if the source IP has a valid session in the APM session table. If it does, I will let the user through to the Internet. If not, I will redirect the user to another virtual server that has an access policy that directs the user to an external logon page. This is where I run into problems. When the user starts the browser for the first time, it gets redirected by my iRule to the virtual server using the access policy and the user gets the login page presented. A pending session is also created, which is all as it should be. However, when the user enters the form information and presses "logon", the following message is presented:

Invalid Session ID. Your session may have expired.

When I click on the "create new session" link on the page presenting the above message, the external logon page starts working and I can POST the information. After posting, the session turns green and the user can safely pass to the Internet. I should add that I host the external logon page behind another virtual server within the same BIG-IP device; not sure if that should cause problems. Also, when trying the built-in logon page this works fine. Only when using the external logon page does it fail. Anyone have any bright ideas?

Importing APM 11.3 Access Profile to 11.4 APM
Hello, I'm trying to import an access profile that has been exported from an 11.3 APM. We need to do it in order to check that the profile will run properly after we upgrade. The import process fails with all the profiles I've tried. It always shows a similar error:

Import Error: /shared/tmp/import/imp-140121-141624-954/access_profile.conf doesn't exist.

This doesn't happen when I import an 11.4 Access Profile. Isn't it possible to import a previous version profile? Is there any way to convert it?

SSO / Auth Domains not maintaining session
I am setting up an SSO/Auth Domain Multiple Domains config to share access sessions across multiple Virtual Servers and have struck an issue. I am following the details from here: http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-sso-config-11-1-0/4.html and http://blog.garraux.net/2013/05/f5-access-policy-manager-multi-domain-sso/, as well as the training material (where I did this in the course and it worked). But what I am finding in my environment (which is 11.4.1 HF2) is that when I go to the Primary Auth URI I get in all good; if I go to any of the auth domains then it redirects me to the Auth URI, but this does not see any existing session, and then sends me back to the auth domain, and back to the primary URI in a loop. I am wondering if it's related to this question from a few weeks ago, as the session resetting behaviour sounds about right for what is happening: https://devcentral.f5.com/questions/apm-recreating-session-when-user-hits-default-url Anyone seen this or have any good ideas?