Kerberos Authentication Failing for Exchange 2016 Behind F5 Cloud WAF
Hi Team,

We're running Microsoft Exchange Server 2016 CU24 on Windows Server 2019, and have enabled Kerberos (Negotiate) authentication due to NTLM being deprecated in F5 Cloud WAF.

Environment summary:
- Exchange DAG setup: 4 servers in Primary Site, 2 in DR Site
- Active Directory: Windows Server 2019
- F5 Component: Cloud WAF (BIG-IP F5 Cloud Edition) handling inbound HTTPS traffic
- Namespaces: mail.domain.lk, webmail.domain.lk, autodiscover.domain.lk
- Authentication configuration: Negotiate (Kerberos) with NTLM, Basic, and OAuth as fallback
- SPNs: Correctly registered under the ASA (Alternate Service Account) computer account
- Certificate: SAN includes mail, webmail, and autodiscover

Current status:
- Internal domain-joined Outlook 2019 clients work without issue.
- Outlook 2016, Office 2021, and Microsoft 365 desktop apps continue to prompt for passwords.
- Internal OWA and external OWA through F5 Cloud WAF both work correctly.

Observation:
- Autodiscover XML shows <AuthPackage>Negotiate</AuthPackage> for all URLs.
- Kerberos authentication works internally, so SPNs and ASA setup are confirmed healthy.
- Password prompts appear only when traffic passes through F5 Cloud WAF, which terminates TLS before reaching Exchange.

Suspected cause:
- F5 Cloud WAF may not support Kerberos Constrained Delegation (KCD) in the current configuration.
- TLS termination on F5 breaks the Kerberos authentication chain.
- NTLM/Basic fallback might not be fully passed through from WAF to backend.

We would appreciate clarification on:
1. Does F5 Cloud WAF support Kerberos Constrained Delegation (KCD) for backend Exchange 2016 authentication?
2. If not, can Kerberos pass-through or secure fallback methods (NTLM/Basic) be enabled?
3. Recommended configuration for supporting Outlook 2016 and Microsoft 365 clients when Exchange advertises Kerberos (Negotiate)?
4. Is there an F5 reference configuration or iRule template for this scenario (Exchange 2016 + Kerberos)?
Thank you for your guidance.

F5 APM EMAIL Alert: failed VPN connection
Hello All,

I need a solution for APM VPE editor Macros for the below. Any help on this would be much helpful.

Actually, when the user fails to log in to the VPN they should receive an email stating the reason why they failed to log in. Reasons might be like this (1 = pass, 0 = fail):

=====================================================================================
Subject: F5 VPN session failed: session ID
Message:
Hello User: username,
Your VPN session failed.
1. Certificate check: 1
2. MFA : 0 or 1
3. AV check: 1 or 0
4. Firewall check: 1:0
5. AD Auth: 1 or 0
Your session has failed due to the above reason where it's mentioned as 0. Kindly get in touch with the Network administrator to get the issue fixed. To self troubleshoot click on the link: SNOW KB link.
===============================================================================================

TIA

LTM :: SMTPS Command Injection
It seems the SMTPS profile on the LTM allows command injection. It is detected as:

SMTP Service STARTTLS Plaintext Command Injection (52611) :: The remote SMTP service contains a software flaw in its STARTTLS implementation that could allow a remote unauthenticated attacker to inject commands during the plaintext protocol phase that will be executed during the ciphertext protocol phase. Successful exploitation could allow an attacker to steal a victim's email or associated SASL (Simple Authentication and Security Layer) credentials.

To test, we modified the standard python smtplib library to send a malicious version of the command by appending the HELP command after STARTTLS. Packet capture shows execution of the command:

What have folks done to get around this outside of writing an iRule? This is what I came up with... which SEEMS to work... but I'm by no means an expert.

    when CLIENT_DATA {
        if { [string tolower [TCP::payload 10]] starts_with "starttls" } {
            TCP::payload replace 0 [TCP::payload length] "STARTTLS\r\n"
        }
        TCP::release
        TCP::collect
    }
    when SERVER_CONNECTED {
        TCP::collect
    }
    when SERVER_DATA {
        TCP::release
        clientside { TCP::collect }
    }

email alert notification not working when member came up again
Hello guys,

I've configured this:
https://support.f5.com/csp/article/K3667
https://support.f5.com/csp/article/K59616664

I receive alerts when a node goes down, but not when it comes up again. What could be the problem?

    Oct 3 23:02:57 my.website.com notice mcpd[8459]: 01070640:5: Node /Common/172.17.70.18 address 172.17.70.18 monitor status down. [ /Common/icmp: down ] [ was up for 24hrs:2mins:5sec ]
    Oct 3 23:02:57 my.website.com notice mcpd[8459]: 01070640:5: Node /Common/172.17.70.19 address 172.17.70.19 monitor status down. [ /Common/icmp: down ] [ was up for 24hrs:2mins:6sec ]
    Oct 3 23:02:57 my.website.com notice mcpd[8459]: 01071682:5: SNMP_TRAP: Virtual /Common/dev-myweb has become unavailable
    Oct 3 23:02:59 my.website.com notice mcpd[8459]: 01070728:5: Node /Common/172.17.70.18 address 172.17.70.18 monitor status up. [ /Common/icmp: up ] [ was down for 0hr:0min:2sec ]
    Oct 3 23:03:02 my.website.com notice mcpd[8459]: 01070728:5: Node /Common/172.17.70.19 address 172.17.70.19 monitor status up. [ /Common/icmp: up ] [ was down for 0hr:0min:5sec ]

Wrong SNMP Trap email alert being triggered in user_alert.conf
I currently have two webpages being hosted on the same server. I am using F5 to monitor those pages with the HTTPS health monitor. I have two separate monitors for the two pages. My goal was to be able to receive email alerts when one of the monitors would fail, but I wanted the email to state which monitor exactly was the one generating the alert so that I can know immediately which page is no longer up. I did the following in the user_alert.conf:

    alert WEBPAGE1 Monitor Fail " SNMP_TRAP: Pool /Common/Test_Pool member Server_Test (ip:port=10.100.X.X:0) state change green --> red ( Monitor /Common/WebPage1_Monitor from 10.10.X.X : connect: timeout search result false)" {
        snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.200";
        email toaddress="anton639@email.com" fromaddress="F5_BIGIP " body="Webpage1 Monitor Fail"
    }

    alert WEBPAGE2 Monitor Fail " SNMP_TRAP: Pool /Common/Test_Pool member Server_Test (ip:port=10.100.X.X:0) state change green --> red ( Monitor /Common/WebPage2_Monitor from 10.10.X.X : connect: timeout search result false)" {
        snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.201";
        email toaddress="anton639@email.com" fromaddress="F5_BIGIP " body="Webpage2 Monitor Fail"
    }

My issue is that when I am testing and I intentionally stop webpage 2 from running, I am receiving the email alert for webpage one. I am assuming the SNMP trap text used to identify the event is not differentiating between the two monitors and is sending the first SNMP trap in the list. Is it possible to send an email alert for the specific health monitor that is failing even though the monitors are of the same type? What can be changed in my configuration to achieve this? Your assistance will be appreciated.

Just upgraded to 12.1 and getting many 'cron' emails?
I just recently upgraded from 11.3 to 12.1 and am for some reason now getting my email appliance spammed with cron job emails. Any idea how to stop this? Since yesterday I have over 2,000 emails queued because the mail server doesn't recognize the domain name. Seems to happen every minute from the two F5 appliances.

Example of one email:

    Sender: root@f5name.fqdn.com
    Recipient: postmaster@f5name.fqdn.com
    Subject: Cron /sbin/lsusb -v -d 0451:3410 >/dev/null

F5 ASM Custom Block Response - mailto link insert support-id into subject
Hello!

How can I create a block response that would copy the <%TS.request.ID()%> into the subject of the e-mail when clicking the mailto-link? HTML-encode doesn't work because the user would get the value <%TS.request.ID()%> instead of the actual number. When I put the stuff in the mailto link in "" then it doesn't work at all. Is there any Javascript or other means of sorcery that could accomplish this?

Kind regards,
Erkki

    Request Rejected
    The requested operation was rejected by Web Application Firewall. If this is a mistake then please kindly inform the WAF team.
    Contact by phone: +372-blah and tell them the support ID: <%TS.request.ID()%>
    You can also reach us by e-mail:

Sending HTML Emails via APM Email Action
Hi All,

Is it possible at all to send HTML emails (so as to include an image in the email body) via the APM policy by default? I see a few threads from years gone by where people were asking for this, but no solid answers. Alternatively, without having to write out the entire SMTP conversation and instead leveraging the email options on F5, is it possible to iRule this in its simplest form?

Many thanks,
JD

Bit Bucket for SMTP Traffic
I'm looking for a solution that basically accepts SMTP connections, but sends all mail to a bit bucket -- almost like a /dev/null. The problem I'm running into is I can't just use a simple iRule that "drops" or "rejects" the traffic. I would need to accept the connection and somehow find a way to spoof the initial EHLO response from the F5. Any suggestions would be greatly appreciated.