Enabling SharePoint 2013 Hybrid Search with the BIG-IP
Over my past several blog posts, I’ve talked about federating our on-premise environments with Office 365. Now that we have that handled (it’s handled, right?), let’s talk about another lesser-known piece of the puzzle: hybrid SharePoint environments. With federation and SSO between on-premise applications and Office 365 provided by the BIG-IP and APM (Access Policy Manager), users can move seamlessly between their on-premise SharePoint and SharePoint Online as if they were one integrated application. Cool, right? But what about when I need to search for content across environments? Funny I should ask. That’s what this post is all about. Microsoft actually has this figured out. The only piece missing is a device that can act as the reverse proxy for the on-premise environment and facilitate the secure connection between the two environments. Hmmm… What could we use?

Configuring Hybrid Search for SharePoint 2013

This post covers the pieces required to use the BIG-IP as a reverse proxy for a hybrid SharePoint search deployment. For guidance on configuring both your on-premise SharePoint 2013 and SharePoint Online environments, refer to the Hybrid for SharePoint 2013 guidance provided by Microsoft. It’s quite thorough and, to be honest, a little daunting.

Currently, Microsoft’s SharePoint 2013 hybrid capabilities are intended to let users in Office 365 access and search across certain content from an on-premises SharePoint farm. For detailed information on architectural recommendations and limitations, take a look at the blog post from Microsoft architect Steve Peschka.

Client certificate authentication is used to allow secure access for hybrid search (SharePoint content located both on-premise and in the cloud) from the Office 365 environment. To accomplish this, a target application is configured in the SharePoint Online Secure Store, together with a client certificate issued by a public root certificate authority.
Figure 1 – SharePoint Online Secure Store & Target application

Configuring the BIG-IP for Client Certificate Authentication

The following configuration was tested by F5 in collaboration with the Office 365 product team. The testing was conducted at the Microsoft Technology Center in Irvine, where an environment was provided for hybrid enterprise search and LOB scenarios between O365 and on-premise SharePoint farms. We collaborated with the MTC’s expert staff and took advantage of the alliance partnership between Microsoft and F5, whose solutions were made available as part of their engagement.

For the purposes of hybrid search, the BIG-IP LTM (Local Traffic Manager) acts as a reverse proxy providing a secure Internet-facing endpoint for connections from the SharePoint Online environment. The deployment of SharePoint behind the BIG-IP can be configured either manually or via the BIG-IP iApp. Once SharePoint 2013 has been successfully deployed, it is a simple matter of modifying the virtual server’s Client SSL Profile.

Figure 2 – SharePoint 2013 On-Premise Virtual Server

The Client SSL Profile is configured to require a client certificate for successful access. Additionally, the certificate must be issued by the specified certificate authority, whose CA certificate is installed on the BIG-IP. In the example below (Figure 3), the client certificate presented must be issued by StartCom, Ltd.

Figure 3 – Client SSL Profile with Client Authentication Required

As long as the certificate installed and configured in the SharePoint Online Secure Store is valid and issued by the appropriate certificate authority, users in O365 will be able to search for and receive results from the on-premise SharePoint environment.

Enhancing Security with iRules

Ok, the above configuration provides security for the hybrid connection via client certificates. However, it’s still vulnerable. As previously noted, the certificate used must be issued by a public root certificate authority.
While this is good, it does not guarantee that the certificate presented is the actual certificate configured in the SharePoint Online environment. It merely guarantees that the certificate was issued from the same place (StartCom, Ltd. in our example). Fortunately, there’s an iRule for that! The iRule provided below examines the client certificate presented and ensures that its serial number matches that of the certificate configured in SharePoint Online. This ensures not only that the presented certificate was issued by a specific and valid certificate authority, but also that the certificate itself is an exact match.

Figure 4 – Granular_Cert_Verification iRule validating the Client Certificate Serial Number

```tcl
when CLIENTSSL_CLIENTCERT {

    # Check if the client provided a cert
    if {[SSL::cert 0] eq ""} {

        # No certificate presented: reset the connection
        reject

    } else {

        # Example Subject SN: 01 ED 51
        set subject_sn [X509::serial_number [SSL::cert 0]]
        log "Client Certificate Received: $subject_sn"

        # Check if the client certificate contains the correct serial number.
        # Note: "contains" is a substring test; "equals" would enforce an exact match.
        if {$subject_sn contains "0c e4 11"} {
            # Accept the client cert
            log "Client Certificate Accepted: $subject_sn"
        } else {
            log "No Matching Client Certificate Was Found Using: $subject_sn"
            reject
        }
    }
}
```

Figure 5 – Client Certificate Subject Name

Figure 6 – iRule Assigned to Virtual Server

That’s It! Not too bad, huh? Of course, this is the easy part. We still need to ensure that we have properly configured both environments (on-premise and Office 365) to enable the hybrid search functionality. Accomplishing that is a little more tricky, but definitely doable. Be sure to refer to the links below for information from Microsoft on how to set this up. In addition, check out Steve Peschka’s blog posts for more information.
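As an added example (not the post’s iRule and not F5 code; Python standard library only), here is the same serial-number pinning check done off-box: it pulls the serialNumber out of a DER-encoded certificate, normalizes the colon/space/case variations serial numbers are printed with, and contrasts an exact comparison with the substring test that the iRule’s `contains` performs. The DER inputs are constructed, truncated TBSCertificate prefixes, not real certificates.

```python
# Added example (not part of the original post or F5's iRule): extract a client
# certificate's serialNumber from DER and pin it with an exact comparison.
# Standard library only; the certificates below are constructed, truncated
# TBSCertificate prefixes (just enough structure to reach the serial).

def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_serial_number(cert_der: bytes) -> str:
    """Return the serialNumber of an X.509 certificate as lowercase hex."""
    tag, cert_body, _ = _read_tlv(cert_der, 0)        # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, _ = _read_tlv(cert_body, 0)             # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, val, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                                   # optional [0] EXPLICIT version
        tag, val, pos = _read_tlv(tbs, pos)
    if tag != 0x02:                                   # serialNumber INTEGER
        raise ValueError("missing serialNumber")
    return val.hex()

def normalize_serial(serial: str) -> str:
    """Canonical form: drop colons/spaces, lowercase, strip DER leading zeros."""
    s = serial.replace(":", "").replace(" ", "").lower()
    return s.lstrip("0") or "0"

def serial_matches_exact(presented: str, expected: str) -> bool:
    """The pinning check: the whole serial must match."""
    return normalize_serial(presented) == normalize_serial(expected)

def serial_matches_substring(presented: str, expected: str) -> bool:
    """Mirrors the iRule's 'contains' test, which only needs a substring hit."""
    return normalize_serial(expected) in normalize_serial(presented)

# Constructed samples: v3 cert with serial 0c e4 11, v1 cert with serial 01 ed 51.
SAMPLE_V3_DER = bytes.fromhex("300c300aa003020102" "02030ce411")
SAMPLE_V1_DER = bytes.fromhex("30073005" "020301ed51")

if __name__ == "__main__":
    sn = der_serial_number(SAMPLE_V3_DER)
    print(sn, serial_matches_exact(sn, "0c e4 11"))
    print("substring pitfall:", serial_matches_substring("10ce411f", "0c e4 11"))
```

The last line shows why the exact form is preferable: a serial such as 10ce411f would satisfy a substring test for 0c e4 11 while failing the exact comparison.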
Additional Links:

Hybrid for SharePoint Server 2013
Configure hybrid Search for SharePoint Server 2013
F5 and SharePoint 2013 – Deployment Guidance
Architecture Design Recommendation for SharePoint 2013 Hybrid Search Features – Steve Peschka Blog
Big-IP and ADFS Part 1 – “Load balancing the ADFS Farm”

F5 BIG-IP LTM pool no outbound traffic

Hello, I am trying to set up a new virtual server (port 80) on F5 BIG-IP. I can ping the VIP and all its member IPs. I can ping the self IP of the F5 from the member server. The service is HTTP and it runs normally when I access the server directly, but it gives me a blank page if I access it using the VIP. When I check the pool statistics, it shows bits & packets IN but no bits & packets OUT. I am totally new to this BIG-IP thing; can someone please guide me as clearly as possible on what I should do to get this working? Thanks in advance :)

F5 App Error - Routing Table Could Not be Patched - MacOS

Hi All, I've been having issues connecting to the F5 VPN BIG-IP Edge client with the newer MacBook Pro with the i9 processor (15") running the Mojave MacOS. It goes through the checks OK, and before it connects it disconnects straight away, then keeps reconnecting and disconnecting again. Using another Mac machine (MacBook Air) I'm able to connect perfectly fine with the exact same settings. I've done a clean install on both machines to see if I could replicate the issue, but it looks like it could be either software or hardware locally, with the machine not being able to write to the routing table. I've contacted the F5 support team that we use and the logs say that it's connecting fine, but it just drops out on the local machine's end. Looking at the debugging logs I can see that I get an error:

2019-07-16, 15:45:35:000, 853, 853, edge, 48, Tunnel Server, Connecting state
2019-07-16, 15:45:36:000, 853, 853, edge, 2, Disconnected state, Error code, Routing table cannot be patched

Can anyone shed some light on this issue? Or how to resolve the "Routing table cannot be patched" error? Any help would be greatly appreciated. Cheers, Gez

First Time setting up F5

Hi all, this is my first time setting up F5 VE from scratch, which is different from managing one which is already set up. I have both application servers up & running and both servers' firewalls are disabled. The F5 external IP and the servers' IPs are on the same subnet and there is no firewall in between. 1) It seems F5 is able to reach ports 5005 and 80 but not 15005. I checked back on both servers and port 15005 is in the "Listening" state.

Ltm::Node: 10.1.1.1 (10.1.1.1)
  Status
    Availability   : available
    State          : enabled
    Reason         : Node address is available
    Monitor        : /Common/icmp (default node monitor)
    Monitor Status : up
    Session Status : enabled

Ltm::Node: 10.1.1.2 (10.1.1.2)
  Status
    Availability   : available
    State          : enabled
    Reason         : Node address is available
    Monitor        : /Common/icmp (default node monitor)
    Monitor Status : up
    Session Status : enabled

Ltm::Pool: QA_Pool_15005
  Status
    Availability           : offline
    State                  : enabled
    Reason                 : The children pool member(s) are down
    Monitor                : QA_15005
    Minimum Active Members : 0
    Current Active Members : 0

Ltm::Pool: QA_Pool_80
  Status
    Availability           : available
    State                  : enabled
    Reason                 : The pool is available
    Monitor                : QA_80
    Minimum Active Members : 0
    Current Active Members : 2

Ltm::Pool: QA_Pool_5005
  Status
    Availability           : available
    State                  : enabled
    Reason                 : The pool is available
    Monitor                : QA_5005
    Minimum Active Members : 0
    Current Active Members : 1

logger /Common/Interface_failsafe_monitor: interface 1.1 is not up (status: )

Hello F5 experts. I have an issue with our two load balancers. I am getting this error:

logger /Common/Interface_failsafe_monitor: interface 1.1 is not up (status: )

I checked the load balancer: interface 1.1 is showing as up. I checked the switch port which connects to interface 1.1; it is also up. Where can this error come from? Many thanks for your help.