iApp variable scope
Hi all, I'm writing my first iApp to automate deployment of a few virtual servers, nodes, pools and iRule data-groups I have finished the presentation section and am now starting on the implementation. One issue that I'm having though is referencing variables assigned from the presentation within tmsh::create, tmsh:modify etc I can read the variables back fine within the base iApp, for example I have the following: puts "Adding SNAT data. $::private__privateAddr maps to $::public__publicAddr" Which logs the following in scriptd.out: Adding SNAT data. xxx.xxx.xxx.xxx maps to xxx.xxx.xxx.xxx Where I run into the issue though is referencing the same variables in tmsh::modify. For example I have the following: proc tmsh_modify { args } { set args [join $args] puts "tmsh modify $args" tmsh::modify $args return [lindex $args [lsearch -glob $args "*_*"]] } puts "Adding SNAT data. $::private__privateAddr maps to $::public__publicAddr" tmsh_modify { ltm data-group internal /Common/snat-map records add { $::private__privateAddr { data $::public__publicAddr } } } This logs the following: [root@ltm02-dev:Active:Changes Pending] config tail -f /var/tmp/scriptd.out -n0 Adding SNAT data. xxx.xxx.xxx.xxx maps to xxx.xxx.xxx.xxx tmsh modify ltm data-group internal /Common/snat-map records add { $::private__privateAddr { data $::public__publicAddr } } So from this I can see the variables are being treated as normal strings. As expected this errors out on the iApp creation screen: script did not successfully complete: ("$::private__privateAddr" invalid address while executing "tmsh::modify $args" (procedure "tmsh_modify" line 4) invoked from within "tmsh_modify { ltm data-group internal /Common/snat-map records add { $::private__privateAddr { data $::public__publicAddr } ..." line:14) I couldn't find any specific information on the scope of variables when used in this manner, perhaps it is just a simple issue of syntax. I'd appreciate if someone can give me some guidance on this. Thanks!Solved857Views0likes6CommentsF5 automated backup script not removing ucs archives/executing post copy clean up commands.
I've installed the https://devcentral.f5.com/codeshare/complete-f5-automated-backup-solution components and when utilizing the scp option have noticed that, although the archives do get copied to remote storage, the /var/local/ucs archives are not being cleaned up. I've seen posts which recommend changing from exec rm -f BACKUPDIRECTORY/$fnameBACKUPFILESCRIPTEXTENSION to exec rm -f BACKUPDIRECTORY/${fname}BACKUPFILESCRIPTEXTENSION which did not help. To me it appears that once the call to execute the bash script, which handles the scp, is performed it never properly returns back to the calling script. I'm basing this on the fact that neither /var/local/usc archives or the /var bash script are ever cleaned up. The commands to remove them immediately follows the call to the bash script. I've modified the command that builds the scp.sh bash, appending the clean up commands to the end of it, so that the clean up happens w/in the bash script before it returns back to the calling script. Before: exec echo -e "put()\n{\n\tfields=\"username server directory\"\n\ti=1\n\tf5masterkey=\$(f5mku -K)\n\tfor current_field in \$fields ; do\n\t\tsedcommand=\"\${i}p\"\n\t\tcurrent_encrypted_value=\$(sed -n \"\$sedcommand\" $configfile)\n\t\tcurrent_decrypted_value=\$(echo \"\$current_encrypted_value\" | openssl aes-256-ecb -salt -a -d -k \$f5masterkey)\n\t\teval \"\$current_field=\$current_decrypted_value\"\n\t\tlet i=\$i+1\n\t\tunset current_encrypted_value current_decrypted_value sedcommand\n\tdone\n\tsed -n '4,\$p' $configfile | openssl aes-256-ecb -salt -a -d -k \$f5masterkey > /var/tmp/scp.key\n\tchmod 600 /var/tmp/scp.key\n\tscp -i /var/tmp/scp.key BACKUPDIRECTORY/${fname}BACKUPFILESCRIPTEXTENSION \${username}@\${server}:\${directory}\n\trm -f /var/tmp/scp.key\n\treturn \$?\n}\n\nput" > $scriptfile After: exec echo -e "put()\n{\n\tfields=\"username server directory\"\n\ti=1\n\tf5masterkey=\$(f5mku -K)\n\tfor current_field in \$fields ; do\n\t\tsedcommand=\"\${i}p\"\n\t\tcurrent_encrypted_value=\$(sed -n \"\$sedcommand\" $configfile)\n\t\tcurrent_decrypted_value=\$(echo \"\$current_encrypted_value\" | openssl aes-256-ecb -salt -a -d -k \$f5masterkey)\n\t\teval \"\$current_field=\$current_decrypted_value\"\n\t\tlet i=\$i+1\n\t\tunset current_encrypted_value current_decrypted_value sedcommand\n\tdone\n\tsed -n '4,\$p' $configfile | openssl aes-256-ecb -salt -a -d -k \$f5masterkey > /var/tmp/scp.key\n\tchmod 600 /var/tmp/scp.key\n\tscp -i /var/tmp/scp.key BACKUPDIRECTORY/${fname}BACKUPFILESCRIPTEXTENSION \${username}@\${server}:\${directory}\n\tcp /var/tmp/scp.key /var/tmp/scp.key.bak\n\trm -f /var/tmp/scp.key\n\trm -f BACKUPDIRECTORY/${fname}BACKUPFILESCRIPTEXTENSION\n\trm -f $scriptfile\n\treturn \$?\n}\n\nput" > $scriptfile This seems to work but I was wondering if anyone else has encountered this issue and has a better solution?679Views0likes1CommentHow do I disable TLS 1.1 for the SharePoint 2010-2013 IAPP v 1.2.1
I am using the SharePoint IAPP to support our SharePoint farm. We are on 2013. We need to disable TLS 1.0 and 1.1 and I want to do so without breaking our SharePoint implementation. I am not able to change the existing SSL Client Profile because I am using the IAPP. Guidance for the best way to resolve this would be very much appreciated.389Views0likes1CommentPort redirect for only *some* urls
I have a web server that is set up with the basic http iApp, and is configured to accept traffic on port 443, and redirect traffic on port 80 to 443. The web server itself accepts traffic on port 443 for most urls, but requires port 6443 for others, e.g.: https://mywebserver.domain.com/login Only works on port 443, whereas everything under the 'subdir' url https://mywebserver.domain.com/subdir/webpage Requires port 6443 to be accessed. Does anyone know of a way to handle this easily with an irule, preferably without showing :6443 in the url? Thanks in advance!456Views0likes2CommentsF5 iApp Exchange 2016 AD - Authentication Fail - UPN suffix mismatch
Hi Everybody We are in the process of deploying Exchange 2016 / Outlook 2016 with F5 v11.6.0 (build 4.0.420) and APM. Our reference is the Exchange 2016 deployment guide (https://www.f5.com/pdf/deployment-guides/microsoft-exchange-2016-dg.pdf). We are using the latest iApp . Without APM it seems to be working fine, but as soon as we enable APM we are having athentication problems with Outlook Anywhere. When we start Outlook 2016, it tries to authenticate using UPN firstname.lastname@company.com. The internal domain used however is company.local instead of company.com. So we are running into the problem described here (https://support.f5.com/csp/article/K12252), where UPN suffix does not equal domain suffix. I get the same error "... Please verify Active Directory and DNS configuration...." when doing a manual adauth test via CLI. We cannot seem to get the workaround descibed to work (replace APM AD Auth with LDAP). Does anybody have a reference or can tell me if it is even possible to configure the APM (i.e. modify the iApp) to use LDAP instead of AD Auth with SSO in this scenario? Any advice would be greatly appreciated. Thanks in advance. Ingo371Views0likes1CommentCompletely Lost Trying to Set Up SSL For the Skype for Business Reverse Proxy iApp
Hey All. Doing my first ever Skype for Business deployment and I have most everything working properly (Internal/External IM/Presence and AV calls all work great for the desktop client). Now I am trying to set up my two Big-IP's to do reverse proxy traffic and I am honestly completely lost. Allow me to explain. I have a dual Big-IP setup in my test lab. I have one in my DMZ which is set using the iApp to forward reverse proxy traffic to my internal which is set through the same iApp to receive reverse proxy traffic. I have given it it's own public IP which is NAT'd to the DMZ F5 DMZ address. The DMZ F5 also has a self IP on the DMZ subnet for which I have opened 443, 80, 4443, and 8080 up to the VIP of the F5 on my internal lab subnet. The iApp on the DMZ Big IP shows green for the internal server so it looks like they're talking to eachother ok. Here's where I start beating my head against the wall, and before I go into detail I am going to come out and say that I have not yet configured a SSL profile on either Big IP which may be my issue here. If I download the Skype for Business app on my phone and try to sign into Skype with my SIP address and username, I get a certificate warning that comes from the DMZ Big IP so I know that my device at least makes it through the public/NAT IP address to the DMZ Big IP. But then after I click continue on the certificate warnings it will say signing in for a second and then juts kick me back to the logon screen. This has me wondering if the traffic is getting stuck somewhere in the chain of F5's, if it is a SSL issue, or if it is a configuration issue on my Skype Frent Ends somewhere and was hoping someone could provide some guidance. A followup question that I have to this is regarding what certificate to import and set up on my Big IP units. On my edge servers, I have a public certificate issued by a CA. On my FE servers I have a certificate assigned by my internal CA per Microsoft best practices. I would imagine that I should use the public cert, but the iApp states that "The certificate you select here MUST match the certificate you used in your Skype web services configuration." This would indicate that I would need to use the certificate from my FE servers, but then no mobile devices are not going to trust this certificate. Any advice here on exactly what I should do here would be greatly appreciated. Thanks!226Views0likes0CommentsFirewall config for Skype for Business Reverse Proxy
Hey Everyone: I recently completed setting up an edge pool for my Skype for Business 2015 deployment and all of my services are working as intended (IM/Presence and Video calls). I now wish to deploy reverse proxy services to allow mobile devices to connect externally. Fortunately for me I just so happen to have a Big IP in my DMZ and another Big IP in my internal network with my FE pool. I am a bit confused about the ports that need to be open on different sides of the networks. I understand that the DMZ F5 is going to get it's own public IP address which will be NAT'd to my DMZ subnet where my DMZ F5 "lives". I understand also that I will specifically be NAT'ing TCP 80 and 443 to the Big IP. Using the iApp I am going to have it forward reverse proxy traffic over to my internal Big IP which "lives" on my messaging subnet (just the subnet I have Skype and Exchange running on) and the internal will have the Skype iApp configured to receive the reverse proxy traffic from the DMZ Bip IP. My question is, do I open ports 443 and 80 between the two Big IP's and then have 4443 and 8080 open between the internal Bip Ip and the FE pool? Or is there something I am missing where I'd open 4443 and 8080 between the two Big IP's (which I don't think is the case, just verifying). Thanks all!Solved927Views0likes7CommentsSSL Offloading not functioning properly for SharePoint 2013
Dear All, We have a share point application which needs to be load balanced through F5. The applications have been configured using F5 verified iApp and the same is working well when we run as HTTP in both front & back end . Since the requirement is to do the SSL offloading , we have recreated the same using iApp and we realized some application accessibility issue .there are some HTTP references inside the webpage itself and most of the images are not loaded at the client end. When we inspect partially loaded webpage at client browser, have received Mixed content warning . Do you have any suggestion regarding this ? I believe that iApp is designed in such a way that it should support smooth integration of most of the complex applications in F5.300Views0likes3Comments