Questions on when to update a existing iApp
Have the below questions on F5 iApps We were updating a cert on one of the exchange iApps and it worked well on one device but through a error "01b4002b:3:Client SSL Profile (/Common/test-exchang.app/test-exchang_clientssl): the profile has no RSA/Key Pair that can be modified" on another F5. Was able to apply the cert on the iApp using a workaround, Applied clientssl cert and later updated to newcert, it worked. Is there anything we need to check? What is the permanent fix for this, Do we need to update the iApp? How do we update a existing iApp. I see the same iApp version when I download
What is an iApp?
iApp is a seriously cool, game changing technology that was released in F5’s v11. There are so many benefits to our customers with this tool that I am going to break it down over a series of posts. Today we will focus on what it is. Hopefully you are already familiar with the power of F5’s iRules technology. If not, here is a quick background. F5 products support a scripting language based on TCL. This language allows an administrator to tell their BIG-IP to intercept, inspect, transform, direct and track inbound or outbound application traffic. An iRule is the bit of code that contains the set of instructions the system uses to process data flowing through it, either in the header or payload of a packet. This technology allows our customers to solve real-time application issues, security vulnerabilities, etc that are unique to their environment or are time sensitive. An iApp is like iRules, but for the management plane. Again, there is a scripting language that administrators can build instructions the system will use. But instead of describing how to process traffic, in the case of iApp, it is used to describe the user interface and how the system will act on information gathered from the user. The bit of code that contains these instructions is referred to as an iApp or iApp template. A system administrator can use F5-provided iApp templates installed on their BIG-IP to configure a service for a new application. They will be presented with the text and input fields defined by the iApp author. Once complete, their answers are submitted, and the template implements the configuration. First an application service object (ASO) is created that ties together all the configuration objects which are created, like virtual servers and profiles. Each object created by the iApp is then marked with the ASO to identify their membership in the application for future management and reporting. That about does it for what an iApp is…..next up, how they can work for you.
Oracle Weblogic with F5 issue,Jsession your session has expired
What can be done to resolve an issue on an oracle weblogic VIP which offloads SSL, The page loads and a "YOUR SESSION HAS EXPIRED" message is popped out,and the page redirects back to login page. When the backend servers are called directly, no such error is encountered. I already deployed an iapp for this,and it didn't solve the issue.
Office 365 iApp on 13.1.1?
I'm about to setup a Office365 webtop on 13.1.1.4, and I've noticed that the iApp does not officially support that version. According to the README the iApp only supports up to 12.0. This is the top of the README: Version: f5.microsoft_office_365_idp.v1.1.1rc1 Last modified: January 2019 iApp requires: BIG-IP version 11.3 - 12.0 The deployment guide (listing the exact version, 1.1.1rc1, of the iApp file) says "11.3 - 13.0". There's also a note in the README saying an issue was resolved in the iApp for 14.1 users, leading me to believe 13.1 should be fine: Corrected an issue that caused TCL iApps using client-ssl profiles to break when the iApp was reconfigured. This issue only affected iApps running on BIG-IP 14.1. So... am I safe using this in 13.1? The BIGIP in question is in production and it's uptime is important, I don't want to make any mistakes on this.Office 365 iApp on 13.1.1?
I'm about to setup a Office365 webtop on 13.1.1.4, and I've noticed that the iApp does not officially support that version. According to the README the iApp only supports up to 12.0. This is the top of the README: Version: f5.microsoft_office_365_idp.v1.1.1rc1 Last modified: January 2019 iApp requires: BIG-IP version 11.3 - 12.0 The deployment guide (listing the exact version, 1.1.1rc1, of the iApp file) says "11.3 - 13.0". There's also a note in the README saying an issue was resolved in the iApp for 14.1 users, leading me to believe 13.1 should be fine: Corrected an issue that caused TCL iApps using client-ssl profiles to break when the iApp was reconfigured. This issue only affected iApps running on BIG-IP 14.1. So... am I safe using this in 13.1? The BIGIP in question is in production and it's uptime is important, I don't want to make any mistakes on this.
Can we add a variable reference in a Send String via iApp
Hi, I have an application running via an iApp. I need to add a https monitor to it. Now the thing is the fqdn has over 40 ips, so wanted to know if we can add a variable reference in the send string, tried the below but gives an error. I tried using a variable dest1 and tried to call it in the send string but it does not take the template. set dest1 \[ lindex \[ RESOLV::lookup @$::dns_recursor -a $::fqdn__dns \] 0 \] proc create_monitor { } { set monitor_type "https" set monitor_name "external_${tmsh::app_name}-monitor" set monitor_interval "5" set monitor_timeout "16" set send {"GET / HTTP/1.1"} append send {"\n\n\r\n"} set destination /$dest1 tmsh::create / ltm monitor $monitor_type $monitor_name interval $monitor_interval timeout $monitor_timeout send $send destination $destination } can anyone put some light on this. Thanks, Aditya
AutoDiscover Issue with Exchange 2016 iApp
Hello together, got one big problem: I have deployed successfully the iApp template of Exchange 2016 and the customer wants to use OWA and AutoDiscover Service. The AutoDiscover Service is not working as expected.. so the user cannot authenticate with e-mail or domain\username. My Access Policy: Logon Page (Split Domain from full Username YES) -> AD Query (Cross Domain Support DISABLED) -> AD Auth (Cross Domain Support ENABLED) -> SSO Credential Mapping (default). I used the right Domains and Access Profiles. OWA is a logon possible with E-Mail, User and domain\User. But AutoDiscover is just User and domain\User. E-Mail is NOT working. Does anyone know, how the users could finally authenticate via E-Mail? They're claiming that they're not able to use AutoDiscover Thanks in Advance! HankRemoving the 'reject' keyword from a virtual, using TMSH / iApp
I have an iApp which creates a virtual server. Depending on one of my iApp choices, this is either configured as a normal load-balancing virtual server (displayed as "Standard" in the web GUI), or to reject all traffic (displayed as "Reject" in the web GUI) However, I cannot seem to find a way to toggle the 'reject' value and turn it back into a normal virtual server. For example, the current iApp template code contains: set cmd "ltm virtual ${vname} destination ${ip}:${port}" if {[iapp::is ::net__reject "yes"]} { append cmd " reject" } iapp::conf create $cmd If I create a new application based on this template and set the net.reject choice to no, it creates the virtual server without the reject keyword; if I then reconfigure and set the net.reject choice to yes it modifies the virtual server and adds the reject keyword; but if I reconfigure again and set the net.reject choice back to no it does not remove the reject keyword. So how does one remove the reject keyword in my iApp (or in tmsh, for that matter)?
Selecting Server SSL in iRule and iApp
Hi, I know that this is not usual situation to modify anything in iApp objects. Anyway I did it for some test purposes and something took me off guard. Setup: iApp with Client SSL Server SSL iRule with code like that: set profile "SSL::profile ${ssls}" if { [PROFILE::exists serverssl] == 1} { Trying to set profile specified by ssls var if { [catch {eval $profile}] } { Setting profile failed - most probably profile with name specified by ssls var does not exixst catch {eval $disable} Client connection should be rejected reject is triggering LB_FAILED and HTTP respond can be used reject } else { Hide these commands from the iRule parser (in case no serverssl profile is applied) set enable "SSL::enable serverside" if { [catch {eval $enable}] }{ reject } } } Profile specified in [catch {eval $profile}] is from /Common/ folder Profile attached to VS is of course from /Common/iapp_name/ folder Even if there is no error in log and everything looks like success when SERVERSSL_CLIENTHELLO_SEND is triggered (used to set SNI) Server SSL profile reported by [PROFILE::serverssl name] is the one attached to VS. When no iApp based VS is used profile switching works without issue. I wonder if this is because new Server SSL should be in the same folder as iApp attached profile, so not in /Common/ but in /Common/iapp_name/? Piotr
