What is an iApp?
iApp is a seriously cool, game-changing technology that was released in F5’s v11. There are so many benefits to our customers with this tool that I am going to break it down over a series of posts. Today we will focus on what it is.

Hopefully you are already familiar with the power of F5’s iRules technology. If not, here is a quick background. F5 products support a scripting language based on TCL. This language allows an administrator to tell their BIG-IP to intercept, inspect, transform, direct and track inbound or outbound application traffic. An iRule is the bit of code that contains the set of instructions the system uses to process data flowing through it, either in the header or payload of a packet. This technology allows our customers to solve real-time application issues, security vulnerabilities, etc., that are unique to their environment or are time sensitive.

An iApp is like iRules, but for the management plane. Again, there is a scripting language that administrators can use to build instructions the system will use. But instead of describing how to process traffic, in the case of iApp, it is used to describe the user interface and how the system will act on information gathered from the user. The bit of code that contains these instructions is referred to as an iApp or iApp template.

A system administrator can use F5-provided iApp templates installed on their BIG-IP to configure a service for a new application. They will be presented with the text and input fields defined by the iApp author. Once complete, their answers are submitted, and the template implements the configuration. First, an application service object (ASO) is created that ties together all the configuration objects which are created, like virtual servers and profiles. Each object created by the iApp is then marked with the ASO to identify its membership in the application for future management and reporting.
That about does it for what an iApp is... next up, how they can work for you.

Oracle Weblogic with F5 issue, Jsession your session has expired
What can be done to resolve an issue on an Oracle WebLogic VIP which offloads SSL? The page loads and a "YOUR SESSION HAS EXPIRED" message is popped out, and the page redirects back to the login page. When the backend servers are called directly, no such error is encountered. I already deployed an iApp for this, and it didn't solve the issue.

Office 365 iApp on 13.1.1?
I'm about to set up an Office365 webtop on 13.1.1.4, and I've noticed that the iApp does not officially support that version. According to the README the iApp only supports up to 12.0. This is the top of the README:

    Version: f5.microsoft_office_365_idp.v1.1.1rc1
    Last modified: January 2019
    iApp requires: BIG-IP version 11.3 - 12.0

The deployment guide (listing the exact version, 1.1.1rc1, of the iApp file) says "11.3 - 13.0". There's also a note in the README saying an issue was resolved in the iApp for 14.1 users, leading me to believe 13.1 should be fine:

    Corrected an issue that caused TCL iApps using client-ssl profiles to break when the iApp was reconfigured. This issue only affected iApps running on BIG-IP 14.1.

So... am I safe using this in 13.1? The BIGIP in question is in production and its uptime is important; I don't want to make any mistakes on this.

Can we add a variable reference in a Send String via iApp
Hi, I have an application running via an iApp. I need to add an https monitor to it. Now the thing is the fqdn has over 40 IPs, so I wanted to know if we can add a variable reference in the send string. I tried the below but it gives an error. I tried using a variable dest1 and tried to call it in the send string but it does not take the template.

    set dest1 \[ lindex \[ RESOLV::lookup @$::dns_recursor -a $::fqdn__dns \] 0 \]
    proc create_monitor { } {
        set monitor_type "https"
        set monitor_name "external_${tmsh::app_name}-monitor"
        set monitor_interval "5"
        set monitor_timeout "16"
        set send {"GET / HTTP/1.1"}
        append send {"\n\n\r\n"}
        set destination /$dest1
        tmsh::create / ltm monitor $monitor_type $monitor_name interval $monitor_interval timeout $monitor_timeout send $send destination $destination
    }

Can anyone put some light on this?

Thanks,
Aditya

Deleting iApp - Pool and VIPs already gone
Hi, I came across a situation where the VIP and Pool, etc. were created by an iApp. Strict Updates was disabled and the Pool and VIP were removed outside of the iApp. The iApp is not in use, but I'd like to clean up. I was concerned about deleting the iApp since many of the objects under it have already been deleted. Is there any consequence to deleting the iApp via the GUI? I don't want to corrupt the config, or at least I'd like to have an idea of any fallout before I pursue it. BigIP version 13.1.3.4

Thanks for any insights.
Mike

AutoDiscover Issue with Exchange 2016 iApp
Hello together, got one big problem: I have successfully deployed the iApp template of Exchange 2016 and the customer wants to use OWA and the AutoDiscover Service. The AutoDiscover Service is not working as expected, so the user cannot authenticate with e-mail or domain\username.

My Access Policy: Logon Page (Split Domain from full Username YES) -> AD Query (Cross Domain Support DISABLED) -> AD Auth (Cross Domain Support ENABLED) -> SSO Credential Mapping (default). I used the right Domains and Access Profiles.

With OWA, a logon is possible with E-Mail, User and domain\User. But with AutoDiscover it is just User and domain\User. E-Mail is NOT working. Does anyone know how the users could finally authenticate via E-Mail? They're claiming that they're not able to use AutoDiscover.

Thanks in advance!
Hank

Removing the 'reject' keyword from a virtual, using TMSH / iApp
I have an iApp which creates a virtual server. Depending on one of my iApp choices, this is either configured as a normal load-balancing virtual server (displayed as "Standard" in the web GUI), or to reject all traffic (displayed as "Reject" in the web GUI). However, I cannot seem to find a way to toggle the 'reject' value and turn it back into a normal virtual server. For example, the current iApp template code contains:

    set cmd "ltm virtual ${vname} destination ${ip}:${port}"
    if {[iapp::is ::net__reject "yes"]} {
        append cmd " reject"
    }
    iapp::conf create $cmd

If I create a new application based on this template and set the net.reject choice to no, it creates the virtual server without the reject keyword; if I then reconfigure and set the net.reject choice to yes it modifies the virtual server and adds the reject keyword; but if I reconfigure again and set the net.reject choice back to no it does not remove the reject keyword. So how does one remove the reject keyword in my iApp (or in tmsh, for that matter)?

Selecting Server SSL in iRule and iApp
Hi, I know that this is not a usual situation, to modify anything in iApp objects. Anyway, I did it for some test purposes and something took me off guard.

Setup: iApp with Client SSL, Server SSL, iRule with code like that:

    set profile "SSL::profile ${ssls}"
    if { [PROFILE::exists serverssl] == 1} {
        # Trying to set profile specified by ssls var
        if { [catch {eval $profile}] } {
            # Setting profile failed - most probably profile with name specified by ssls var does not exist
            catch {eval $disable}
            # Client connection should be rejected
            # reject is triggering LB_FAILED and HTTP respond can be used
            reject
        } else {
            # Hide these commands from the iRule parser (in case no serverssl profile is applied)
            set enable "SSL::enable serverside"
            if { [catch {eval $enable}] } {
                reject
            }
        }
    }

The profile specified in [catch {eval $profile}] is from the /Common/ folder. The profile attached to the VS is of course from the /Common/iapp_name/ folder. Even if there is no error in the log and everything looks like success, when SERVERSSL_CLIENTHELLO_SEND is triggered (used to set SNI) the Server SSL profile reported by [PROFILE::serverssl name] is the one attached to the VS. When no iApp-based VS is used, profile switching works without issue. I wonder if this is because the new Server SSL profile should be in the same folder as the iApp-attached profile, so not in /Common/ but in /Common/iapp_name/?

Piotr

Exchange 2013 iApp - Block Activesync except from one IP
Have only used the iApp templates with their defaults in the past but now I'm needing to allow only one IP to ActiveSync to it. We are using MobileIron for mobile devices and I want to only allow MobileIron to talk to the F5 for ActiveSync traffic. I believe they will be pointing their MobileIron server to the F5 VIP. Any easy way to do this? I've seen one post with code for an iRule to 'block' all ActiveSync traffic but not allow only one IP. This is what I was referring to:

    when HTTP_REQUEST {
        switch -glob -- [string tolower [HTTP::path]] {
            "/microsoft-server-activesync*" {
                drop
            }
        }
    }