Horizon View "This Page is Not Secure"
I have a connection to my VDI desktops via F5 (build using the iApp) and it essentially works i.e. I can get a virtual desktop although with a slight issue. To start with I enter the URL e.g. https://myvdi.mydomain.com Then after authenticating on the connection server and making my choice of desktop, the URL in the address bar changes to an IP in the range of the private LAN for the virtual desktops e.g. https://10.180.0.80:22443/d/DE841123-FE72-4C6D-A9F3-2E6B7072D7E1/certAccept.html?numPages=3 This results in a typical "this site is not secure" page in IE which I have to manually press on "go on to the webpage." Once I manually continue everything is fine as the URL is then https://myvdi.mydomain.com/portal/webclient/index.html/desktop and I get my authenticated, secure desktop. Does anyone know how I can stop this behaviour?
F5 automated backup script not removing ucs archives/executing post copy clean up commands.
I've installed the https://devcentral.f5.com/codeshare/complete-f5-automated-backup-solution components and when utilizing the scp option have noticed that, although the archives do get copied to remote storage, the /var/local/ucs archives are not being cleaned up. I've seen posts which recommend changing from exec rm -f BACKUPDIRECTORY/$fnameBACKUPFILESCRIPTEXTENSION to exec rm -f BACKUPDIRECTORY/${fname}BACKUPFILESCRIPTEXTENSION which did not help. To me it appears that once the call to execute the bash script, which handles the scp, is performed it never properly returns back to the calling script. I'm basing this on the fact that neither /var/local/usc archives or the /var bash script are ever cleaned up. The commands to remove them immediately follows the call to the bash script. I've modified the command that builds the scp.sh bash, appending the clean up commands to the end of it, so that the clean up happens w/in the bash script before it returns back to the calling script. Before: exec echo -e "put()\n{\n\tfields=\"username server directory\"\n\ti=1\n\tf5masterkey=\$(f5mku -K)\n\tfor current_field in \$fields ; do\n\t\tsedcommand=\"\${i}p\"\n\t\tcurrent_encrypted_value=\$(sed -n \"\$sedcommand\" $configfile)\n\t\tcurrent_decrypted_value=\$(echo \"\$current_encrypted_value\" | openssl aes-256-ecb -salt -a -d -k \$f5masterkey)\n\t\teval \"\$current_field=\$current_decrypted_value\"\n\t\tlet i=\$i+1\n\t\tunset current_encrypted_value current_decrypted_value sedcommand\n\tdone\n\tsed -n '4,\$p' $configfile | openssl aes-256-ecb -salt -a -d -k \$f5masterkey > /var/tmp/scp.key\n\tchmod 600 /var/tmp/scp.key\n\tscp -i /var/tmp/scp.key BACKUPDIRECTORY/${fname}BACKUPFILESCRIPTEXTENSION \${username}@\${server}:\${directory}\n\trm -f /var/tmp/scp.key\n\treturn \$?\n}\n\nput" > $scriptfile After: exec echo -e "put()\n{\n\tfields=\"username server directory\"\n\ti=1\n\tf5masterkey=\$(f5mku -K)\n\tfor current_field in \$fields ; do\n\t\tsedcommand=\"\${i}p\"\n\t\tcurrent_encrypted_value=\$(sed -n \"\$sedcommand\" $configfile)\n\t\tcurrent_decrypted_value=\$(echo \"\$current_encrypted_value\" | openssl aes-256-ecb -salt -a -d -k \$f5masterkey)\n\t\teval \"\$current_field=\$current_decrypted_value\"\n\t\tlet i=\$i+1\n\t\tunset current_encrypted_value current_decrypted_value sedcommand\n\tdone\n\tsed -n '4,\$p' $configfile | openssl aes-256-ecb -salt -a -d -k \$f5masterkey > /var/tmp/scp.key\n\tchmod 600 /var/tmp/scp.key\n\tscp -i /var/tmp/scp.key BACKUPDIRECTORY/${fname}BACKUPFILESCRIPTEXTENSION \${username}@\${server}:\${directory}\n\tcp /var/tmp/scp.key /var/tmp/scp.key.bak\n\trm -f /var/tmp/scp.key\n\trm -f BACKUPDIRECTORY/${fname}BACKUPFILESCRIPTEXTENSION\n\trm -f $scriptfile\n\treturn \$?\n}\n\nput" > $scriptfile This seems to work but I was wondering if anyone else has encountered this issue and has a better solution?
SSO doesn't work with Citrix deployed on BIG-IP
Hi guys, We would like to use our F5 (LTM&APM fully licensed) instead of Netscaler Gateway for access to our Citrix Farm therefore we have recently deployed the newest iApp (f5.citrix_vdi.v2.3.0) to get this configured and I can see some issues with single sign-on already. I can get to the F5 website (Virtual Server - DNS record created) and log-in successfully with my AD credentials but then it will take me to one of our website hosted on our Citrix WI server (Web Interface) which will ask me to log-in again. Providing the same set of credentials I can log in and access all the resources just fine. It looks like the SSO does not work - not passing on my credentials from F5 website to Citrix Web Interface. What am I missing here? Has anyone seen this before? Thanks,
Oracle Weblogic with F5 issue,Jsession your session has expired
What can be done to resolve an issue on an oracle weblogic VIP which offloads SSL, The page loads and a "YOUR SESSION HAS EXPIRED" message is popped out,and the page redirects back to login page. When the backend servers are called directly, no such error is encountered. I already deployed an iapp for this,and it didn't solve the issue.True Source IP address
Currently using an F5 to load balance a Websense web proxy deployment. Using the vendors "; iApp template to load balance the traffic between blades which is working. The issue is that the proxy logs show the FIP of the load balancer rather than the true IP of the users system. I am not using SNAT, XFF is enabled on the HTTP services profile, XFF is also enabled on the web proxy. What am I missing here?
Removing the 'reject' keyword from a virtual, using TMSH / iApp
I have an iApp which creates a virtual server. Depending on one of my iApp choices, this is either configured as a normal load-balancing virtual server (displayed as "Standard" in the web GUI), or to reject all traffic (displayed as "Reject" in the web GUI) However, I cannot seem to find a way to toggle the 'reject' value and turn it back into a normal virtual server. For example, the current iApp template code contains: set cmd "ltm virtual ${vname} destination ${ip}:${port}" if {[iapp::is ::net__reject "yes"]} { append cmd " reject" } iapp::conf create $cmd If I create a new application based on this template and set the net.reject choice to no, it creates the virtual server without the reject keyword; if I then reconfigure and set the net.reject choice to yes it modifies the virtual server and adds the reject keyword; but if I reconfigure again and set the net.reject choice back to no it does not remove the reject keyword. So how does one remove the reject keyword in my iApp (or in tmsh, for that matter)?
