mac
12 Topics

Client side Kerberos problem with Mac OSX 10.9 and Safari 7.0.2
Hi all,

I've got a working client side SSO access policy in APM providing access to an internal intranet. It works perfectly with Windows clients (with the right browser config) and I can get it working on Chrome on our Macs, once the macs have been issued with an initial kerberos ticket for the user's AD account (our KDC is Windows AD 2003).

Safari just throws up an APM error page when the user connects with it saying, "Invalid Session ID: Your session may have expired." Checking the APM log even in debug mode doesn't show anything obvious for that session, you just see a message saying the session has been deleted, no kerberos processing begins.

On the client side, in a HTTP trace I see this:

Request

    GET /my.policy HTTP/1.1
    Host: www.victoria.ac.nz
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Connection: keep-alive
    Proxy-Connection: keep-alive
    Cookie: LastMRH_Session=77c8fbae; MRHSession=d5087e7f0252687cc231819f77c8fbae; TIN=272000; __utma=189107500.700714022.1406696059.1406696059.1406696059.1; __utmb=189107500.3.10.1406696059; __utmc=189107500; __utmz=189107500.1406696059.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
    Accept-Language: en-us
    Referer: http://www.victoria.ac.nz/
    Accept-Encoding: gzip, deflate

Response

    HTTP/1.1 401 Unauthorized
    Server: Apache
    Content-Type: text/html; charset=utf-8
    X-Frame-Options: DENY
    Pragma: no-cache
    Cache-Control: no-cache, must-revalidate
    Accept-Ranges: bytes
    Connection: close
    Date: Wed, 30 Jul 2014 04:54:09 GMT
    Content-Length: 335
    WWW-Authenticate: Basic realm="staff.vuw.ac.nz"
    WWW-Authenticate: Negotiate
    Set-Cookie: LastMRH_Session=77c8fbae;path=/;secure
    Set-Cookie: MRHSession=ef9605c9ed0bca0206113f6077c8fbae;path=/;secure

Request

    GET /my.policy HTTP/1.1
    Host: www.victoria.ac.nz
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Connection: keep-alive
    Authorization: Negotiate key Snipped for security YIIHXwYGKwYBBQUCoIIHUzCCB0+gITAfBgkqhkiG9xIBAgIGBiqFcCsOAwYKKwYBBAGCNwICCqKCBygEggckYIIHIAYJKoZIhvcSAQICAQBuggcPMIIHC6ADAgEFoQMCAQ6iBwMFAAAAAACjggYGYYIGAjCCBf6gAwIBBaERGw9TVEFGRi5WVVcuQUMuTlqiJTAjoAMCAQOhHDAaGwRIVFRQGxJ3d3cudmljdG9yaWEuYWMubnqjggW7MIIFt6ADAgEXoQMCAQSiggWpBIIFpdLbJ9FpJ//Bjl+ixeKwBjDZ/1uVgsnoQr4l+kqMazjtr/AILRjfY57mL4hSHX8EWgOObQ+6NlP=********
    Proxy-Connection: keep-alive
    Cookie: LastMRH_Session=77c8fbae; MRHSession=d5087e7f0252687cc231819f77c8fbae; TIN=272000; __utma=189107500.700714022.1406696059.1406696059.1406696059.1; __utmb=189107500.3.10.1406696059; __utmc=189107500; __utmz=189107500.1406696059.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
    Accept-Language: en-us
    Referer: http://www.victoria.ac.nz/
    Accept-Encoding: gzip, deflate

Response

    HTTP/1.0 302 Found
    Server: BIG-IP
    Connection: Close
    Content-Length: 0
    Location: /my.logout.php3?errorcode=20
    Set-Cookie: LastMRH_Session=77c8fbae;path=/;secure
    Set-Cookie: MRHSession=d5087e7f0252687cc231819f77c8fbae;path=/;secure

So it looks like Safari is presenting its Kerb ticket, but the F5 doesn't like it. Anyone got any clues?

Thanks,
Gavin

1.4K Views, 0 likes, 10 Comments

DNS issue with VPN connection from OSX
Hi all,

I have an issue with the DNS resolvers when I'm connecting with a Mac computer. The problem is that the local DNS server already configured on the computer still remains as "resolver 1", i.e. the first resolver to query, even though it should be overwritten with the new resolvers provided from the big-ip. At the very least the "local DNS" should be placed after the new ones.

The problem with the current situation is that sometimes the local DNS server will respond with a "REFUSED" message after the client is connected to the VPN. The reason for this I'm not sure of, but it is something out of our hands because the DNS server might be random X wifi somewhere...

Is there any way I can alter how the DNS servers will be handled? I have tried to play around with the options "Enforce DNS search order" and "Allow local DNS" but both these settings don't change how the DNS config on the client looks (at least not on the Mac computer). Also there's no difference between portal access (web based) or Network access (from the Edge client).

Best Regards,
Marcus

1.2K Views, 0 likes, 4 Comments

APM :: Obtain Mac OS Version
Anybody know of a reliable way to obtain the Mac OS version from the connecting client (non-Edge)? In versions prior, session.check_software.last.pm.item_1.version worked great. At some point during the last few F5 upgrades, that has since changed to 2.x versioning while the actual OS is 10.13.x

Thanks
-Ryan

605 Views, 0 likes, 2 Comments

MAC Address Inconsistency
Hi everyone.

I have a Strongbox 5250v and I noticed a weird behavior with this box. In the WebGUI the Interfaces List shows me some MAC addresses, listed below:

Those UP interfaces (2.1 and 2.2) are members of a Trunk and this trunk is a member of two VLANs (internal and external). When I go to the CLI and run an ifconfig, the internal and external interfaces show me MAC addresses of interfaces that are in state DOWN and have no cable plugged into them (interfaces 1.2 and 1.3).

    external Link encap:Ethernet HWaddr 00:23:E9:CE:0C:03
    internal Link encap:Ethernet HWaddr 00:23:E9:CE:0C:04

I've updated this box from 11.5.4 to 11.6.1 and then to 12.1.1; in all versions I had this "inconsistency" of information. Although there is this difference between the WebGUI and the real MAC Addresses in the network, everything is working properly (until now).

Has anyone seen this situation before?

599 Views, 0 likes, 3 Comments

Edge VPN client for MAC
Hi,

I am not very strong with MAC devices. When downloading the Edge VPN client for MACs from the F5, it comes as a zip file containing two files: config_tmp.f5c & mac_edgesvpn.pkg

I understand that "mac_edgesvpn.pkg" is the file that a MAC user needs to open and install on their desktop.

My question is: What is the purpose of "config_tmp.f5c", and is that file needed for the installation, and if so when and where?

Thanks

542 Views, 0 likes, 1 Comment

Move vIP to other cluster
Hello,

So I have a 11.5.1 cluster where we are having some problems. We have a fresh 12.1.1 cluster ready to take over some vIPs for testing. I would like to flawlessly move vIPs from the old cluster to the new one. I prefer not to import the configuration to evade corrupt config or duplicate address problems.

Current method: Disable ARP on the old Virtual Address & enable this on the new one + wait for the ARP entry to expire on the L3 switches. However, I can never ping the virtual address when enabled on the new cluster. Ideas?

The switch sees the new MAC address, but the ping does not reply (nor when I ping the vIP from the new bigip itself).

To move it back to the old cluster, I disabled ARP on the new cluster and re-enabled it on the old cluster. Then I needed to wait for the ARP entry to expire on the switches.

(Comparable to https://devcentral.f5.com/articles/ruby-and-icontrol-migrating-virtual-addresses-using-arp )

Solved, 506 Views, 0 likes, 4 Comments

APM Machine Certificate Auth - MACs
I've got machine cert check configured on an APM policy which works fine for Windows machines. An issue has been seen where the cert auth on Macs can fail if there are some expired certificates on the machine.

I can't find any documentation as to how and in what order the APM/Edge Client checks the certificates on the machines, i.e. does it check the first certificate in the store and report back the status of that, or does it check through all certs for a valid match? So if the first cert in the store had expired but also had a valid cert, does that cause the cert check to fail?

If that is the case is there anything on the F5 config that can be done to check all certs in the store for a match?

John

422 Views, 0 likes, 0 Comments

How to access RDP from Mac OSX on BIG-IP APM 12.0
Hello Devcentral,

First off, there have been many "MAC OSX RDP" topics on here. I think I've read through all of them but I still cannot seem to get RDP working for my MAC OSX users.

As with our Windows users I want them to be able to log onto the BIG-IP APM, click a link (Application Tunnel for MAC OSX of course) and then have them be able to log onto a Windows Server through RDP.

I'm getting Java errors, "ClassNotFoundException" from the AppletTunnelProxy (seems to be something wrong with f5apptunnel.jar?). I've tried JRE 1.8 and 1.7 on my test Mac Mini here (OSX 10.11.6 El Capitan) and using Safari as well as Firefox. I did get this to work on BIG-IP APM 11.6 if I recall correctly.

Any help on this would be greatly appreciated. I have Java error logs/traces but didn't want to immediately spam this topic. If need be I can paste them into here.

Thanks in advance!

379 Views, 0 likes, 1 Comment

OS X F5 Access Scripting
Hello All,

Is there any way to script the F5 Access client on the Mac? The documentation does not indicate that any scripting language can be used. AppleScript is not an option because all of tcc is now behind SIP, so we'd like to do BASH or Python, but Swift/Cocoa would also be acceptable if that was my only option.

I would like to...

- Install the app via VPP (using my MDM for this)
- Configure it to launch through a LaunchAgent
- Create a new configuration
- Manage (Enable/Open and Disable/Close) a configuration

If none of that is possible, does anybody know if the F5 environment can be configured to allow the Mac's built-in VPN (L2TP over IPSec, IKEv2 or Cisco IPSec) clients and what that configuration may look like?

If I can be pointed to the right documentation or if anybody has examples, I would greatly appreciate the assist.

Thank You,
Nick Lucia

331 Views, 0 likes, 0 Comments

Mac OS X 10.10.3 and F5 SSL VPN Plugin
I've searched the F5 website and DevCentral but I haven't been able to find a current compatibility matrix for Mac OS and the F5 Plug-ins for Big-IP VPN. My Big-IP plug-in (F5 SSL VPN Plugin.plugin version 7091.2014.1120.1) has stopped working after the latest OS X update (10.10.3).

I have a few questions, any help would be appreciated:

- Is there current compatibility information available for OS/Browser supported by the F5 Plug-ins?
- Is there a newer version of the plug-in available than what I am using?
- If there is a newer version of the plug-in, can I use that with our current Big-IP version, or do the server and plug-in versions need to match?

276 Views, 0 likes, 2 Comments