Can SSL VPN client handle multiple simultaneous sessions?
From a single Windows machine, we have a need to have the F5 SSL VPN client connect both to multiple external organizations at once, and also to connect to single organizations by multiple tunnels, with separate credentials. If there's a way to do either of these, it's not obvious to us. It seems like only one SSL VPN client instance can run per machine, and that instance can only handle a single tunnel, with a single set of credentials, to a single remote location. It's a testament to F5's market penetration that we find ourselves needing to do more than that. Is there a way? Thanks, Whit

Problems load balancing printing
Followed this guide to configure load balancing for MS printing with npath routing: http://blog.loadbalancer.org/load-balancing-microsoft-print-server/ The problem is that when I try to connect to the printer with the FQDN of the virtual server (e.g. \\virtualserver.mydomain.com) I get the error "Operation could not be completed (error 0x00000709). Double check the printer name and make sure that the printer is connected to the network." If I connect to the VIP (e.g. \\192.168.0.10) it works fine. If I connect to the host directly (by hostname or IP) it works fine. Any ideas?

Outlook Client Prompting for Password
A few months ago we implemented Exchange 2010 with the help of our LTMs. However, it has come to light that people have been complaining that sometimes they are prompted to log in after they've been logged in all day. What they don't understand is that when they switch between networks ("wired to wireless" or vice versa), their IP address changes, so the CAS server they land on is likely different, prompting them to re-authenticate. I don't suppose there is an F5 solution to stop these password prompts. The best solution I came up with was to run Outlook Anywhere and do the persistence based on cookies. Are there any other ideas out there?

SSL Connection Configuration between Apache Web server and Weblogic server
I'm currently using Apache web server as a front-end server for WebLogic Server 8.1 and now I'm facing a configuration problem setting up the SSL connection between these 2 servers. When I open my web application page, it shows:

    Failure of Server Apache bridge
    No backend server available for connection: timed out after 10 seconds or idempotent set to OFF.

and my proxy.log shows:

    Thu Nov 03 09:36:41 2011 <182413202842013> INFO: SSL is configured
    Thu Nov 03 09:36:41 2011 <182413202842013> INFO: SSL configured successfully
    Thu Nov 03 09:36:41 2011 <182413202842013> Using Uri /favicon.ico
    Thu Nov 03 09:36:41 2011 <182413202842013> After trimming path: '/favicon.ico'
    Thu Nov 03 09:36:41 2011 <182413202842013> The final request string is '/favicon.ico'
    Thu Nov 03 09:36:41 2011 <182413202842013> SEARCHING id=[ebwdsk298.ebworx.com:7002] from current ID=[ebwdsk298.ebworx.com:7002]
    Thu Nov 03 09:36:41 2011 <182413202842013> The two ids matched
    Thu Nov 03 09:36:41 2011 <182413202842013> @@@FOUND...id=[ebwdsk298.ebworx.com:7002], server_name=[10.122.50.218], server_port=[80]
    Thu Nov 03 09:36:41 2011 <182413202842013> attempt 0 out of a max of 5
    Thu Nov 03 09:36:41 2011 <182413202842013> general list: trying connect to '10.122.50.48'/7002/7002 at line 2696 for '/favicon.ico'
    Thu Nov 03 09:36:41 2011 <182413202842013> New SSL URL: match = 0 oid = 22
    Thu Nov 03 09:36:41 2011 <182413202842013> Connect returns -1, and error no set to 10035, msg 'Unknown error'
    Thu Nov 03 09:36:41 2011 <182413202842013> EINPROGRESS in connect() - selecting
    Thu Nov 03 09:36:41 2011 <182413202842013> Setting peerID for new SSL connection
    Thu Nov 03 09:36:41 2011 <182413202842013> 0a7a 3230 5a1b 0000 .z20Z...
    Thu Nov 03 09:36:41 2011 <182413202842013> Local Port of the socket is 2121
    Thu Nov 03 09:36:41 2011 <182413202842013> Remote Host 10.122.50.48 Remote Port 7002
    Thu Nov 03 09:36:41 2011 <182413202842013> general list: created a new connection to '10.122.50.48'/7002 for '/favicon.ico', Local port:2121
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs from clnt:[Host]=[10.122.50.218]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs from clnt:[Connection]=[keep-alive]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs from clnt:[Accept]=[*/*]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs from clnt:[User-Agent]=[Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.163 Safari/535.1]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs from clnt:[Accept-Encoding]=[gzip,deflate,sdch]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs from clnt:[Accept-Language]=[en-US,en;q=0.8]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs from clnt:[Accept-Charset]=[ISO-8859-1,utf-8;q=0.7,*;q=0.3]
    Thu Nov 03 09:36:41 2011 <182413202842013> URL::sendHeaders(): meth='GET' file='/favicon.ico' protocol='HTTP/1.1'
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[Host]=[10.122.50.218]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[Accept]=[*/*]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[User-Agent]=[Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.163 Safari/535.1]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[Accept-Encoding]=[gzip,deflate,sdch]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[Accept-Language]=[en-US,en;q=0.8]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[Accept-Charset]=[ISO-8859-1,utf-8;q=0.7,*;q=0.3]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[Connection]=[Keep-Alive]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[WL-Proxy-SSL]=[false]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[WL-Proxy-Client-IP]=[10.122.50.48]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[Proxy-Client-IP]=[10.122.50.48]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[X-Forwarded-For]=[10.122.50.48]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[X-WebLogic-Force-JVMID]=[unset]
    Thu Nov 03 09:36:41 2011 <182413202841921> INFO: No session match found
    Thu Nov 03 09:36:41 2011 <182413202842013> INFO: No CA was trusted, validation failed
    Thu Nov 03 09:36:41 2011 <182413202841921> INFO: DeleteSessionCallback
    Thu Nov 03 09:36:41 2011 <182413202842013> ERROR: SSLWrite failed
    Thu Nov 03 09:36:41 2011 <182413202842013> SEND failed (ret=-1) at 789 of file ../nsapi/URL.cpp
    Thu Nov 03 09:36:41 2011 <182413202842013> *******Exception type [WRITE_ERROR_TO_SERVER] raised at line 790 of ../nsapi/URL.cpp
    Thu Nov 03 09:36:41 2011 <182413202842013> Marking 10.122.50.48:7002 as bad
    Thu Nov 03 09:36:41 2011 <182413202842013> got exception in sendRequest phase: WRITE_ERROR_TO_SERVER [os error=0, line 790 of ../nsapi/URL.cpp]: at line 3078
    Thu Nov 03 09:36:41 2011 <182413202842013> INFO: Closing SSL context
    Thu Nov 03 09:36:41 2011 <182413202842013> INFO: Error after SSLClose, socket may already have been closed by peer
    Thu Nov 03 09:36:41 2011 <182413202842013> Failing over after WRITE_ERROR_TO_SERVER exception in sendRequest()

Here are my steps to set up the SSL connection:

    1. Create a keystore (SSLkey.jks) for WebLogic to use.
    2. Create a certificate signing request (certreq.pem) and send it to the trusted certificate authority.
    3. Download the Root CA (rootca.cer) and signed certificate (supportcert.pem) from the certificate authority.
    4. Import rootca.cer into a custom trust keystore (supporttrust.jks).
    5. Configure the WebLogic console -> Keystores and SSL -> Custom Identity and Custom Trust.
    6. Use SSLkey.jks as the custom identity keystore and supporttrust as the custom trust keystore.
    7. Extract the trusted CA file from supporttrust.jks to trustedcafile.der.
    8. Convert trustedcafile.der into trustedcafile.pem.
    9. Copy trustedcafile.pem into
    10. Configure httpd.conf in Apache:

    LoadModule weblogic_module modules/mod_wl_20.so
    <IfModule mod_weblogic.c>
        WebLogicHost abc
        WebLogicPort 7002
        SecureProxy ON
        TrustedCAFile conf/ssl/trustedcafile.pem
        RequireSSLHostMatch false
        Debug ALL
        WLLogFile logs/proxy.log
    </IfModule>
    <Location /secureWebAuth>
        SetHandler weblogic-handler
    </Location>

Can anyone tell me what I should do in order to correct this error? Your help is kindly appreciated!!! Please~

Optimizing application delivery with F5 Secure ICA proxy
F5's Secure ICA proxy solution on APM/Edge is over a year old now, and has been successfully deployed at many of our customers. Besides the simplicity and ease of administration it provides, F5 customers are looking for more value and want to make sure that the solution they implement can provide the fastest delivery of Citrix XenApp and XenDesktop to remote users. In one scenario, we've found that using the following TCP profile on the APM ICA proxy virtual can drastically improve performance of applications where large data transfers are happening between the client and the XenApp/XenDesktop farm. This profile was tested in a typical WAN scenario with the client connecting over a T1 on a 200 ms link with 0.5-1% packet loss. In this scenario, the F5 ICA proxy was able to maintain almost full bandwidth throughput (close to 1.5 Mbit/s on the ICA connection), which was more than a 2x improvement over the throughput with the regular TCP stack. This is the snippet of the TCP profile configuration from bigip.conf:

    profile tcp optimized_xenapp_wan {
        defaults from tcp-lan-optimized
        reset on timeout enable
        time wait recycle enable
        delayed acks disable
        proxy mss disable
        proxy options disable
        deferred accept disable
        selective acks disable
        dsack disable
        ecn disable
        limited transmit disable
        rfc1323 disable
        slow start disable
        bandwidth delay disable
        nagle disable
        abc enable
        ack on push enable
        verified accept disable
        pkt loss ignore rate 0
        pkt loss ignore burst 0
        md5 sign disable
        cmetrics cache enable
        md5 sign passphrase none
        proxy buffer low 98304
        proxy buffer high 131072
        idle timeout 300
        time wait 2000
        fin wait 5
        close wait 5
        send buffer 65535
        recv window 65535
        keep alive interval 1800
        max retrans syn 4
        max retrans 8
        ip tos 0
        link qos 0
        congestion control scalable
        zero window timeout 20000
    }

If you are running or deploying the F5 Secure ICA proxy solution, we encourage you to try this TCP profile and see if it improves ICA performance in your environment as well. Any and all feedback will also be greatly appreciated.

Agile PLM - Weblog - Java Client
My company is upgrading from Agile PLM 9214 to 93. At the same time we are migrating from Oracle Application Server (OAS) to WebLogic (WLS). In front of the servers is a Big-IP LTM 1600, v 9.4.6 Build 401.0 Final. The WLS environment consists of (1) node manager server, (2) managed servers and (1) file manager server. There are two clients for the user to log in with: web and Java. The web client works fine. The Java client, when going through the LTM, does not. It does work connecting directly to either of the managed servers. This does give us some options for our small-in-number but noisy Java client users, but we lose the LTM functions of availability and traffic management; we'd like to have those. This is what happens:

    1. User connects to the page with the link to launch the .jnlp file: http://agl.plexus.com:7001/JavaClient/start.html
    2. Clicks 'launch'. WLS sends the .jnlp file to the client, which opens Java Web Start.
    3. A login widget displays. Enter valid credentials.
    4. After 90 seconds this error displays: Server is not valid or is unavailable.

I've got a ticket (C688392) open with support; they've got snoop-captured packets from the server's POV of a session that works connecting directly to a managed server, and tcpdump captures of the malf'd session. Anyone have experience w/ Agile PLM, WebLogic and the Java client? This is the jnlp file:

    Agile 9.3.0.1
    Oracle Corporation
    Agile 9.3.0.1
    Agile 9.3.0.1 Product Lifecycle Management (PLM)
    serverURL=t3://agl.plexus.com:7001
    jvuecodebase=http://://jVue
    jvueserver=http://agl.plexus.com/Agile/VueServlet
    installationinfo=/opt/agl/agile93/agsetup.enc
    serverType=wls
    tunneling.shortcut=true
    webserverName=agl.plexus.com
    appserverVersion=10.3
    UpdateVersions=9.3.0.1
    useSessionGenerator=true

TCP Payload String Swap for Oracle HA
Hi, I would like to use an iRule on a VIP that fronts 4 Oracle DB RAC servers. Each server helps serve a single DB on SAN-attached storage. However, Oracle requires that each RAC host have a unique SID:

    host db01 uses SID "acmesid1"
    host db02 uses SID "acmesid2"
    host db03 uses SID "acmesid3"
    host db04 uses SID "acmesid4"

The application servers which use the database hosted by these 4 RAC servers can only have a single SID configured. I would like the application server to be configured with "acmesid_vip", and when the application server hits the BigIP on port 1521 with this SID in tow, the BigIP will open the TCP payload and swap this incoming SID "acmesid_vip" with "acmesid1", "acmesid2", "acmesid3" or "acmesid4" based on which DB server the BigIP is planning on forwarding the request to, respectively. So in short, is there a way to do a regular expression on the TCP payload of all incoming packets, s/acmesid_vip/acmesid1/ in the case of going to the first DB server? I have seen the TCP::payload function and this is what I have so far, which I am sure is horribly busted as it uses a mix of pseudo code to get my goal across, as I am no iRules guru. What do you think?

    # Rewrite the SID inside the Oracle TNS CONNECT packet to match the RAC
    # node the load balancer picks.  The classic TNS header carries two
    # big-endian length fields that must be kept in step with the swap:
    # bytes 0-1 (packet length) and bytes 24-25 (connect-data length).
    when CLIENT_ACCEPTED {
        TCP::collect
    }
    when CLIENT_DATA {
        # Wait for the 8-byte TNS header, then for the complete packet
        if { [TCP::payload length] < 8 } { TCP::collect ; return }
        binary scan [TCP::payload] Sx2c pkt_len ptype
        set pkt_len [expr {$pkt_len & 0xFFFF}]
        if { [TCP::payload length] < $pkt_len } { TCP::collect ; return }
        # Only packet type 1 (CONNECT) carries the SID; pass anything else through
        if { $ptype != 1 } { TCP::release ; return }
        # Pick the pool member now so the target node is known before the data is released
        set sel [LB::select]
        eval $sel
        # Node addresses are placeholders: map each RAC node to its own SID
        switch [lindex $sel 3] {
            "10.0.0.11" { set end_sid "acmesid1" }
            "10.0.0.12" { set end_sid "acmesid2" }
            "10.0.0.13" { set end_sid "acmesid3" }
            "10.0.0.14" { set end_sid "acmesid4" }
            default     { TCP::release ; return }
        }
        set payload [TCP::payload]
        set hits [regsub -all {acmesid_vip} $payload $end_sid payload]
        if { $hits > 0 } {
            # Adjust both length fields by the total size change of the swapped SIDs
            set delta [expr {$hits * ([string length $end_sid] - [string length "acmesid_vip"])}]
            binary scan [string range $payload 24 25] S cd_len
            set cd_len [expr {($cd_len & 0xFFFF) + $delta}]
            set payload [binary format Sa*Sa* [expr {$pkt_len + $delta}] \
                [string range $payload 2 23] $cd_len [string range $payload 26 end]]
            TCP::payload replace 0 [TCP::payload length] $payload
        }
        TCP::release
    }

MS Print servers
Hi all, I am planning to use my new F5 LTM to load balance Windows Server 2003 print servers. For the moment, it doesn't work for me: I can see the shared printer but I can't map it. Has anyone already "played" with LTM & MS print servers? Thanks, Vincent

Looking for some Windows help
First time here. Pretty new to load balancing with the F5, looking for some answers. I am trying to find out if the F5 can be used in place of Microsoft Load Balancing. What they (work) are looking to do is this: they want to be able to use the F5 for drive mapping. They want the VS IP address to map to a folder that will be set up across multiple servers. Example: running \\servername\Testfolder$ will map to the Testfolder on the specified server. Can I set up a VS with, say, four servers in the pool so the users can map \\vs\Testfolder$? Thanks

SharePoint 2007 with DoD CAC authentication
I have a SharePoint 2007 installation that wants to convert to CAC authentication. We have a BIG-IP LTM running the 9.4.8 code and the ACA module. I need some guidance on what gets set up where. I have not worked with this authentication mode before. Thanks! Any help is appreciated. Mike Harpe
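An added example for the SharePoint CAC thread above; it is not the poster's configuration and not F5's or Microsoft's own code. It shows the handoff part of a certificate-based login on LTM: the iRule reads the client certificate presented during the TLS handshake and passes the subject and serial to SharePoint in HTTP headers, first stripping any copy of those headers the client itself sent, so the backend can only ever see values the LTM put there. It assumes the virtual server's client SSL profile is set to require a client certificate, that revocation/OCSP checking is done by the ACA module or the profile (this iRule does not do it), that SharePoint is reachable only through the LTM, and that the header names X-CAC-Subject and X-CAC-Serial are free to choose.

```tcl
# Added example, not from the thread.  Hand the CAC holder's certificate
# identity to SharePoint in HTTP headers.  Assumptions: the client SSL
# profile requires a client certificate, revocation checking happens
# elsewhere (ACA/profile), and the backend is reachable only via the LTM.
# The header names are placeholders.
when CLIENTSSL_CLIENTCERT {
    # Drop the connection if the handshake did not actually deliver a certificate
    if { [SSL::cert count] == 0 } {
        reject
        return
    }
    # Identity fields from the presented certificate, kept for the life of the connection
    set cac_subject [X509::subject [SSL::cert 0]]
    set cac_issuer  [X509::issuer [SSL::cert 0]]
    set cac_serial  [X509::serial_number [SSL::cert 0]]
    log local0. "CAC subject=$cac_subject issuer=$cac_issuer serial=$cac_serial"
}

when HTTP_REQUEST {
    # Never trust a client-supplied copy of the identity headers: remove them
    # before inserting the values taken from the TLS handshake
    HTTP::header remove "X-CAC-Subject"
    HTTP::header remove "X-CAC-Serial"
    if { ![info exists cac_subject] } {
        # No certificate bound to this connection: do not forward the request
        HTTP::respond 403 content "Client certificate required"
        return
    }
    HTTP::header insert "X-CAC-Subject" $cac_subject
    HTTP::header insert "X-CAC-Serial"  $cac_serial
}
```

The remove-before-insert step is the one that matters for security: if SharePoint trusts X-CAC-Subject, a client that can reach it without passing through this virtual server, or a header that survives untouched, is a login bypass, so the backend must not accept those headers from anywhere but the LTM.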