portal access
26 Topics

APM Portal Access Rewriting
Hi all,

A customer of ours is using the F5 with APM and a Full Webtop config. They're using a Full Webtop Portal with Portal Access Resources and Rewriting. One of the Portal Access resources connects to a Document Management Application (https://backend.com) where the source IP of the F5 is allowed for access. Now the backend provider of the Document Management App has upgraded the application and integrated a Keycloak IAM; since then the included OpenID Connect SSO requests are not properly rewritten by the F5. The client then connects directly to the SSO URL for OIDC and not through the Portal Access Rewriting.

We created a HAR file on the client and see the following:

*******
Requests to rewriting:
https://portal.f5.com/f5-w-abc123/page1.html
https://portal.f5.com/f5-w-abc123/somejavascript.js
https://portal.f5.com/f5-w-abc123/somepic.jpg
.....
Then the following:
https://api.essentials.backend.com/api/userrequest
And:
https://id.backend.com/realms/essentials/protocol/openid-connect/auth?client_id......
*******

The obfuscated path /f5-w-abc123 results in the URL https://backend.com

So how can we have the other URL also rewritten, so that https://api.essentials.backend.com/... is rewritten to https://portal.f5.com/f5-w-xyz123 ?

Thank you for your help

chrome vs firefox access pb through apm
Hi,

We have differences in behavior between Firefox and Chrome accessing sites through APM BIG-IP 16.1.2.1 Build 0.0.10 Point Release 1.

On a link, Firefox keeps the original URL https://xxx/F5-w... while Chrome wants to access the server directly. With developer tools, we can see Chrome doing things like:

original URL (the good one)
decoded URL (bad..??)

Why? How to avoid it? I haven't found any link about that and I don't know how to solve this issue. If you have any clue... Thank you a lot.

Have a good day,
Herve

APM webtop + portal access DNS error
Hi,

We use v14 with a partitioned environment; each partition has its own route domain with strict isolation enabled. We have APM with a webtop and a few links in it. One of them is a portal access which points to a server IP address. We cannot use an FQDN as APM uses the system DNS, and we cannot use the system DNS for the customer environment. Anyway, since we use an IP address as the resource item it should be OK, but it is not: user access to the portal access fails with "DNS lookup error. The requested server does not exist.". Using a hosts file does not help; it is ignored by APM. What are the options to fix it?

APM/Analytics - Log click on webtop resources [serverside]
Problem this snippet solves:

When providing an SSL VPN portal to the client, you publish several applications like Portal Access, Remote Desktop, Webtop links, SAML resources, Citrix/VMware VDI, etc. APM logs access to the webtop, but once connected there is no more visibility on who clicks on which icon. We provide visibility and analytics capabilities through a simple iRule.

How to use this snippet:

Installation
You just need to put this iRule in the Virtual Server configuration that handles your access profile.

Logging information
Clicks are logged in local0 (ltm logs). You can see examples below:
virtual=/Common/test, apm=1239853, user=testuser, resource_type=portal, resourcename=owa
virtual=/Common/test, apm=1239853, user=testuser, resource_type=remote_desktop, resourcename=ActiveDirectory

Features
You can currently log the following application types:
Portal Access
Remote Desktop access
The iRule provides the additional features:
Decode Portal Access URI
Logging of username, APM session and resource name

Credits
Inspired from an original iRule in a reply from Kevin Stewart: Logging for Portal Access

External links
Github: github.com/e-XpertSolutions/f5

Code:

    when RULE_INIT {
        # Prefix used by the pre-v13 "log -noname" lines below so that they look like
        # native APM access log entries. Placeholder value: adjust it to your own setup.
        set static::ACCESS_LOG_PREFIX "01490000:5:"
    }

    when ACCESS_ACL_ALLOWED {
        # Session identifiers reused in every log line: full session id,
        # its last 10 characters (as shown in the Access reports) and the logon name
        set session [ACCESS::session sid]
        set apm [string range $session [expr {[string length $session] - 10}] end]
        set user [ACCESS::session data get session.logon.last.username]

        switch -glob [HTTP::uri] {
            "*resourcetype=remote_desktop*" {
                # Remote Desktop launches carry the resource in the "resourcename=" query parameter;
                # findstr returns "resourcename=<value>" up to the next "%"
                set resource_kv [findstr [HTTP::uri] "resourcename=" 0 "\%"]
                #
                # Basic logging. Remote or local logging settings can be configured
                # (uncomment to log to local0 / the ltm log as described above)
                #
                # log local0. "virtual=[virtual], apm=$apm, user=$user, resourcetype=remote_desktop, $resource_kv"
                #
                # ACCESS logging before v13.x
                #
                log -noname accesscontrol.local1.notice "$static::ACCESS_LOG_PREFIX /Common/ap-ad-auth:Common:$session: virtual=[virtual], apm=$apm, user=$user, resourcetype=remote_desktop, $resource_kv"
                #
                # ACCESS::log is available in v13.x. Log saved in Access report too.
                #
                # ACCESS::log accesscontrol.notice "virtual=[virtual], apm=$apm, user=$user, resourcetype=remote_desktop, $resource_kv"
            }
            "*f5-w-*" {
                catch {
                    # Portal Access URIs carry the backend URL hex-encoded between "/f5-w-" and "$$":
                    # extract the hex string and decode it back to the clear-text resource
                    set resource [binary format H* [findstr [HTTP::uri] "/f5-w-" 6 "\$\$"]]
                    set key "$session:$user:$resource"
                    # Log each resource only once per session; the table entry expires after 3600 s
                    if { [table lookup -subtable PORTALACCESS $key] eq "" } {
                        table set -subtable PORTALACCESS $key [clock format [clock seconds] -format %Y%m%d-%H%M%S] 3600
                        #
                        # Basic logging. Remote or local logging settings can be configured
                        # (uncomment to log to local0 / the ltm log as described above)
                        #
                        # log local0. "virtual=[virtual], apm=$apm, user=$user, resource_type=portal, resourcename=$resource"
                        #
                        # ACCESS logging before v13.x
                        #
                        log -noname accesscontrol.local1.notice "$static::ACCESS_LOG_PREFIX /Common/ap-ad-auth:Common:$session: virtual=[virtual], apm=$apm, user=$user, resource_type=portal, resourcename=$resource"
                        #
                        # ACCESS::log is available in v13.x. Log saved in Access report too.
                        #
                        # ACCESS::log accesscontrol.notice "virtual=[virtual], apm=$apm, user=$user, resource_type=portal, resourcename=$resource"
                    }
                }
            }
        }
    }

Tested this on version: 11.5

Portal Access Security Problem - Manipulation with HEX string in URL mangle allows access to any internal website!! How to restrict?
Hi,

We are running a simple Portal Access policy on our APM, which provides authenticated external users access to our public web site located behind the APM, basically a simple reverse proxy with authentication. The URL rewrite works as expected:

URL of internal web site: https://public.mycompany.com/logon.asp
URL for external users: https://apm.company.com/f5-w-[HEX-String]$$/logon.asp

I realized that when I swap the [HEX-String] part of the external URL with another HEX string (representing the URL of another internal web site, for example http://intranet.company.com) I gain access to this intranet web site, although as a remote user I am not allowed to access anything else except "public.mycompany.com".

Is this a bug or standard behavior? How can I restrict the access to only one particular web site? How can I prevent the rewritten URL from being changed by an external user and misused for accessing other internal websites?

Thanks for hints.

APM Deep Linking iRule Help
We are running APM v12.1.3; vCMP guest, two active-standby clusters. APM is internet facing and uses portal access to send traffic to internal application/web servers. Right now we just have a single virtual server with the access policy applied. As this is already in production I would prefer to keep it that way, but if needed will consider other options.

Employees are given links with https://employeeaccesspage.com/insert/deep/link/here. This http host/domain will have a CNAME to a DNS entry that resolves to a WideIP for our APM virtual servers and get the login page. At this point there is the standard APM redirect to /my.policy...normal operation. We can get the original host from the variable "session.server.network.name" and the original URI from the variable "session.server.landinguri".

What I want to do is that when the access policy completes and they are presented with the webtop, either redirect their page to the deep link destination or open a new tab still being rewritten/proxied by APM to the deep link destination.

Here is what I have so far.

    when HTTP_REQUEST {
        set http_host [ACCESS::session data get session.server.network.name]
        set http_uri [ACCESS::session data get session.server.landinguri]
        log local0. "Requested Host is $http_host"
        log local0. "Requested URI is $http_uri"
        switch -glob [string tolower $http_uri] {
            "**" {
                set redirect 1
                ACCESS::session data set session.custom.link $redirect
                log local0. "$redirect : $http_uri"
            }
            "**" {
                set redirect 1
                ACCESS::session data set session.custom.link $redirect
                log local0. "$redirect : $http_uri"
            }
        }
    }

    when ACCESS_POLICY_COMPLETED {
        log local0. "Policy Completed"
        set http_host [ACCESS::session data get session.server.network.name]
        set http_uri [ACCESS::session data get session.server.landinguri]
        set redirect [ACCESS::session data get session.custom.link]
        log local0. "ACL Event: $redirect : $http_uri"
        if { $redirect } {
            switch -glob [string tolower $http_uri] {
                "**" {
                    HTTP::redirect "https://$http_host/f5-w-$$/$http_uri"
                    log local0. "Redirect Concluded for $http_host"
                }
                "**" {
                    HTTP::redirect "https://$http_host/f5-w-$$/$http_uri"
                    log local0. "Redirect Concluded for $http_host"
                }
            }
        }
        # HEX/ASCII hash for internal hosts would be hard coded; at this time we only want this
        # to work for certain internal platforms and do not want that to be done programmatically
    }

I receive this error in the LTM logs, APM deletes the session and I am returned to the login page (/my.policy):

Sep 14 08:15:38 hostname err tmm[18859]: 01220001:3: TCL error: /Common/Deep_Linking - Illegal argument. Can't execute in the current context. (line 7) invoked from within "HTTP::redirect "https://$http_host/f5-w-$$/$http_uri" " ("**" arm line 2) invoked from within "switch -glob [string tolower $http_uri] { "**" { HTTP::redirect "https://$http_host/f5-w-

These two articles look like they contain what I probably need to make this work, but I'm unsure of how to integrate them and get this working. Please help.

Webtop Deeplink
APM Second Browser After Webtop Launch

SAP GUI HTTPS
Hi,

I'm trying to deploy the SAP GUI over https (aka SAP Easy Access) on a Portal Access. All works fine, I've configured Full Patching (also with Java Patching), but when I try the export of a table, nothing happens. I've checked the content and it seems that the export runs a Java application ... but behind portal access I don't have any link to start it. Has anyone done this configuration successfully?

APM Portal Access Peoplesoft application
I am new to Portal Access. I have done a lot with APM, but never the Portal piece. I have set up a VIP with a rewrite policy, access policy, connectivity profile and web acceleration profile due to needing Java patching. I can log in to the portal with AD credentials and see my Portal Links. I click on one and I get "You do not have permission to access the page. Configuration error: Virtual server does not support connections to HTTPS resources. Please contact your system administrator for more information". I exit out and click on the Portal link again, and the internal page for Peoplesoft pops up and looks perfect. I exit out and try again, and yep, you guessed it, the Peoplesoft page pops up looking perfect. Of course I cannot log in; it goes back to the above "You do not have permission to access this page". Am I missing something? I'm confused. Can anyone shed some light on this? I have exhausted the internet and there's very little on portal access, let alone with Peoplesoft being the app you want to use. Any help or comments would be greatly appreciated.

SSO in HTTPS Portal Access Resource Items
Hi

I made a small FormBased SSO Configuration (URI Triggered) for a website which I'm publishing through a Portal Access on my Webtop. If I assign the SSO Configuration to the Access Profile, the SSO Configuration triggers as soon as I click on the link on the Webtop and login works. But if I assign the SSO Configuration on the Portal Access Resource Item instead of the Access Profile, nothing happens if I click on the Webtop link. Because I need to publish more than one website on the Webtop, assigning to the Access Profile is no option. I also tried to work around this problem with a Virtual Server and assigning the SSO Configuration to a simple Access Profile from this VS, but then SSO only works every second time (I think because the SSO variables are not known in the second APM session the first time). I'm running out of ideas :-( Does anybody know how to configure such a setup?

Thanks in advance
sbu

APM Webtop VIP with Multiple Private Applications Configuration
I am working on a project that needs to have an APM Webtop/Portal that links to multiple backend applications. I am running into issues configuring the routing once the users are authenticated to the APM Webtop. To get to the webtop, users present their PIV card and PIN, an AD LDAP query is done to confirm they are a user and to store session variables with that information, and they are presented a list of Webtop resources based on that. These Webtop resources are relying on SSO from F5 (currently working on SAML).

I have explored multiple options for the applications on the Webtop.

The first that I explored was the Portal Access Resource with Rewrite profile. This worked fine for the application without SAML. The issue I am running into is that there are routing issues with the IdP/SP communication in that Portal Access Resource session. I am not sure how to get the AuthN to F5 and then the Assertion back to the Portal Access Resource session, or if this is even possible without huge iRules. In this scenario, I was using the same Virtual Server for the Webtop and F5 IdP.

The second option I am trying is using multiple F5 Virtual Servers: one for the initial Webtop APM, one for the applications, and one for the IdP itself. I am using a Public IP for each Virtual Server. The application is set up as a standard Webtop Link (not Portal Access) pointing to the Virtual Server of the application, which has its default pool as the app itself. The application has the name of the Virtual Server of the IdP itself, with a return URL of the Virtual Server of the application. The problem here is that it seems to log out the initial Webtop session once you click the link to the application. The application also has a problem with the assertion.

Being very new to F5/APM in general, I am wondering if either of these options are the right way to do things. If there is a way to do everything I am mentioning with one Virtual Server, I would think that would be best.

Any and all advice is greatly appreciated.