portal access
26 Topics

Logging for Portal Access
Hello Dev Central community.. I'm hoping someone can point me in the right direction in regards to reports or logs for particular Portal Access resources. My APM (ver. 11.3.0) has a Full Webtop configured with multiple Portal Access resources configured. What I would like to be able to do is run a report, or generate information from logs, showing how many times each Portal Access resource has been visited each month. I may just be missing it, but I can't find a way to create a report with this data. Any ideas? Thanks very much..
1K Views, 0 likes, 9 Comments

chrome vs firefox access pb through apm
Hi, We have differences in behavior between Firefox and Chrome accessing sites through APM BIG-IP 16.1.2.1 Build 0.0.10 Point Release 1. On a link, Firefox keeps the original URL https://xxx/F5-w ... while Chrome wants to access the server directly. With developer tools, we can see Chrome doing things like: original URL (the good one) decoded URL (bad..??) Why? How to avoid it? I haven't found any link about that and I don't know how to solve this issue. If you have any clue... Thank you a lot. Have a good day, Herve
925 Views, 0 likes, 3 Comments

Portal Access is doing unencrypted http over port 443
I have an https VS with an APM policy that displays a Webtop with several Portal Access objects. Each is defined similar to the following: "; . But tcpdump shows that the initial request goes from the Big-IP's self IP to 10.x.y.z as http on port 443, and Wireshark gives "Unencrypted HTTP protocol detected over encrypted port" warnings. All of my other working PA configurations are http, so I can't really compare them. What's up?
912 Views, 0 likes, 1 Comment

APM webtop + portal access DNS error
Hi, we use v14 with a partitioned environment; each partition has its own route domain with strict isolation enabled. We have APM with a webtop and a few links in it. One of them is a portal access which points to a server IP address. We cannot use FQDN as APM uses system DNS and we cannot use system DNS for the customer environment. Anyway, since we use an IP address as a resource item it should be OK, but it is not; user access to portal access fails at "DNS lookup error. The requested server does not exist.". Using hostfile does not help, it is ignored by APM. What are the options to fix it?
799 Views, 0 likes, 5 Comments

APM Portal Access Peoplesoft application
I am new to Portal Access. I have done a lot with APM, but never the Portal piece. I have set up a VIP, with rewrite policy, access policy, connectivity profile and web acceleration profile due to needing Java patching. I can log in to the portal with AD credentials, and see my Portal Links. I click on it and I get "you do not have permission to access the page" Configuration error Virtual server does not support connections to HTTPS resources. Please contact your system administrator for more information" I exit out and click on the Portal link again, and the internal page for Peoplesoft pops up and looks perfect. I exit out and try again. Yep, you guessed it, the Peoplesoft page pops up looking perfect. Of course I cannot log in, it goes back to the above "You do not have permission to access this page". Am I missing something? I'm confused. Can anyone shed some light on this? I have exhausted the internet and there is very little on portal access, let alone with Peoplesoft being the app you want to use. Any help or comments would be greatly appreciated.
741 Views, 1 like, 2 Comments

APM Deep Linking iRule Help
We are running APM v12.1.3; VCMP guest, two active-standby clusters. APM is internet facing and uses portal access to send traffic to internal application/web servers. Right now we just have a single virtual server with the access policy applied. As this is already in production I would prefer to keep it that way, but if needed will consider other options. Employees are given links with https://employeeaccesspage.com/insert/deep/link/here. This http host/domain will have a CNAME to a DNS entry that resolves to a WideIP for our APM virtual servers and get the login page. At this point there is the standard APM redirect to /my.policy...normal operation. We can get the original host from the variable "session.server.network.name" and the original URI from the variable "session.server.landinguri". What I want to do is that when the access policy completes and they are presented with the webtop either redirect their page to the deep link destination or open a new tab still being rewritten/proxied by APM to the deep link destination. Here is what I have so far.

    when HTTP_REQUEST {
        set http_host [ACCESS::session data get session.server.network.name]
        set http_uri [ACCESS::session data get session.server.landinguri]
        log local0. "Requested Host is $http_host"
        log local0. "Requested URI is $http_uri"
        switch -glob [string tolower $http_uri] {
            "**" {
                set redirect 1
                ACCESS::session data set session.custom.link $redirect
                log local0. "$redirect : $http_uri"
            }
            "**" {
                set redirect 1
                ACCESS::session data set session.custom.link $redirect
                log local0. "$redirect : $http_uri"
            }
        }
    }
    when ACCESS_POLICY_COMPLETED {
        log local0. "Policy Completed"
        set http_host [ACCESS::session data get session.server.network.name]
        set http_uri [ACCESS::session data get session.server.landinguri]
        set redirect [ACCESS::session data get session.custom.link]
        log local0. "ACL Event: $redirect : $http_uri"
        if { $redirect } {
            switch -glob [string tolower $http_uri] {
                "**" {
                    HTTP::redirect "https://$http_host/f5-w-$$/$http_uri"
                    log local0. "Redirect Concluded for $http_host"
                }
                "**" {
                    HTTP::redirect "https://$http_host/f5-w-$$/$http_uri"
                    log local0. "Redirect Concluded for $http_host"
                }
            }
        }
        # HEX/ASCII hash for internal hosts would be hard coded at this time we only want this to work for certain internal platforms and do not want that to be done programmatically
    }

I receive this error in the LTM logs, APM deletes the session and I am returned to the login page (/my.policy):

    Sep 14 08:15:38 hostname err tmm[18859]: 01220001:3: TCL error: /Common/Deep_Linking - Illegal argument. Can't execute in the current context. (line 7) invoked from within "HTTP::redirect "https://$http_host/f5-w-$$/$http_uri" " ("**" arm line 2) invoked from within "switch -glob [string tolower $http_uri] { "**" { HTTP::redirect "https://$http_host/f5-w-

These two articles look like they contain what I probably need to make this work, but I'm unsure of how to integrate them and get this working. Please help.
Webtop Deeplink APM Second Browser After Webtop Launch
700 Views, 0 likes, 2 Comments

APM/Analytics - Log click on webtop resources [serverside]
Problem this snippet solves:
When providing VPN SSL portal to the client, you publish several applications like Portal access, Remote Desktop, Webtop links, SAML Resources, Citrix/Vmware VDI, etc. APM logs access to the webtop; once connected, there is no more visibility on who clicks on which icon. We provide Visibility and Analytics capabilities through a simple irule.

How to use this snippet:

Installation
You just need to put this irule in the Virtual Server configuration that handles your access profile.

Logging information
Clicks are logged in the local0 (ltm logs). You can see examples below:

    virtual=/Common/test, apm=1239853, user=testuser, resource_type=portal, resourcename=owa
    virtual=/Common/test, apm=1239853, user=testuser, resource_type=remote_desktop, resourcename=ActiveDirectory

Features
You can currently log the following application types:
- Portal access
- Remote Desktop access

The irule provides the additional features:
- Decode Portal access uri
- logging of username, apm session and resource name

Credits
Inspired from an original irule in a reply from Kevin Stewart: Logging for Portal Access

External links
Github: github.com/e-XpertSolutions/f5

Code:

    when ACCESS_ACL_ALLOWED {
        switch -glob [HTTP::uri] {
            "*resourcetype=remote_desktop*" {
                #
                # Basic logging. Remote or local logging settings can be configured
                #
                # log local0. "virtual=[virtual], apm=[string range [ACCESS::session sid] [expr [string length [ACCESS::session sid]] - 10] end], user=[ACCESS::session data get session.logon.last.username], resourcetype=remote_desktop, [findstr [HTTP::uri] "resourcename=" 0 "\%"]"
                #
                # ACCESS logging before v13.x
                #
                log -noname accesscontrol.local1.notice "$static::ACCESS_LOG_PREFIX /Common/ap-ad-auth:Common:$session: virtual=[virtual], apm=[string range [ACCESS::session sid] [expr [string length [ACCESS::session sid]] - 10] end], user=[ACCESS::session data get session.logon.last.username], resourcetype=remote_desktop, [findstr [HTTP::uri] "resourcename=" 0 "\%"]"
                #
                # ACCESS::log is available in v13.x. Log saved in Access report too.
                #
                # ACCESS::log accesscontrol.notice "virtual=[virtual], apm=[string range [ACCESS::session sid] [expr [string length [ACCESS::session sid]] - 10] end], user=[ACCESS::session data get session.logon.last.username], resourcetype=remote_desktop, [findstr [HTTP::uri] "resourcename=" 0 "\%"]"
            }
            "*f5-w-*" {
                catch {
                    set resource [binary format H* [findstr [HTTP::uri] "/f5-w-" 6 "\$\$"]]
                    if { [table lookup -subtable PORTALACCESS "[ACCESS::session sid]:[ACCESS::session data get session.logon.last.username]:$resource"] eq "" } {
                        table set -subtable PORTALACCESS "[ACCESS::session sid]:[ACCESS::session data get session.logon.last.username]:$resource" [clock format [clock seconds] -format %Y%m%d-%H%M%S] 3600
                        #
                        # Basic logging. Remote or local logging settings can be configured
                        #
                        # log local0. "virtual=[virtual], apm=[string range [ACCESS::session sid] [expr [string length [ACCESS::session sid]] - 10] end], user=[ACCESS::session data get session.logon.last.username], resource_type=portal, resourcename=$resource"
                        #
                        # ACCESS logging before v13.x
                        #
                        log -noname accesscontrol.local1.notice "$static::ACCESS_LOG_PREFIX /Common/ap-ad-auth:Common:$session: virtual=[virtual], apm=[string range [ACCESS::session sid] [expr [string length [ACCESS::session sid]] - 10] end], user=[ACCESS::session data get session.logon.last.username], resource_type=portal, resourcename=$resource"
                        #
                        # ACCESS::log is available in v13.x. Log saved in Access report too.
                        #
                        # ACCESS::log accesscontrol.notice "virtual=[virtual], apm=[string range [ACCESS::session sid] [expr [string length [ACCESS::session sid]] - 10] end], user=[ACCESS::session data get session.logon.last.username], resource_type=portal, resourcename=$resource"
                    }
                }
            }
        }
    }

Tested this on version: 11.5
635 Views, 0 likes, 4 Comments

Portal Access to OWA Requires Refresh
Hello, I currently have Portal Access set up to our OWA (Exchange 2013) site and have configured a Client Initiated Forms based SSO profile. For all intents and purposes it works, however on first connection OWA spins its wheels endlessly unless I hit F5 or refresh, then OWA opens instantly and as expected. Anyone else experience this behavior before, or any suggestions of how to resolve this issue? I followed the instructions in this article: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-sso-config-11-2-0/3.htmlunique_1316790788 However these instructions are for OWA 2010 but I was told they should work for OWA 2013 as well.
542 Views, 0 likes, 5 Comments

Adding session variable into Portal Access resource header value
I have a portal resource access object working fine and passing the headers I assign. However when I try to insert a value of a session variable into the header value I do not get the actual session variable, but only the text I insert. For example I know I have a session variable of session.logon.last.upn as a variable in the session (I have verified this during my active session), but when I input this into the header value I get "session.logon.last.upn" as the header not the actual upn value of the user. I tried - session.logon.last.upn and %{session.logon.last.upn}. Any help would be greatly appreciated.
528 Views, 0 likes, 3 Comments

Using different SSO methods for different portal applications through APM
Hi All, Have an existing APM policy with a Portal application that is accessed through a Webtop. This application is integrated to AD and the F5 is correctly collecting credentials and forwarding through Basic headers to the backend application. I now have a second application that uses a different set of credentials (not integrated with AD). When I have created the new application as Portal and try to access the application it is posting the SSO credentials of the other application (and failing). There seem to be many places to configure SSO and I am getting a bit confused as to which does what. In the Access Profile -> SSO/Auth Domains you select a SSO Configuration (which is the original Basic one). Then in Visual Policy Editor I have a pipeline step of SSO Credential Mapping - to extract from Logon Page and stick into Basic headers. Finally in Access Profile -> Portal Access: Portal Access List for the backend application there is SSO Configuration - which is set to None. This all works fine. Now I add a new Portal Access resource and a new Portal Access List and try setting SSO Configuration to None (as I actually want no SSO for this second site). This was in the hope it would ignore the existing SSO of Basic. This did not work, so I tried creating a Form based SSO with nothing in it and assigning it to the Portal Access List - this does not seem to make a difference. So - what/when/why is this extra SSO Configuration used - I had hoped it was to override a default. Is there another way to allow two different types of SSO (well actually the second one is 'none')? Thanks, Jason
499 Views, 0 likes, 2 Comments