APM multiple policies on one virtual server
Is it possible to have different policies on one virtual server? Would like to have something with two URLs (see below) with different policies (authentication methods), but can't find how to set that up on APM.

https://vpn.customer.com/employees
https://vpn.customer.com/contractors

325 Views, 0 likes, 4 Comments

Configuring TACACS v4.2 with F5 Remote Role Groups
Hi everyone,

I'm trying to get our F5s working with TACACS and I was successful in getting individual user accounts to work. However, I'm trying to set up the groups but am having some trouble. Working through a user guide I found online, I set the following attributes in the TACACS+ Settings custom attributes:

    set F5-LTM-User-Info-1 = adm
    set F5-LTM-User-Console = 1
    set F5-LTM-User-Role = 0

![Image Text](/Portals/0/Users/084/96/224596/TACACS.PNG)

Then on the F5 side I have the attribute string set to F5-LTM-User-Info-1=adm with similar settings for the console, role, etc. However, the users in TACACS assigned to the group with the above attributes are not authenticating in the F5. Any thoughts as to why this is would be greatly appreciated.

Thanks!
Brent

365 Views, 0 likes, 2 Comments

how to run F5 Network Access on a 64-bit linux?
How to run F5 Network Access on a 64-bit linux? Particularly, can I use the VPN without a browser plugin? If not, which browser versions are supported?

What I mean, why I ask: My employer is giving me remote access via an RSA SecurID token and instructions for web-based access using the F5 Network Access Plugin. My personal systems are all 64-bit linux, running versions of debian (with 3.2 kernels). My primary laptop has 2 browser versions installed: Firefox 12.0 and Iceweasel 13.0.1. (Note that Iceweasel is just Firefox with an open-license logo and branding. The debian package=iceweasel tracks the latest release version of Firefox from Mozilla.)

Using Iceweasel (my usual browser), I received and activated my token and set my credentials on the provided remote-access website. I was then instructed to install the F5 Network Access Plugin. Unfortunately, that fails: the xpi begins running, but then quits with the message

    F5 Network Access Plugin could not be installed because it is not compatible with Iceweasel 13.0.1

I quit Iceweasel, started Firefox, logged into the remote-access site, and attempted to install the plugin, which similarly failed:

    F5 Network Access Plugin could not be installed because it is not compatible with Firefox 12.0

So my first question is, with which current linux and browser versions *is* F5 Network Access Plugin compatible?

My second question is, can one obtain F5 network access on 64-bit linux *without* the browser plugin? I am also a graduate student, and obtain VPN access to my school's compute clusters via the Cisco VPN client built into debian's stock Gnome NetworkManager. I also find good comments regarding an unofficial F5 VPN client. Hence I'm not seeing why one needs to install a browser plugin to do networking.

1.1K Views, 0 likes, 9 Comments

VPN client package shows "already exists" error
I'm using the VPN client to connect to a Firepass 6.0.3 and when I log in and the client is setting up the connection it shows an error message "Already exists" and then logs in successfully. Looking in the log file I see:

    (APPCTRL:1052,1104) CAppTunnelEx:: OpenByParam(VPN,Full Access) already opened
    (Standalone:1052,1104) CMainFrame::MessageBox: Already exists

The resource group in question is configured to auto launch based on endpoint protection and use an alternate webtop. The thinking there is that when users connect via a web interface, the network tunnel opens and the window shows their connected status - so the login experience is relatively consistent whether using a browser or the client application to connect.

It seems like the autolaunch feature is called again by the VPN client and this is causing the error (more like a notification) I'm seeing. Is there a way to prevent this error from appearing while still using the auto-launch option for users connecting directly via browser?

309 Views, 0 likes, 0 Comments

Installed HF603 2.1.1 and controller list changed
I installed the hotfix rollup for 6.0.3 Sunday which went smoothly. We have a broad deployment of the F5 Networks VPN Client which generally works very well. When I ran the client after applying the hotfix it downloaded updates, since I have the following settings enabled for the client:

- Automatically Update Components
- Dynamically Download Session Settings During Logon

Now to my problems -

1) After updating, a host was added to the "Firepass Controller List" which I have not configured in the "customize client components" configuration section.
2) The client apparently automatically connects to this new host after updating, and users get an error. Why? Because my pre-logon inspection does not allow connections to the base URI of the server.

How can I prevent the F5 Networks VPN Client from adding entries to the Controller List when I have not configured them in the client configuration? Why does it try to log on to the newly added controller after updating?

For example, say my client has the following controllers configured:

https://foobar.domain.com/vpn1
https://foobar.domain.com/vpn2
https://bozboo.domain.com/vpn1
. . .

When the updates occur they are retrieved from (say) https://bozboo.domain.com/ and then a new entry is created in the controller list for "https://bozboo.domain.com/" and after updating the client tries connecting there and errors out since I don't allow logons to "https://bozboo.domain.com/" but instead require one of a set of landings.

Thoughts?

217 Views, 0 likes, 3 Comments

APM Limited on LTM VE not working
I have an LTM VE lab edition (10.2.1 HF2) that I provisioned APM Limited on. I configured a web app and got everything set up with no user restrictions (although I understand the APM limited restriction is 10) and on first request (and all subsequent) to the APM virtual I get:

    Your session could not be established.
    The session reference number:
    The maximum number of concurrent user sessions has been reached. No new user sessions can start at this time.

Any ideas?

195 Views, 0 likes, 1 Comment

HOWTO: Firepass Component Automated Uninstallation
ABOUT

Sometimes we find it necessary to uninstall the VPN components from a user's machine if they've got a corrupted installation or have other issues. Unfortunately, the BEST way to do this is to lead them through uninstallation via the F5-supplied "f5wininfo.exe" program. You have to get the .exe to them first, which can be tricky to do with some mail systems...

This is a way to create an automated uninstaller to which you can direct a user. It works under Vista and XP quite well. It'd be nice if F5 took a design cue here and ran with this approach -- it's quite "HelpDeskUseful(tm)"!

REQUIRED COMPONENTS

- Microsoft Cabinet Software Development Kit (http://support.microsoft.com/kb/310618)
- Microsoft Authenticode Tools (in the Platform SDK, http://www.microsoft.com/downloads/details.aspx?FamilyId=A55B6B43-E24F-4EA3-A93E-40C0EC4F68E5&displaylang=en)
- F5WinInfo.exe (Diagnostic tool from 6.0.2)
- Codesigning certificate and key for your organization (from Verisign)

INSTRUCTIONS

1. Obtain CABARC.EXE from the Microsoft Cabinet Software Development Kit. You will need this utility to create the distributable CAB file that will be embedded in the web page.

2. Create a folder to contain your work and put CABARC.EXE and F5WinInfo.exe into that folder.

3. Open a command window and change to that directory.

4. In Windows explorer, find F5WinInfo.exe, right click on it, and select "Properties". Click on the tab labeled "Version" and copy down the value you see under "File Version." It should look like "6040.2008.215.2127". You will need to use this value in creating your CAB file.

5. Create a file in your working directory called "f5wininfo.inf". It will contain the following content:

    ; Version number and signature of INF file.
    ;
    [version]
    signature="$CHICAGO$"
    AdvancedINF=2.0

    [Add.Code]
    f5wininfo.exe=f5wininfo.exe

    [f5wininfo.exe]
    FileVersion=6030,2008,215,2127
    clsid={21449A90-C484-21d1-8D75-00C04FC23CE6}
    RegisterServer=no
    Hook=runinstaller

    [runinstaller]
    run=%EXTRACT_DIR%\f5wininfo.exe /r

Note the FileVersion above. The value you put here is the value you obtained in step 4, only with commas instead of periods in between the numbers. The CLSID value is a bogus one, but will work. If you like, you can generate your own CLSID and use it here.

6. (Optional) You may choose to re-sign the f5wininfo.exe file if you like (removing the F5 signature and replacing it with your own). This is not strictly necessary but may be required in some organizations that have restrictive software load policies.

7. From the command line, create the cab file:

    cabarc.exe -s 6144 n f5wininfo.cab f5wininfo.inf f5wininfo.exe

This command line will create the CAB file, reserving enough space at the beginning of the file for the signing certificate.

8. Sign this cab file with your codesigning certificate. You will need Microsoft's Authenticode tools to do this. How to do this is beyond the scope of this particular HOWTO, but Google can direct you to some wonderful resources about signing CAB files.

9. Create an HTML file called "uninstall.html". It MUST contain the following content, but the look and feel is up to you:

    height=1 CODEBASE="f5wininfo.cabVersion=6030,2008,215,2127">

I'm attaching some example HTML files that do the job and actually attempt to use the control-interface "statusbar" that Firepass uses. It will track the download and execution of the f5wininfo.exe program and watch for its completion. I don't know if it functions COMPLETELY well (in fact, I am fairly sure it does not handle error conditions at all), but it mostly works.

10. Upload all HTML files and the cab file to your WebDAV sandbox on the Firepass controller. Users can then access the utility at "https:///sandbox/uninstall.html".
When the page launches, the CAB file will download and automatically uninstall all VPN components.

Enjoy!

208 Views, 0 likes, 1 Comment

Citrix Webinterface
Has anyone successfully got this to work?

https://support.f5.com/kb/en-us/solutions/public/4000/800/sol4882.html

I have created the sed script but the packetdump is still seeing the direct IP address, not the loopback. Content-Type is application/x-ica so not sure why it's not working via the re-write engine anyway.

dump:

    HTTP/1.1 200 OK
    Connection: keep-alive
    Date: Mon, 07 Jul 2008 12:02:35 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-AspNet-Version: 1.1.4322
    Set-Cookie: WINGSession=; path=/Citrix/MetaFrame/
    Set-Cookie: WIUser=NFuse_CurrentFolder=; expires=Tue, 07-Jul-2009 12:02:35 GMT; path=/Citrix/MetaFrame/
    Set-Cookie: WINGDevice=NFuse_ClientName=WI_CfIsPyJpUcx1Z7L2b; expires=Tue, 07-Jul-2009 12:02:35 GMT; path=/Citrix/MetaFrame/
    Cache-Control: private
    Expires: Mon, 30 Jun 2008 13:22:35 GMT
    Content-Type: application/x-ica
    Content-Length: 1118

    [Encoding]
    InputEncoding=ISO8859_1
    [WFClient]
    ClientName=WI_CfIsPyJpUcx1Z7L2b
    ProxyFavorIEConnectionSetting=Yes
    ProxyTimeout=30000
    ProxyType=Auto
    ProxyUseFQDN=Off
    RemoveICAFile=yes
    TransparentKeyPassthrough=Local
    TransportReconnectEnabled=On
    Version=2
    VirtualCOMPortEmulation=Off
    [ApplicationServers]
    APP DO10=
    [APP DO10]
    Address=10.128.136.152:1494
    AutologonAllowed=ON
    ClientAudio=Off
    DesiredColor=8
    DesiredHRES=4294967295
    DesiredVRES=4294967295
    InitialProgram=APP DO10
    Launcher=WI
    LongCommandLine=
    ProxyTimeout=30000
    ProxyType=Auto
    SSLEnable=Off
    SessionsharingKey=8-basic-none-FMCI2
    TWIMode=On
    TransportDriver=TCP/IP
    UseLocalUserAndPassword=On
    WinStationDriver=ICA 3.0
    [Compress]
    DriverNameWin16=pdcompw.dll
    DriverNameWin32=pdcompn.dll
    [EncRC5-0]
    DriverNameWin16=pdc0w.dll
    DriverNameWin32=
    ---------------------------------------------------------------
    0.1993 (0.0000) S>C
    ---------------------------------------------------------------
    pdc0n.dll
    [EncRC5-128]
    DriverNameWin16=pdc128w.dll
    DriverNameWin32=pdc128n.dll
    [EncRC5-40]
    DriverNameWin16=pdc40w.dll
    DriverNameWin32=pdc40n.dll
    [EncRC5-56]
    DriverNameWin16=pdc56w.dll
    DriverNameWin32=pdc56n.dll

sed code: skipping the javascript for testing

    Content Type field: application/x-ica
    sed processing script field: s/Address=10\.128\.136\.152/Address=127\.100\.100\.100/g

Thanks in advance for any help.

Cheers.

300 Views, 0 likes, 1 Comment

DNS error with SSL VPN and OS X 10.7.2
When connecting to our network via the F5 SSL VPN from a Mac OS X 10.7.2 client running Safari 5.1.2 under an ordinary user account, the name servers are not set properly for internal resources, breaking DNS. I still have external DNS, and have full access to internal resources via IP address, but no ability to resolve internal DNS records. I can see VPN attempting to set the records in the resolv.conf file, but the records do not actually get set despite the "DNS configuration was saved successfully" message in the svpn.log file.

Anyone else experiencing these symptoms?

551 Views, 0 likes, 5 Comments

iPhone edge client sometimes suddenly disconnects
Good day. I did install the iPhone edge client app, version 1.0.3. I do connect to my Firepass server via Wi-Fi. Then I press the block button on my iPhone. When I unblock it later I see that the connection is lost and there is no VPN connection. It's bad. I would like it to be always connected. Is there any possibility to do it?

276 Views, 0 likes, 1 Comment