SharePoint 2016 large file upload and LTM ICAP configuration
Hi Guys, I have a special case here:

Configuration:
BigIP Version 13
HTTPS VS (SharePoint Web App with adapt request/response profiles)
ICAP VS (Internal with an icap profile)
ICAP server Bluecoat ProxySG with a Symantec scan engine

What's happening:
When I upload a file with a size less than 100 MB, the SharePoint upload page sends the file to the SharePoint server in a single block with the header content-type multipart. The LTM ICAP client sends the file to the ICAP server (Bluecoat) and the file gets scanned and we get back a response according to what we expect: pass if clean and block if virus detected.

Now if I upload a file bigger than 100 MB, SharePoint switches to REST API mode and sends the file in multiple chunks of 8MB. The LTM ICAP client sends the files to the ICAP server (Bluecoat) and the files get scanned and we get a response for all the files scanned, BUT the answer is always 'file is CLEAN', even if we test with a 110 MB zip file containing an eicar file or multiple eicar files or even a pack of 500MB of real deadly viruses :-)

SharePoint sends the file chunks in a JSON payload with the header ACCEPT: application/json

Anyone managed to make file uploads bigger than 100MB scannable with this type of setup? Any configuration steps I'm missing to make the 110MB zip file scannable when it arrives in small chunks on the ICAP server?

I understand that this might be an issue with the ICAP server, but I want to rule out the LTM configuration. We are talking to Broadcom/Symantec too. It will not be possible to do anything on the SharePoint side unfortunately, since this is the preferred method of uploading large files.

768 Views, 0 likes, 1 Comment

Microsoft SharePoint 2016 iApp template
Problem this snippet solves:
f5.microsoft_sharepoint_2016.v1.0.0rc1
Use this Release Candidate iApp template to configure availability, encryption, security, and remote access for Microsoft SharePoint 2016. This template will configure the BIG-IP Local Traffic Manager (LTM) module, the Access Policy Manager (APM), the Application Acceleration Manager (AAM), the Advanced Firewall Manager (AFM), as well as Application Security Manager (ASM) for SharePoint deployments. The deployment guide for SharePoint 2016 can be found at http://www.f5.com/pdf/deployment-guides/iapp-sharepoint-2016-dg.pdf

How to use this snippet:
1. Go to downloads.f5.com and download the iApp template package.
2. From the RELEASE_CANDIDATE directory, extract (unzip) the f5.microsoft_sharepoint_2016v1.0.0rc1.tmpl file.
3. Log on to the BIG-IP system web-based Configuration utility.
4. On the Main tab, expand iApp, and then click Templates.
5. Click the Import button on the right side of the screen.
6. Click the Browse button, and then browse to the location you saved the iApp file.
7. Click the Upload button. The iApp is now available for use.
For complete instructions, see the deployment guide.

Code: https://downloads.f5.com/esd/product.jsp?sw=BIG-IP&pro=iApp_Templates

1.2K Views, 0 likes, 7 Comments

APM Forms-based logon with NTLM SSO Backend
I've been fighting this a bit and not finding the solution on other DevCentral Articles.

Goal Synopsis:
User opens internet portal page. Presented with Forms-based login page, user enters this username (e.g. firstinitial.lastname) and password. A chain of 5 AD forests is tested against this username. On success, the F5 passes NTLM auth to a backend webserver, in this instance SharePoint 2016.

What's working:
Everything up until the SSO mapping/NTLM result which needs to be passed to SharePoint. Below is the flow I've made. NTLM auth result I threw in as a test; the message boxes are just debug to see which branch is hit without digging in logs. The All AD Auth is the AD chain I mentioned. I'm also assigning a variable after each success to set the session.logon.last.domain to the corresponding AD in case it's needed later in the chain. I'm also doing a basic 401 challenge for internal NTLM and redirecting to either internal or logon page based on client IP.

Backend things:
BIG-IP 13.1.1.2 Build 0.0.4 Point Release 2
NTLMv2 SSO is on the SSO cred mapping; however, it's targeting 1 domain only. This one domain is the hub in a hub/spoke AD trust layout, so any user from any domain can auth to it.
I'm using iRules to handle the resource assignment since I'm directing to pools based on the hostname requested (we have a lot, it's annoying), but it isn't an issue.
I've not set up that one NTLM setting I can't remember off the top of my head that can only be done via TMM CLI, because I could only find it mentioned in version 11 or older BIG-IPs.

Next Steps:
I'm really not sure. Everything I've been finding says this should be working but it's not, and I can't find anything on DevCentral that matches what I'm trying to do. It's all either been 401 challenge pages or something to do with SSO to MS Exchange. So I'm throwing this on here hoping someone has an idea as to what I'm missing.

474 Views, 0 likes, 1 Comment

Sharepoint 2016 without APM shows only RO word documents
I have SP 2016 and we deployed it with iApp but not using the APM. Everything works but the document only shows read-only. Then when I use the SP without f5 it works fine. I saw many posts pointing to an iRule for this same problem but that's with APM - https://devcentral.f5.com/codeshare/apm-sharepoint-authentication

How can I fix this problem if I am not even using APM in the first place? We are doing SSL offloading and the backend is http only. Thanks.

323 Views, 0 likes, 1 Comment

How can I identify the SharePoint Application in Access Policy?
Hi All, I'm taking over the responsibility of our F5 and don't have any experience as of yet. We have an Access Policy which identifies users accessing our SharePoint services over the Internet using SSO and Client OS session variables. I'm unable to figure out how to identify what people are using the SharePoint application to where I would just forward the user to the server and bypass SSO as credentials are already added in the application. I've included a picture of our current Access Policy. The "SharePoint Application" branch doesn't work and contains this code:

    expr { [mcget {session.client.platform}] contains "com.microsoft.sharepoint" }

Does anyone know a different way of defining a branch for identifying the SharePoint application? The App works just fine when bypassing the F5 altogether. I opened a support case, but since we have an AWS F5 instance, it doesn't include the "full" support in our license and the tech suggested to get that for "installation" assistance. Any help would be greatly appreciated!

265 Views, 0 likes, 1 Comment

Configuring Big IP APM with sharepoint integration.
Hi,

We have just configured a Big IP APM with SharePoint access. The SharePoint solution has two webpages that our customer wants to access. But the customer does not want a landing page in between. Is it possible to configure a direct access to a multiple SharePoint solution and bypass the landing page? If so, how?

426 Views, 0 likes, 2 Comments