f5 sharepoint tenacious session issue
Good evening! We are experiencing a security issue with our f5 sharepoint deployment. I have used the iapp f5.microsoft_sharepoint_2010, Software Version is BIG-IP 11.4.1 Build 608.0 Final The problem is that once a browser session is established, it will continue even though the browser is closed and even if the client is rebooted. When I call up the url of the sharepoint it will connect me without asking for authentication. How can I achieve that upon closing the browser the session becomes invalid? Thanks for advice! Alex
Sharepoint health monitors
Hey Everyone, I am currently load balancing two servers in my SharePoint setup. I am currently using the default "http" health monitor. Sometimes in the morning, one of the servers goes into an error and responds back with a 503 error. The F5 still sees the server as up and 50% of the people get the error page. I am looking for a health monitor that checks the ICMP of the server and also checks to see is the server responds back with a 503 error. If the server responds back with a 503 error I need the F5 not to send traffic to the server. In a perfect world I would also love to receive an email when this server shows a 503 response. I don't play with health monitors too often and was wondering if anyone out there could help me out. Cheers!
SharePoint Server Farm F5 LoadBalancer with SSL
Hi All, First off i should let you know that i am not managing the F5, I am posting here to maybe find out if error is caused from f5 config, if so steer the customer to fix their f5 config with regards to specific sharepoint settings. I have a 2x2 MinRole HA SharePoint Server Farm. 2 App servers, 2 WFE servers. I have had the customer set up F5 LoadBalancer with SSL being handled with F5. I have setup my alternate access mapping as follows. public url is the dns set up for f5. and in internal urls i have added http/s version of app server, and the two web servers. https://i.hizliresim.com/CiSVLD.png As for problems I have faced, I found out when i want to pick a date from calendar the widget is not loaded from server. It throws a x-frame set to deny error. https://i.hizliresim.com/ezYNAZ.png One other problem i found out is that workflows dont work and throw an ssl connection can not be established error. https://i.hizliresim.com/Djt61R.png How should the customer set up f5 load balancing with ssl handled in f5? Thanks in advance.
Office Online Server with SharePoint 2016
I am in the process of deploying Office Online Server (OOS) with SharePoint 2016. Had a ticket open with support where it was suggested that I look at https://www.f5.com/pdf/deployment-guides/microsoft-office-web-apps-dg.pdf as an option. I cannot install this iApp on my system as I am running 14.1.0.2 and it seems that AAM is no longer an option. Being that OOS alongside SharePoint should be a pretty standard deployment, is there some documentation that describes how to properly deploy the two solutions together with LTM?
SharePoint Redirect To New Path Using Public Name
Hello, I'm trying to use the following code to redirect public traffic over a secure link (https://) to a SharePoint 2013 server that's listening on port "33230" at "/sites/BI/". I did this before with a SharePoint 2010 server listening on port "80" at "/" without a problem, but this time I'm just getting text from the site in one long column instead of text on top of graphics with the proper formatting (Browsers don't make a difference and I have the same problem with-in the company unless I access the server with the server name in the URL with-in our company and then it looks fine). Firewall has port 80 and 443 open to accept incoming connections to the Virtual IP. Here's the iRule: "dashboards.domain.com" { switch [TCP::local_port] { 80 { HTTP::redirect "https://[HTTP::host]/sites/BI/" } 443 { if { [HTTP::uri] != "/sites/BI/" } { HTTP::redirect "https://[HTTP::host]/sites/BI/" } pool SharePoint_Dashboards_pool } } } I have the following SharePoint Alternate Access Mappings setup in this order: http://SERVER[Default]http://SERVER http://SERVER:33230[Default]http://SERVER:33230 https://dashboards.domain.com:33230[Internet]https://dashboards.domain.com:33230 http://dashboards.domain.com:33230[Internet]https://dashboards.domain.com:33230 Thanks, Brian
Kerberos authentication not working after IIS/SharePoint rebuild.
Hi! We have an environment with an F5 delegating kerberos for our SharePoint environment. We made the decision to rebuild IIS/SharePoint due to some various issues. After the rebuild, IIS/SharePoint kerberos authentication is no longer working and we continually get a 401 back. F5 is reporting that it is getting the kerberos ticket correctly, however, IIS still sends a 401 negotiate back every time a request is made. As far as we can tell, the IIS/SharePoint configuration is identical to what it was before. Is there any additional changes to the F5 to support new IIS/SharePoint? SharePoint is setup for kerberos and IIS authentication is "negotiate"? Any help appreciated, thanks!
Sharepoint 2013 Login redirect iRule problems
Hi, I'm having a problem with a Irule applied to a VS loadbalancing a sharepoint site. when HTTP_REQUEST { switch [HTTP::host] { sh.domain.com { if { [active_members SHAREPOINT_2013_HTTPS_pool] < 1 } { HTTP::respond 200 content {some content} } if { ( [string tolower [HTTP::uri]] contains "login.aspx" ) and ( [IP::addr [IP::client_addr] equals 10.0.0.0/8]) } { HTTP::redirect "https://sh.domain.com/_windows/default.aspx?ReturnUrl=/" } pool SHAREPOINT_2013_HTTPS_pool } sh.domain2.com { if { [active_members SHAREPOINT_2013_HTTPS_pool] < 1 } { HTTP::respond 200 content {some content} } if { ( [string tolower [HTTP::uri]] contains "login.aspx" ) and ( [IP::addr [IP::client_addr] equals 10.0.0.0/8] ) } { HTTP::redirect "https://sh.domain2.com/_windows/default.aspx?ReturnUrl=/" } pool SHAREPOINT_2013_HTTPS_pool } } } What happens: Internal users: User wants to access URL: https://sh.domain.com/testguy Without the irule, internal clients connects to the sharepoint site from a ip in the 10.0.0.0/8 subnet, and are automaticly redirected to a sharepoint login page. The user then has to click a link to log inn. Clicking this link does nothing but redirect to https://sh.domain.com/_windows/default/.aspx?ReturnUrl=/testguy With the iRule, internal clients buypass the login screen correctly, but they are riderected to the home page of sharepoint (another redirect that happens when you request https://sh.domain2.com/_windows/default.aspx?ReturnUrl=/) Trying to access the original URL : https://sh.domain.com/testguy again within the same browser now works correctly because the user is never redirected to login page, and therefor just sent straight to the pool. External users: Is currently working as expected. They are sent to login page, and have to click the login button and present credentials, and then redirected to the correct page. How can I have my internal users buypass the login page, and automaticly redirected to the requested URI? Is there a way to append the original URI to https://sh.domain2.com/_windows/default.aspx?ReturnUrl=/[HTTP::uri] without causing a redirection loop? I have tried the above statement, but it creates a loop because the HTTP:uri is now the login page. Appreciate all input!
SharePoint and SAML Single Log Out
I have an APM Policy doing SAML authN client side (APM is the SAML service provider) and Kerberos AuthN server side. All working well there. Dealing with Single Log Out and I want both the APM session cleared as well as the external IdP session so need to do SP initiated Single Log Out over SAML. Because of RFE ID 440234 where the APM policy does not detect the logout URI when there are various paths before the defined Logout URI, I have the following iRule taking care of detecting and initiating Single Log Out. when HTTP_REQUEST { if { [string tolower [HTTP::uri]] contains "/_layouts/signout.aspx" || [string tolower [HTTP::uri]] contains "/_layouts/15/signout.aspx" || [string tolower [HTTP::uri]] contains "/_layouts/15/mobile/authn_signout.aspx"} { HTTP::respond 302 Location "/my.logout.php3" } } This works perfectly and clears both APM Session, as well as takes care of the SAML Single Log out. The only problem is that the user ends up at the F5 Logout page at a URI of: /vdesk/hangup.php3 I Need the user to get sent back to the host name that existed when the above iRule was triggered to log out the user. Similar to how the vdesk/hangup.php3 has a link "To open a new session, please click here" that simply sends the user back to the host name they just logged out from, and in my case starts the SAML Single Sign On flow dropping them as the IdP logon page. Any creative ideas on how to get the user back to the host name after this type of login? The desired behavior is what I get when I do NOT use an irule, and leverage the APM Policy "Logout URI include" option, but then I have the issue that any URI that is not at the root host name is not picked up (ID 440234) as a logout request and user is not signed out at all. Thanks E.R.
