How to properly create Intermediate SSL Certificate
Hello all. I believe this should be an easy question but i need some guidance. I am publishing Skype for Business reverse proxy services with a Big IP and I am using the iApp to do so. I can get my mobile clients to connect and sign in through the reverse proxy and I can do a lot of what needs to happen, but sometimes I can't connect to calls on my phone and when I run into the issue I also simultaneously get a certificate warning stating that the Godaddy certificate that i purchased and set up on my reverse proxy could not be verified. This is making me think that I set this up wrong somewhere. So what I did was I exported the certificate as a .pfx from my Edge server with it's private key and imported it to my F5 unit where I imported it as: Import Type: PKCS 12 (IIS) Certificate Name: Skype_Public Certificate Source: PFX I exported Password: ********** Key Security: Normal Then for the chain certificate I imported the godaddy bundle (labeled gd_bundle-g2-g1). There is also a PKCS7 certificate labeled as gd-g2_iis_intermediates but i couldn't get it imported into the Big IP and i was fairly confident it needed the bundle anyway. I imported the bundle as follows: Import Type: Certificate Certificate Name: Skype_Public_Bundle Certificate Source: gd_bundle-g2-g1 Then in the iApp i just went and set it to create a new client ssl profile and used the Skype_Public-PFX.crt as the ssl certificate and used Skype_Public_PFX.key as they Key. Finally I used the Skype_Public_Bundle.crt as my intermediate cert, fired up the iApp, and could sign in with my phone. But i got the above errors so I am thinking I dropped the ball somewhere as i am relatively inexperienced with SSL certificates.
APM: Office365 Skype for Business On-Premise Authentication
I've spent a few days working on an Office 365 lab hybrid deployment and have been unable to get Skype for business to authenticate or work properly. Is this supported? In my configuration I am attempting to use the F5 as the IDP. Azure AD connect is syncing properly and is not syncing password hashes to Azure. According to this document, Rich client application such as Lync or authenticating an Office subscription are not supported: Azure AD federation compatibility list However I am able to authenticate other thick-clients like Word, Excel, Outlook, etc without issue. A window with the APM login screen is displayed when authenticating--I would expect similar behavior for the Skype client. This makes me believe maybe this document is incorrect? I have gathered SSLdumps and see the authentication request reach the VIP: 1 10 1472838567.6975 (0.0018) C>SV3.3(448) application_data --------------------------------------------------------------- POST /saml/idp/profile/ecp/sso HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; WOW64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; MSOIDCR L 7.250.4556.0; App lync.exe, 16.0.7167.2040, {12B07E85-1B47-41C4-A4E2-43XXXXXXXXXX}) Content-Length: 1583 Host: idp.xxxxx.xxx --------------------------------------------------------------- 1 11 1472838567.6975 (0.0000) C>SV3.3(1632) application_data --------------------------------------------------------------- http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issuehttps://idp.xxxxx.xxxx:443/saml/idp/profile/ecp /sso1472838xxx xxxx@xxxx.xxxxxxxxxxxxxx 2016-09-02T17:52:11Z2016-09-02T17:57:11Z http://schemas.xmlsoap.org/ws/2005/02/trust/ Issueurn:federation:MicrosoftOnline http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey --------------------------------- ------------------------------ 1 12 1472838567.7042 (0.0067) S>CV3.3(336) application_data --------------------------------------------------------------- HTTP/1.0 302 Found Server: BigIP Connection: Close Content-Length: 0 Location: /my.policy Set-Cookie: LastMRH_Session=9c7be893;path=/;secure Set-Cookie: MRHSession=xxxxxxxxxxxxxxxxxxxxxxxxxxx;path=/;secure Set-Cookie: MRHSHint=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/ --------------------------------------------------------------- 1 1472838567.7042 (0.0000) S>C TCP FIN 1 13 1472838567.7046 (0.0003) C>SV3.3(48) Alert I would expect that the APM should be responding to the request rather than closing the connection as seen above. To me the soap envelope looks OK, or maybe I'm missing something simple? I'm running 12.1.1, and have also tried 11.6.1. I have no on-premise Skype/Lync environment and have validated that all DNS entries for Skype are correct. Microsoft's Connectivity Analyzer succeeds on all tests. The Skype client produces a generic failure on login: "Cannot sign in because the server is temporarily unavailable". Any guidance would be appreciated, thanks!Skype for Business: Using the Big IP as my Default Gateway
Hello All: I am in the process of rolling out Skype for Business for my company. As it stands, I have my internal pool up and load balanced via the Skype for Business 2015 iApp template. The issue is that it is set to use SNAT (no routing enabled directly through the appliance). Skype for Business AV does not support NAT which is even referenced in the deployment guide so I need to set the Big IP as the default gateway for my three front end servers. The short version of this story is that I do not have even the faintest idea of how to configure this on my F5. The longer version is that I have readhttps://devcentral.f5.com/articles/ltm-per-vlan-default-gateways.U6LtcHWx3UZ which confused me more than it did help and I read https://packetpushers.net/stateless-routing-f5-ltm/ which seemed to be on the right track but I don't see how I'd set the next hop address to my actual router so that traffic can traverse VLAN's and the WAN if necessary after hopping through my F5. Can someone please shed some light on this? Thanks!DoS and NTLM Brute force protection for SIP traffic
Problem this snippet solves: This snippet has been designed to mainly protect against NTLM's downgrade attacks present in a widely used Instant Messaging solution. This solution authenticate users on the SIP/TLS protocol. This irule block brute forced users and source IP address. How to use this snippet: This snippet should be applied on the Virtual Server that handle SIP/TLS traffic. SSL bridging is required to make this irule work properly. Moreover, Skype for Business may require that you change your cipher suite to a weak one. The internal domain should be define in " email_domain " and " user_domain " variables. The script will focus on those domains. The max attempts before blocking is defined in the " max_failures " variable. This setting should be under the max attempts allowed on the Active Directory. The blocking duration is configured in the " block_duration " variable. (in seconds) The " fail_memory " variable define the window that we increase the attempt counter. After reaching the end of this duration, the entry is removed until a new invalid attempt occurs. External links Github : github.com/e-XpertSolutions/f5 Related Articles DoS and NTLM Brute force protection for HTTP(s) flow Code : when RULE_INIT { array set NTLMFlags { unicode 0x00000001 oem 0x00000002 req_target 0x00000004 unknown1 0x00000008 sign 0x00000010 seal 0x00000020 datagram 0x00000040 lmkey 0x00000080 netware 0x00000100 ntlm 0x00000200 unknown2 0x00000400 unknown3 0x00000800 ntlm_domain 0x00001000 ntlm_server 0x00002000 ntlm_share 0x00004000 NTLM2 0x00008000 targetinfo 0x00800000 128bit 0x20000000 keyexch 0x40000000 56bit 0x80000000 } set static::email_domain "domain.org" set static::user_domain "DOMAIN" set static::log_pri "local0." set static::fail_tab "NTLMfails" set static::blacklist_tab "NTLMblackhole" set static::userfail_tab "NTLMUserfails" set static::userblacklist_tab "NTLMUserblackhole" set static::max_failures 5 set static::fail_memory 300 set static::block_duration 300 } when CLIENT_ACCEPTED { if {[table lookup -subtable $static::blacklist_tab [IP::client_addr]] == 1} { log $static::log_pri "[virtual] - BLACKHOLED IPADDR [IP::client_addr]:[TCP::client_port] (Reputation=[IP::reputation [IP::client_addr]])" reject return } } when CLIENTSSL_HANDSHAKE { SSL::collect } when CLIENTSSL_DATA { set payload [SSL::payload] if { ($payload contains "3 REGISTER") } { regexp -nocase {gssapi-data=\"([A-Za-z0-9+\/=]*)\",} $payload match gssapi garbage if { [info exists match] } { unset match unset garbage if { $gssapi != "" } { set ntlm_msg [ b64decode [string trim $gssapi]] binary scan $ntlm_msg a7ci protocol zero type if { $type eq 3} { binary scan $ntlm_msg @12ssissississississii \ lmlen lmlen2 lmoff \ ntlen ntlen2 ntoff \ dlen dlen2 doff \ ulen ulen2 uoff \ hlen hlen2 hoff \ slen slen2 soff \ flags set ntlm_domain {}; binary scan $ntlm_msg @${doff}a${dlen} ntlm_domain set ntlm_user {}; binary scan $ntlm_msg @${uoff}a${ulen} ntlm_user set ntlm_host {}; binary scan $ntlm_msg @${hoff}a${hlen} ntlm_host set unicode [expr {$flags & 0x00000001}] if {$unicode} { set ntlm_domain_convert "" foreach i [ split $ntlm_domain ""] { scan $i %c c if {$c>1} { append ntlm_domain_convert $i } elseif {$c<128} { set ntlm_domain_convert $ntlm_domain_convert } else { append ntlm_domain_convert \\u[format %04.4X $c] } } set ntlm_domain $ntlm_domain_convert set ntlm_user_convert "" foreach i [ split $ntlm_user ""] { scan $i %c c if {$c>1} { append ntlm_user_convert $i } elseif {$c<128} { set ntlm_user_convert $ntlm_user_convert } else { append ntlm_user_convert \\u[format %04.4X $c] } } set ntlm_user $ntlm_user_convert set ntlm_host_convert "" foreach i [ split $ntlm_host ""] { scan $i %c c if {$c>1} { append ntlm_host_convert $i } elseif {$c<128} { set ntlm_host_convert $ntlm_host_convert } else { append ntlm_host_convert \\u[format %04.4X $c] } } set ntlm_host $ntlm_host_convert } binary scan $ntlm_msg @${ntoff}a${ntlen} ntdata binary scan $ntlm_msg @${lmoff}a${lmlen} lmdata binary scan $ntdata H* ntdata_h binary scan $lmdata H* lmdata_h set interesting 1 if { ($ntlm_domain equals $static::user_domain or $ntlm_user ends_with $static::email_domain) } { set attack 1 if {[table lookup -subtable $static::userblacklist_tab $ntlm_user] == 1} { log $static::log_pri "[virtual] - BLACKHOLED $ntlm_domain\\$ntlm_user from $ntlm_host at [IP::client_addr]:[TCP::client_port] (Reputation=[IP::reputation [IP::client_addr]])" reject return } else { log $static::log_pri "[virtual] - Login attempt by $ntlm_domain\\$ntlm_user from $ntlm_host for SIP." } } else { set attack 0 log $static::log_pri "[virtual] - Not a valid user - Login attempt by $ntlm_domain\\$ntlm_user from $ntlm_host for SIP." } } } } } # Release the payload SSL::release SSL::collect } when SERVERSSL_HANDSHAKE { SSL::collect SSL::release 0 } when SERVERSSL_DATA { set payload [SSL::payload] if {[info exists interesting] && $interesting == 1} { set client [IP::client_addr]:[TCP::client_port] set node [IP::server_addr]:[TCP::server_port] if { $payload contains "401 Unauthorized ms-user-logon-data" and ([info exists attack] and $attack == 1) } { table set -subtable $static::fail_tab -notouch -excl [IP::client_addr] 0 indef $static::fail_memory table incr -subtable $static::fail_tab [IP::client_addr] set now [clock seconds] set now_date [split [clock format $now -format {%X %x}] " "] set later [expr {$now + $static::block_duration}] set later_date [split [clock format $later -format {%X %x}] " "] if {[info exists ntlm_user]} { table set -subtable $static::userfail_tab -notouch -excl $ntlm_user 0 indef $static::fail_memory table incr -subtable $static::userfail_tab $ntlm_user if {[table lookup -subtable $static::userfail_tab $ntlm_user] >= $static::max_failures} { log $static::log_pri "[virtual] - BLACKHOLING USER - $ntlm_user at $now_date until $later_date" table set -subtable $static::userblacklist_tab -excl $ntlm_user 1 indef $static::block_duration } } if {[table lookup -subtable $static::fail_tab [IP::client_addr]] >= $static::max_failures} { log $static::log_pri "[virtual] - BLACKHOLING IPADDR - [IP::client_addr] (Reputation=[IP::reputation [IP::client_addr]]) at $now_date until $later_date" table set -subtable $static::blacklist_tab -excl [IP::client_addr] 1 indef $static::block_duration } } } SSL::release SSL::collect } Tested this on version: 11.5
Split tunnel VPN Skype for Business - rewriting DNS
Hi, We are deploying an F5 VPN and have and existing SfB environment. We need to enable a split tunnel so external users don't register to the internal SfB server but resister to the SfB Edge server. When the server DNS is queried the result gives the internal server. We need to intercept the request and return with the SfB Edge server. How can this be done? Is this using iRules or is this a standard feature of the F5? Thanks.Big IP Reverse Proxy Does not Seem to be passing traffic onto my Skype for Business Front End Servers
Hey all. I posted a question a little while ago but i never really got an answer because I think I overworded it. Long story short, I have all of my Skype for Business internal and external services running (AV, IM, and presence). I set up a DMZ Big IP set to forward reverse proxy traffic to my FE servers using the iAPP. When I connect to the public IP/URL NAT'd to the device, I get a certificate warning (have not set up SSL yet) but then I cannot connect. I can see the three FE servers lit up as green from the Big IP so I know they're connected, but when I run wireshark I don't see any extra traffic flowing from the Big IP to my FE servers when I attempt a sign in so I'm not sure that the traffic is even getting through the Big IP and I'm not sure why. Does anyone have any thoughts on this? I have 443, 80, 4443, and 8080 allowed from my Big IP to my FE servers so I do not believe it is my firewall but I could be wrong. Any help would be appreciated. Thanks all!
Skype For Business - TLS
We're in the process of migrating from an older LTM running 11.6 to a new LTM running 13.1. In our existing environment we have configured Skype for Business with the iApp for Lync. This has worked well and we've been running with this for nearly 2 years. Upon attempted migration to the new LTM, this using the latest Skype for Business iApp, we found that were having issues with some users. Further investigation revealed that on the new LTM, for the SIP (port 5061) virtual server, SSL passthrough was used. This is the same as on the existing LTM. However, when we tried connecting the this address and port with cURL, we do not get a response from any of the Skype front-end servers behind the F5. Adding client and server SSL profiles, thus putting the Virtual Server in SSL bridging mode, a response is received from one of the Skype servers (round robin, as expected) Connecting to the VIP on the older LTM, with cURL, in SSL passthrough mode gets a response from the Skype servers. We do have a case open with support and they are going to take a look at a trace, but their initial assessment is the configs look pretty similar. The question to the community, is what is the recommended setup for SSL/TLS with Skype for Business?Completely Lost Trying to Set Up SSL For the Skype for Business Reverse Proxy iApp
Hey All. Doing my first ever Skype for Business deployment and I have most everything working properly (Internal/External IM/Presence and AV calls all work great for the desktop client). Now I am trying to set up my two Big-IP's to do reverse proxy traffic and I am honestly completely lost. Allow me to explain. I have a dual Big-IP setup in my test lab. I have one in my DMZ which is set using the iApp to forward reverse proxy traffic to my internal which is set through the same iApp to receive reverse proxy traffic. I have given it it's own public IP which is NAT'd to the DMZ F5 DMZ address. The DMZ F5 also has a self IP on the DMZ subnet for which I have opened 443, 80, 4443, and 8080 up to the VIP of the F5 on my internal lab subnet. The iApp on the DMZ Big IP shows green for the internal server so it looks like they're talking to eachother ok. Here's where I start beating my head against the wall, and before I go into detail I am going to come out and say that I have not yet configured a SSL profile on either Big IP which may be my issue here. If I download the Skype for Business app on my phone and try to sign into Skype with my SIP address and username, I get a certificate warning that comes from the DMZ Big IP so I know that my device at least makes it through the public/NAT IP address to the DMZ Big IP. But then after I click continue on the certificate warnings it will say signing in for a second and then juts kick me back to the logon screen. This has me wondering if the traffic is getting stuck somewhere in the chain of F5's, if it is a SSL issue, or if it is a configuration issue on my Skype Frent Ends somewhere and was hoping someone could provide some guidance. A followup question that I have to this is regarding what certificate to import and set up on my Big IP units. On my edge servers, I have a public certificate issued by a CA. On my FE servers I have a certificate assigned by my internal CA per Microsoft best practices. I would imagine that I should use the public cert, but the iApp states that "The certificate you select here MUST match the certificate you used in your Skype web services configuration." This would indicate that I would need to use the certificate from my FE servers, but then no mobile devices are not going to trust this certificate. Any advice here on exactly what I should do here would be greatly appreciated. Thanks!
