Forum Discussion

7 Replies

  • Can you share your config, certainly the iRule? The example doesn't show anything about a URI or redirects, so I don't quite understand where you get those from.

     

  • I have tried the following articles with zero success. https://devcentral.f5.com/wiki/APM.MultipleNTLMSSO.ashx https://devcentral.f5.com/wiki/APM.ShareAccessCookies.ashx

     

    It is possible that my layered virtual servers are not configured right. With the second article, setting the session.policy.result.start_uri value in APM does not work, as it gets changed to /myvpn?sess... at the end. There doesn't seem to be any authentic documentation from anyone who has actually implemented this scenario.

     

  • My understanding is that setting the domain cookie in the SSO configuration should transparently enable NTLM SSO across multiple VIPs, but that is not working at all with the edge client landing VIP being one of them.

     

  • The second article posted earlier does not work because without a webtop the VPN connection does not complete, and once a webtop is added, setting session.policy.result.start_uri in APM no longer works.

     

  • So the issue is the apm_session_handover_uri URI isn't hit?

     

    Can't you check with an iRule, logging the [HTTP::uri], to check for something else to use?

     

    Are your domains different? Because in a setup I built long ago I didn't have to go through all these hoops to make this work.

     

    Can you share some of your current config?

     

  • Issue is resolved. Problem was the layered VIP IPs did not have permission entries in the edge client ACL. No iRules were required. Only issue was an additional workgroup DNS server had to be added to point to the layered VIPs for the edge client. This is because static host entries do not work due to iPhone security. Still checking if there is a more elegant solution for the DNS outcome. Domain cookie was used to achieve NTLM passthrough.