[APM] URL stops working , location : /my.policy?ORG_URI=1f931c35
hello Team , We have a strange issue . User is able to access the url but sometimes the url doesn't work and when he checks in developer tool it has a status code of : 302 Found. After 10-15min it starts to work without any intervention. Response Headers : Connection : close Content-Length:0 Location : /my.policy?ORIG_URI=1f931c35 We are using APM for ACL and URL filtering , so where can I find my.policy ? I did not find any logs with this id 1f931c35 in cat apm or cat ltm logs , cat pktfilter logs , cat urlfilter logs .. Kindly please advice .41Views0likes1CommentF5 webmail exchange 2016 - "Access policy evaluation is already in progress for your current session."
We recently moved over to outlook 2016. Users that are on 2010 connect fine and never have an issue. the new users that have moved over to 2016 mailboxes get the error message above in the title. When they connect, they get the following addons to their URL: ?bO=1 sessiondata.ashxappcacheclient=1&acver=15.1.1591.8&crr=1 I have tried irules from the following devcentral questions and answers with no success: Access policy evaluation is already in progress for your current session How to avoid "Access policy evaluation is already in progress" - (irules from matt, Misty Spillers & Stanislan Piron tested and didn't help) If i have users open a browser in "InPrivate Browsing" or "Incognito" mode, they don't get the error. I have also tried the windows_10_anniversary_fix as well as all the irules on page 76 of the iapp deployment guide for exchange 2016. Deployment guide stuff i tested and doesn't work: when HTTP_REQUEST { if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } { HTTP::cookie "IsClientAppCacheEnabled" False } } and tried this: when HTTP_REQUEST { if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } { HTTP::cookie remove "IsClientAppCacheEnabled" HTTP::cookie insert name "IsClientAppCacheEnabled" value False } } I have a ticket open with F5 but they are saying oh just check the guide. not helpful. Hoping someone from the community can help me. thanks in advance!1KViews0likes1CommentAPM Access Policy - Pass LDAP or AD Query variable
Is it possible to query whether a user has a value for one or another variable then use that to pass or fail passage down the rest of the swimlane for access? (e.g.-expr {[mcget {session.ad.session.ad.last.attr.variable1}] != 0 || [mcget {session.ad.session.ad.last.attr.variable2}] != 0} where the two variables are numbers or a non-constant string, but do have a value...and are not "<not set>". Is it also possible to have another path where the lack of a value for theexpr {[mcget {session.ad.session.ad.last.attr.variable1}] == 0, can be sent to a uri or url? Any assistance would be greatly appreciated!1.4KViews0likes9CommentsACCESS::policy result "not_started"
Hi all! I try to invoke a access profile but the result of "ACCESS::policy result" is not_started. Why? Can someone help me? This is the code when HTTP_REQUEST { .... if { $sessionID ne ""}{ The user in session, TODO } else { The user not in session, check token if {$logDebug}{log local0. "=>|$logId| User not in session\n"} if {$logDebug}{log local0. "=>|$logId| sessionID empty, creating a new session"} set sessionID [ACCESS::session create -lifetime 30 -timeout 30] if {$logDebug}{log local0. "=>|$logId| new sessionID is $sessionID"} call APM HTTP::header insert "clientless-mode" 1 set ldapAPResultByToken [ACCESS::policy evaluate -sid $sessionID -profile "test_ldap_accessProfile" session.test.token $tokenFromHeader session.server.landinguri $uriRequested session.logon.last.logonname $tokenFromHeader] if {$logDebug}{log local0. "=>|$logId| Executed /Common/test_ldap_accessProfile with token: $tokenFromHeader with result: $ldapAPResultByToken\n"} set result [ACCESS::policy result -sid $sessionID] if {$logDebug}{log local0. "=>|$logId| result: $result\n"} set policyResult [ACCESS::session data get -sid $sessionID session.policy.result] if {$logDebug}{log local0. "=>|$logId| policy.result: $policyResult \n"} ... } ... } The logger print this: User not in session sessionID empty, creating a new session new sessionID is 1562e4dd6119e43dca7f7154c3b1a4cc Executed /Common/test_ldap_accessProfile with token: pippo with result: error result: not_started policy.result: not_started302Views0likes1CommentBranch evaluation fails with Rule evaluation error: invalid command name "session.logon.last.username"
Hopefully somebody is able to enlighten me, I have the code below in a branch rule expression of an AD Query element. I get an 'Rule evaluation failed with error: invalid command name "session.logon.last.username"' error. The purpose is to translate an email entered to the matching AD logon username from AD. The AD query succeeds (mail=%{session.logon.last.username}). It looks like the variable assign element is not able to change the session.logon.last.username variable. if { [mcget {session.ad.last.queryresult}] == 1 } { session.logon.last.username = mcget {session.ad.last.attr.sAMAccountName}; return 1; }; return 0; Thanks for sharing your thoughts / ideas.738Views0likes2CommentsAPM sessions broken out by access policy?
I don't believe this is possible, but I'll ask just to be sure... For VPN, based on their user ID or an Active Directory query, etc., a user is assigned an APM access policy appropriate for their level of access. Is it possible, beyond running a custom report via the GUI, to display/track the current number of users connected via one access policy or another? I've used "tmsh show /apm license" to see how many licenses are consumed, and have also run reports via the GUI to see how many people have connected via a specific APM policy, but this is a bit beyond that. I'd think there would have to be some mechanism to tally not only connections via an APM policy, but one to update the total whenever a session terminates. Thanks!Solved564Views1like2CommentsWindows Group Policy Trigger on Network Connect
Hi, I'm wondering if there is a way to trigger Windows Group Policy to be triggered when a user connects to VPN. We are able to run gpudate.exe as an application on connect, but this is visible to the end user. We have User and Machine Windows Group Policies on our domain which we'd like to ensure gets applied once the user is connected to VPN and not have to wait for the usual Windows GPO refresh cycle.419Views0likes2CommentsMultiple Client Certificates - Query using single Virtual Server SSL Profile (Client)
I have an interesting one, and just started digging into its creation. I need to perform an OCSP check (easy), collect information off of 1 of 3 certificates a client might have on their token (easy), and pass that information on to the webserver (got that one all day long). Now for the curve ball. At somepoint in the APM policy, I have to query 1 of the other 2 certificates for another piece of information (think an email certificate vs. one used for authentication), but I can't mess with the data (or session) from the original certificate. My first few tries forces the session to reset and I lost the session data collected on the initial query. Thoughts?? open to ideas.. One knowledge nugget, I have to use the same URL, maintain the current session, and pass the data from both certs (that are in the same chain, covered by the same cert bundle) on to the web/app server. I might be able to use different URIs, so not sure if that helps.. Thanks263Views0likes0CommentsKerberos "Max Logon Attempts" Meaning
When adding the "Kerberos" Auth Item to an APM Policy what affect does the "Max Logon Attempts" have. What actually happens here, does it send another 401 to the client to get another kerb token? Is there a best practice here? default I think is 3 but allows 1 to 5 Cheers206Views0likes0CommentsAPM :: Remote Desktop List :: Remote Sound Not Working
Has anybody ran into where the remote audio is not being played locally? I have the local sound box checked, and I even tried the audiomode:i:0 custom parameter (even though it's defaulted to zero), and neither seem to be working. I know it's nothing wrong with the workstation (or so it seems) because the other VPN solution that I'm trying to migrate off of works perfectly fine. General Properties: Local Resources: I haven't been able to get monitor spanning to work either (no matter what combination of anything I use)... but that's a whole other issue. Thanks-392Views0likes2Comments