APM replacing ADFS proxy 3.0 : different behavior based on user agent value
Hi, I am deploying F5 APM as ADFS proxy using deployment guide v1.4. I configured AD auth and NTLM SSO. When authenticating with Firefox, SSO does not work and the ADFS server requests form-based authentication (it is my default test browser and I did not try with IE). I searched on DevCentral for anything else to configure to support ADFS 3.0. I found this article about configuring form-based authentication on the ADFS server. To support ADFS proxy for any browser, I customized the iRule provided in the deployment guide like this:

    when HTTP_REQUEST {
        set keepua 0

        # For external Lync client access all external requests to the
        # /trust/mex URL must be routed to /trust/proxymex.
        # Analyze and modify the URI where appropriate
        HTTP::uri [string map {/trust/mex /trust/proxymex} [HTTP::uri]]

        # Analyze the HTTP request and disable access policy enforcement WS-Trust calls
        if {[HTTP::uri] contains "/adfs/services/trust"} {
            ACCESS::disable
            set keepua 1
        }

        # OPTIONAL ---- To allow publishing of the federation service metadata
        if {[HTTP::uri] ends_with "FederationMetadata/2007-06/FederationMetadata.xml"} {
            ACCESS::disable
            set keepua 1
        }

        # Requests still subject to the access policy get a User-Agent the ADFS server accepts for NTLM auth
        if { !($keepua) } {
            HTTP::header replace "User-Agent" "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko msie7"
        }
    }

It replaces the client user agent with one supported by the ADFS server for NTLM auth. Am I the first to get this error? Is there a better solution to solve this issue? Regards, Stanislas

369 Views, 0 likes, 2 Comments

"Application Launch" doesn't execute (SSL VPN)
Hi, I am using the F5 to set up an SSL VPN into our network. I am using APM to do authentication and posture checking. Once everything has passed there is a Resource Assign and then a Variable Assign to set up an application launch. When connecting using the BIG-IP Edge Client (on Windows) I can see the posture checks occurring and then I am authenticated and connected to the network. However, the application doesn't launch. The F5 application Helper UAC prompt occurs, to which I click YES. I went and had a look through the client logs and found the following entries:

    2016-04-15, 6:09:23:886, 2624,1752,Standalone, 48, \NetworkAvailabilityMonitor.cpp, 282, WaitForConnectionToSettle::WaitForConnectionToSettle, Network event occured while waiting for connection to settle

I assume the network event that occurred was the application launch, because when looking through the logs of a different connection that does work I can see the following:

    2016-04-15, 4:07:10:335, 3296,2552,HOST, 48,,,, CHostCtrl::ExecuteApplication:launch cmd="mstsc.exe"

which is nowhere to be found in the logs when it doesn't work. Does anyone know what causes the connection settle issue and how I might be able to resolve it? Cheers, Simon

473 Views, 0 likes, 2 Comments

One of my Company Vendor application wants to call My web service and want to authenticate the traffic in APM. How can I authenticate
One of my vendors wants to call my web service in their application. No manual interaction is involved. I provide them a personal certificate and service account with password. Now I want to authenticate the traffic coming from my vendor's application and pass it to my web service. I am running 11.6, so no OAuth is possible. How can I authenticate the traffic in this situation? Any help will be highly appreciated.

372 Views, 0 likes, 5 Comments

APM special cases
Hi All/DC Experts, I have 2 questions regarding Access Policy Manager. First scenario: I have users that are members of multiple groups. Can F5 automatically merge resources if it detects that the user is a member of multiple groups? Second, I have a user in multiple groups and I just want this user to only be able to use these specific resources even though he is a member of multiple groups. Thank you everyone, I am hoping that you can help me with this. -Nathan

196 Views, 0 likes, 1 Comment