Forum Discussion
hooleylist
Oct 28, 2009
That is a legitimate concern. In pre-v10 you can set a /32 mask on the OneConnect profile to ensure that the serverside TCP connection is only re-used for the same client IP address. In pre-v10, if you have multiple clients connecting from the same IP address to an app that uses NTLM, it would probably be best to not use OneConnect on the VIP.
SOL10477: Optimizing NTLM traffic in BIG-IP version 10.x
https://support.f5.com/kb/en-us/solutions/public/10000/400/sol10477.html
However, since NTLM is connection-oriented and allows multiple requests on the same connection without re-authentication, issues can occur after the initial handshake when the OneConnect feature adds NTLM-authenticated requests to the connection pool to potentially be reused by unauthenticated client(s). Prior to version 10.0.0, this issue could be mitigated or avoided only by using special techniques such as:
* Configuring the OneConnect source mask feature to limit serverside flows by subnet or to the original client IP address
* Configuring an iRule to disable the OneConnect profile for NTLM, or to provide special handling for NTLM
In v10, you can use the NTLM profile with OneConnect as described in SOL10477.
Aaron
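To make the two options in the reply concrete, here is an added tmsh example (not part of the original post or F5's documentation) showing the pre-v10-style OneConnect source-mask restriction beside the v10 NTLM-profile approach. Object names (oc_per_client, ntlm_app, vs_app, pool_app) and the 10.0.0.10 address are assumptions.

```tmsh
# Weak setting: a default OneConnect profile uses source-mask 0.0.0.0, so an
# NTLM-authenticated serverside connection may be reused for any client IP.
create ltm profile one-connect oc_any_client defaults-from oneconnect source-mask 0.0.0.0

# Pre-v10 mitigation: /32 mask, so a pooled serverside connection is only
# reused by the same client IP address (still unsafe when many users share
# one IP, e.g. behind a proxy or NAT).
create ltm profile one-connect oc_per_client defaults-from oneconnect source-mask 255.255.255.255

# v10 approach: add an NTLM profile; it requires HTTP and OneConnect profiles
# on the same virtual server and keys connection reuse on the NTLM session.
create ltm profile ntlm ntlm_app defaults-from ntlm

# Virtual server using the v10 combination (assumed names and address).
create ltm virtual vs_app destination 10.0.0.10:80 ip-protocol tcp pool pool_app \
    profiles add { http { } oc_per_client { } ntlm_app { } }

# Verify the effective source mask before trusting connection reuse.
list ltm profile one-connect oc_per_client source-mask
```

On a pre-v10 system only the source-mask profile applies; if several users share one source IP the safer choice per the reply is to leave OneConnect off that virtual server.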