SharePoint Issues with F5 LTM and APM.

Question

Hi everyone,&nbsp;
&nbsp;Is there a way for the APM to pass-through credentials to a server for users that are already logged in to their domain computers with domain credentials?&nbsp;
&nbsp;We have a new SharePoint 2010 site that is being used internally and externally. Right now everyone needs to authenticate through the F5 before accessing the site. However, I want people who are already logged in to the domain to not have to go through the extra login step each time. If the users browse via netbios name, the credentials are passed through and no login is needed - however, I would rather not have users browsing to sites in that fashion.&nbsp;
&nbsp;My second issue is my calendar items are not working properly when pumped through the F5. For instance, when users try to interact with the calendar (clicking to the next month, etc) it just says "Loading..." indefinitely. I have gone through the deployment guide and added a snippet of code as an iRule that was identified as correcting a similar issue with the top-bar Ribbon, but it doesn't seem to have any effect on this particular problem. Any ideas?&nbsp;
&nbsp;Thanks in advance!&nbsp;&nbsp;&nbsp;

jared_46987 · Answer

Posted By dubdub on 09/11/2012 06:00 AM&nbsp;
Hi Jared,&nbsp;
&nbsp;
How were you able to get the source IP check working? I need to bypass an APM policy based on source IP and it's proving more difficult than I expected.&nbsp;
&nbsp;
Thanks,&nbsp;
Jen
Hey Jen -&nbsp;
Here is the solution that worked for me:&nbsp;
I added the "Check Source IP" variable to the beginning of my SharePoint access policy. Within that variable, go to Branch Rules, then Advanced, and enter this expression:&nbsp;
expr { [mcget {session.userlocation}] == "internal" }&nbsp;
Ok - now I have my completed Access Policy (see the attached picture for the full VPE). Now, go to Local Traffic -&gt; iRules -&gt; Data Group List and create a new list. I called mine "dg-internal-networks". Then select "Address" as the field type. Now you can add address records (i.e. a single IP address, or an entire network) to the list. I then created an iRule called "ir-apm-set-internal-netflag" and populated it with the following code:&nbsp;
when ACCESS_SESSION_STARTED {&nbsp;
    if { [class match [ACCESS::session data get "session.user.clientip"] equals "dg-internal-networks" ] } {&nbsp;
       ACCESS::session data set "session.userlocation" "internal"&nbsp;
    } else {&nbsp;
       ACCESS::session data set "session.userlocation" "external"&nbsp;
    }&nbsp;
}&nbsp;
Now we're going to save the iRule and then apply this iRule to the virtual server in question. Once the iRule is applied, and assuming your Access policy is set correctly, you should be good to go. In the case of SharePoint, I had to add my sites public address to the "Intranet Trusted Sites" section within Internet Explorer before it would work correclty. This is also assuming your using NTLM on the backend and not kerberos.&nbsp;
If you need some more help, just let me know!!&nbsp;
 &nbsp;
Jared&nbsp;
 &nbsp;

michael_koyfma1 · Answer

Jared, 
&nbsp;  
&nbsp; Regarding issue 2 - I suggest you open a case with F5 support to troubleshoot it further.  It is likely that either Sharepoint or F5 is misconfigured(maybe something with Alternate Access Mapping on Sharepoint?)   
&nbsp;  
&nbsp; Regarding authentication issue - can you please elaborate on your exact use case a bit more so that we can give you proper guidance?  Do you have users internally that are not accessing Sharepoint from non-domain-joined machines?  Just trying to properly understand your desire to have APM in front of Sharepoint internally and all the exact end-user behaviors you desire.  Please clarify your exact desired scenarios a bit - thanks.

michael_koyfma1 · Answer

Jared, 
&nbsp;  
&nbsp; Thanks.   I do have an idea on how you can potentially address this issue.  You can leverage APM's end-point inspection capabilities for that.  So, you would modify the policy to first check for user's source IP-address(I assume that the same VS is used for both external and internal users, else you can skip this step).  Then you would invoke our end-point inspection to detect whether the user's machine is a domain-joined machine(a registry check or Windows info check and get Windows machine name and/or logged-on user for that machine, and if you are able to detect that, just let them through to the resource(end the policy in Allow ending) - that way client machine should authenticate to Sharepoint via NTLM silently, as you'd expect.  For all other users, you'd want then to follow essentially the branch that you have depicted in your post.

jared_46987 · Answer

Just an update for anyone else in case this issue occurs for others: the calendar issue ended up being a problem with compression applied to SharePoint content from the F5. Once we turned off compression and the OneConnect policy, the calendar and some other ribbon functionality started working again.  
&nbsp;  
&nbsp; I was also able to get source IP checking working, and have a proof of concept model setup and rocking out, but not deployed company wide just yet. 
&nbsp;  
&nbsp; Thanks for the help!!

dubdub · Answer

Hi Jared, 
&nbsp;  
&nbsp; How were you able to get the source IP check working?  I need to bypass an APM policy based on source IP and it's proving more difficult than I expected. 
&nbsp;  
&nbsp; Thanks, 
&nbsp; Jen

Forum Discussion

SharePoint Issues with F5 LTM and APM.

9 Replies

Recent Discussions

BigIP Next - Health Monitors / Template

LDAPS and renegotiation

Need advise to setup a policy on F5

Web acceleration

What are the different phases in DevOps?

Related Content

APM Sharepoint authentication

Regex issue

APM Sharepoint authentication v2

iRule for migrating to Sharepoint Online

F5 GTM resolution issue