Lyonell_165736
Aug 06, 2014
Solved

TMG Migration - Deny Authentication

Good afternoon! I'm relatively new to BIG-IP, as we're working on a migration from TMG 2010 to BIG-IP 11.5.1 build 4.0.128. I searched documentation and the forums here but didn't find an answer to what I'm trying to do:

In TMG, there is an option to publish a website (in this case, SharePoint 2010) while preventing authentication (in the "Authentication Delegation" tab of a rule property, you can select "No delegation, and the client cannot authenticate directly"). In this configuration, when a client tries to access a resource that requires authentication, the proxy denies access to the URL.

My current iApp configuration is using the latest SharePoint iApp (f5.microsoft_sharepoint_2010_2013.v1.1.0). It's publishing just fine, but it doesn't block direct authentication like we need to. I do not have APM configured for this particular site, but I do have the license for it.

Thank you in advance for your help!

4 Replies

    mikeshimkus_111
    Historic F5 Account

    Hi Lyonell, APM offers two modes of proxying SharePoint requests. The iApp supports using APM to proxy authentication and then forwarding the request directly to the server.

    Another option is to publish SharePoint as an APM portal resource, where the BIG-IP rewrites every response and the client requests are never sent to the SharePoint servers.

    It sounds like the second scenario is what you want, correct? It's covered on page 18 of this guide: http://www.f5.com/pdf/deployment-guides/microsoft-forefront-tmg-dg.pdf

    I've also put in a request for this option to be added to the iApp template, but don't have an ETA yet.

    Mike

  • Mike, thank you for the reply. In this case, we're publishing a SharePoint server as an anonymously accessible website that does not require authentication to access the content. Authentication should be blocked by the proxy if attempted - that way internal users can authenticate to the site (for content updates, etc., not through BIG-IP), but outside users cannot.

    Does that help clarify the use case?

    mikeshimkus_111
    Historic F5 Account

    Sounds like you could create an iRule to drop or otherwise respond to requests for the Authentication URL and add it to the virtual server using the iApp. Maybe something like this:

    # Runs once when the iRule is loaded: build the body of the deny page
    when RULE_INIT {
        set static::response "Access Denied. We are sorry, but you may not authenticate to the SharePoint server."
    }

    # Client side: answer requests for the SharePoint sign-in page locally,
    # so they are never forwarded to the SharePoint servers
    when HTTP_REQUEST {
        if { [string tolower [HTTP::uri]] contains "/authenticate.aspx" } {
            HTTP::respond 200 content $static::response
        }
    }

    # Server side: if SharePoint challenges the client for credentials
    # (a 401 carrying WWW-Authenticate), replace the challenge with the deny page
    when HTTP_RESPONSE {
        if { [HTTP::header exists "WWW-Authenticate"] } {
            HTTP::respond 200 content $static::response
        }
    }
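Added here as an illustration, not code from the thread or from F5: a pure-Python model of the decision logic in the iRule above, so the "deny authentication" policy can be reasoned about and unit-tested offline before it goes on the BIG-IP. It generalises the rule in two ways that are assumptions on my part: it matches the other SharePoint 2010/2013 sign-in pages (/_windows, /_forms, /_trust, /_login) rather than only /authenticate.aspx, and it also refuses requests that arrive with an Authorization header already set, because Basic credentials can be sent without any WWW-Authenticate challenge for the response-side check to catch. The fake SharePoint backend and the sample requests are constructed.

```python
# Added example (not from the thread or from F5): a model of the proxy-side
# "deny authentication" policy. Endpoint list beyond /authenticate.aspx and the
# Authorization-header check are assumptions about a hardened version of the rule.

DENY_BODY = ("Access Denied. We are sorry, but you may not authenticate "
             "to the SharePoint server.")

# Path fragments identifying SharePoint 2010/2013 sign-in pages (assumed; only
# /authenticate.aspx is named in the thread). Matched case-insensitively.
AUTH_PATH_FRAGMENTS = (
    "/authenticate.aspx",      # _layouts/Authenticate.aspx (from the thread)
    "/_windows/default.aspx",  # Windows (NTLM/Kerberos) sign-in page
    "/_forms/default.aspx",    # forms-based sign-in page
    "/_trust/default.aspx",    # trusted identity provider (claims) sign-in
    "/_login/default.aspx",    # sign-in selector for multi-auth zones
)


def classify_request(uri, headers):
    """Decide what the proxy does with a client request.

    Returns ("deny", reason) when the proxy must answer the request itself,
    or ("forward", "") when it may go on to SharePoint.
    """
    path = uri.split("?", 1)[0].lower()
    for fragment in AUTH_PATH_FRAGMENTS:
        if fragment in path:
            return "deny", "sign-in endpoint " + fragment
    # Basic credentials can be sent without any prior challenge, so a request
    # that already carries Authorization is an authentication attempt too.
    if any(name.lower() == "authorization" for name in headers):
        return "deny", "Authorization header present"
    return "forward", ""


def filter_response(status, headers, body):
    """Rewrite a server response so no credential challenge reaches the client.

    Any response carrying WWW-Authenticate (normally a 401) is replaced by the
    deny page; everything else passes through unchanged.
    """
    if any(name.lower() == "www-authenticate" for name in headers):
        # 403 rather than the iRule's 200, so refusals are visible in client logs
        return 403, {"Content-Type": "text/html"}, DENY_BODY
    return status, headers, body


def proxy(request, backend):
    """Run one exchange through the policy; backend(request) stands in for SharePoint."""
    decision, reason = classify_request(request["uri"], request["headers"])
    if decision == "deny":
        return {"status": 403, "body": DENY_BODY, "reason": reason}
    status, headers, body = filter_response(*backend(request))
    return {"status": status, "body": body, "reason": "forwarded"}


def fake_sharepoint(request):
    """Constructed stand-in for an anonymous SharePoint site: public pages are
    served openly, anything under /sites/internal/ demands credentials."""
    path = request["uri"].split("?", 1)[0].lower()
    if path.startswith("/sites/internal/"):
        return 401, {"WWW-Authenticate": "NTLM"}, ""
    return 200, {"Content-Type": "text/html"}, "<html>public page</html>"


# Constructed sample traffic: public page, sign-in page, pre-emptive Basic
# credentials, and a member-only library that triggers a server challenge.
SAMPLE_REQUESTS = [
    {"uri": "/Pages/Default.aspx", "headers": {}},
    {"uri": "/_layouts/Authenticate.aspx?Source=%2FPages%2FDefault.aspx", "headers": {}},
    {"uri": "/Pages/Default.aspx", "headers": {"Authorization": "Basic dXNlcjpwYXNz"}},
    {"uri": "/sites/internal/Shared%20Documents/Forms/AllItems.aspx", "headers": {}},
]


def run_samples():
    """Return (uri, status, reason) for each sample exchange."""
    results = []
    for request in SAMPLE_REQUESTS:
        outcome = proxy(request, fake_sharepoint)
        results.append((request["uri"], outcome["status"], outcome["reason"]))
    return results


if __name__ == "__main__":
    for uri, status, reason in run_samples():
        print(f"{status} {uri} ({reason})")
```

The two functions map onto the two iRule events: classify_request is the HTTP_REQUEST check and filter_response is the HTTP_RESPONSE check. The fourth sample shows why the response-side check still matters even with a complete endpoint list: the request itself looks harmless, and it is the 401 challenge coming back from SharePoint that has to be suppressed.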