kunjan
Mar 24, 2014

APM Clientless Mode

Hi list,

 

A few queries regarding clientless mode:

1) Does every request create a new session ID for clientless mode for APM?
2) When will it clear/remove the session ID?

 

9 Replies

  • Clientless-mode removes the 302 redirect pattern from the access policy creation and evaluation process. So instead of getting the APM session cookie in that initial 302 redirect to /my.policy, you get it on the first response from the server. Any subsequent requests from the client, assuming the client sends back the session cookie, will use the same session. If the client does not send back the session cookie, then a new APM session is created for each request. The existing sessions will be removed based on the timeout settings in the access policy.

     

  • You would normally use an iRule to insert the clientless-mode header:

     

    when HTTP_REQUEST {
        HTTP::header insert "clientless-mode" 1
    }
    

     

  • Kevin, it's been a while since you answered this question. We have a few vendors who use API calls, and the APM's 302 is causing issues. So we decided to introduce clientless mode only for those who have issues and leave other traffic as it is.

    Requirements:

    a) Our external partners will be connecting to our web server from the internet.

    b) We will check for a certificate using APM and also check the certificate subject value.

    c) If it matches what we already defined for each vendor, they will be allowed to access the web server, and we will configure an additional HTTP header X-CUSTOM-UPN and also add the clientless mode HTTP header (HTTP::header insert "clientless-mode" 1) for vendors that have a problem with the 302 redirect. For other vendors, we don't use the clientless-mode HTTP header.

    The rule that I already created:

     

    when ACCESS_POLICY_COMPLETED {
        if { [SSL::cert count] > 0 } {
            set cert [SSL::cert 0]
            set subject [string tolower [X509::subject $cert]]
            set clientIP [IP::client_addr]
            if { $subject contains "cn=vendor-a.mycompany" } {
                HTTP::header insert X-CUSTOM-UPN vendor-a
            } elseif { $subject contains "cn=vendor-b.mycompany.com" } {
                # We only wanted clientless mode for specific applications that can't handle the 302 redirect coming from F5.
                HTTP::header insert X-CUSTOM-UPN vendor-b
                HTTP::header insert "clientless-mode"
            } else {
                log $clientIP
                log local0. "cert CN not valid"
                reject
            }
        }
    }
    

     

    As you noticed, I put them under ACCESS_POLICY_COMPLETED. So this does not help as to redirect to APM's my.policy, there will be a 302. So I tried to put them under HTTP_REQUEST and it is still not working. What am I missing?

  • I guess "ACCESS_POLICY_COMPLETED" is too late, since the header is needed in an early request so that the APM reacts - it should be used in "HTTP_REQUEST" like Kevin's example.

    Also in your pasted code/irule the "1" is missing in the header command, should be:

     

    HTTP::header insert "clientless-mode" 1

     

    ... maybe you can also try "replace", which in rare cases works better than "insert"

  • Sorry; I missed the 1 while pasting it here. I will try to use "replace" instead of insert.

     

    Another question: I used this iRule along with APM policy where I check AD group membership. I used print statement to follow the traffic flow within iRule and also within APM.

     

    I noticed that the flow only hits the iRule and is not passing through the APM. So my AD group check fails. What am I missing?

     

  • kunjan

    Try configuring admin name and password for the AD.

     

    Admin Name - If Active Directory is configured for anonymous queries, you do not need to provide an Admin Name. Otherwise, type an administrator name that has Active Directory administrative permissions. The administrator name is case-sensitive.

     

  • As Michael stated, the clientless-mode header has to get inserted BEFORE the access policy starts, so only in the HTTP_REQUEST event. And since you're making the vendor determination based on certificate data, you have to request that certificate via the client SSL profile (not the APM on-demand cert auth agent).
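
The placement described in the reply above, sketched as an added example (not code posted by anyone in this thread): the vendor decision and the clientless-mode header both move into HTTP_REQUEST. It assumes the client SSL profile on the virtual server requests or requires the client certificate during the handshake; the vendor subject strings and the X-CUSTOM-UPN header name are taken from the question.

```tcl
# Added example. Assumes the client SSL profile requests the client
# certificate, so SSL::cert is populated before the access policy starts.
when HTTP_REQUEST {
    # Drop client-supplied copies so only this iRule sets these headers.
    HTTP::header remove "clientless-mode"
    HTTP::header remove "X-CUSTOM-UPN"

    if { [SSL::cert count] == 0 } {
        log local0. "no client cert from [IP::client_addr]"
        reject
        return
    }

    set subject [string tolower [X509::subject [SSL::cert 0]]]

    # "contains" is a substring match: "cn=vendor-a.mycompany" also matches
    # any longer subject that includes the same string.
    if { $subject contains "cn=vendor-a.mycompany" } {
        # This vendor can follow the 302 to /my.policy: normal APM flow.
        HTTP::header insert "X-CUSTOM-UPN" "vendor-a"
    } elseif { $subject contains "cn=vendor-b.mycompany.com" } {
        # This vendor's API client cannot follow the 302: clientless mode.
        HTTP::header insert "X-CUSTOM-UPN" "vendor-b"
        HTTP::header insert "clientless-mode" 1
    } else {
        log local0. "cert CN not valid from [IP::client_addr]"
        reject
    }
}
```

Removing inbound copies of both headers first means a client cannot opt itself into clientless mode or assert a vendor identity by sending the header on its own request.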

     

  • AN

    Hi,

     

    I am running into the issue with the APM module. Have tech open and no luck. Found that they have stopped providing support for auth profile in LTM, and F5 is preferring to use APM. I have an iRule assigned to the vserver for client mode 1:

        when HTTP_REQUEST {
            HTTP::header insert "clientless-mode" 1
        }

    With a browser it works fine, but not with an HTTP client. Hope to get some help and instruction around how I can get clientless working with APM or using an iRule.

     

    Thanks.

     

  • When you say "With browser it works fine but not with http client", do you mean "non-http client"? A browser is an HTTP client, so can you elaborate on what the other client is? Clientless-mode removes the 302 redirects in APM's session establishment, but it does not remove the requirement to store a cookie for session persistence.