TMG Migration - Deny Authentication
Good afternoon! I'm relatively new to BIG-IP, as we're working on a migration from TMG 2010 to BIG-IP 11.5.1 build 4.0.128. I searched documentation and the forums here but didn't find an answer to what I'm trying to do:
In TMG, there is an option to publish a website (in this case, SharePoint 2010) while preventing authentication (in the "Authentication Delegation" tab of a rule property, you can select "No delegation, and the client cannot authenticate directly"). In this configuration, when a client tries to access a resource that requires authentication, the proxy denies access to the URL.
My current iApp configuration is using the latest SharePoint iApp (f5.microsoft_sharepoint_2010_2013.v1.1.0). It's publishing just fine, but it doesn't block direct authentication like we need it to. I do not have APM configured for this particular site, but I do have the license for it.
Thank you in advance for your help!
Sounds like you could create an iRule to drop or otherwise respond to requests for the Authentication URL and add it to the virtual server using the iApp. Maybe something like this:
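when RULE_INIT {
    # Body returned in place of any authentication prompt
    set static::response "Access DeniedWe are sorry, but you may not authenticate to the SharePoint server."
}
when HTTP_REQUEST {
    # Answer requests for the authentication page without contacting the server
    if { [string tolower [HTTP::uri]] contains "/authenticate.aspx" } {
        HTTP::respond 200 content $static::response
    }
}
when HTTP_RESPONSE {
    # Replace any server response that carries an authentication challenge
    if { [HTTP::header exists "WWW-Authenticate"] } {
        HTTP::respond 200 content $static::response
    }
}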
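One way to check that a rule like the one above holds is to run this over responses captured from the virtual server. It is an added example, not part of the original thread: the function names, the sample URLs and the captured responses are all constructed assumptions. It flags any response that still carries a 401 status or a WWW-Authenticate header.

```python
from email.parser import Parser

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    status = int(status_line.split()[1])
    # The email parser gives case-insensitive, multi-value header access.
    headers = Parser().parsestr(header_block, headersonly=True)
    return status, headers, body

def leaks_auth_challenge(raw):
    """Return the reasons a response still invites the client to authenticate."""
    status, headers, _ = parse_response(raw)
    reasons = []
    if status == 401:
        reasons.append("status 401")
    for value in headers.get_all("WWW-Authenticate", []):
        scheme = (value.split() or ["(empty)"])[0]
        reasons.append("WWW-Authenticate: " + scheme)
    return reasons

def audit(captures):
    """Map each URL to its leak reasons; an empty dict means nothing leaked."""
    return {url: r for url, raw in captures.items()
            if (r := leaks_auth_challenge(raw))}

# Constructed captures for illustration (not taken from a real server).
SAMPLES = {
    # Anonymous page passed through unchanged.
    "/SitePages/Home.aspx":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>ok</html>",
    # Authentication page answered by the rule's static response.
    "/authenticate.aspx":
        "HTTP/1.1 200 OK\r\nContent-Length: 13\r\n\r\nAccess Denied",
    # Challenge that reached the client, as it would without the rule.
    "/settings.aspx":
        "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n"
        "WWW-Authenticate: NTLM\r\n\r\n",
    # Header name in lower case on an otherwise successful response.
    "/lists.aspx":
        "HTTP/1.1 200 OK\r\nwww-authenticate: Basic realm=\"sp\"\r\n\r\n",
}

if __name__ == "__main__":
    for url, reasons in audit(SAMPLES).items():
        print(url, "->", ", ".join(reasons))
```
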