Welcome to the F5 deployment guide for Microsoft® SharePoint®. This document contains guidance on configuring the BIG-IP system version 11.4 and later for Microsoft SharePoint 2016 implementations, resulting in a secure, fast, and available deployment. This guide shows how to quickly and easily configure the BIG-IP system using the SharePoint iApp Application template. There is also an appendix with manual configuration tables for users who prefer to create each individual object.
iApp template question |
Your answer |
|
How should the BIG-IP system handle SSL traffic (on page 16) |
Select the appropriate option for your configuration: |
|
SSL offload: SSL bridging: SSL pass-through No SSL: Server-side encryption: |
Encrypt to clients, plaintext to servers Terminate SSL from clients, re-encrypt to servers Encrypted traffic is forwarded without decryption Plaintext to clients and servers Plaintext to clients, encrypt to servers |
This deployment guide is intended to help users deploy Microsoft SharePoint using the BIG-IP system. This document contains guidance configuring the BIG-IP system using the iApp template, as well as manually configuring the BIG-IP system.
We recommend using the iApp template to configure the BIG-IP system for your Microsoft SharePoint implementation. The majority of this guide describes the iApp template and the different options the template provides for configuring the system for Microsoft SharePoint.
The iApp template configuration portion of this guide walks you through the entire iApp, giving detailed information not found in the iApp or inline help. The questions in the UI for the iApp template itself are all displayed in a table and at the same level. In this guide, we have grouped related questions and answers in a series of lists. Questions are part of an ordered list and are underlined and in italics or bold italics. Options or answers are part of a bulleted list, and in bold. Questions with dependencies on other questions are shown nested under the top level question, as shown in the following example:
Advanced options/questions in the template are marked with the Advanced icon: These questions only appear if you select the Advanced configuration mode.
Users already familiar with the BIG-IP system can use the manual configuration tables to configure the BIG-IP system for the SharePoint implementation. These configuration tables only show the configuration objects and any non-default settings recommended by F5, and do not contain procedures on specifically how to configure those options in the Configuration utility. See Appendix B: Manual configuration tables .
In order to use the iApp for Microsoft SharePoint, it is helpful to have some information, such as server IP addresses and domain information before you begin. Use the following table for information you may need to complete the template. The table includes the information that is helpful to have in advance. More information on specific template questions can be found on the individual pages.
BIG-IP system Preparation Table |
|||
Basic/Advanced mode |
In the iApp, you can configure the system for Microsoft SharePoint with F5 recommended settings (Basic mode) which are a result of extensive testing and tuning with Microsoft SharePoint. Advanced mode allows configuring the BIG-IP system on a much more granular level, configuring specific options, or using your own pre-built profiles or iRules. Basic/Advanced "configuration mode" is independent from the Basic/Advanced list at the very top of the template which only toggles the Device and Traffic Group options (see page 11) |
||
Network |
Type of network between clients and BIG-IP |
Type of network between servers and BIG-IP |
|
LAN | WAN | WAN through another BIG-IP system |
LAN | WAN | WAN through another BIG-IP system |
||
If WAN through another BIG-IP system, you must have BIG-IP AAM pre-configured for Symmetric Optimization. |
|||
Where are BIG-IP virtual servers in relation to the servers |
Expected number of concurrent connections per server |
||
Same subnet | Different subnet |
More than 64k concurrent | Fewer than 64k concurrent |
||
If they are on different subnets, you need to know if the SharePoint servers have a route through the BIG-IP system. If there is not a route, you need to know the number of concurrent connections. |
If more than 64k per server, you need an available IP address for each 64k connections you expect for the SNAT Pool |
||
SSL Encryption |
SSL Offload or SSL Bridging |
Re-encryption (Bridging and server-side encryption) |
|
If configuring the system for SSL Offload or SSL Bridging, you must have imported a valid SSL certificate and key onto the BIG-IP system. You have the option of also using an Intermediate (chain) certificate as well if required in your implementation. Certificate: Key: Intermediate Certificate (optional): |
When the BIG-IP system encrypts traffic to the servers, it is acting as an SSL client and by default we assume the servers do not expect the system to present its client certificate on behalf of clients traversing the virtual server. If your servers expect the BIG-IP system to present a client certificate, you must create a custom Server SSL profile outside of the template with the appropriate certificate and key. |
||
Virtual Server and Pools |
Virtual Server |
SharePoint server pool |
|
The virtual server is the address clients use to access the servers. |
The load balancing pool is the LTM object that contains the servers. |
||
IP address for the virtual server: Associated service port: FQDN clients will use to access the Microsoft SharePoint servers: |
IP addresses of the servers: 2: 4: 6: 8: |
1: 3: 5: 7: 9: |
|
Profiles |
For each of the following profiles, the iApp will create a profile using the F5 recommended settings (or you can choose ‘do not use’ many of these profiles). While we recommend using the profiles created by the iApp, you have the option of creating your own custom profile outside the iApp and selecting it from the list. The iApp gives the option of selecting our the following profiles (some only in Advanced mode). Any profiles must be present on the system before you can select them in the iApp |
||
HTTP | Persistence | HTTP Compression | TCP LAN | TCP WAN | OneConnect | Web Acceleration | NTLM | iSession |
|||
Health monitor |
HTTP Request |
User Account |
|
In Advanced mode, you have the option of selecting the type of HTTP request the health monitor uses: GET or POST. You can also specify Send and Receive strings to more accurately determine server health. Send string (the URI sent to the servers): Receive string (what the system expects in return): POST Body (only if using POST): |
Also in advanced mode, the monitor can attempt to authenticate to the SharePoint servers as a part of the health check. If you want the monitor to require credentials, create a user account specifically for this monitor that has no additional permissions and is set to never expire. Account maintenance becomes a part of the health monitor, as if the account is deleted or otherwise changed, the monitor will fail and the servers will be marked down. |
||
BIG-IP AAM |
You can optionally use the BIG-IP Application Acceleration Manager (AAM) module to help accelerate your SharePoint traffic. To use BIG-IP AAM, it must be fully licensed and provisioned on your BIG-IP system. Consult your F5 sales representative for details. |
||
BIG-IP ASM and AFM |
You can optionally use the BIG-IP ASM and AFM modules to help protect and secure your SharePoint deployment. To use either module, it must be fully licensed and provisioned on your BIG-IP system. Consult your F5 sales representative for details. |
||
iRules |
In Advanced mode, you have the option of attaching iRules you create to the virtual server created by the iApp. For more information on iRules, see https://devcentral.f5.com/irules. Any iRules you want to attach must be present on the system at the time you are running the iApp. |
Use the following guidance to help configure the BIG-IP system for Microsoft SharePoint using the BIG-IP iApp template.
The first task is to download and import the new SharePoint 2016 iApp template.
If you configured your BIG-IP system using a previous version of the f5.microsoft_sharepoint_2016 iApp template, we strongly recommend you upgrade the iApp template to the most recent version.
When you upgrade to the current template version, the iApp retains all of your settings for use in the new template. In some new versions, you may notice additional questions, or existing questions asked in different ways, but your initial settings are always saved.
To begin the SharePoint iApp Template, use the following procedure.
If you select Advanced from the Template Selection list at the top of the page, you see Device and Traffic Group options for the application. This feature is a part of the Device Management configuration. This functionality extends the existing High Availability infrastructure and allows for clustering, granular control of configuration synchronization and granular control of failover. To use the Device and Traffic Group features, you must have already configured Device and Traffic Groups before running the iApp. For more information on Device Management, see the product documentation.
This section contains general questions about the way you configure the iApp template.
Do you want to see inline help?
Choose whether you want to see informational and help messages inline throughout the template, or if you would rather hide this inline help. If you are unsure, we recommend having the iApp display the inline help.
Important and critical notes are always shown, no matter which selection you make.
Yes, show inline help text
Select this option to see all available inline help text.
No, do not show inline help text
If you are familiar with this iApp template, or with the BIG-IP system in general, select this option to hide the inline help text.
Which configuration mode do you want to use?
Select whether you want to use F5 recommended settings, or have more granular, advanced options presented.
Basic - Use F5’s recommended settings
In basic configuration mode, options like load balancing method and parent profiles are all set automatically. The F5 recommended settings come as a result of extensive testing with web applications, so if you are unsure, choose Basic.
Advanced - Configure advanced options
In advanced configuration mode, you have more control over individual settings and objects, such as server-side optimizations and advanced options like Slow Ramp Time and Priority Group Activation. You can also choose to attach iRules you have previously created to the Application Service. The Advanced option provides more flexibility for experienced users.
As mentioned, advanced options in the template are marked with the Advanced icon: . If you are using Basic/F5 recommended settings, you can skip the questions with the Advanced icon.
Which version of SharePoint are you deploying?
Choose which version of Microsoft SharePoint you are using. Currently there is only an option for 2016. If you are using a different version of SharePoint, see the deployment guide index page: https://f5.com/solutions/deployment-guides.
SharePoint 2016
Leave this option for SharePoint 2016. In SharePoint 2016, the Distributed Cache service maintains authentication information across all SharePoint web application servers. Because of this, SharePoint does not require connections from a single client to persist to the same SharePoint server. So in order to get the maximum benefit from F5’s OneConnect feature, the template removes the default persistence and NTLM profiles from the SharePoint BIG-IP virtual server, and changes the source mask value to 0.0.0.0 for the OneConnect profile.
This section contains questions about your networking configuration.
Do you want to use the latest TCP profiles?
This question only appears if you are using BIG-IP v13.0 or later. If using a previous version, continue with #2.
BIG-IP v13.0 and later contain new, higher performing TCP profiles. If you are using this version, you can choose whether you want to use these new profiles, or continue to use the profiles from previous versions of BIG-IP. For specific details on the new profiles, see the BIG-IP documentation.
Please select one
This option exists to force you to chose one option or the other. This was necessary to maintain backward compatibility.
Yes, use the new profiles (recommended)
Select this option to use the new optimized TCP profiles.
No, use the older profiles
Select this option if you have a reason to continue using the older TCP profiles.
What type of network connects clients to the BIG-IP system?
Choose the type of network that connects your clients to the BIG-IP system. If you choose WAN or LAN, the BIG-IP system uses this information to determine the appropriate TCP optimizations. If you choose WAN through another BIG-IP system, the system uses a secure an optimized tunnel (called an iSession tunnel) for traffic between BIG-IP systems on opposite sides of the WAN.
Only choose this option if you have another BIG-IP system across the WAN that will be a part of this implementation.
Local area network (LAN)
Select this option if most clients are connecting to the BIG-IP system on a LAN. This field is used to determine the appropriate TCP profile which is optimized for LAN clients. In this case, the iApp creates a TCP profile using the tcp-lan-optimized parent with no additional modifications.
Wide area network
Select this option if most clients are connecting to the BIG-IP system over a WAN. This field is used to determine the appropriate TCP profile which is optimized for WAN clients. In this case, the iApp creates a TCP profile using the tcp-wan-optimized parent with no additional modifications.
WAN through another BIG-IP system
Select this option if client traffic is coming to this BIG-IP system from a remote BIG-IP system across a WAN. As mentioned in the introduction to this question, the iApp creates an iSession tunnel between this BIG-IP system and the BIG-IP system you will configure (or already have configured) on the other side of the WAN.
If you select this option, you must have already initially configured the BIG-IP AAM for Symmetric Optimization. See the BIG-IP AAM documentation available on Ask F5 for specific instructions on configuring BIG-IP AAM for Symmetric Optimization.
Do you want to restrict client traffic to specific VLANs? (11.5 and later)
Which VLANs transport client traffic? (11.4.x)
The BIG-IP system allows you to restrict client traffic to specific VLANs that are present on the system. This can provide an additional layer of security, as you can allow or deny traffic from the VLANs you choose. By default, all VLANs configured on the system are enabled. If you select to enable or disable traffic on specific VLANs, you must specify the VLANs in the next question. The VLAN objects must already be configured on this BIG-IP system before you can select them.
In version 11.4.x, you can only allow traffic from specific VLANs using the iApp template; v11.5 and later enables you to allow or deny client traffic from specific VLANs. If using v11.4.x, all allowed VLANs appear in the Selected list. Use the Move buttons (<<) and (>>) to adjust list membership. Only VLANs in the Selected list are allowed. With 11.4.x, you do NOT see the following options.
Enable traffic on all VLANs and Tunnels
Choose this option to allow traffic from all VLANs and Tunnels. If you select this option, the question asking about VLANs disappears. Continue with #3.
Yes, enable traffic only on the VLANs I specify
Choose this option to restrict client traffic to specific VLANs that you choose in the following question. The system will accept client traffic from these VLANs, and deny traffic from all other VLANs on the system.
On which VLANs should traffic be enabled or disabled?
Use this section to specify the VLANs that will accept client traffic. By default, all VLANs on the BIG-IP system appear in the Selected box, so click the VLANs and then use the Move buttons to adjust list membership.
Note: If you choose to allow traffic from certain VLANs, when additional VLANs are added to the BIG-IP system at a later time, this iApp configuration will deny traffic from these VLANs by default. To accept traffic from these VLANs, you must re-enter the template and add the VLAN(s).
Yes, disable traffic only on the VLANs I specify
Choose this option to deny client traffic from the specific VLANs that you choose in the following question. The system will refuse client traffic from these VLANs, and accept traffic from all other VLANs on the system.
On which VLANs should traffic be enabled or disabled?
Use this section to specify the VLANs that should not accept client traffic. By default, all VLANs on the BIG-IP system appear in the Selected box, so it is critical in this case that you click the VLANs and then use the Move button (>>) to adjust list membership.
Warning If you choose to disable certain VLANs, you must move at least one VLAN to the Options list. Otherwise, the system will deny traffic from all VLANs on the box, and the configuration, although valid, will not pass any traffic.
What type of network connects servers to the BIG-IP system?
Choose the type of network that connects your servers to the BIG-IP system. Similar to the question about clients connecting to the BIG-IP system, if you choose WAN or LAN, the system uses this information to determine the appropriate TCP optimizations. If you choose WAN through another BIG-IP system, the system uses a secure an optimized tunnel (called an iSession tunnel) for traffic between BIG-IP systems on opposite sides of the WAN. Only choose this option if you have another BIG-IP system across the WAN that will be a part of this HTTP implementation.
Local area network (LAN)
Select this option if the servers connect to the BIG-IP system on a LAN. This field is used to determine the appropriate TCP profile. In this case, the iApp creates a TCP profile using the tcp-lan-optimized parent with no additional modifications.
Wide area network
Select this option if the servers connect to the BIG-IP system over a WAN. This field is used to determine the appropriate TCP profile. In this case, the iApp creates a TCP profile using the tcp-wan-optimized parent with no additional modifications.
WAN through another BIG-IP system
Select this option if servers are across a WAN behind another BIG-IP system. As mentioned in the introduction to this question, the iApp creates an iSession tunnel between this BIG-IP system and the BIG-IP system you will configure (or already have configured) on the other side of the WAN.
If you select this option, you must have already initially configured the BIG-IP AAM for Symmetric Optimization. See the BIG-IP AAM documentation available on Ask F5 for specific instructions on configuring BIG-IP AAM for Symmetric Optimization.
Where will your BIG-IP virtual servers be in relation to the SharePoint servers?
Select whether your BIG-IP virtual servers are on the same subnet as your SharePoint servers, or on different subnets. This setting is used to determine the secure NAT (SNAT) and routing configuration.
BIG-IP virtual server IP and SharePoint servers are on the same subnet
If the BIG-IP virtual servers and HTTP servers are on the same subnet, SNAT is configured on the BIG-IP virtual server and you must specify the number of concurrent connections.
How many connections to you expect to each SharePoint server?
Select whether you expect more or fewer than 64,000 concurrent connections to each server. This answer is used to determine what type of SNAT that system uses. A SNAT is an object that maps the source client IP address in a request to a translation address defined on the BIG-IP device. The system configures SNAT Auto Map (fewer than 64,000) or a SNAT pool (more than 64,000).
Fewer than 64,000 concurrent connections
Select this option if you expect fewer than 64,000 concurrent connections per SharePoint server. With this option, the system applies SNAT Auto Map, doesn’t require any additional IP addresses, as an existing self IP address is used for translation. Continue with Virtual Server and Pools.
More than 64,000 concurrent connections
Select this option if you have a very large deployment and expect more than 64,000 connections at one time. The iApp creates a SNAT Pool, for which you need one IP address for each 64,000 connections you expect.
Create a new SNAT pool or use an existing one?
If you have already created a SNAT pool on the BIG-IP system, you can select it from the list. Otherwise, the system creates a new SNAT pool with the addresses you specify.
Create a new SNAT pool
Select this option (the default) to enable the system to create a new SNAT pool. You must specify the appropriate number of IP addresses in the next question.
Which IP addresses do you want to use for the SNAT pool?
Specify one otherwise unused IP address for every 64,000 concurrent connections you expect, or fraction thereof. Click Add for additional rows. Do not use any self IP addresses on the BIG-IP system.
Select a SNAT pool
Select the SNAT pool you created for this deployment from the list.
Important If you choose more than 64,000 connections, but do not specify enough SNAT pool address(es), after the maximum connection limit of 64,000 concurrent connections per server is reached, new requests fail.
BIG-IP virtual servers and SharePoint servers are on different subnets
If the BIG-IP virtual servers and servers are on different subnets, the following question appears.
How have you configured routing on your SharePoint servers?
If you chose different subnets, this question appears asking whether the SharePoint servers use this BIG-IP system’s self IP address as their default gateway. Select the appropriate answer.
Servers have a route to clients through the BIG-IP system
Choose this option if the servers use the BIG-IP system as their default gateway. In this case, no configuration is needed to support your environment to ensure correct server response handling. Continue with the next section.
Servers do not have a route to clients through the BIG-IP system
If the SharePoint servers do not use the BIG-IP system as their default gateway, SNAT is configured on the BIG-IP virtual server and you must select the expected number of concurrent connections in the next question.
How many connections to you expect to each SharePoint server?
Select whether you expect more or fewer than 64,000 concurrent connections to each server. This answer is used to determine what type of SNAT that system uses. A SNAT is an object that maps the source client IP address in a request to a translation address defined on the BIG-IP device. The system configures SNAT Auto Map (fewer than 64,000) or a SNAT pool (more than 64,000).
Fewer than 64,000 concurrent connections
Select this option if you expect fewer than 64,000 concurrent connections per SharePoint server. With this option, the system applies SNAT Auto Map, doesn’t require any additional IP addresses, as an existing self IP address is used for translation. Continue with the SSL Encryption section.
More than 64,000 concurrent connections
Select this option if you have a very large deployment and expect more than 64,000 connections at one time. The iApp creates a SNAT Pool, for which you need one IP address for each 64,000 connections you expect.
Create a new SNAT pool or use an existing one?
If you have already created a SNAT pool on the BIG-IP system, you can select it from the list. Otherwise, the system creates a new SNAT pool with the addresses you specify.
Create a new SNAT pool
Select this option (the default) to enable the system to create a new SNAT pool. You must specify the appropriate number of IP addresses in the next question.
Which IP addresses do you want to use for the SNAT pool?
Specify one otherwise unused IP address for every 64,000 concurrent connections you expect, or fraction thereof. Click Add for additional rows. Do not use any self IP addresses on the BIG-IP system.
Select a SNAT pool
Select the SNAT pool you created for this deployment from the list.
Important If you choose more than 64,000 connections, but do not specify enough SNAT pool address(es), after the maximum connection limit of 64,000 concurrent connections per server is reached, new requests fail.
The section in this scenario asks about BIG-IP APM. If you do choose to use BIG-IP APM, it must be fully licensed and provisioned. If you are not deploying APM, continue with the next section. As mentioned in the prerequisites, you must have configured the
BIG-IP system for DNS and NTP if you are deploying APM. See Appendix C: Configuring additional BIG-IP settings .
Note: See page 36 for details about a Microsoft hotfix that corrects issues with opening SharePoint document libraries in Windows Explorer or editing Microsoft Office documents.
Provide secure authentication with BIG-IP Access Policy Manager?
Choose whether you want to deploy APM to provide proxy authentication and secure remote access for Microsoft SharePoint.
No, do not provide secure authentication using BIG-IP APM
Select this option if you do not want to use the BIG-IP APM at this time. You can always reconfigure the iApp template at a later date should you decide to add BIG-IP APM functionality.
Yes, provide secure authentication using BIG-IP APM
Select this option if you want to use the BIG-IP APM to provide proxy authentication and secure remote access for SharePoint.
Which Access Profile do you want to use?
The iApp template can create a new Access Profile for SharePoint deployments, or you can use a custom Access Profile you created for this implementation.
Select an existing Access profile
If you created an APM Access profile for this implementation, select it from the list.
How will clients authenticate to the SharePoint web application?
Select whether your SharePoint clients are using NTLM authentication, or smart card authentication.
Clients use smart card authentication
Select this option if your clients are using smart cards to authenticate to the SharePoint implementation.
Clients use NTLM authentication
Select this option if your SharePoint clients use NTLM to authenticate to the SharePoint implementation.
Because you selected a custom Access profile, there are no further questions in this section. Continue with SSL Encryption .
Use the iApp to create a new Access Profile
Select this option if you want the iApp to create a new Access profile for this deployment.
How will clients authenticate to the SharePoint web application?
Select whether your SharePoint clients are using NTLM authentication, or smart card authentication.
Clients use smart card authentication
Select this option if your clients are using smart cards to authenticate to the SharePoint implementation.
In this scenario, when a client attempts to access SharePoint, the BIG-IP system requests a certificate from the client. Because this certificate is stored on a smart card, the user must enter a PIN to authenticate to the smart card. The certificate must contain the user’s account name in User Principal Name (UPN) format. The BIG-IP APM extracts the UPN from the certificate, extracts the user name and domain name from the UPN, and uses these credentials to obtain a Kerberos ticket from a domain controller in the user’s Active Directory domain. Using this ticket, APM then authenticates to SharePoint on behalf of the client.
What is the Kerberos Key Distribution Center IP or FQDN?
Specify the IP address or FQDN of your Kerberos Key Distribution Center (KDC). The KDC is a network service that supplies session tickets and temporary session keys to users and computers within an AD domain.
If using an FQDN, this BIG-IP system must be able to resolve the IP address of the KDC using DNS.
What is the name of the Kerberos realm?
Specify the Kerberos Realm the used by the smart cards to authenticate. While this should be entered in all capital letters, the iApp automatically capitalizes any lower case letters when you submit the template.
What is the user name for the Active Directory delegation account you created?
Specify the user name for the delegation account you created in your Active Directory implementation.
What is the associated password?
Specify the password for the account you entered in the previous question.There are no further questions in this section. Continue with SSL Encryption .
Clients use NTLM authentication
Select this option if your SharePoint clients use NTLM to authenticate to the SharePoint implementation.
Which AAA Server object do you want to use?
The APM AAA Server contains information on your Active Directory deployment. The iApp template can create a new AAA Server for SharePoint deployments, or you can use a custom AAA Server object you created for this implementation.
Select an existing AAA Server object
If you created an AAA Server for this implementation, select it from the list.
Important The AAA Server object you created must be configured to use a pool of Domain Controllers.
What is the FQDN of your Active Directory domain for your SharePoint users?
Specify the FQDN of the Active Directory deployment for your SharePoint users. This is the FQDN for your domain, such as example.com, rather than the FQDN for any specific host. Continue with SSL Encryption .
Use the iApp to create a new AAA Server
Select this option if you want the iApp template to create a new AAA Server for this implementation.
Which Active Directory server IP address in your domain can this BIG-IP system contact?
Specify both the FQDN and IP address of each Active Directory server you want the BIG-IP APM to use for servicing authentication requests. Click Add to include additional servers.
Does your Active Directory domain allow anonymous binding?
Select whether anonymous binding is allowed in your Active Directory environment.
Yes, anonymous binding is allowed
Select this option if anonymous binding is allowed. No further information is required.
No, credentials are required for binding
If credentials are required for binding, you must specify an Active Directory user name and password for use in the AAA Server.
Which Active Directory user with administrative permissions do you want to use?
Type a user name with administrative permissions.
What is the password associated with that account?
Type the associated password.
How do you want to handle health monitoring for this pool?
Choose whether you want the template to create a new LDAP or ICMP monitor, or if you want to select an existing monitor you created. For more accurate monitoring, we recommend using an LDAP monitor.
Select an existing monitor for the Active Directory pool
Select this option if you have already created a health monitor (only monitors with a Type of LDAP or External can be used) for the Active Directory pool that will be created by the template. If you want to create a health monitor, but have not already done so, you must exit the template and create the object before it becomes available from the list.
The iApp allows you to select monitors that are a part of another iApp Application Service. If you select a monitor that is a part of another Application Service, be aware that any changes you make to the monitor in the other Application Service will apply to this Application Service as well.
Which monitor do you want to use?
From the list, select the LDAP or External monitor you created to perform health checks for the Active Directory pool created by the template. Only monitors that have a Type value of LDAP or External appear in this list.
Use a simple ICMP monitor for the Active Directory pool
Select this option if you only want a simple ICMP monitor for the Active Directory pool. This monitor sends a ping to the servers and marks the server UP if the ping is successful.
Create a new LDAP monitor for the Active Directory pool
Select this option if you want the template to create a new LDAP monitor for the Active Directory pool. You must answer the following questions:
Which Active Directory user name should the monitor use?
Specify an Active Directory user name for the monitor to use when attempting to log on as a part of the health check. This should be a user account created specifically for this health monitor, and must be set to never expire.
What is the associated password?
Specify the password associated with the Active Directory user name.
What is the LDAP tree for this user account?
Specify the LDAP tree for the user account. As noted in the inline help, ADSI editor, an tool for Active Directory LDAP administration, is useful for determining the correct LDAP tree value. For example, if the user name is 'user1' which is in the organizational unit 'F5 Users' and is in the domain 'f5.example.com', the LDAP tree would be: ou=F5 Users, dc=f5, dc=example, dc=com.
Does your Active Directory domain require a secure protocol for communication?
Specify whether your Active Directory implementation requires SSL or TLS for communication, or does not require a secure protocol. This determines the port the health monitor uses.
No, a secure protocol is not required
Select this option if your Active Directory domain does not require a secure protocol.
Yes, SSL communication is required
Select this option if your Active Directory domain requires SSL communication. The health check uses port 636 as the Alias Service Port.
Yes, TLS communication is required
Select this option if your Active Directory domain requires TLS communication. The health check uses port 389 as the Alias Service Port.
How many seconds between Active Directory health checks?
Specify how many seconds the system should use as the health check Interval for the Active Directory servers. We recommend the default of 10 seconds.
Which port is used for Active Directory communication?
Specify the port being used by your Active Directory deployment. The default port displayed here is determined by your answer to the secure protocol question. When using the TLS security protocol, or no security, the default port 389. The default port used when using the SSL security protocol is 636.
What is the FQDN of your Active Directory implementation for your SharePoint users?
Specify the FQDN of the Active Directory deployment for your SharePoint users. This is the FQDN for your domain, such as example.com, rather than the FQDN for any specific host.
Before running the template you should have already imported a certificate and key onto the BIG-IP system. While the BIG-IP system does include a self-signed SSL certificate that can be used internally or for testing, we strongly recommend importing a certificate and key issued from a trusted Certificate Authority for processing client-side SSL.
For information on SSL certificates on the BIG-IP system, see the online help or the Managing SSL Certificates for Local Traffic chapter in the Configuration Guide for BIG-IP Local Traffic Manager available at http://support.f5.com/kb/en-us.html.
How should the BIG-IP system handle SSL traffic?
There are four options for configuring the BIG-IP system for SSL traffic. Select the appropriate mode for your configuration.
Encrypt to clients, plain text to servers (SSL Offload)
Choose this method if you want the BIG-IP system to offload SSL processing from the servers. You need a valid SSL certificate and key for this method.
Which Client SSL profile do you want to use?
Select whether you want the iApp to create a new Client SSL profile, or if you have already created a Client SSL profile which contains the appropriate SSL certificate and key.
Unless you have requirements for configuring specific Client SSL settings, we recommend allowing the iApp to create a new profile. To select a profile from the list, it must already be present on the BIG-IP system. Creating a custom profile is not a part of this template; see Local Traffic > Profiles > SSL > Client to create a Client SSL profile. To select any new profiles you create, you need to restart or reconfigure this template.
Select an existing Client SSL profile
If you created a Client SSL profile for this implementation, select it from the list. If you select an existing Client SSL profile, the rest of the questions in this section disappear. Continue with Virtual Server and Pools.
Create a new Client SSL profile
Select this option for the iApp to create a new Client SSL profile.
Which SSL certificate do you want to use?
Select the SSL certificate you imported for this implementation.
Which SSL private key do you want to use?
Select the associated SSL private key.
Which intermediate certificate do you want to use?
If your deployment requires an intermediate or chain certificate, select the appropriate certificate from the list.
Immediate certificates are intended to create a chain of trust between the CA that signed the certificate and the CA that is already trusted by the recipient of the certificate. This allows the recipient to verify the validity of the certificates presented, even when the signing CA is unknown.
Terminate SSL from clients, re-encrypt to servers (SSL Bridging)
Choose this method if you want the BIG-IP system to terminate SSL to process it, and then re-encrypt the traffic to the servers (SSL Bridging). You need a valid SSL certificate and key for the client-side, and optionally for the server-side (see #b).
Which Client SSL profile do you want to use?
Select whether you want the iApp to create a new Client SSL profile, or if you have already created a Client SSL profile which contains the appropriate SSL certificate and key.
Unless you have requirements for configuring specific Client SSL settings, we recommend allowing the iApp to create a new profile. To select a profile from the list, it must already be present on the BIG-IP system. Creating a custom profile is not a part of this template; see Local Traffic > Profiles > SSL > Client to create a Client SSL profile. To select any new profiles you create, you need to restart or reconfigure this template.
Select an existing Client SSL profile
If you created a Client SSL profile for this implementation select it from the list. If you select an existing Client SSL profile, the rest of the questions in this section disappear. Continue with Virtual Server and Pools.
Create a new Client SSL profile
Select this option for the iApp to create a new Client SSL profile
Which SSL certificate do you want to use?
Select the SSL certificate you imported for this implementation.
Which SSL private key do you want to use?
Select the associated SSL private key.
Which intermediate certificate do you want to use?.
If your implementation requires an intermediate or chain certificate, select the appropriate certificate from the list.
Immediate certificates are intended to create a chain of trust between the CA that signed the certificate and the CA that is already trusted by the recipient of the certificate. This allows the recipient to verify the validity of the certificates presented, even when the signing CA is unknown.
Which Server SSL profile do you want to use?
Select whether you want the iApp to create the F5 recommended Server SSL profile, or if you want to choose a Server SSL profile you already created. In this scenario, the BIG-IP system is acting as an SSL client and by default, we assume the servers do not expect the BIG-IP system to present its client certificate on behalf of clients traversing the virtual server. If your servers expect the BIG-IP system to present a client certificate, you must create a custom Server SSL profile with the appropriate certificate and key.
The default, F5 recommended Server SSL profile uses the serverssl parent profile. For information about the ciphers used in the Server SSL profile, see http://support.f5.com/kb/en-us/solutions/public/8000/800/sol8802.html.
Encrypted traffic is forwarded without decryption (SSL pass-through)
Choose this method if you do not want the BIG-IP system to do anything with encrypted traffic and simply send it to the web servers. This is similar to SSL bridging, although in this case the system does not decrypt then re-encrypt the traffic, it only sends it on to the servers without modification.
If you select this option, the system changes the default persistence option from Cookie to Source Address Persistence.
Plain text to clients, encrypt to servers
Choose this method if you want the BIG-IP system to accept plain text from the clients and then encrypt it before sending it to the servers.
Unless you have requirements for configuring specific Server SSL settings, we recommend allowing the iApp to create a new profile. To select a profile from the list, it must already be present on the BIG-IP system. Creating a custom profile is not a part of this template; see Local Traffic > Profiles > SSL > Server to create a Server SSL profile. To select any new profiles you create, you need to restart or reconfigure this template.
The default, F5 recommended Server SSL profile uses the serverssl parent profile. For information about the ciphers used in the Server SSL profile, see http://support.f5.com/kb/en-us/solutions/public/8000/800/sol8802.html.
Plain text to both clients and servers
Choose this method if the BIG-IP system is not sending or receiving any SSL traffic in this implementation.
This section gathers information about BIG-IP Application Security Manager if you want to use it to help protect your deployment. This section only appears if you have fully licensed and provisioned BIG-IP ASM. Contact your F5 sales representative for details.
Important If you are using an iApp version prior to v1.2.0rc4 only: In order to use BIG-IP ASM, you must have manually created a BIG-IP LTM Policy that includes ASM and applicable Rules. Creating an LTM policy is outside the scope of this guide. For specific information, see the Help tab or BIG-IP documentation.
Do you want to deploy BIG-IP Application Security Manager?
Choose whether you want to use BIG-IP ASM to help secure this HTTP deployment. If you choose to use BIG-IP ASM, you must have a BIG-IP LTM policy with ASM enabled.
No, do not use Application Security Manager
Select this option if you do not want to enable BIG-IP ASM at this time. You can always re-enter the template at a later date to enable BIG-IP ASM. Continue with the next section.
Select an existing LTM policy with ASM enabled from the list
If you already created a BIG-IP ASM policy with ASM enabled for this implementation, select it from the list. Only LTM Policy objects with ASM enabled appear in the list. Continue with substep 'b' following create a new ASM policy.
Yes, use ASM and create a new ASM policy
This option only appears in v1.2.0rc4 and later of the SharePoint iApp.
Select this option if you want to use ASM, and want the iApp to create an ASM policy for you. Note that the enforcement mode for the policy will be set to transparent, which means violations are logged but not blocked.
Which ASM template should be used to build the policy?
Choose the template you want the system to use to create the ASM policy. We recommend using the default, POLICY_TEMPLATE_SHAREPOINT_2010 (recommended).
Important: If you choose to use ASM, the iApp template sets the policy enforcement mode to transparent. In this mode, violations are logged but not blocked. Before changing the mode to blocking, review the log results and adjust the policy for your deployment if necessary.
Which logging profiles would you like to use?
The logging profile enables you to log detailed information about BIG-IP ASM events and store those logs on the BIG-IP system or a remote logging server. If you choose to use a logging profile, we strongly recommend creating a custom profile outside the template and then selecting it from the list.
iApp version 1.0.0rc2 and later enables the ability to select multiple logging profiles. Select the profile(s) you want to enable, and then click the Add ((<<) button to move them to the Selected box.
Important When you store the logs locally, the logging utility may compete for system resources.
If you are using a version prior to 1.0.0rc2, the following options appear.
Do not apply a logging profile
Select this option if you do not want to apply a logging profile at this time. You can always re-enter the template at a later date to add a logging profile. Continue with the next question.
Select an existing logging profile from the list
If you have already created a logging profile for this implementation, select it from the list. You must create a profile before it is available in the list. To create a logging profile, on the Main tab, click Security > Event Logs > Logging Profiles. Specific instructions for creating a logging profile is outside the scope of this iApp and deployment guide. See the online help or the About Local Logging with the Network Firewall chapter of the BIG-IP Network Firewall: Policies and Implementations guide for more information.
Which language encoding is used for ASM?
Choose the language encoding you want ASM to use. If you are unsure, leave the default, Unicode (utf-8).
The option for deploying AFM only appears in BIG-IP version 11.6 and later and if you have AFM licensed and provisioned
This section gathers information about BIG-IP Advanced Firewall Manager if you want to use it to protect your deployment. This section only appears if you have fully licensed and provisioned BIG-IP AFM. Contact your F5 sales representative for details.
For information specific on BIG-IP AFM, see http://support.f5.com/kb/en-us/products/big-ip-afm.html, and then select your version.
Do you want to use BIG-IP AFM to protect your application?
Choose whether you want to use BIG-IP AFM, F5's network firewall, to secure this HTTP deployment. If you choose to use
BIG-IP AFM, you can restrict access to the SharePoint virtual server to a specific network or IP address. See the BIG-IP AFM documentation for specific details on configuring AFM.
No, do not use Application Firewall Manager
Select this option if you do not want to enable BIG-IP AFM at this time. You can always re-enter the template at a later date to enable BIG-IP AFM. Continue with the next section.
Select an existing AFM policy from the list
If you already created a BIG-IP AFM policy for this SharePoint implementation, select it from the list. Continue with c.
Yes, use F5's recommended AFM configuration
Select this option if you want to enable BIG-IP AFM using F5's recommended configuration.
Do you want to forbid access to your application from specific networks or IP addresses?
Choose whether you want to restrict access to the SharePoint implementation via the BIG-IP virtual server.
No, do not forbit client addresses (allow all)
By default, the iApp configures AFM to accept traffic destined for the SharePoint virtual server from all sources. If you do not have a need to restrict access to the virtual server, leave this option selected and then continue with b.
Yes, forbid specific client addresses
Select this option if you want to restrict access to the SharePoint virtual server by IP address or network address.
What IP or network addresses should be allowed to access your application?
Specify the IP address or network access that should be allowed access to the HTTP virtual server. You can specify a single IP address, a list of IP addresses separated by spaces (not commas or other punctuation), a range of IP addresses separated by a dash (for example 192.0.2.10-192.0.2.100), or a single network address, such as 192.0.2.200/24.
How should the system control connections from networks suspected of malicious activity?
The BIG-IP AFM uses an IP intelligence database to categorize IP addresses coming into the system. Choose what you want the system to do for sources that are attempting to access the SharePoint virtual server with a low reputation score. For more information, see the BIG-IP AFM documentation.
Important You must have an active IP Intelligence license for this feature to function. See
https://f5.com/products/modules/ip-intelligence-services for information.
See Troubleshooting for a mandatory modification to the configuration if you are using AFM and the IP Intelligence feature to restrict or log traffic with low reputation scores.
Accept all connections and log nothing
Select this option to allow all sources, without taking into consideration the reputation score.
Reject connections from IP addresses with poor reputatations
Select this option to reject access to the SharePoint virtual server from any source with a low reputation score.
Accept all connections but log those from suspicious networks
Select this option to allow access to the SharePoint virtual server from sources with a low reputation score, but add an entry for it in the logs.
Select an IP intelligence policy
If you created an IP intelligence policy for this implementation, select it from the following question.
Which IP Intelligence policy do you want to use?
If you created an IP Intelligence policy for this SharePoint implementation, select it from the list.
Would you like to stage a policy for testing purposes?
Choose whether you want to stage a firewall policy for testing purposes. A staged policy allows you to evaluate the effect a policy has on traffic by analyzing the system logs, without actually modifying traffic based on the firewall rules. You must already have a policy on the system in order to select it.
Do not apply a staging policy
Select this option if you do not want to apply a logging profile at this time. You can always re-enter the template at a later date to add a logging profile. Continue with the next question.
Select an existing policy from the list
If you have already created a firewall policy for this implementation, select it from the list. Only policies that already exist on the system appear in the list. To create a new policy, on the Main tab, click Security > Network Firewall > Policies. Specific instructions for creating a firewall policy is outside the scope of this iApp and deployment guide.
Which logging profile would you like to use?
Choose whether you or not you want to use a logging profile for this AFM implementation. You can configure the BIG-IP system to log detailed information about BIG-IP system Network Firewall events and store those logs on the BIG-IP system or a remote logging server (supports syslog and Splunk). The list only contains profiles with Network Firewall enabled.
To create a logging profile, on the Main tab, click Security > Event Logs > Logging Profiles. Specific instructions for creating a logging profile is outside the scope of this iApp and deployment guide. See the online help or the About Local Logging with the Network Firewall chapter of the BIG-IP Network Firewall: Policies and Implementations guide for more information.
Do not apply a logging profile
Select this option if you do not want to apply a logging profile at this time. You can always re-enter the template at a later date to add a logging profile. Continue with the next question.
Select an existing logging profile from the list
If you have already created a logging profile for this implementation, select it from the list. You must create a profile before it is available in the list.
Which Denial-of-Service profile do you want to use?
If you created a Denial-of-Service profile for this implementation, select it from the list. The Denial-of-Service (DoS) profile can enable Layer 7 application DoS protection of HTTP traffic and Layer 7 DoS protection for SIP and DNS traffic. The iApp template does not create a DoS profile, if you want to use this functionality, you must create a custom DoS Profile outside the template.
Do not use a DoS profile
Select this option if you do not want use a DoS profile at this time. You can always re-enter the template at a later date to add this profile. Continue with the next question.
Select an existing DoS profile from the list
If you have already created a DoS profile for this implementation, select it from the list. Only policies that already exist on the system appear in the list. Specific instructions for creating a DoS profile is outside the scope of this iApp and deployment guide.
Which HTTP protocol security profile do you want to use?
If you created an HTTP protocol security profile for this implementation, select it from the list. The HTTP protocol security profile consists of many different security checks for the various components of HTTP traffic. The iApp template does not create a HTTP Security profile, if you want to use this functionality, you must create a custom HTTP Security profile outside the template.
Do not use an HTTP protocol security profile
Select this option if you do not want use a HTTP security profile at this time. You can always re-enter the template at a later date to add this profile. Continue with the next question.
Select an existing HTTP protocol security profile from the list
If you have already created a HTTP security profile for this implementation, select it from the list. Only policies that already exist on the system appear in the list. Specific instructions for creating a HTTP security profile is outside the scope of this iApp and deployment guide.
This section gathers information about your SharePoint deployment that is used in the BIG-IP virtual server and load balancing pool.
What IP address do you want to use for the virtual server?
Type the IP address you want to use for the BIG-IP virtual server. This is the address clients use (or a DNS entry resolves to this address) to access the SharePoint deployment via the BIG-IP system.
If necessary for your configuration, this can be a network address to create a network virtual server (you must specify an IP mask in the following question for a network virtual server). A network virtual server is a virtual server whose IP address has no bits set in the host portion of the IP address (that is, the host portion of its IP address is 0), allowing the BIG-IP system to direct client connections that are destined for an entire range of IP addresses, rather than for a single destination IP address. Thus, when any client connection targets a destination IP address that is in the network specified by the virtual server IP address, the system can direct that connection the pool of SharePoint servers.
If using a network virtual address, what is the IP mask?
If you specified a network address for the virtual server (allowing the virtual server to handle multiple IP addresses), you must enter the full network mask representing the address range. If you specified a single address for the virtual server, you may leave this field blank.
What port do you want to use for the virtual server?
Type the port number you want to use for the BIG-IP virtual server. For SharePoint deployments, this is typically 80 (HTTP) or 443 (HTTPS). The default port in the box is based on your answer to the How should the system handle SSL traffic question.
Which FQDNs will clients use to access the servers?
Type each fully qualified domain name clients will use to access the SharePoint deployment. Click the Add button to insert additional rows. If you only have one FQDN, do not click Add.
If you are also deploying the BIG-IP system for SharePoint Apps in SharePoint, or if you have Office Web Apps accessed through the SharePoint virtual server, you must also add those FQDN(s).
Do you want to redirect inbound HTTP traffic to HTTPS?
This question only appears if you selected SSL Offload or SSL Bridging in the SSL question.
Select whether you want the BIG-IP system to automatically redirect HTTP traffic to the HTTPS virtual server. This is useful when users forget to use HTTPS when attempting to connect to the Microsoft SharePoint deployment.
Redirect HTTP to HTTPS
Select this option to redirect HTTP traffic to HTTPS. If you select this option (the default), the BIG-IP system attaches a very small redirect iRule to the virtual server.
From which port should traffic be redirected?
Type the port number for the traffic that you want to redirect to HTTPS. The most common is port 80 (the default).
Do not redirect HTTP to HTTPS
Select this option if you do not want to enable the automatic redirect.
Which HTTP profile do you want to use?
The HTTP profile contains settings for instructing the BIG-IP system how to handle HTTP traffic. Choose whether you want the iApp to create a new HTTP profile or if you have previously created an HTTP profile for this deployment.
Unless you have requirements for configuring specific HTTP settings, we recommend allowing the iApp to create a new profile. To select a profile from the list, it must already be present on the BIG-IP system. Creating a custom profile is not a part of this template; see Local Traffic >> Profiles : Services : HTTP to create a HTTP profile. To select any new profiles you create, you need to restart or reconfigure this template.
Select an existing HTTP profile from the list
If you already created an HTTP profile for this implementation, select it from the list.
Create a new HTTP profile (recommended)
Select this option for the iApp to create a new HTTP profile.
Should the BIG-IP system insert the X-Forwarded-For header?
Select whether you want the BIG-IP system to insert the X-Forwarded-For header in the HTTP header for logging purposes.
Insert the X-Forwarded-For header
Select this option if you want the system to include the X-Forwarded-For header. You may have to perform additional configuration on your SharePoint servers to log the value of this header. For more information on configuring logging see Appendix D: Using X-Forwarded-For to log the client IP address in IIS 7.0, 7.5, and 8 (optional) .
Do not insert the X-Forwarded-For header
Select this option if you do not want the system to include X-Forwarded-For in the HTTP header.
Which persistence profile do you want to use?
By using persistence, the BIG-IP system tracks and stores session data, such as the specific pool member that serviced a client request, ensuring client requests are directed to the same pool member throughout the life of a session or during subsequent sessions. For SharePoint 2016, the default is Do not use persistence.
Unless you have requirements for configuring specific persistence settings, we recommend allowing the iApp to create a new profile. Creating a custom profile is not a part of this template; see Local Traffic >> Profiles : Persistence to create a persistence profile. To select any new profiles you create, you need to restart or reconfigure this template. Select one of the following persistence options:
Do not use persistence (recommended)
This is the recommended option if you are using SharePoint 2016.
If your implementation does not require persistent connections, select this option. SharePoint 2016 does not require connections from a single client to persist to the same SharePoint server, as the Distributed Cache service maintains authentication information across all SharePoint web application servers.
Use Cookie Persistence
Select this option to have the BIG-IP system create a new cookie persistence profile (cookie insert mode). With Cookie persistence, the BIG-IP system uses an HTTP cookie stored on the client’s computer to allow the client to reconnect to the same server previously visited.
Source IP Address persistence
This is the recommended option if you are using SharePoint 2010 and selected SSL pass-through.
Select this option if you want to use the Source IP address (also known as simple) persistence. With this mode, the BIG-IP system assigns the built-in Source Address Affinity persistence type, and directs session requests to the same server based only on the source IP address.
Select an existing persistence profile
If you have previously created a persistence profile, you have the option of selecting it instead of allowing the iApp to create a new one. From the list, select an existing persistence profile. We recommend using a persistence profile that uses Cookie persistence, Insert mode.
Do you want to create a new pool or use an existing one?
A load balancing pool is a logical set of servers, grouped together to receive and process traffic. When clients attempt to access the application via the BIG-IP virtual server, the BIG-IP system distributes requests to any of the servers that are members of that pool.
Select an existing pool
If you have already created a pool for your SharePoint servers, you can select it from the list. If you do select an existing pool, all of the rest of the questions in this section disappear.
Do not use a pool
If you are deploying this iApp in such a way that you do not need a pool of SharePoint servers, select this option. If you specified that the servers are connected to the BIG-IP system over the WAN through another BIG-IP system, this is the default option, as the system is sending the traffic across the iSession tunnel to the other BIG-IP system to be distributed to the servers.
Create a new pool
Leave this default option to create a new load balancing pool and configure specific options.
Which load balancing method do you want to use?
Specify the load balancing method you want to use for this SharePoint server pool. We recommend the default, Least Connections (member).
If you select Ratio (member) additional options appear after the you add your SharePoint servers in question c.
Do you want to give priority to specific groups of servers?
Select whether you want to use Priority Group Activation. Priority Group Activation allows you to segment your servers into priority groups. With Priority Group Activation, the BIG-IP system load balances traffic according to the priority number you assign to the pool members. A higher number indicates higher priority. Traffic is only sent to the servers with the highest priority, unless the number of available servers in that priority group falls below the value you specify as the minimum. The BIG-IP then sends traffic to the group of servers with the next highest priority, and so on. See the BIG-IP documentation for more details.
Do not use Priority Group Activation (recommended)
Select this option if you do not want to enable Priority Group Activation.
Use Priority Group Activation
Select this option if you want to enable Priority Group Activation. You must add a priority to each server in the Priority box described in #c.
What is the minimum number of active members for each priority group?
Specify the minimum number of servers that must be active to continue sending traffic to the priority group. If the number of active servers falls below this minimum, traffic will be sent to the group of servers with the next highest priority group number.
Which SharePoint servers should be included in this pool?
Specify the IP address(es) of your SharePoint servers. If you have existing nodes on this BIG-IP system, you can select them from the list, otherwise type the addresses. You can optionally add a Connection Limit. If you enabled Priority Group Activation, you must also specify a Priority for each device. Click Add to include additional servers.
Do you want to automatically update pool member ratio using the SharePoint Health Score header?
This question only appears if you selected the Ratio (member) load balancing method
If you selected the dynamic load balancing method Ratio (member), you can choose whether or not you want to enable dynamic modification of the ratio of the SharePoint pool member based on the X-SharePointHealthScore header in the SharePoint servers response.
Important To use this dynamic modification of pool member ratio feature, the X-SharePointHealthScore header returned from the SharePoint server(s) must not require authentication. The URL query parameters you enter in the following questions must allow for anonymous authentication to ensure the header is included in the response.
No, do not update pool member ratio(s)
Select this option if you do not want to update the ratio of the BIG-IP pool members based on the SharePointHealthScore header returned by the SharePoint servers. Continue with Delivery Optimization .
Yes, update pool member ratio(s)
Select this option if you want to update the ratio of the BIG-IP pool members based on the SharePointHealthScore header returned by the SharePoint servers. You must answer the following questions.
Is HTTPS encryption required for the URL request?
Choose whether or not your URL request requires encryption.
No, HTTPS encryption is not required
Select this option you do not need the BIG-IP system to encrypt the URL request.
Yes, HTTPS encryption is required
Select this option if the URL request the BIG-IP sends must be encrypted.
Do you want to use reverse DNS lookup on each pool member as the query FQDN?
Choose whether or not you want to use reverse DNS look up as the query FQDN for each pool member. If you do not use reverse DNS lookup, the query uses the pool member IP address as the FQDN.
No, do not use Reverse DNS Lookup
Select this option if you do not want to use reverse DNS lookup. The URL query simply uses the IP address of the pool member as the FQDN.
Yes, use Reverse DNS Lookup
Select this option if you want the system to use the reverse DNS lookup of the pool member IP address and use it as the FQDN in the URL query.
What URI should be queried for the X-SharePointHealthScore header?
Type the URI that should be queried for the health score header. The URI in this field is used to query each SharePoint pool member for a response that includes the X-SharePointHealthScore. The default value is
/SitePages/Home.aspx.
Do you want to use the pool member port or a custom port for the URL query?
Choose whether you want to use the same port that you specified for the SharePoint pool members, or if you want to use a different, custom port for the URL query. You may need to use a custom port depending on how the SharePoint servers are configured to allow for the X-SharePointHealthScore to be available in the HTTP response. A common design would be to have a specific SharePoint site with a unique port configured that allows for anonymous authentication specifically for this feature.
Use Pool member port
Select this option to use the same port you specified for the SharePoint servers earlier in this section.
Use custom port
Select this option if you need to use a custom port. You must specify the port in the next question.
Which custom port would you like to use?
Type the port number you want to use for the URL query.
How often (in seconds) should the script run?
Type a number of second you want the script, which checks for update ratio status, is run. You can change the default interval of 60 seconds based on your needs, however, keep in mind that if you shorten the interval excessively and have a high number of pool members you may see performance issues as a result of constant script execution.
Note: The standard successful log messages, including any errors are logged to /var/tmp/scriptd.out. This provides insight if something does not appear right or if ratios are not being changed as expected. Ensure the scriptd service is started if the scriptd.out file does not exist or to remove all existing log messages from the scriptd.out file.
In this section, you answer questions about how you want the BIG-IP system to optimize the delivery of your SharePoint traffic.
Use the BIG-IP Application Acceleration Manager?
This question only appears if you have licensed and provisioned BIG-IP AAM.
Choose whether you want to use the BIG-IP Application Acceleration Manager (formerly known as WebAccelerator). BIG-IP Application Acceleration Manager helps accelerate your SharePoint traffic.
Yes, use BIG-IP AAM (recommended)
Select this option to enable BIG-IP AAM.
No, do not use BIG-IP AAM
Select this option if you do not want to enable BIG-IP AAM at this time.
Which Web Acceleration profile do you want to use for caching?
Select whether you want the system to create a new Web Acceleration profile, or if you have already created a Web Acceleration profile for use in this deployment. The Web Acceleration profile contains the caching settings for this implementation.
Unless you have requirements for configuring specific acceleration settings (such as specific allowing/denying specific URIs), we recommend allowing the iApp to create a new profile. Creating a custom profile is not a part of this template; see Local Traffic >> Profiles > Services > Web Acceleration to create an acceleration profile. To select any new profiles you create, you need to restart or reconfigure this template.
Note if using BIG-IP AAM:
If you are using BIG-IP AAM, and want to select a custom Web Acceleration profile for caching you have already created, it must have an AAM application enabled, otherwise it does not appear in the list of caching profiles. If you want access to all Web Acceleration profiles on the box, then you must choose No to the use BIG-IP AAM question. Use a custom Web Acceleration profile only if you need to define specific URIs that should or should not be cached.
Note if not using BIG-IP AAM:
If you are not using BIG-IP AAM, we recommend you only use a custom Web Acceleration profile if you need to define specific URIs which should or should not be cached.
Create a profile based on optimized-caching (recommended)
Leave this default option to create a new Web Acceleration profile for caching.
Do not use caching
This question does not appear if you chose to enable BIG-IP AAM
Select this option if you do not want to enable caching on the BIG-IP system for this implementation.
Select an existing Web Acceleration profile
If you have already created a Web Acceleration profile for your SharePoint servers, you can select it from the list.
Do you want to insert the X-WA-Info header?
This question only appears if you chose to enable BIG-IP AAM
The BIG-IP system can optionally insert an X-WA-Info response header that includes specific codes describing the properties and history of the object. The X-WA-Info response header is for informational and debugging purposes only and provides a way for you to assess the effectiveness of your acceleration policy rules.
By default, the AAM X-WA-info header is not included in the response from the BIG-IP system. If you choose to enable this header, you have two options, Standard and Debug. In Standard mode, the BIG-IP system inserts an HTTP header that includes numeric codes which indicate if and how each object was cached. In Debug mode, the BIG-IP system includes additional information which may help for extended troubleshooting.
Do not insert the header (recommended)
Select this option if you do not want to insert the X-WA-Info header. Typically F5 recommends not inserting the header unless instructed to do so by an F5 Technical Support Engineer.
Insert the Standard header
Select this option if you want to insert the Standard header. For detailed information on the numeric codes used by the header, see http://support.f5.com/kb/en-us/solutions/public/13000/700/sol13798.html
Insert the Debug header
Select this option if you want to insert the Debug header for extended troubleshooting.
Do you want to use the legacy AAM performance monitor?
This question only appears if you chose to enable BIG-IP AAM
Enabling the legacy AAM performance monitor can adversely affect system performance. This monitor is primarily used for legacy AAM performance monitoring and debugging purposes, and can adversely affect system performance. The BIG-IP Dashboard provides performance graphs and statistics related to AAM.
Do not enable the legacy performance monitor (recommended)
Select this option if you do not want to enable the legacy monitor.
Enable the legacy performance monitor
Select this option if you want to enable the legacy performance monitor. Remember enabling this legacy monitor can impact overall system performance.
For how many days should the BIG-IP system retain the data?
Specify the number of days the BIG-IP system should retain the legacy performance data.
Which acceleration policy do you want to use?
This question only appears if you chose to enable BIG-IP AAM
Unless you have created a custom BIG-IP AAM policy for this deployment, select the default policy (Microsoft SharePoint 2010).This predefined acceleration policy was created for Microsoft SharePoint servers.
Which compression profile do you want to use?
Compression improves performance and end user experience for Web applications that suffer from WAN latency and throughput bottlenecks. Compression reduces the amount of traffic sent to the client to complete a transaction.
Unless you have requirements for configuring specific compression settings, we recommend allowing the iApp to create a new profile. F5 recommends the default profile which is optimized for SharePoint servers. Creating a custom profile is not a part of this template; see Local Traffic >> Profiles : Services : HTTP Compression to create a compression profile. To select any new profiles you create, you need to restart or reconfigure this template.
How do you want to optimize client-side connections?
The client-side TCP profile optimizes the communication between the BIG-IP system and the client by controlling the behavior of the traffic which results in higher transfer rates, improved connection reliability and increased bandwidth efficiency.
Unless you have requirements for configuring specific TCP optimization settings, we recommend allowing the iApp to create a new profile. Creating a custom profile is not a part of this template; see Local Traffic >> Profiles : Protocol : TCP to create a TCP profile. To select any new profiles you create, you need to restart or reconfigure this template.
Create the appropriate tcp-optimized profile (recommended)
Select this option to have the system create the recommended TCP profile. The parent profile (either WAN or LAN optimized) is determined by your selection to the “What type of network connects clients to the BIG-IP system” question.
Select the TCP profile you created from the list
If you created a custom TCP profile for the SharePoint servers, select it from the list.
In this section, you configure the options for offloading tasks from the SharePoint servers. This entire section only appears if you selected mode.
Which OneConnect profile do you want to use?
OneConnect (connection pooling or multiplexing) improves server scalability by reducing load associated with concurrent connections and connection rate to SharePoint servers. When enabled, the BIG-IP system maintains one connection to each SharePoint server which is used to send requests from multiple clients.
Unless you have requirements for configuring specific settings, we recommend allowing the iApp to create a new profile. F5 recommends the default profile which is optimized for SharePoint servers. Creating a custom profile is not a part of this template; see Local Traffic >> Profiles : Other : OneConnect to create a OneConnect profile. To select any new profiles you create, you need to restart or reconfigure this template.
If you are deploying SharePoint 2016, and want to select a custom OneConnect profile, be sure it has a 0.0.0.0 source mask.
Create a profile based on the oneconnect parent (recommended)
Select this option to have the system create the recommended OneConnect profile. The system uses the oneconnect parent profile with a Source Mask setting of 255.255.255.255.
Do not use a OneConnect profile
Select this option if you do not require the BIG-IP system to perform connection pooling using a OneConnect profile.
Select the OneConnect profile you created from the list
If you created a custom OneConnect profile for the SharePoint servers, select it from the list.
Which NTLM profile do you want to use?
The NTLM profile optimizes network performance when the system is processing NTLM traffic. When both an NTLM profile and a OneConnect profile are enabled, the system can take advantage of server-side connection pooling for NTLM connections.
If you are creating this template in a BIG-IP partition other than /Common, you must create a custom NTLM profile and select it from this list. See Troubleshooting for detailed information.
If your environment uses NTLM, we recommend allowing the iApp to create a new profile unless you have requirements for configuring specific settings. Creating a custom profile is not a part of this template; see Local Traffic >> Profiles : Other : NTLM to create a NTLM profile. To select any new profiles you create, you need to restart or reconfigure this template.
If you are deploying SharePoint 2016, select Do not use NTLM (recommended).
Use F5’s recommended NTLM profile
Select this option to have the system create the recommended NTLM profile. The system uses the ntlm parent profile.
Do not use NTLM (recommended)
Select this option if you do not use NTLM authentication in your SharePoint implementation.
Select the NTLM profile you created from the list
If you created a custom NTLM profile for the SharePoint servers, select it from the list.
How do you want to optimize server-side connections?
The server-side TCP profile optimizes the communication between the BIG-IP system and the server by controlling the behavior of the traffic which results in higher transfer rates, improved connection reliability and increased bandwidth efficiency.
Unless you have requirements for configuring specific TCP optimization settings, we recommend allowing the iApp to create a new profile. Creating a custom profile is not a part of this template; see Local Traffic >> Profiles : Protocol : TCP to create a TCP profile. To select any new profiles you create, you need to restart or reconfigure this template.
Create the appropriate tcp-optimized profile (recommended)
Select this option to have the system create the recommended TCP profile. The parent profile (either WAN or LAN optimized) is determined by your selection to the “What type of network connects servers to the BIG-IP system” question.
Select the TCP profile you created from the list
If you created a custom TCP profile for the SharePoint servers, select it from the list.
Do you want the BIG-IP system to queue TCP requests?
Select whether you want the BIG-IP system to queue TCP requests. TCP request queuing provides the ability to queue connection requests that exceed the capacity of connections for a pool, as determined by the connection limit. Consequently, instead of dropping connection requests that exceed the capacity of a pool, TCP request queuing enables those connection requests to reside within a queue according to defined conditions until capacity becomes available. For more information on TCP Request Queuing, see the Preventing TCP Connection Requests From Being Dropped chapter in the BIG-IP Local Traffic Manager: Implementations guide, available on AskF5.
Important TCP Request Queuing is an advanced feature and should be used only if you understand how it will affect your deployment, including application behavior and BIG-IP performance.
If you enable TCP Request Queuing, you must have a Connection Limit set on at least one of the nodes when configuring the Address/Port for the nodes.
No, do not enable TCP request queuing (recommended)
Select this option if you do not want the BIG-IP system to queue TCP requests.
Yes, enable TCP request queuing
Select this option if you want to enable TCP request queuing on the BIG-IP system.
What is the maximum number of TCP requests for the queue?
Type the maximum number of requests you want to queue. We do not recommend using 0, which means unlimited and is only constrained by available memory.
How many milliseconds should requests remain in the queue?
Type a number of milliseconds for the TCP request timeout value.
Use a Slow Ramp time for newly added servers?
With Slow Ramp, the BIG-IP system gradually adds connections to a newly-enabled or newly-added SharePoint server over a time period you specify, rather than sending a full proportion of the traffic immediately. Slow Ramp is essential when using the Least Connections load balancing method (our recommended method for SharePoint servers), as the BIG-IP system would otherwise send all new connections to a new server immediately, potentially overwhelming that server.
Select whether you want to use a Slow Ramp time.
Use Slow Ramp
Select this option for the system to implement Slow Ramp time for this pool.
How many seconds should Slow Ramp time last?
Specify a duration in seconds, for Slow Ramp. The time period you select for Slow Ramp is highly dependent on the speed of your server hardware and the behavior of your web services. The default setting of 300 seconds (5 minutes) is very conservative in most cases.
Do not use Slow Ramp
Select this option if you do not want to use Slow Ramp. If you select this option, we recommend you do not use the Least Connections load balancing method.
In this section, you answer questions about how you want to implement application health monitoring on the BIG-IP system.
Create a new health monitor or use an existing one?
Application health monitors are used to verify the content that is returned by an HTTP request. The system uses these monitors to ensure traffic is only sent to available SharePoint servers.
Unless you have requirements for configuring other options not in the following list of questions, we recommend allowing the iApp to create a new monitor. Creating a custom health monitor is not a part of this template; see Local Traffic >> Monitors. To select any new monitors you create, you need to restart or reconfigure this template.
If you configured your SharePoint web application to use AD FS as a Trusted Identity authentication provider, see Optional: Monitoring SharePoint Web Applications Configured for AD FS as a Trusted Identity Provider .
Select the monitor you created from the list
If you manually created the health monitor, select it from the list. Continue with iRules .
Create a new health monitor
If you want the iApp to create a new monitor, continue with the following.
How many seconds should pass between health checks?
Specify how long the system should wait between each health check. This is used as the Interval setting for the monitor. We recommend the default of 30 seconds.
What type of HTTP request should be sent to the servers?
Select whether you want the system to send an HTTP GET or POST request. The GET method requests data from the server, the POST submits data to be processed by the server.
GET
Select this option if you want the system to use a GET request. The system uses the URI you specify in the next question to request content from the SharePoint server.
POST
Select this option if you want the system to use a POST request. The system uses the URI you specify in the next question, along with the HTTP POST body you will specify to form the request.
What HTTP URI should be sent to the servers?
The HTTP URI is used to specify the resource on the SharePoint server for a given request. This parameter can be customized to request a specific part of your application, which can indicate the application-health on a granular level.
What HTTP version do your servers expect clients to use?
Choose the HTTP version which you expect most of your clients to be using. This allows the system to detect failures more accurately.
HTTP/1.0
Choose this option if you expect your clients to use HTTP/1.0.
HTTP/1.1
Choose this option if you expect your clients to use HTTP/1.1.
What HTTP POST body do you want to use for this monitor?
This question only appears if you selected a POST request.
If you selected a POST request, you must specify the message body for the POST.
What is the expected response to the HTTP request?
Specify the response you expect returned from the request. The system checks the response from the server against the response you enter here to determine server health.
By default, the expected response is X-SharePointHealthScore: [0-5]. If the health score header information received back from the SharePoint server is higher than 5, the system marks the pool member down. By default authenticating to the SharePoint server will be required for the X-SharePointHealthScore header to be returned, the exception is if anonymous authentication is enabled.
Should the health monitor require credentials?
Choose whether you want the system to attempt to authenticate to the SharePoint servers as a part of the health check.
No, allow anonymous access
Select this option if you do not want the monitor to attempt authentication.
Yes, require credentials for Basic authentication
Select this option if you want to attempt Basic authentication as a part of the health monitor. To require credentials, you should have a user account specifically for this health monitor which has no other privileges, and has a password set to never expire.
What user name should the monitor use?
Type the domain and user name for the account you created for the health monitor. You must include the domain in front of the user, such as EXAMPLE\USER.
What is the associated password?
Type the password for the account.
Yes, require credentials for NTLM authentication
Select this option if you want to attempt NTLM authentication as a part of the health monitor. To require credentials, you should have a user account specifically for this health monitor which has no other privileges, and has a password set to never expire.
What user name should the monitor use?
Type the domain and user name for the account you created for the health monitor.
Important If you have a complex Active Directory environment where the username is not in the same domain as the Domain Controller being queried, you should prepend the domain name in uppercase letters (DOMAIN\) to the username in this field.
What is the associated password?
Type the password for the account.
This section is available only if you selected Advanced mode.
In this section, you can add custom Local Traffic Policies to the SharePoint deployment. BIG-IP local traffic policies comprise a prioritized list of rules that match conditions you define and run specific actions which direct traffic accordingly. For example, you might create a policy that determines whether a client is using a mobile device, and then redirects its requests to the applicable mobile web site's URL. This template does not create any local traffic policies, you can only select policies you have already created outside the iApp template. For more information, see BIG-IP Local Traffic Management: Getting Started with Policies available on AskF5.
This section is available only if you selected Advanced mode.
In this section, you can add custom iRules to the SharePoint deployment. iRules are a scripting language that allows an administrator to instruct the system to intercept, inspect, transform, direct and track inbound or outbound application traffic. An iRule contains the set of instructions the system uses to process data flowing through it, either in the header or payload of a packet.
In this section, you answer questions about logging and statistics.
This entire section is available only if you selected mode.
Do you want to enable Analytics for application statistics?
You must have AVR licensed and provisioned for this option to appear
The Application Visibility Reporting (AVR) module for analytics allows you to view statistics specific to your application implementation. AVR is included and available on all BIG-IP systems v11 and later, however you must have the AVR provisioned for this option to appear. Note that this provisioning requirement is only for AVR, you can view object-level statistics from the BIG-IP system without provisioning AVR.
Important Enabling Analytics may adversely affect overall system performance. If you choose to enable Analytics, we recommend gathering statistics for a set time period, such as one week, and then re-entering this template and disabling Analytics while you process the data.
If you plan on using AVR for analytics, we recommend creating a custom Analytics profile. To create a new profile, from the Main tab, select Profiles and then click Analytics. Click New and then configure the profile as applicable for your configuration. See the online help or product documentation for specific instructions.
Do not enable Application Visibility Reporting
If you do not want to enable Analytics, leave this list set to No, and continue with the next section.
Select the Analytics profile you created from the list
If you choose to enable Analytics, select the Analytics profile you want to use for this implementation from the list.
Which HTTP request logging profile do you want to use?
HTTP request logging enables customizable log messages to be sent to a syslog server for each HTTP request processed by your application. You can choose to enable HTTP request logging by selecting a logging profile you already created from the list.
We strongly recommend you thoroughly test the performance impact of using this feature in a staging environment prior to enabling on a production deployment.
Creating a request logging profile is not a part of this template. See Local Traffic>>Profiles: Other: Request Logging. To select any new profiles you create, you need to restart or reconfigure this template.
Do not enable HTTP request logging
If you do not want to enable HTTP request logging, leave this list set to No, and continue with the next section.
Select the HTTP request logging profile you created from the list
If you choose to enable HTTP request logging, select the profile you want to use for this implementation from the list.
Review the Additional Steps section. There may be tasks you need to complete after submitting the template.
Review the answers to your questions. When you are satisfied, click the Finished button. The BIG-IP system creates the relevant objects for the SharePoint application.
If you have configured your SharePoint web application to use AD FS as a Trusted Identity authentication provider, you must use a monitor that determines availability of SharePoint services without authenticating. You can create a new monitor with the iApp using the values indicated below for expected response and credentials, or you can manually create a custom monitor and assign it to the deployment using the iApp.
If you want to configure the monitor while running through the iApp template, use the following guidance:
If you want to configure the monitor manually, use the guidance for the HTTP health monitor found in Appendix B: Manual configuration tables , making sure to use X-MSDAVEXT as the Receive String. Then use the Reconfigure feature on the application service to re-enter the template, and then from the Create a new health monitor or use an existing one? question, select the monitor you created.
This section contains modifications to the iApp template that are mandatory in certain situations. Review the entries to see if these changes apply to your configuration.
SSL offload is not currently supported for SharePoint Apps. You must use the following procedures to support SharePoint Apps if you configured the BIG-IP system for offloading SSL. This allows you to offload SSL from the main SharePoint deployment, but still support SharePoint Apps with the BIG-IP system.
Use the following table for guidance on configuring the BIG-IP LTM for unencrypted connections to the SharePoint servers. For specific instructions on configuring these objects, see the online help or the BIG-IP documentation.
Health Monitors (Local Traffic > Monitors) |
|
Name |
Type a unique name |
Type |
http |
Interval |
30 (recommended) |
Timeout |
91 (recommended) |
Pools (Local Traffic > Pools) |
|
Name |
Type a unique name. |
Health Monitor |
Select the monitor you created above |
Slow Ramp Time |
300 |
Load Balancing Method |
Least Connections (Member) |
Address |
Type the IP Address of a SharePoint |
Service Port |
80 Click Add to repeat Address and Service Port for all nodes |
The next task is to create the iRule. This iRule disables server side SSL (re-encryption) for all connections except SharePoint Apps. In the iRule, apps.example.com corresponds to the new base domain for SharePoint Apps that you configured in SharePoint Central Administration. For instructions on configuring SharePoint Central Administration, see the Microsoft documentation.
To create the iRule
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
when HTTP_REQUEST { |
In this procedure, we modify the iApp configuration for SSL Bridging and to include the iRule you created.
To configure the BIG-IP system for SSL Bridging
This completes the Apps for SharePoint configuration.
Microsoft SharePoint Server 2016 support the deployment of multiple, host name-based site collections on a single web application. If you are using multiple, host name-based collections on a single application, and configured (or are configuring) the iApp template for SSL offload, you must use the following guidance to create a new HTTP profile and health monitor and attach them to the implementation using the iApp.
Use the following table to create the new objects. Settings not mentioned in the table can be configured as appropriate for your implementation.
HTTP Profile (Local Traffic > Profiles > Services > HTTP) |
|
Name |
Type a unique name |
Request Header Insert |
FRONT-END-HTTPS: ON |
Redirect Rewrite |
Matching |
Insert X-Forwarded-For |
Enabled (optional) |
Health Monitor (Local Traffic > Monitors) |
|
Name |
Type a unique name |
Type |
HTTP |
Interval |
30 (recommended) |
Timeout |
91 (recommended) |
Send String |
If using NTLM Authentication: |
The next task is to re-enter the template and configure the iApp to use the profile and health monitor you just created.
You should not configure Alternate Access Mappings for the SharePoint web application as detailed in Appendix A of this guide, because it is applicable to path-based site collections only. Instead, you must configure each SharePoint site collection URL to use https://. This must be done using the SharePoint Management Shell. For more information, consult the Microsoft documentation:
http://technet.microsoft.com/en-us/library/cc424952.aspx.
F5’s APM and AAM modules also support the deployment of host-named site collections. When deploying the SharePoint iApp, you must enter each site collection FQDN in the "What FQDNs will clients use to access the servers?" question of the template. When accessing the web application via BIG-IP APM, the client will be redirected to the primary authentication URI, which is the first host entered in the FQDNs table. After authentication, BIG-IP APM redirects the client to the original request URI.
If you have configured your Microsoft Windows domain to support only NTLMv2 authentication and refuse LM/NTLM requests, you must either modify the configuration produced by the template by disabling the Strict Updates feature and add/modify the required objects for NTLMv2 authentication.
First you must disable the strict updates feature.
Next, you create a new NTLM SSO Configuration object on the BIG-IP APM.
The final task is to update the Access Profile created by the iApp template to use the NTLM SSO Configuration object you just created.
After completing the iApp Template, the BIG-IP Application Services page opens for the Microsoft SharePoint service you just created. To see the list of all the configuration objects created to support the SharePoint application, on the Menu bar, click Components. The complete list of all related objects opens. You can click individual objects to see the settings.
Once the objects have been created, you are ready to use the new deployment.
Before sending traffic to the BIG-IP system, your DNS administrator may need to modify any DNS entries for the SharePoint implementation to point to the BIG-IP system’s virtual server address.
The iApp Application Service you just created can be quickly and easily modified if you find it necessary to make changes to the configuration. The Strict Updates feature of the iApp prevents users from manually modifying the iApp configuration (Strict Updates can be turned off, but use extreme caution). iApp allows you to re-enter the template, make changes, and then update the template. The modifications are automatically made to any of the associated objects.
To modify the configuration
You can easily view a number of different statistics on the BIG-IP system related to the configuration objects created by the iApp template. You can get statistics specific to the Application Service if you have provisioned AVR. Otherwise, you can always get object-level statistics.
If you have provisioned AVR, you can get application-level statistics for your SharePoint Application Service.
To view AVR statistics
If you haven’t provisioned AVR, or want to view object-level statistics, use the following procedure.
To view object-level statics
For more information on viewing statistics on the BIG-IP system, see the online help or product documentation.
Use this section for common troubleshooting steps and workarounds for known issues.
Q: Why isn't the BIG-IP APM session terminated when a user clicks Sign Out from a SharePoint site collection?
A: When a user clicks Sign Out from a SharePoint Site Collection, the APM session is not terminated. This occurs when the SharePoint site the user is browsing does not begin at the root ( / ) of the SharePoint Web Application, and the APM Access Profile is using the default Logout URI.
For example, sign out requests for https://sharepoint.example.com/_layouts/15/SignOut.aspx correctly terminate the APM session, but sign out requests for https://sharepoint.example.com/mysite/_layouts/15/SignOut.aspx do not.
If you are using BIG-IP APM, create and attach the following iRule to ensure that APM sessions are terminated for all logout events:
1. On the Main tab, expand Local Traffic and then click iRules.
2. Click Create.
3. In the Name box, type a unique name for this iRule.
4. In the Definition section, copy and paste the following iRule, omitting the line numbers.
1 2 3 4 5 |
when ACCESS_ACL_ALLOWED { |
5. Click the Finished button.
6. Re-enter the iApp template (on the Main tab, click iApp > Application Services > [name of your SharePoint application service] and then from the Menu bar, click Reconfigure).
7. From the Which configuration mode do you want to use? question, select Advanced - configure advanced options.
8. In the iRules section, from the Do you want to add any custom iRules to this configuration? question, select the iRule you just created and then click the Add (<<) button to move it to the Selected box.
9. Click the Update button.
Q: Why am I unable to sync local files to SharePoint using the SkyDrive client and Office 2013/2016 Upload Center?
A: If you have secured SharePoint with F5 Access Policy Manager, you must apply the following iRule to the SharePoint BIG-IP virtual server to allow file synchronization between the SharePoint site and SkyDrive/Office Upload Center clients.
From the Main tab, expand Local Traffic and then click iRules. Click the Create button. Use the following code in the Definition section, omitting the line numbers:
1 2 3 4 5 |
|
Use the procedure Adding the iRule to the virtual server above to add the iRule to the virtual server.
Q: After deploying the iApp, why are users receiving an error when trying to modify the view of a SharePoint list, or the Connect to Outlook button is greyed out?
A: This is typically a result of using SharePoint's Minimal Download Strategy feature with the default BIG-IP configuration. SharePoint sites configured with the Minimal Download Strategy feature return incorrect HTTP responses when the BIG-IP HTTP compression profile removes the Accept-Encoding header from the request.
To solve this issue, we recommend deactivating Minimal Download Strategy from the SharePoint Site Settings > Manage Site Features page. See the Microsoft documentation for specific instructions.
Alternatively, you can create a custom compression profile on the BIG-IP system with Keep Accept-Encoding enabled, and then select it within the iApp template.
To create a new HTTP Compression profile, go to Local Traffic > Profiles > Services > HTTP Compression and then click Create. In the Keep Accept Encoding row, click the Custom box, and then click the Keep Accept Encoding box to ensure the system does not remove this header. Click Finished.
Q: Why are users unable to open SharePoint document libraries in Windows Explorer or edit SharePoint documents in Microsoft Office applications after deploying the BIG-IP APM?
A: When accessing SharePoint Server through BIG-IP APM, you may encounter errors when attempting to open document libraries with Windows Explorer. Additionally, you may be unable to open or save Microsoft Office documents located in a SharePoint document library. This behavior can occur when the Microsoft WebDAV client fails to send the persistent APM session cookie with every request.
To correct this behavior, download and install the following hotfix from Microsoft on client computers exhibiting the issue:
http://support.microsoft.com/kb/2936341. A system restart may be necessary after installation. If this does not solve your problem, please contact F5 technical support via your typical method.
Q: Why are client connections unresponsive or seem to hang when using the OneConnect feature?
A: If you have configured your deployment to use OneConnect (part of F5's recommended configuration), and users are experiencing slow performance or the need to refresh pages, Microsoft IIS may be failing to reset the TCP connection after the default timeout period of 120 seconds.
To work around this issue, create a custom server-side TCP profile with an Idle Timeout value of less that 120 seconds, and then apply the profile to the virtual server. If you used the iApp template to configure the BIG-IP system, you can attach the new profile using the template. If you manually configured the BIG-IP system, you manually add the profile.
To create the new TCP profile, click Local Traffic > Profiles > Protocol > TCP and then click Create. From the Parent Profile list, select tcp-lan-optimized. Check the Custom box for Idle Timeout, and then in the Seconds box, type a number less than 120, such as 110. Click Finished to create the profile.
To add the profile to the SharePoint virtual server
If you configured the BIG-IP system manually, simply replace the existing Protocol Profile (Server) profile with the profile you just created.
Q: I entered multiple FQDNs in the Virtual Server and Pools section of the iApp, so why does APM Single Sign-On only work for the first FQDN?
A: If you are running BIG-IP version 11.5.x, deployed BIG-IP APM, and entered more than one application FQDN, the BIG-IP APM sends a TCP reset in response to requests for the additional authentication domains.
This is a known issue in BIG-IP version 11.5 and 11.5.1, and has been fixed in BIG-IP v11.5.0 HF 5 and BIG-IP 11.5.1 HF 5. You must upgrade the BIG-IP system to one of these hotfixes (or later version).
See https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13123 for instructions on downloading and installing BIG-IP system hotfixes.
Q: When APM is enabled, why does uploading files to SharePoint using drag and drop and/or the file uploader give me an error? In some cases it displays an error but still uploads the file, as seen when refreshing SharePoint.
A: This is a known issue and typically has to do with the Keep Accept Encoding setting on the HTTP Compression profile. The workaround depends on whether you configured the BIG-IP system using the iApp template or configured the system manually.
If you configured the system manually, simply edit the HTTP Compression profile you created and then check the Keep Accept Encoding box. If you are still experiencing the upload issue this, remove the HTTP Compression profile.
iApp Configuration
If you used the iApp template to configure the system, we recommend you create a new, custom HTTP profile that includes the Keep Accept Encoding setting, and then select it from the iApp.
After creating the profile, use the procedure To add the profile to the SharePoint virtual server , but in Step 5, from the Which compression profile do you want to use? question, select the HTTP Compression profile you just created. If you are still experiencing the upload issue this, from the same question, select Do not compress HTTP responses.
Q: How can I troubleshoot the scriptd service?
A: Use the following commands to check the scriptd service and to restart it if necessary. These commands are performed from the BIG-IP command line interface (CLI).
To check service status: bigstart list scriptd
To restart the service: bigstart restart scriptd.
For detailed information about scriptd, see the BIG-IP documentation.
When using the BIG-IP LTM system for SSL offload, for each SharePoint Web Application that will be deployed behind LTM, you must configure your SharePoint Alternate Access Mappings and Zones allow users to access non-SSL sites through the BIG-IP LTM SSL virtual server and ensure correct rewriting of SharePoint site links. For SSL offload, the Alternate Access Mapping entries must have URLs defined as https://, where FQDN is the name associated in DNS with the appropriate Virtual Server, and assigned to the SSL certificate within the Client SSL profile.
For each public URL to be deployed behind LTM, you must first modify the URL protocol of the internal URL associated with that URL and zone from http:// to https://: and then recreate the http:// URL. If you only try to add a new URL for HTTPS, it will not function properly.
For more information, see http://sharepoint.microsoft.com/blog/Pages/BlogPost.aspx?pID=804.
After configuring Alternate Access Mappings in SharePoint 2010 to support SSL offloading, you must perform the following procedure to ensure that search results are properly displayed for https:// queries. The examples below depict modifying the Content Search Service Application; however, you must also perform these steps on your Query Search Service Application.
To ensure HTTPS search results are displayed
When the crawl is complete, users should receive https:// addresses in their search query results.
We strongly recommend using the iApp template to configure the BIG-IP system for Microsoft SharePoint. Users familiar with the BIG-IP system can use the following table to manually configure the BIG-IP system. The table contains a list of configuration objects along with any non-default settings you should configure as a part of this deployment. Settings not mentioned can be configured as applicable for your configuration. For specific instructions on configuring individual objects, see the online help or product manuals.
TIP: If you are manually configuring the BIG-IP system, you may want to use the PDF version of this guide for easier reading.
Health Monitors (Local Traffic > Monitors) |
||
Name |
Type a unique name |
|
Type |
HTTP (HTTPS if you are deploying SSL Bridging) |
|
Interval |
30 (recommended) |
|
Timeout |
91 (recommended) |
|
Send String |
Optional. We use GET / HTTP/1.1\r\nHost: \r\nConnection: Close\r\n\r\n |
|
Receive String |
200 OK If you configured your SharePoint web application to use AD FS as a Trusted Identity authentication provider, see Optional: Monitoring SharePoint Web Applications Configured for AD FS as a Trusted Identity Provider |
|
User Name1 |
If necessary, type a user name with access to your application. We recommend creating an account for use in this monitor. If you are using NTLM authentication and have a complex Active Directory environment where the username is not in the same domain as the Domain Controller being queried, you must prepend the domain name in uppercase letters (DOMAIN\) to the username in this field. |
|
Password1 |
Type the associated password |
|
Pools (Local Traffic > Pools) |
||
Name |
Type a unique name |
|
Health Monitor |
Select the monitor you created above |
|
Slow Ramp Time2 |
300 (recommended) |
|
Load Balancing Method |
Choose a load balancing method. We recommend Least Connections (Member) |
|
Address |
Type the IP Address of the nodes |
|
Service Port |
80 (443 if configuring SSL Bridging). Click Add to repeat Address and Service Port for all nodes) |
|
AAM Application (Acceleration > Web Application) |
||
Optional: (Acceleration > Web Application) |
Application Name |
Type a unique name |
Policy |
Microsoft SharePoint 2010 |
|
Requested Host |
Type the FQDN of your application. Click Add Host to include more hosts. If you are also deploying the system for SharePoint Apps, or have Office Web Apps accessed through the virtual server you must add those FQDNs. |
|
Optional: APM3 See Manually configuring the BIG-IP APM for SharePoint for the BIG-IP APM configuration objects |
||
Profiles (Local Traffic > Profiles) |
||
HTTP (Profiles > Services) |
Name |
Type a unique name |
Parent Profile |
http |
|
Rewrite Redirect3 |
Matching |
|
TCP WAN (Profiles > Protocol) |
Name |
Type a unique name |
Parent Profile |
tcp-wan-optimized |
|
TCP LAN (Profiles > Protocol) |
Name |
Type a unique name |
Parent Profile |
tcp-lan-optimized |
|
OneConnect (Profiles > Other) |
Name |
Type a unique name |
Parent Profile |
oneconnect |
|
Source Mask |
0.0.0.0 |
|
Client SSL4 (Profiles > SSL) |
Name |
Type a unique name |
Parent Profile |
clientssl |
|
Certificate and Key |
Select the Certificate and Key you imported from the associated list |
|
Server SSL5 (Profiles > Other) |
Name |
Type a unique name |
Parent Profile |
serverssl |
|
1 User name and password are optional and only required if the health monitor should require credentials. 2 You must select Advanced from the Configuration list for these options to appear 4 Only required if using the BIG-IP system for SSL Offload or SSL Bridging 5 Only necessary if using the BIG-IP system for SSL Bridging or server-side encryption |
||
Profiles Continued (Local Traffic > Profiles) |
||
Web Acceleration (Profiles > Services) |
Name |
Type a unique name |
Parent Profile |
optimized-caching |
|
WA Applications2 |
Enable the AAM Application you created |
|
iSession5 (Profiles > Services) |
Name |
Type a unique name |
Parent Profile |
isession |
|
HTTP Compression (Profiles > Services) |
Name |
Type a unique name |
Parent Profile |
wan-optimized-compression |
|
Content List--> |
See the HTTP Compression profile table on page 37 for the Content include list entries. |
|
Virtual Servers (Local Traffic > Virtual Servers) |
||
HTTP |
||
Name |
Type a unique name. |
|
Address |
Type the IP Address for the virtual server |
|
Service Port |
80 |
|
Protocol Profile (client)1,2 |
Select the WAN optimized TCP profile you created above |
|
Protocol Profile (server)1,2 |
Select the LAN optimized TCP profile you created above |
|
HTTP Profile2 |
Select the HTTP profile you created above |
|
Web Acceleration profile2 |
Select the Web Acceleration profile you created above |
|
HTTP Compression profile2 |
Select the HTTP Compression profile you created above |
|
OneConnect2 |
Select the OneConnect profile you created above |
|
Source Address Translation 3 |
Auto Map (optional; see footnote 3) |
|
Access Policy2 |
If you deployed BIG-IP APM only: Select the Access Policy you created. See the next page for details. |
|
iSession profile5 |
If using BIG-IP AAM for symmetric optimization between systems, select the iSession profile you created. |
|
Default Pool2 |
Select the pool you created above |
|
Persistence Profile2 |
Select the Persistence profile you created |
|
iRule |
If offloading SSL only: Enable the built-in _sys_https_redirect irule |
|
HTTPS4 |
||
Name |
Type a unique name. |
|
Address |
Type the IP Address for the virtual server |
|
Service Port |
443 |
|
Protocol Profile (client)1 |
Select the WAN optimized TCP profile you created above |
|
Protocol Profile (server)1 |
Select the LAN optimized TCP profile you created above |
|
HTTP Profile |
Select the HTTP profile you created above |
|
Web Acceleration profile |
Select the Web Acceleration profile you created above |
|
HTTP Compression profile |
Select the HTTP Compression profile you created above |
|
OneConnect |
Select the OneConnect profile you created above |
|
SSL Profile (Client) |
Select the Client SSL profile you created above |
|
SSL Profile (Server)6 |
If you created a Server SSL profile, select it from the list |
|
Source Address Translation 3 |
Auto Map (optional; see footnote 3) |
|
Access Policy |
If you deployed BIG-IP APM only: Select the Access Policy you created. See the next page for details. |
|
iSession profile5 |
If using BIG-IP AAM for symmetric optimization between systems, select the iSession profile you created. |
|
Default Pool |
Select the pool you created above |
|
Persistence Profile |
Select the Persistence profile you created |
|
1 You must select Advanced from the Configuration list for these options to appear 2 Do not enable these objects on the HTTP virtual server if offloading SSL. The HTTP virtual server is only used for redirecting users to the HTTPS virtual server. 3 If expecting more than 64,000 simultaneous connections per server, you must configure a SNAT Pool. See the BIG-IP documentation on configuring SNAT Pools. 4 This virtual server is only necessary if offloading SSL or SSL Bridging 5 Only necessary if using AAM to provide symmetric optimization. Do not create/use this profile if you are deploying the BIG-IP system on the server side of the WAN 6 Only necessary if using the BIG-IP system for SSL Bridging or server-side encryption |
Use the following table to manually configure the BIG-IP APM for SharePoint. This table contains a list of BIG-IP configuration objects along with any non-default settings you should configure as a part of this deployment. Unless otherwise specified, settings not mentioned in the table can be configured as applicable for your configuration. For specific instructions on configuring individual objects, see the online help or product manuals.
If you have already configured the BIG-IP LTM virtual server, after configuring APM, you must modify the virtual server and add the Access profile you create in this section.
DNS and NTP |
|
See Appendix C: Configuring additional BIG-IP settings for instructions on configuring DNS and NTP on the BIG-IP system. |
|
Health Monitors1 (Local Traffic > Monitors) |
|
Configuration |
Select Advanced from the Configuration list (if necessary). |
Name |
Type a unique name, such as AD_LDAP_monitor. |
Type |
LDAP |
Interval |
10 (recommended) |
Timeout |
31 (recommended) |
User Name |
Type a user name with administrative permissions |
Password |
Type the associated password |
Base |
Specify your LDAP base tree. For example, CN=SharePoint Users,DC=example,DC=com |
Filter |
Specify the filter. We type cn=user1, using the example above: user1 in OU group “SharePoint Users” and domain “example.com” |
Security |
Select a Security option (either None, SSL, or TLS) |
Chase Referrals |
Yes |
Alias Address |
*All Addresses |
Alias Address Port |
389 (for None or TLS) or 686 (for SSL) |
AAA Servers (Access Policy-->AAA Servers) |
|
If you are using a single Active Directory Server |
|
Name |
Type a unique name. We use sharepoint-aaa-server. |
Type |
Active Directory |
Domain Controller |
Type the IP address or FQDN name of an Active Directory Domain Controller |
Domain Name |
Type the Active Directory domain name |
Admin Name1 |
Type the AD user name with administrative permissions (optional) |
Admin Password1 |
Type the associated password (optional). Type it again in the Verify Password box |
If you are using a pool of Active Directory Servers |
|
Name |
Type a unique name. We use sharepoint-aaa-server. |
Type |
Active Directory |
Domain Name |
Type the FQDN of the Windows Domain name |
Server Connection |
Click Use Pool if necessary. |
Domain Controller Pool Name |
Type a unique name |
Domain Controllers |
IP Address: Type the IP address of the first domain controller |
Server Pool Monitor |
Select the monitor you created above. |
Admin Name2 |
Type the Administrator name |
Admin Password2 |
Type the associated password |
SSO Configurations (Access Policy-->SSO Configurations) |
|
NTLM SSO Configuration (use this if you are deploying BIG-IP APM for NTLM authentication) |
|
Name |
Type a unique name. We use sharepoint-ntlm-sso. |
SSO Method |
NTLMv1 |
NTLM Domain |
The NTLM domain name where the user accounts are located |
1 Only necessary if using a pool of Active Directory servers 2 Optional; Admin Name and Password are only required if anonymous binding to Active Directory is not allowed in your environment |
|
Smart Card SSO Configuration (use this if you are deploying BIG-IP APM for Smart Card authentication) |
|
Name |
Type a unique name. We use smart-card-SSO. |
SSO Method |
Kerberos |
Username Source |
session.logon.last.username |
User Realm Source |
session.logon.last.domain |
Kerberos Realm |
Type your SharePoint Kerberos Realm in all caps |
KDC |
Type the IP address or FQDN of Active Directory domain controller |
Account Name |
Type the Active Directory account user name for APM delegation in SPN format |
Account Password |
Type the associated password |
Confirm Account Password |
Confirm the password |
Send Authorization |
Always |
Access Profile (Access Policy-->Access Profiles) |
|
Name |
Type a unique name. |
Restrict to Single Client IP1 |
Enable this feature for additional security when using the Persistent cookie setting. |
Logout URI Include |
/_layouts/15/SignOut.aspx |
Cookie Options |
Click a check in the Persistent Cookie box |
SSO Configuration |
Select the appropriate SSO Configuration you created. |
Languages |
Move the appropriate language(s) to the Accepted box. |
Access Policy |
|
Edit |
Edit the Access Profile you just created using the Visual Policy Editor |
1 Optional. Checking this box restricts each APM session to a single source IP address. When a client’s source IP address changes, it will be required to reauthenticate to APM. Because persistent cookies are more easily compromised than browser session cookies, F5 recommends enabling this setting when using persistent APM cookies. |
The next step is to edit the Access Policy on the APM using the Visual Policy Editor (VPE). The VPE is a powerful visual scripting language that offers virtually unlimited options in configuring an Access Policy. This policy is just an example, you can use it or create one of your own.
The Access Policy is different depending on which SSO Configuration (NTLM or Smart Card) you configured.
This completes the configuration for NTLM authentication.
session.logon.last.domain = set upn [mcget {session.logon.last.upn}]; if {[string first "@" $upn] >= 0} { return [string range $upn [expr { [string first "@" $upn] + 1 } ] end ]; } else { return ""; }
set e_fields [split [mcget {session.ssl.cert.x509extension}] "\n"]; foreach qq $e_fields { if {[string first "othername:UPN" $qq] >= 0} { return [string range $qq [expr { [string first "<" $qq] + 1 } ] [expr { [string first ">" $qq] - 1 } ] ]; } } return ""
This section describes how to manually configure BIG-IP AFM, F5's Network Firewall module, to secure your SharePoint deployment.
BIG-IP AFM is particularly useful if you want to only allow access from specific clients or networks. Because this configuration can be complex, we recommend using the iApp template in version 11.6 and later to configure BIG-IP AFM.
When configuring the BIG-IP Advanced Firewall Manager, you may want to configure your BIG-IP system to drop all traffic that you have not specifically allowed with firewall rules. This in known as firewall mode. By default, your BIG-IP system is set to default-accept, or ADC mode. Instructions for configuring your BIG-IP system, and the implications to consider, can be found on AskF5. For example, for BIG-IP v11.5: http://support.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-implementations-11-5-0/1.html.
If you have licensed IP Intelligence on the BIG-IP system, you can prohibit connections from sources with low reputation scores.
The following instructions cover a basic firewall configuration that is effective for the most common scenario of wanting to allow connections from a single trusted network. If you have complex requirements, such as the need to schedule different policies for different times of the day, or you want to create complicated rule or address lists, consult the BIG-IP AFM documentation. The basic steps for Policy and Rule creation apply to all scenarios.
To configure the BIG-IP AFM to allow connections from a single trusted network
If you want to restrict access to your SharePoint virtual server based on the reputation of the remote sender, you can enable and assign an IP Intelligence policy. This requires an IP intelligence license; contact your F5 Sales representative for more information.
It is outside the scope of this document to provide instructions on configuring an IP Intelligence Policy. Full documentation on enabling and configuring the IP Intelligence feature can be found on AskF5. For example, the manual for BIG-IP AFM v11.5 is:
https://support.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-implementations-11-5-0/5.html
After you have enabled and configured an IP Intelligence policy, use the following steps to assign the policy to your virtual server:
If you are using BIG-IP AFM, you have the option of logging network firewall events to one or more remote syslog servers (recommended) or to log events locally. You can either use an iApp template to create the logging profile, or create the logging profile manually.
For specific information on logging on the BIG-IP system, see the appropriate guide for your version. For example, for 11.5.0:
Use this section to create the logging profile using the logging profile iApp template. If you have not already downloaded the iApp template, see https://devcentral.f5.com/wiki/iApp.F5-Remote-Logging-iApp.ashx.
Question |
Your selection |
Do you want to create a new pool of remote logging servers, or use an existing one? |
Unless you have already created a pool on the BIG-IP system for your remote logging servers, select Create a new pool. |
Which servers should be included in this pool? |
Specify the IP addresses of your logging servers. Click Add to include more servers. |
What port do the pool members use? |
Specify the port used by your logging servers, typically 514. |
Do the pool members expect UDP or TCP connections? |
TCP |
Do you want to create a new monitor for this pool, or use an existing one? |
Unless you have already created a health monitor for your pool of logging servers, select Use a simple ICMP (ping) monitor. |
Do your log pool members require a specific log format? |
If your logging servers require a specific format, select the appropriate format from the list. |
Note The iApp template creates a log publisher and attaches it to the logging profile. If the publisher does not appear in the BIG-IP Configuration utility (GUI), you can verify the configuration by running the following command from the Traffic Management shell (tmsh): list security log profile .
If you do not want to use the iApp template to create a logging profile, use this section for guidance on configuring the logging profile manually. You must have access to the tmsh command line to use this method.
To manually configure a logging profile
BIG-IP LTM Object | Non-default settings/Notes | ||
Health Monitor (Local Traffic -->Monitors) |
Name |
Type a unique name |
|
Type |
ICMP |
||
Interval |
30 (recommended) |
||
Timeout |
91 (recommended) |
||
Pool (Local Traffic -->Pools) |
Name |
Type a unique name |
|
Health Monitor |
Select the appropriate monitor you created |
||
Slow Ramp Time |
300 |
||
Load Balancing Method |
Choose a load balancing method. We recommend Least Connections (Member) |
||
Address |
Type the IP Address of a server. |
||
Service Port |
Type the appropriate port, such as UDP port 514, the port on which logging typically occurs. Click Add, and then repeat Address and Port for all nodes |
(tmos)# create / sys log-config destination remote-high-speed-log [name] pool-name [specified pool] protocol [udp or tcp]
(tmos)# create / sys log-config destination [splunk|arcsight|remote-high-speed-log] [name] forward-to [HSL name]
(tmos)# create / sys log-config publisher [name] destinations add { [logdestination name] }
(tmos)# create / security log profile [name] network add { [name] { filter { log-acl-match-accept enabled.log-acl-match-drop enabled log-acl-match-reject enabled } format { field-list { date_time action drop_reason protocol src_ip src_port dest_ip dest_port } type field-list } publisher [logpublisher name] } } ip-intelligence { log-publisher [logpublisher name] }
The final task is to assign the logging profile to the virtual server.
This completes the BIG-IP AFM configuration.
This section contains information on configuring the BIG-IP system for objects or settings that are required, but not part of the template.
If you are configuring the iApp to use BIG-IP APM, you must configure DNS and NTP settings on the BIG-IP system before beginning the iApp.
In this section, you configure the DNS settings on the BIG-IP system to point to a DNS server that can resolve your Active Directory server or servers. In many cases, this IP address will be that of your Active Directory servers themselves.
Note: DNS lookups go out over one of the interfaces configured on the BIG-IP system, not the management interface. The management interface has its own, separate DNS settings.
Important The BIG-IP system must have a self IP address in the same local subnet and VLAN as the DNS server, or a route to the DNS server if located on a different subnet. The route configuration is found on the Main tab by expanding Network and then clicking Routes. For specific instructions on configuring a route on the BIG-IP system, see the online help or the product documentation.
The next task is to configure the NTP settings on the BIG-IP system for authentication to work properly.
To verify the NTP setting configuration, you can use the ntpq utility. From the command line, run ntpq -np.
When you configure BIG-IP LTM to use SNAT, the BIG-IP system replaces the source IP address of an incoming connection with its local self IP address (in the case of SNAT Auto Map), or an address you have configured in a SNAT pool. As a result, Microsoft IIS logs each connection with its assigned SNAT address, rather than the address of the client. The iApp produces an HTTP profile on the BIG-IP system which inserts an X-Forwarded-For header, so the original client IP address is sent as well; however, in default IIS configuration, this information is not logged.
Beginning with IIS 7, Microsoft provides an optional Advanced Logging Feature for IIS that allows you to define custom log definitions that can capture additional information such as the client IP address included in the X-Forwarded-For header.
First, you must make sure you have enabled the iApp to insert the X-Forwarded-For header. To change or verify the value of this setting, use the following procedure.
The first task is to deploy the Custom Logging role service. If you do not deploy this role service, you may receive a “Feature not supported” error when trying to edit the log definition in the next section. If you receive this error, ensure that you are editing the log definition at the server level in IIS Manager.
The configuration is slightly different depending on which version of IIS you are running. Use the procedure applicable to your version of IIS.
Before beginning the following procedure, you must have installed IIS Advanced Logging. For installation instructions, see
http://www.iis.net/community/files/media/advancedlogging_readme.htm
If you are using IIS version 6, F5 has a downloadable ISAPI filter that performs a similar function to the Advanced Logging Feature discussed here. For information on that solution, see the DevCentral post at http://devcentral.f5.com/weblogs/Joe/archive/2009/08/19/x_forwarded_for_log_filter_for_windows_servers.aspx
The following procedure is the same for IIS versions 7.0, 7.5, and 8.0.
Version |
Description |
Date |
1.0 |
New Deployment Guide for the f5.microsoft_sharepoint_2016.v1.0.0rc1 version of the iApp template |
06-16-2016 |
1.1 |
Added a new entry to the beginning of Troubleshooting concerning the BIG-IP APM Access Profile not supporting wildcard Logout URIs. |
09-06-2016 |
1.2 |
Updated this guide for the new f5.microsoft_sharepoint_2016.v1.0.0rc2 version of the iApp template. This iApp contains the following changes: - Added the ability to select and apply any LTM policy present on BIG-IP to the virtual server(s) created by the iApp. This new section only appears in Advanced mode. - Fixed an issue that would result in an error state when trying to deploy the iApp for ASM in BIG-IP versions 12.1 and later. |
12-15-2016 |
1.3 |
Added support for BIG-IP version 13.0. |
02-22-2017 |
Download link here ›