By Jason Rahm If you didn’t know, the DevCentral platform runs on DotNetNuke, the leading open source ASP.Net CMS. It’s a great development platform for turning out rich sites, and we’re excited to be hosting the next Seattle DNN User Group meeting next Wednesday, February 8th, beginning at 6pm at 4... Feb. 2, 2012 03:07 AM EST Reads: 398 |
By Jason Rahm It’s a crazy world out there. I ran (well, by “ran” I mean jogged slowly enough to pass the old ladies on the track) this morning at the YMCA, lifted weights for a little while, and then hit the elliptical for 20 minutes before heading home. My gym’s ellipticals have the Nike+ package ... Jan. 31, 2012 03:22 AM EST Reads: 164 |
By Jason Rahm
A DevCentral user posted a question in the forums asking for verification of an attribute on the RamCacheKey structure. The maximum_responses attribute should be a long integer. With his C# code, the maximum_responses returned from his iControl call is always double the setting. I fir... Jan. 10, 2012 10:30 AM EST Reads: 122 |
By Jason Rahm
Back in October, I attended a Security B-Sides event in Jefferson City (review here). One of the presenters (@bethayoung) talked about poisoning the internal DNS intentionally for known purveyors of all things bad. I indicated in my write-up that I’d be detailing an F5-based solution,... Dec. 28, 2011 09:06 AM EST Reads: 254 |
By Jason Rahm
iApps, introduced in v11, have a primary function in controlling the object creation and management for an application delivered by BIG-IP. As discussed previously, however, anything that can be accomplished in TMSH can be done in an iApp, so what better way to quickly generate checks... Dec. 19, 2011 10:06 AM EST Reads: 150 |
By Jason Rahm
F5 has been in the DNS business for quite some time, beginning with the 3-DNS GSLB product introduced in 1998. While steadily growing the GSLB market through product advances, the platform is incredibly feature rich now, offering far more than GSLB services. Some of the other services... Dec. 16, 2011 12:59 AM EST Reads: 131 |
By Jason Rahm
New in BIG-IP version 11.1 are iFiles, a feature that allows users to load files through tmsh or the GUI onto the BIG-IP which can be referenced from iRules. This has an immediate use case of supplanting several of our codeshare entries for sorry and/or maintenance pages delivered dir... Dec. 9, 2011 07:46 AM EST Reads: 404 |
By Jason Rahm George posted an excellent blog on hostname nomenclature a while back, but something we haven’t discussed much in this space is a naming convention for the BIG-IP configuration objects. Last week, DevCentral community user Deon posted a question on exactly that. Sometimes there are sta... Nov. 28, 2011 10:19 AM EST Reads: 138 |
By Jason Rahm No, not “us” F5, the F5 key on the keyboard. You know, the one you hit relentlessly to refresh the page (well, the one I hit relentlessly during NFL games to update my fantasy football stats). Anyway, I was perusing the forums today, trying to catch up from a week attending our very ex... Nov. 16, 2011 09:08 AM EST Reads: 155 |
By Jason Rahm Several months ago I wrote up the v10 formatting for internal and external datagroups: iRules Data Group Formatting Rules. In v11, however, there is a change to the format of the internal data group and the data group reference to external class files (the formatting in the external cl... Nov. 15, 2011 07:32 AM EST Reads: 277 |
By Jason Rahm F5er and DevCentral member natty76 wrote a few iRules a while back on interactive TLS session starting on the SMTP, IMAP, and POP3 protocols. A lot of the iRules can be understood from a flow perspective by reading the iRule top to bottom. This is not the case for these iRules. In this... Oct. 26, 2011 09:49 AM EDT Reads: 229 |
By Jason Rahm Last Friday I attended my first BSides event in Missouri’s capitol (literally in the capitol building!) Jefferson City. The BSides community exists to bring fellow security practitioners together to present and participate in a small-scale environment that encourages collaboration. I’m... Oct. 25, 2011 03:41 AM EDT Reads: 135 |
By Jason Rahm In Part 1, I configured a full Webtop in APM with a static RDP host. In Part 2 ,I modified that configuration to allow users to specify their RDP destination. In this article, I’ll make a couple changes to the final configuration in Part 2 to have the last hostname “remembered” across ... Oct. 4, 2011 05:24 AM EDT Reads: 163 |
By Jason Rahm In the first article in this series, I configured a full Webtop in APM with a static RDP host. In this article, I’ll make some changes to the original configuration to allow users to specify an RDP host destination.
Modify the Access Policy
Immediately after the active directory ... Sep. 15, 2011 06:00 AM EDT Reads: 173 |
By Jason Rahm
I wrote an article several months back on auto-launching Remote Desktop sessions with APM. With the introduction of BIG-IP APM v11, there is a new built-in capability to support a full webtop. This means that server, desktop, or other resources can be placed on the webtop ... Sep. 12, 2011 03:00 PM EDT Reads: 280 |
By Jason Rahm
This article will cover a simple access policy that when completed will lock out a user using BIG-IP Access Policy Manager. Start by making an access policy with the Device Wizard. Since I just want to make a quick and easy example, I’ll be using the fourth radio option, Web App... Aug. 26, 2011 03:08 AM EDT Reads: 148 |
By Jason Rahm
F5er and DevCentral community member ystephie is back with another great solution (check out her first solution here: BIG-IP APM Customized Logon Page), this time tackling brute force attacks utilizing customizations with the BIG-IP Access Policy Manager. This solution requires ... Aug. 19, 2011 05:36 AM EDT Reads: 152 |
By Jason Rahm Beginning with BIG-IP version 11, the idea of templates has not only changed in amazing and powerful ways, it has been extended to be far more than just templates. The replacement for templates is called iAppTM. But to call the iAppTM just a template would be woefully inacc... Aug. 16, 2011 10:45 AM EDT Reads: 309 |
By Jason Rahm
F5er and DevCentral community member ystephie is back with another great solution (check out her first solution here: BIG-IP APM Customized Logon Page), this time tackling brute force attacks utilizing customizations with the BIG-IP Access Policy Manager. This solution requires ... Aug. 11, 2011 12:00 AM EDT Reads: 197 |
By Jason Rahm
I covered the Tcl scan command back in the iRules 101 – #16 – Parsing Strings with the TCL Scan Command, but this example (by Hoolio, who else?) was too good not to share with the community. The request involved parsing a log entry as efficiently as possible. The log entry is as... Aug. 9, 2011 12:00 AM EDT Reads: 317 |
By Jason Rahm
F5er and DevCentral community member ystephie is back with another great solution (check out her first solution here: BIG-IP APM Customized Logon Page), this time tackling brute force attacks utilizing customizations with the BIG-IP Access Policy Manager. This solution requires ... Aug. 5, 2011 09:15 AM EDT Reads: 140 |
By Jason Rahm
F5er and DevCentral community member ystephie is back with another great solution (check out her first solution here: BIG-IP APM Customized Logon Page), this time tackling brute force attacks utilizing customizations with the BIG-IP Access Policy Manager. This solution requires ... Aug. 4, 2011 04:39 AM EDT Reads: 157 |
By Jason Rahm July was a busy month. I took the first three weeks off and drove much of what’s left of the “mother road” on Historic Route 66.with the family, our Ford Expedition, and way too many nights in our 31’ travel trailer. Great memories and stories for a lifetime out of that trip. I was ... Aug. 1, 2011 03:34 AM EDT Reads: 144 |
By Jason Rahm Don’t get me wrong, regex is awesome, and entirely useful—sometimes it’s the only option, it’s just not the best tool of choice for wire speed applications. Often the sys-admin and network type converts to BIG-IP will find the regexp tcl command and go that route because it’s familiar... Jun. 22, 2011 10:12 AM EDT Reads: 173 |
By Jason Rahm
The default logon page for the Access Policy Manager module is pretty basic, particularly so if only the minimal username and password is configured. However, APM is wildly flexible. In this tech tip, I’ll cover customizing the logon page by adding a dropdown box of servic... Jun. 21, 2011 05:30 AM EDT Reads: 493 |
By Jason Rahm DevCentral community member geffr had a problem. The BIG-IP Application Security Manager module logs to the local3 facility but he needs to send them to the local7 facility on a remote server. Before giving up entirely, he posted to this thread in the Monitoring & Management group ... Jun. 20, 2011 04:44 AM EDT Reads: 465 |
By Jason Rahm I’ve posted on this before (Host that Sorry Page on your BIG-IP!) but it’s been a while and there have been a few updates. Besides, narrowing the application to only sorry pages is a bit myopic—I’m sure my BIG-IP is offended that I treated it so callously. Anyway, I got an inquiry a ... Jun. 14, 2011 02:04 PM EDT Reads: 379 |
By Jason Rahm User Ralph Hoflich dropped an interesting problem off in the forums for his first post evah…he had a wireshark capture with a highly unusual header name: Yes, the header name was “:”. This is interesting as it is also the separator in headers between the field name/value pair as de... May. 31, 2011 09:24 AM EDT Reads: 520 |
By Jason Rahm One of our stellar sales engineers, Rob Eberhardt, whipped up a fun iRule after one of his customers showed him some HTTP 404 errors returning haiku in BeOS. The class, and iRule, followed by the result. Enjoy! The Class Stored as an external class in /var/class/haiku_int.class (in... Apr. 27, 2011 09:41 AM EDT Reads: 188 |
By Jason Rahm
A while back I wrote an article on remote authorization via tacacs+. I got a question in the comments yesterday about the same functionality with active directory. I hadn’t done anything with active directory outside of APM, so I wasn’t sure I could help. However, after re... Apr. 27, 2011 05:05 AM EDT Reads: 536 |
By Jason Rahm
Pete Silva & Lori MacVittie both had blog posts last week featuring the F5 Application for Splunk, so I thought I’d take the opportunity to get Splunk installed and check it out. In this first part, I’ll cover the installation process. This is one of the easiest instal... Apr. 26, 2011 10:09 AM EDT Reads: 502 |
By Jason Rahm Being the incredible horrible planner I am, I started to order invitations early last week for a party I’m throwing for my wife’s graduation and it turns out they wanted double the cost of the invitations in overnight shipping! So…I sent evites. It took a day, however, to actually ge... Apr. 25, 2011 04:08 AM EDT Reads: 165 |
By Jason Rahm
In my spare time, I do volunteer IT work and for quite some time my users have used the SSL-Explorer fork AditoVPN to get remote access to their work machines remotely. Adito does the job, but it requires a server (albeit virtual, but still) that must be maintained, seems to hav... Apr. 19, 2011 11:53 PM EDT Reads: 439 |
By Jason Rahm Anyone utilizing IP network comparisons in iRules is probably familiar with this syntax:
1: if { [IP::addr ]IP::client_addr[/24 equals 10.10.20.0] } {
2: ##Do this
3: }
In fact, there are several methods for doing a comparison. Here are three functional equival... Mar. 31, 2011 09:00 PM EDT Reads: 822 |
By Jason Rahm BIG-IP LTM supports internal and external classes (called Data Groups in the GUI) of address, string, and integer types. An internal class is stored in the bigip.conf file, whereas external classes are split between the bigip.conf and the file system (the class itself is defined ... Mar. 29, 2011 10:50 AM EDT Reads: 548 |
By Jason Rahm Two of our biggest internal contributors, Kirk Bauer and John Alam, are at it again with a handful of perl scripts aimed at easing your migration from some of the “other guys” to BIG-IP. While they aren’t going to map every nook and cranny of the configurations to a BIG-IP feature, th... Mar. 28, 2011 05:06 AM EDT Reads: 290 |
By Jason Rahm
I’ve written several articles on the TCP profile (click here) and enjoy digging into TCP. It’s a beast, and I am constantly re-learning the inner workings. Still etched in my visual memory map, however, is the TCP header format, shown in Figure 1 below.
Since 9.0 was rele... Mar. 25, 2011 10:15 AM EDT Reads: 1,469 |
By Jason Rahm I love ingenuity. DevCentral community member wassim asked a question a little more than a month ago that has been asked several times before: How do you build a class in GTM so you don’t have to use a hoard of if statements to account for your addresses? Well, classes (datagroups) a... Mar. 23, 2011 10:47 AM EDT Reads: 255 |
By Jason Rahm Did you know that all address internal to tmm are kept in IPv6 format? If you’ve written external monitors, I’m guessing you knew this. In the external monitors, for IPv4 networks the IPv6 “header” is removed with the line: IP=`echo $1 | sed 's/::ffff://'`
IPv4 address are stor... Mar. 23, 2011 04:26 AM EDT Reads: 353 |
By Jason Rahm F5’s own John Alam sent over his latest Visio creation to share with the DevCentral community. This diagram details the workflow of the comprehensive exchange services iRule described in the Microsoft Exchange 2010 Deployment Guide. Enjoy. For visio, pdf, png, & svg versions of... Mar. 15, 2011 05:04 AM EDT Reads: 847 |
Experienced predominantly in the networking realm over the last dozen or so years, Jason is expanding his horizons towards systems management and even trying his hand at python.
Ulitzer content is offered under Creative Commons "Attribution Non-Commercial No Derivatives" License.
For any reuse or distribution, you must make clear to others the license terms of this work.
The best way to do this is with a link to this web page.
Any of the above conditions can be waived if you get written permission from Ulitzer, Inc., the copyright holder.
Nothing in this license impairs or restricts the author's moral rights.