Geeks With Blogs
Nicholas Zurfluh blog September 2004 Entries
enable SNMP queries in Big-IP ver. 4.5.9

If you put a 32-bit host mask in your SNMP client allow list (hosts.allow), Big-IP will not respond. You must remove the host mask and leave an empty value unless your client is a network address.


Posted On Wednesday, September 29, 2004 3:13 PM

Changing time in Big-IP 4.5.9 and BSD
Normally with BSD you are required to go into single-user mode prior to changing the time. I have discovered that you can use ntpdate to correct the time in multi-user mode (A.K.A. init level 2).

Posted On Wednesday, September 29, 2004 2:39 PM

Poor man's Telecine
I found an excellent site that details various attempts at telecine. It is quite remarkable to see the result of the images produced by using a microscope and camera combination. I have used several of the devices that are featured on the site, so I can relate to some of the author's challenges. One thing that has always troubled my film scanning endeavors is the moving parts. Either the device moves the film or the scanner moves a CCD. The quality of the image is limited, in part, by the accuracy ......

Posted On Monday, September 13, 2004 11:44 AM

How Windows Media Services Works
Here are the details of the protocols. Protocol rollover: how the server discovers the best protocol to initiate the stream. Windows 2000 explanation of MMS with client-side firewall ......

Posted On Thursday, September 9, 2004 6:24 PM

The origins of the Web
As it turns out, Vannevar Bush didn't coin the phrase hypertext, although he lays out the concepts of the web in his column “As We May Think“ for the Atlantic Monthly. Clearly a brilliant visionary, he even considers the problems we now face with I/O devices and logical abstraction. Of note, it seems that Vannevar was a logical positivist; it is interesting to see the dilemma that has resulted in a now post-modern world that, in large part, is skeptical in regards to truth. The presuppositions ......

Posted On Thursday, September 9, 2004 6:16 PM

iRule that limits portal console access
Here are the requirements: exclude HTTP requests that contain /portal/console in the URI, or that contain variables deemed suspicious, from all clients whose source address is not in internal address space. ***UNTESTED*** rule server_lock_down { if (http_uri matches_regex "/portal/console" and not one of internal_network_class) { redirect to "http://%h" } else if (http_content contains one of bad_variable_class and not one of internal_network_class) { redirect ......

Posted On Thursday, September 9, 2004 6:11 PM

Using F5 iRules to augment server security
The traditional approach to site security: allow all traffic, then identify unauthorized requests and stop them. This would be a deductive method. The deductive method would compare HTTP requests against a class of unauthorized values. A negative result would consider the request safe and use pool X. A positive match would identify an unauthorized request, which would be discarded. Since we cannot exhaustively anticipate all future vulnerabilities, this method will never be comprehensive. A comprehensive solution ......

Posted On Thursday, September 9, 2004 6:00 PM

Server configuration for n-Path routing, DSR, Switch Back
Procedure for Windows 2000/2003: Install Loopback Adapter: Start/Settings/Control Panel/Add Remove Hardware Add Troubleshoot a device/ Next No, from list/ Next Network adapters/ Next from manufacturers box select Microsoft. from network adapters box select Microsoft Loopback adapter/ Next Finish Configuration for the Loopback interface: ip address: VIP Subnet mask: *host mask is not allowed in Windows* gateway: no value click “Advanced” add to the “Interface ......

Posted On Thursday, September 9, 2004 5:55 PM

Big-IP ver. 4.5.9 ECV of Siteminder protected sites
What are the criteria that constitute a meaningful ECV? Would this be a page match for an authenticated user session? If a simple content match on the home page is our goal, it would require that we authenticate through Siteminder or thwart it. Given my understanding of Siteminder, a script that authenticates a user would require an extended application verification script. This approach would exceed our ECV requirements. An alternative would be to unprotect a page (if there is such an ability) and have Big-IP ......

Posted On Thursday, September 9, 2004 5:53 PM

Big-IP ver. 4.5.9 iRule: Port 80 redirect to https
The purpose of the iRule is to identify the destination port of an incoming HTTP request and respond to the client with: HTTP/1.0 302 Found Location: https://www.sitename.com Con... close Here is the rule: rule https_only { if (server_port equals 80) { redirect to “https://%h/%u” } else { discard } ......

Posted On Thursday, September 9, 2004 5:49 PM

iRule that identifies LDAP v.2 read and write requests with Big-IP version 4.5.9
So far my testing has only substantiated the RFCs that define LDAP communications. Since the client first authenticates and then subsequently makes its request operations, it would be impossible for Big-IP to identify the request without some theoretical LDAP proxy capability. An LDAP proxy would need to authenticate a user locally and then identify the nature of a request, upon which Big-IP would then authenticate against the actual LDAP servers themselves and subsequently forward on the client request ......

Posted On Thursday, September 9, 2004 5:08 PM

iRule that identifies LDAP v.2 read and write requests Contd...
Bad news: the LDAP browser opens a connection to the server prior to sending commands. This nails up a TCP connection, and at this point all load balancing decisions are over. Any intervention by Big-IP will break the IP session. If the Vignette servers work similarly, then a rule will not work. Also, as a side note, the LDAP browser reveals a potential security exploit, given that there is an apparent long-lived TCP connection. I must consult RFCs 1777 and 2251 ......

Posted On Thursday, September 9, 2004 5:05 PM

iRule that identifies LDAP v.2 read and write requests
The issue is that Vignette makes LDAP v.2 requests that are load balanced to a Master and a Consumer, Sun Java System Directory Server 5.2. I must parse the transactions to identify “read“ and “write“ requests. Read requests may be sent to either server, while write requests must be sent only to the Master LDAP server. Read requests redirected to Master or Consumer LDAP server: SearchRequest CompareRequest Write requests forwarded to Master LDAP server: ModifyRequest AddRequest ......

Posted On Thursday, September 9, 2004 4:58 PM

Big-IP version 9
The capabilities of this new release are impressive. The flash demo is a bit cheesy... Selective Content Encryption/Compression XML gateway: parser, encryption, authentication and authorization Resource cloaking: “BIG-IP device can remove sensitive information about servers contained in Error codes, Source code comments on Web pages, and Server Headers that contain important information about servers and applications” (Wow!) This is all ......

Posted On Thursday, September 9, 2004 5:01 AM

Copyright © Nicholas Zurfluh