Manual Chapter : Configuring OFBA for Sharepoint documents

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 15.0.1, 15.0.0, 14.1.4, 14.1.3, 14.1.2, 14.1.0
Manual Chapter

Configuring OFBA for Sharepoint documents

Overview: Microsoft OFBA in APM

You can open a SharePoint document from a native Office application, such as Microsoft Word. When you click the link in the document, the correct document type opens with authentication using the Microsoft Office Forms Based Authentication (OFBA) protocol. OBFA allows the client to produce a mini web browser control to handle the authentication rather than using an internal authentication implementation. This browser then handles the APM logon page.

Configuring OFBA in APM

Access Policy Manager supports the OFBA feature by providing a built-in iRule,
_sys_APM_MS_Office_OFBA_Support
, in the iRules List in Local Traffic Manager (LTM). The OFBA protocol authenticates Microsoft Office applications to On-Premises SharePoint.
The sample access policy below shows the following items configured to support Microsoft OFBA:
  • A Client Type item with branch rule set to MS-OFBA Compliant if you want a different authentication option for MS-OFBA supported Office applications.
    For more information about the Visual Policy editor, refer to the BIG-IP Access Policy Manager: Visual Policy Editor guide.
  • A Variable Assign item with assigned session.logon.last.username, session.logon.last.password, and session.logon.last.domain.
  • An SSO Credential Mapping item.
Sample access policy
Sample access policy for OFBA

Creating a virtual server for MS OFBA support

BIG-IP APM includes an OFBA iRule that allow users to open a SharePoint document from a native Office application. To accomplish this, as the administrator, you must configure the APM virtual server with the irule
_
sys_
APM_MS_Office_OFBA_Support
.
  1. At the top of the screen, click
    Configuration
    , then, on the left, click
    LOCAL TRAFFIC
    Virtual Servers
    .
    The screen displays the list of virtual servers defined on this device.
  2. Click
    Create
    .
    The New Virtual Server screen opens.
  3. In the
    Name
    field, type in a name for the virtual server you are creating.
  4. From the
    Device
    list, select the device on which to create the virtual server.
  5. For the
    Destination Address
    , type the IP address of the destination that you want this virtual server to send its traffic to.
  6. In the
    Service Port
    field, type a service port number, or select a type from the list.
    When you select a type from the list, the value in the
    Service Port
    field changes to reflect the associated default, which you can change.
  7. From the
    Access Policy
    list, select the access policy with the MS OFBA VPE object.
  8. In the
    iRules
    section, from the
    Available
    list, select
    _sys_APM_MS_Office_OFBA_Support
    and move it to the
    Enabled
    list..
  9. Specify the additional settings needed to suit the requirements for this virtual server.
    The remaining parameters on this screen are optional and perform the same function as they do when you configure a virtual server on a BIG-IP device.
  10. Click
    Save & Close
    .
    The system creates the new virtual server with the settings you specified.
    On configuring this, the supported MS Office apps are met with an APM logon page rather than an error page when no persistent web session cookie is available.
    The shared session cookie is not available if a browser besides Internet Explorer is used and/or if cookie persistence is not configured for the access policy.
    iRules that modify ACCESS::restrict_irule_events property for the connection flow will cause the OFBA iRule to fail. This includes the system default VDI profile. Do not use VDI together with OFBA.

Including MRHSession cookies in Office applications

Perform the following steps to ensure the Office applications include the MRHSession cookies in the requests to be granted access to the document.
  1. Add virtual server URI to the trusted sites in
    Internet Options
    Security
    .
  2. Make sure that the Virtual Server SSL certificate is signed by a Trusted Certificate Authoritity.
  3. Add virtual server to the Trusted locations list of Microsoft Office programs.
    Run a target Microsoft Office Program, for example, Excel. Navigate to
    File
    Options
    Trust Center
    Trust Center Settings
    Trusted Locations
    , and select the
    Allow Trusted Locations on my network
    option. Click the
    Add new location
    button and then add the virtual server URI. Select the
    Subfolders of this location are also trusted
    option. Click
    OK
    .
    For additional information, refer to the Deploying the BIG-IP System with Microsoft SharePoint 2016 guide.

Microsoft OFBA protocol parameters supported in APM

BIG-IP Access Policy Manager (APM) has a built-in iRule,
_sys_APM_MS_Office_OFBA_Support
, which alters how APM processes connections from Microsoft Office browsers. An LTM object called
_sys_APM_MS_Office_OFBA_DG
handles the configuration of the iRule. This object has the following parameters.
Name
Description
Mandatory
ofba_auth_dialog_size
The OFBA dialog browser resolution size in width x height. The default value is 800x600.
No
ie_sp_session_sharing_enabled
A parameter to specify whether to enable or disable the IE session sharing using a persistent cookie named "MRHSOffice." The default value is
Disabled
. Possible values are:
  • 0
    - Disabled.
  • 1
    - Enabled.
No
ie_sp_session_sharing_inactivity_timeout
The inactivity timeout value for the persistent cookie value "MRHSOffice" every time the SharePoint site refreshes or gets any response from SharePoint Server. The default value is 60 seconds.
No
useragent
Useragent strings are configured for OFBA clients to be identified. All the user-agent strings should start with "useragent" and a number, such as useragent1 or useragent2.
All the useragent values should be provided. The data group already has a predefined set of user agents for MS Office applications.
Yes