Applies To:
- 13.1.1, 13.1.0
About Microsoft OFBA in BIG-IP APM
You can open an On-Premises SharePoint document from a native Microsoft Office application, such as Microsoft Word, click the link in the document, and the correct document type opens with authentication using the Microsoft OFBA protocol. Access Policy Manager® (APM®) supports this feature by providing a built-in iRule, _sys_APM_MS_Office_OFBA_Support, in the iRules List in Local Traffic Manager® (LTM®). The OFBA protocol authenticates Microsoft Office applications to On-Premises SharePoint.
To configure APM to support Microsoft OFBA, create an access policy with a Client Type branch set to MS-OFBA compliant. For more information about the Visual Policy editor, refer to the BIG-IP Access Policy Manager: Visual Policy Editor guide.
Sample access policy
Creating a virtual server for MS OFBA support
- At the top of the screen, click Configuration, then, on the left, click . The screen displays the list of virtual servers defined on this device.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type in a name for the virtual server you are creating.
- From the Device list, select the device on which to create the virtual server.
- For the Destination Address, type the IP address of the destination that you want this virtual server to send its traffic to.
- In the Service Port field, type a service port number, or select a type from the list. When you select a type from the list, the value in the Service Port field changes to reflect the associated default, which you can change.
- From the Access Policy list, select the access policy with the MS OFBA compliant branch.
- In the iRules section, from the Available list, select _sys_APM_MS_Office_OFBA_Support and move it to the Enabled list.
- Specify the additional settings needed to suit the requirements for this virtual server. The remaining parameters on this screen are optional and perform the same function as they do when you configure a virtual server on a BIG-IP device. Note: For details about the purpose or function of a particular setting, refer to the BIG-IP reference information on support.f5.com.
- Click Save & Close. The system creates the new virtual server with the settings you specified.
Including MRHSession cookies in Office applications
Perform the following steps to ensure that Office applications include the MRHSession cookies in their requests, so that they are granted access to the document.
- Add the virtual server URI to the trusted sites in .
- Make sure that the Virtual Server SSL certificate is signed by a Trusted Certificate Authority.
- Add the virtual server to the Trusted locations list of Microsoft Office programs. Run a target Microsoft Office program, for example, Excel. Navigate to the Allow Trusted Locations on my network option and select it. Click the Add new location button and then add the virtual server URI. Select the Subfolders of this location are also trusted option. Click OK.
For additional information, refer to the Deploying the BIG-IP System with Microsoft SharePoint 2016 guide.
Microsoft OFBA protocol parameters supported in APM
BIG-IP Access Policy Manager (APM) has a built-in iRule, _sys_APM_MS_Office_OFBA_Support, which alters how APM processes connections from Microsoft Office browsers. An LTM object called _sys_APM_MS_Office_OFBA_DG handles the configuration of the iRule. This object has the following parameters.
| Parameter name | Description | Mandatory | Default Value | Possible values |
|---|---|---|---|---|
| ofba_auth_dialog_size | The OFBA dialog browser resolution size in width x height. | No | 800x600 | 400x300 |
| ie_sp_session_sharing_enabled | A parameter to specify whether to enable or disable the IE session sharing using a persistent cookie named "MRHSOffice". | No | Disabled | |
| ie_sp_session_sharing_inactivity_timeout | The inactivity timeout value for the persistent cookie value "MRHSOffice" every time the SharePoint site refreshes or gets any response from SharePoint Server. | No | 60 seconds | Any positive values in seconds. Preferably greater than or equal to 60 seconds. |
| useragent | Useragent strings are configured for OFBA clients to be identified. All the user-agent strings should start with "useragent" and a number, such as useragent1 or useragent2. | Yes | None | All the useragent values should be provided. The data-group already has a predefined set of user-agents for MS Office applications. |
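
The following added example (not F5 code and not part of the original guide) checks a set of _sys_APM_MS_Office_OFBA_DG records against the constraints in the table above before they are applied. It assumes the records have been exported into a Python dict of record name to string value; the function name, the sample records, and the user-agent strings are constructed for illustration.

```python
import re

# Parameter names come from the table above; all other names here are illustrative.
FIXED_KEYS = {"ofba_auth_dialog_size", "ie_sp_session_sharing_enabled",
              "ie_sp_session_sharing_inactivity_timeout"}
USERAGENT_KEY = re.compile(r"useragent[0-9]+")
DIALOG_SIZE = re.compile(r"[1-9][0-9]*x[1-9][0-9]*")


def lint_ofba_records(records):
    """Return (severity, message) findings for a dict of record name -> value."""
    findings = []
    useragents = 0
    for name, value in records.items():
        if USERAGENT_KEY.fullmatch(name):
            useragents += 1
            if not value.strip():
                findings.append(("error", f"{name}: empty user-agent string"))
        elif name.startswith("useragent"):
            findings.append(("error", f"{name}: name must be 'useragent' plus a number"))
        elif name not in FIXED_KEYS:
            findings.append(("error", f"{name}: not a parameter listed for this data group"))
    if useragents == 0:
        findings.append(("error", "no useragentN record: the parameter is mandatory"))

    size = records.get("ofba_auth_dialog_size")
    if size is not None and not DIALOG_SIZE.fullmatch(size):
        findings.append(("error", f"ofba_auth_dialog_size: '{size}' is not width x height"))

    # ie_sp_session_sharing_enabled is not value-checked: the table lists no values.
    timeout = records.get("ie_sp_session_sharing_inactivity_timeout")
    if timeout is not None:
        if not (timeout.isascii() and timeout.isdigit()) or int(timeout) == 0:
            findings.append(("error", f"timeout '{timeout}' is not a positive number of seconds"))
        elif int(timeout) < 60:
            findings.append(("warning", f"timeout {timeout}s is below the preferred 60 seconds"))
    return findings


# Constructed sample records (not taken from a real BIG-IP configuration).
SAMPLE = {
    "ofba_auth_dialog_size": "800*600",
    "ie_sp_session_sharing_inactivity_timeout": "30",
    "useragent_word": "Microsoft Office Word",
    "useragent1": "Microsoft Office Excel",
}

if __name__ == "__main__":
    for severity, message in lint_ofba_records(SAMPLE):
        print(f"{severity}: {message}")
```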