Manual Chapter: Configuring MS OFBA for SharePoint in APM

Applies To:

  • 13.1.1, 13.1.0

About Microsoft OFBA in BIG-IP APM


When you open an on-premises SharePoint document from a native Microsoft Office application, such as Microsoft Word, and click the link in the document, the correct document type opens, with authentication handled by the Microsoft OFBA protocol. Access Policy Manager® (APM®) supports this feature by providing a built-in iRule, _sys_APM_MS_Office_OFBA_Support, in the iRules List in Local Traffic Manager® (LTM®). The OFBA protocol authenticates Microsoft Office applications to on-premises SharePoint.

To configure APM to support Microsoft OFBA, create an access policy with a Client Type branch set to MS-OFBA compliant. For more information about the Visual Policy editor, refer to the BIG-IP Access Policy Manager: Visual Policy Editor guide.

Sample MS OFBA access policy

Creating a virtual server for MS OFBA support

BIG-IP APM includes an OFBA iRule that allows users to open, use, and authenticate Microsoft Office applications directly to BIG-IP APM. To accomplish this, as the administrator, create a virtual server with the OFBA iRule.
  1. At the top of the screen, click Configuration, then, on the left, click LOCAL TRAFFIC > Virtual Servers.
    The screen displays the list of virtual servers defined on this device.
  2. Click Create.
    The New Virtual Server screen opens.
  3. In the Name field, type in a name for the virtual server you are creating.
  4. From the Device list, select the device on which to create the virtual server.
  5. For the Destination Address, type the IP address of the destination that you want this virtual server to send its traffic to.
  6. In the Service Port field, type a service port number, or select a type from the list.
    When you select a type from the list, the value in the Service Port field changes to reflect the associated default, which you can change.
  7. From the Access Policy list, select the access policy with the MS OFBA compliant branch.
  8. In the iRules section, from the Available list, select _sys_APM_MS_Office_OFBA_Support and move it to the Enabled list.
  9. Specify the additional settings needed to suit the requirements for this virtual server.
    The remaining parameters on this screen are optional and perform the same function as they do when you configure a virtual server on a BIG-IP device.
    Note: For details about the purpose or function of a particular setting, refer to the BIG-IP reference information on
  10. Click Save & Close.
    The system creates the new virtual server with the settings you specified.

Including MRHSession cookies in Office applications

Perform the following steps to ensure that the Office applications include the MRHSession cookies in their requests, so that they are granted access to the document.

  1. Add the virtual server URI to the trusted sites in Internet Options > Security.
  2. Make sure that the virtual server SSL certificate is signed by a trusted certificate authority.
  3. Add the virtual server to the Trusted Locations list of Microsoft Office programs.
    Run a target Microsoft Office program, for example, Excel. Navigate to File > Options > Trust Center > Trust Center Settings > Trusted Locations, and select the Allow Trusted Locations on my network option. Click the Add new location button and then add the virtual server URI. Select the Subfolders of this location are also trusted option. Click OK.
    For additional information, refer to the Deploying the BIG-IP System with Microsoft SharePoint 2016 guide.

Microsoft OFBA protocol parameters supported in APM

BIG-IP Access Policy Manager (APM) has a built-in iRule, _sys_APM_MS_Office_OFBA_Support, which alters how APM processes connections from Microsoft Office browsers. An LTM object called _sys_APM_MS_Office_OFBA_DG handles the configuration of the iRule. This object has the following parameters.

  • ofba_auth_dialog_size
    Description: The OFBA dialog browser resolution size in width x height.
    Mandatory: No
    Default value: 800x600
    Possible values: 400x300

  • ie_sp_session_sharing_enabled
    Description: A parameter to specify whether to enable or disable the IE session sharing using a persistent cookie named "MRHSOffice".
    Mandatory: No
    Default value: Disabled
    Possible values: 1 | 0 (1 - enabled, 0 - disabled)

  • ie_sp_session_sharing_inactivity_timeout
    Description: The inactivity timeout value for the persistent cookie value "MRHSOffice" every time the SharePoint site refreshes or gets any response from SharePoint Server.
    Mandatory: No
    Default value: 60 seconds
    Possible values: Any positive values in seconds. Preferably greater than or equal to 60 seconds.

  • useragent
    Description: Useragent strings are configured for OFBA clients to be identified. All the user-agent strings should start with "useragent" and a number, such as useragent1 or useragent2.
    Mandatory: Yes
    Default value: None
    Possible values: All the useragent values should be provided. The data-group already has a predefined set of user-agents for MS Office applications.
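
The constraints in the parameter descriptions above can be checked mechanically before a data group change goes live. The following Python linter is an added example, not F5 code: it assumes the records of _sys_APM_MS_Office_OFBA_DG have already been exported into a plain key/value dictionary, and the function name lint_ofba_datagroup and the sample records are constructed for illustration.

```python
import re

# Rules transcribed from the parameter descriptions on this page.
SIZE_RE = re.compile(r"^[1-9]\d*x[1-9]\d*$")   # width x height, e.g. 800x600
UA_KEY_RE = re.compile(r"^useragent[0-9]+$")    # "useragent" followed by a number

def lint_ofba_datagroup(records):
    """Return (severity, key, message) tuples for a dict of data-group records."""
    findings = []
    ua_keys = [k for k in records if UA_KEY_RE.match(k)]
    # useragent is the only mandatory parameter: at least one usable entry is needed.
    if not any(records[k].strip() for k in ua_keys):
        findings.append(("error", "useragent", "mandatory: no non-empty useragentN record"))
    for key, value in records.items():
        value = value.strip()
        if key in ua_keys:
            if not value:
                findings.append(("error", key, "empty user-agent string"))
        elif key == "ofba_auth_dialog_size":
            if not SIZE_RE.match(value):
                findings.append(("error", key, "expected <width>x<height>"))
        elif key == "ie_sp_session_sharing_enabled":
            if value not in ("0", "1"):
                findings.append(("error", key, "expected 1 (enabled) or 0 (disabled)"))
        elif key == "ie_sp_session_sharing_inactivity_timeout":
            if not value.isdecimal() or int(value) <= 0:
                findings.append(("error", key, "expected a positive number of seconds"))
            elif int(value) < 60:
                findings.append(("warning", key, "below the 60 seconds the page prefers"))
        elif key.lower().startswith("useragent"):
            # Misnamed entries do not follow the "useragent" + number naming rule.
            findings.append(("error", key, 'name must be "useragent" plus a number'))
        else:
            findings.append(("warning", key, "not a parameter listed on this page"))
    return findings

# Constructed sample records (not taken from a real BIG-IP system).
SAMPLE = {
    "ofba_auth_dialog_size": "800*600",
    "ie_sp_session_sharing_enabled": "1",
    "ie_sp_session_sharing_inactivity_timeout": "30",
    "useragent1": "microsoft office",
    "useragent_word": "Microsoft Office Word",
}

if __name__ == "__main__":
    for severity, key, message in lint_ofba_datagroup(SAMPLE):
        print(f"{severity:7} {key}: {message}")
```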