Block URL in F5

Karen Arul 1 Reputation point
2022-01-28T21:02:24.103+00:00

I am working on a SharePoint 2019 farm for an internet site:

2 WFE with DC
2 app with search
2 database

Which SharePoint URLs should be blocked in F5 without affecting SharePoint's ability to work properly? The reason is to avoid any attack or login access to the site over the internet. I just need anonymous users to browse my site, while blocking any way to request a username or password.

Microsoft 365 and Office SharePoint Server For business

2 answers

  1. Matteo Zamori 91 Reputation points
    2022-02-15T11:24:51.127+00:00

    Hi @Karen Arul ,

    I would go for a Web Application extension's approach.

    You create your internal Web Application accepting NTLM and later on you extend the Web Application for Anonymous access only.
    You will then expose only the extended url to be accessible through the F5 appliance.

    The reason is that critical SP services, like Search for example, require NTLM authentication to work. If you completely kill NTLM, you may have unexpected behavior, and indeed some SP services won't work anymore.

    On the other hand, if you expose one single Web Application having both NTLM + Anonymous enabled, then you may have security breaches, as anyone could try to enforce NTLM requests to the site by using the following:

    /_windows/default.aspx?ReturnUrl=%2f_layouts%2fAuthenticate.aspx%3fSource%3d%252F&Source=%2F

    Concerning the F5, I imagine you have an appliance with the WAF module installed. Based on my experience, you may expect TONS of "strange" requests coming through the F5. Try to enable the learning policy so you can deep dive later and decide which URLs you may want to exclude (if any).

    1 person found this answer helpful.
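
To verify from the server side that the anonymous-only extension never offers a login, the IIS logs of that site can be reviewed for requests to the authentication path quoted in the answer above, for 401 challenges, and for authenticated user names. The following is an added example, not part of the original answer: the log lines are constructed, the field names are standard IIS W3C fields, and the optional version segment in the `_layouts` pattern is an assumption.

```python
import re
from collections import Counter

# Constructed IIS W3C excerpt for the anonymous-only site (documentation IP ranges).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2022-02-15 10:00:01 GET /Pages/default.aspx - - 198.51.100.7 200
2022-02-15 10:00:05 GET /_windows/default.aspx ReturnUrl=%2f_layouts%2fAuthenticate.aspx - 203.0.113.9 401
2022-02-15 10:00:06 GET /_WINDOWS/Default.aspx ReturnUrl=%2f - 203.0.113.9 401
2022-02-15 10:00:09 GET /_layouts/15/Authenticate.aspx Source=%2F - 203.0.113.9 302
2022-02-15 10:00:12 GET /SitePages/News.aspx - CONTOSO\\jdoe 198.51.100.20 200
"""

# Paths taken from the URL in the answer; IIS paths are case-insensitive.
AUTH_PATH = re.compile(r"^/(_windows/|_layouts/(\d+/)?authenticate\.aspx$)", re.IGNORECASE)

def parse_w3c(text):
    """Yield one dict per request, using the #Fields: directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def reasons(req):
    """Return why a request on an anonymous-only listener deserves review."""
    found = []
    if AUTH_PATH.match(req["cs-uri-stem"]):
        found.append("auth-endpoint")        # login page was requested
    if req["sc-status"] == "401":
        found.append("challenge-issued")     # server asked for credentials
    if req["cs-username"] != "-":
        found.append("authenticated-user")   # someone actually logged in
    return found

def review(text):
    """Count findings per (client IP, reason) and list the distinct URLs involved."""
    counts, urls = Counter(), set()
    for req in parse_w3c(text):
        for reason in reasons(req):
            counts[(req["c-ip"], reason)] += 1
            urls.add(req["cs-uri-stem"].lower())
    return counts, sorted(urls)

if __name__ == "__main__":
    for key, n in sorted(review(SAMPLE_LOG)[0].items()):
        print(*key, n)
```

Any `challenge-issued` or `authenticated-user` finding on the exposed site means Windows authentication is still reachable there, which is the condition the Web Application extension approach is meant to rule out.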

  2. CaseyYang-MSFT 10,461 Reputation points
    2022-01-31T07:10:59.923+00:00

    Hi @Karen Arul ,

    Normally, anonymous users don't need to log in when you have enabled anonymous access in SharePoint 2019.

    Please follow these steps to troubleshoot if anonymous users still need to log in:

    1. Make sure you enabled Anonymous access both at the Web Application level and at the SharePoint site level.

    2. If you enabled Anonymous access at list/library level: delete unique permissions once, stop inheriting permissions, and then grant anonymous access again.

    3. In IIS, expand your web application, click on “Authentications”, and make sure “Anonymous Authentication” is enabled.

    4. Navigate to the IIS virtual directory on the file system using Windows Explorer, go to the Security tab, and make sure that “Everyone” has Read privileges.

    5. Make sure the default home page is published and approved.

    For Reference: Getting Login Prompt on Anonymous Access Enabled SharePoint Sites?
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
