Office 365 Tenant Restrictions as a service
SSL Orchestrator 10.1 now offers Office 365 Tenant Restrictions within the SSL Orchestrator interface, specifically in the F5 tab of the Solutions Catalog. This update lets an organization restrict its users to the company's own Office 365 tenant while blocking access to personal or non-company Office 365 tenants. The SSL Orchestrator inserts Microsoft's tenant-restriction HTTP headers (Restrict-Access-To-Tenants and Restrict-Access-Context) into outbound HTTP flows and provides a mechanism to allow or deny access to O365 resources based on organizational requirements. Because the Microsoft login endpoints are reached over HTTPS, the headers can only be inserted into traffic that SSL Orchestrator has decrypted.
Access to '{tenant}' tenant is denied. AADSTS500021 indicates that the tenant restriction feature is configured and that the user is trying to access a tenant that isn't in the list of allowed tenants specified in the header Restrict-Access-To-Tenants. For more information, see Use tenant restrictions to manage access to SaaS cloud applications.
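The header-insertion policy described above, as an added example in Python (it is not SSL Orchestrator code or Microsoft code): it enforces the two Microsoft tenant-restriction headers on the three Entra ID login endpoints and, as the check a practitioner wants, first discards any copy of those headers that the client supplied, so a user cannot present their own tenant list to the proxy; it also extracts the AADSTS code from a denial page so a helpdesk can tell a policy denial apart from an outage. The endpoint hostnames and header names are the ones in Microsoft's tenant restrictions documentation; the tenant names and directory ID used below are constructed placeholders.

```python
# Added example (not F5 or Microsoft code): the header-insertion policy a
# decrypting forward proxy such as SSL Orchestrator applies to outbound HTTP
# flows for Microsoft tenant restrictions. Endpoint and header names follow
# Microsoft's documentation; tenant values are constructed placeholders.
import re
from typing import Dict, Iterable, Optional

# Entra ID (Azure AD) login endpoints on which the headers must be present.
LOGIN_ENDPOINTS = frozenset({
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.windows.net",
})

HDR_TENANTS = "Restrict-Access-To-Tenants"   # comma-separated permitted tenants
HDR_CONTEXT = "Restrict-Access-Context"      # directory (tenant) ID applying the policy

_AADSTS = re.compile(r"\bAADSTS(\d{6})\b")


def _normalise_host(host: str) -> str:
    """Lower-case, strip any :port suffix and trailing dot so matching is exact."""
    return host.split(":", 1)[0].rstrip(".").lower()


def apply_tenant_restrictions(host: str,
                              headers: Dict[str, str],
                              allowed_tenants: Iterable[str],
                              context_tenant_id: str) -> Dict[str, str]:
    """Return a copy of `headers` with the tenant-restriction headers enforced.

    Any client-supplied copy of the two headers is dropped on every flow
    (case-insensitively), so a user cannot smuggle a permissive tenant list
    past the proxy. On the login endpoints the headers are then set from the
    proxy's own policy. The request must already be decrypted: Microsoft only
    sees the headers if the proxy intercepts the TLS session.
    """
    tenants = [t.strip() for t in allowed_tenants if t and t.strip()]
    if not tenants:
        raise ValueError("allowed tenant list must not be empty")
    if not context_tenant_id.strip():
        raise ValueError("context tenant ID must not be empty")

    managed = {HDR_TENANTS.lower(), HDR_CONTEXT.lower()}
    out = {k: v for k, v in headers.items() if k.lower() not in managed}

    if _normalise_host(host) in LOGIN_ENDPOINTS:
        out[HDR_TENANTS] = ",".join(tenants)
        out[HDR_CONTEXT] = context_tenant_id.strip()
    return out


def aadsts_code(response_body: str) -> Optional[str]:
    """Extract the AADSTS error code from a sign-in error page, if any.

    AADSTS500021 is what Microsoft returns when the requested tenant is not in
    the Restrict-Access-To-Tenants list.
    """
    m = _AADSTS.search(response_body)
    return "AADSTS" + m.group(1) if m else None


if __name__ == "__main__":
    # Constructed request: the client tries to supply its own permissive list.
    req = {"Host": "login.microsoftonline.com",
           "restrict-access-to-tenants": "personal.onmicrosoft.com"}
    print(apply_tenant_restrictions(
        "login.microsoftonline.com", req,
        ["contoso.com", "contoso.onmicrosoft.com"],
        "11111111-2222-3333-4444-555555555555"))   # placeholder directory ID
    print(aadsts_code("AADSTS500021: Access to 'fabrikam.com' tenant is denied."))
```

On a BIG-IP the same two steps (drop the client's copy, then set the proxy's value on the decrypted flow) are what an iRule's `HTTP::header remove` followed by `HTTP::header insert` on the login hostnames would do; the SSL Orchestrator solution packages that for you.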
An Internal virtual server enables the use of Internet Content Adaptation Protocol (ICAP) servers to modify HTTP requests and responses: you create and apply an ICAP profile and add Request Adapt or Response Adapt profiles to the virtual server. For information about the Internal virtual server, refer to K15819: Overview of the internal virtual server.
About Service Connect
This agent, used primarily by SSLO, allows you to connect to SSLO services that were previously configured. Service Connect provides the option to attach a Connector profile to the virtual server to enable service chaining in a per-request policy.
A connector profile is associated with a virtual server for a service and defines the type of external service and the virtual servers that talk to the external service. This profile lets you specify the entry virtual server, which is a virtual server of type Internal, for each external service. This can be used for service chaining, for example in F5 SSL Orchestrator. Connector Profile: Local Traffic > Profiles > Other > Connector.
Introduced in BIG-IP 14.0.0
Sources
Under the Setup page of the official documentation, Features and Terminologies describes Office 365 Tenant Restrictions as a service as a new feature, but there was no description of how to configure it (as of around January 2023).
SSL Orchestrator Control Plane re-architecture
SSL Orchestrator 9.0 includes the following significant improvements to the control plane:
* The source of truth for the SSL Orchestrator configuration is now stored in iFile objects. This allows the SSL Orchestrator to use the native MCP/CMI HA sync functions and supports automatic and incremental sync.
* The iApp strictness lock icon has been removed from several objects (excluding network and access objects), allowing you to make out-of-band changes freely.
* The SSL Orchestrator architecture no longer uses the Gossip sync function to sync the SSL Orchestrator REST configuration.
Before 9.0, SSLO synchronization took place outside of TMM via the REST mechanism: SSLO created the TMM objects from a JSON file held in its REST storage. That has changed, and the configuration is now stored in iFiles within TMM.
Consequently, running only the clear-rest-storage command may not clear those iFiles or the objects that were created from them.
Synchronization issues with HA pairs
The synchronization of SSL Orchestrator uses two different technologies: the underlying BIG-IP synchronization for syncing BIG-IP objects, and the iAppLX synchronization process for the SSL Orchestrator configuration and objects.
In versions prior to 9.0, SSL Orchestrator uses the REST framework "gossip" mechanism to replicate configuration. REST framework gossip essentially replays REST requests on the peer device(s) to keep the configurations in sync. It follows an eventual-consistency model, so the peers may briefly differ after a change.
About SSLO HA
SSLO can operate in stand-alone or HA mode. HA relies on BIG-IP MCP synchronization to ensure failover and configuration consistency. Prior to version 9.0 the GOSSIP protocol was used to synchronize the REST block configuration in real time; since 9.0 an MCP iFile is synchronized via standard BIG-IP CMI instead and has become the configuration source of truth.
List update interval
This setting determines how often the MX should check for updates to security lists. You can specify an Hourly, Daily, or Weekly update interval. To specify different intervals depending on which uplink is being used to download lists, click "details". This can be useful if you want to control bandwidth usage due to security list downloads on a low-bandwidth WAN link or cellular uplink.
Features affected by this setting include IDS/IPS, Top Sites Content Filtering, and Malware Scanning.
As the statement "Features affected by this setting include IDS/IPS, Top Sites Content Filtering, and Malware Scanning" makes clear, note that List update interval is not a setting solely for updating IDS/IPS rules: it also governs how often the Top Sites Content Filtering and Malware Scanning lists are refreshed.