Forum Discussion
Hugo_Frauches_2
Cirrus
CirrusAccess internal DMZ virtual server in SSL VPN
Hello,
I have setup an LAB for learning prupose and i was wondering if its possible to access an internal Virtual Server in the DMZ (Load balance for internal users), i could not achieved this directly via VPN, its is possible via Webtop reverse proxy and adding the VPN vlan to the DMZ Virtual server. Here is my topology:
1) Connected to the VPN Virtual server at 10.128.10.14
2) I dont have any ACL so i can connect to all off the DMZ servers in Pool LTM (10.128.20.151, 10.128.20.152,10.128.20.153)
3) When i try to connect to the internal virtual server in DMZ its not possible.
I have both Virtual servers configured with Auto Map, as i said before i can connect to this virtual server adding the ssl vpn vlan to the dmz virtual server, but doing this its an L2 i guess and i cant control the access via ACL in my APM policy.
Here is the topology from my LAB.
Hi,
If the internal Virtual Server is HTTP or HTTPs, you may assign an SSO Access profile that allow you to get the username and password of the main Network Access policy.
Then, you can define an LDAP query to filter who can access the VS or not.
Or you can use an irule to control who can access the Virtual Server.
Alternatively, you can define several Lease pool based on different user populatiion and attach an irule to the DNZ Virtual Server allowing access to some lease IP addresses and reject or drop access for some others.
Hope it helps
Yann
boneyardMVP
so i don't quite yet it, you can connect if you add the sslvpn vlan to the listen on VLAN list, but you don't want to?
Hugo_Frauches_2Adding the sslvpn vlan to the Virtual Server allow me to connect, but i cant retrict access to it, example:
APM Policy
1) User from group A can access this virtual server.
2) User from other groups cant access.
This type of control does not work because when i add the vLan the connection isnt retricted at all.
- boneyard
never tested that, but you are sure the APM access list don't work then?
have you done a packet capture to see if traffic leaves the big-ip from the lease pool and with which address?
- Hugo_Frauches_2
I have tested the access control with the APM module and doesnt worked. I will make more tests and post the result.
Yann_DesmarestHi,
If the internal Virtual Server is HTTP or HTTPs, you may assign an SSO Access profile that allow you to get the username and password of the main Network Access policy.
Then, you can define an LDAP query to filter who can access the VS or not.
Or you can use an irule to control who can access the Virtual Server.
Alternatively, you can define several Lease pool based on different user populatiion and attach an irule to the DNZ Virtual Server allowing access to some lease IP addresses and reject or drop access for some others.
Hope it helps
Yann
- Hugo_Frauches_2
Dear Yann,
The virtual server im trying to access is configured with HTTP, i really dont want to create any access restrictions, im testing without an ACL in APM. I need to understand why i can access the nodes in DMZ (Red, Green, Blue, Hackit) but i cant access the internal Virtual Server 10.128.20.10 of this nodes.
Its this a problem related to routes? Or maybe its works like that because of F5 design, since im connecting to and Virtual Server (VPN SSL) and im trying to coonnect to another Virtual Server (Internal DMZ).
- Yann_Desmarest
I think the main problem is related to the vlans selected for your internal VS. You must add the Connectivity profile to the list of vlans allowed in your internal VS configuration to allow vpn users to access this VS
hope it helps
Yann
- Stanislas_Piro2
Cumulonimbus
I agree with Yann, I had a customer with same issue... Connectivity profile was forgotten in VS VLAN allowed.
Yann_Desmarest_Nacreous
Hi,
If the internal Virtual Server is HTTP or HTTPs, you may assign an SSO Access profile that allow you to get the username and password of the main Network Access policy.
Then, you can define an LDAP query to filter who can access the VS or not.
Or you can use an irule to control who can access the Virtual Server.
Alternatively, you can define several Lease pool based on different user populatiion and attach an irule to the DNZ Virtual Server allowing access to some lease IP addresses and reject or drop access for some others.
Hope it helps
Yann
- Hugo_Frauches_2
Dear Yann,
The virtual server im trying to access is configured with HTTP, i really dont want to create any access restrictions, im testing without an ACL in APM. I need to understand why i can access the nodes in DMZ (Red, Green, Blue, Hackit) but i cant access the internal Virtual Server 10.128.20.10 of this nodes.
Its this a problem related to routes? Or maybe its works like that because of F5 design, since im connecting to and Virtual Server (VPN SSL) and im trying to coonnect to another Virtual Server (Internal DMZ).
- Yann_Desmarest_
I think the main problem is related to the vlans selected for your internal VS. You must add the Connectivity profile to the list of vlans allowed in your internal VS configuration to allow vpn users to access this VS
hope it helps
Yann
- Stanislas_Piro2
I agree with Yann, I had a customer with same issue... Connectivity profile was forgotten in VS VLAN allowed.