Forum Discussion
Access internal DMZ virtual server in SSL VPN
- Aug 17, 2017
Hi,
If the internal Virtual Server is HTTP or HTTPS, you may assign an SSO Access profile that allows you to get the username and password of the main Network Access policy.
Then, you can define an LDAP query to filter who can access the VS or not.
Or you can use an iRule to control who can access the Virtual Server.
Alternatively, you can define several Lease pools based on different user populations and attach an iRule to the DMZ Virtual Server allowing access to some lease IP addresses and reject or drop access for some others.
Hope it helps
Yann
- Hugo_Frauches_2, Aug 18, 2017, Cirrus
Dear Yann,
The virtual server I'm trying to access is configured with HTTP. I really don't want to create any access restrictions; I'm testing without an ACL in APM. I need to understand why I can access the nodes in the DMZ (Red, Green, Blue, Hackit) but I can't access the internal Virtual Server 10.128.20.10 of these nodes.
Is this a problem related to routes? Or maybe it works like that because of F5 design, since I'm connecting to a Virtual Server (VPN SSL) and I'm trying to connect to another Virtual Server (Internal DMZ).
- Yann_Desmarest, Aug 18, 2017, Cirrus
I think the main problem is related to the VLANs selected for your internal VS. You must add the Connectivity profile to the list of VLANs allowed in your internal VS configuration to allow VPN users to access this VS.
Hope it helps
Yann
- Stanislas_Piro2, Aug 18, 2017, Cumulonimbus
I agree with Yann, I had a customer with the same issue... The Connectivity profile was forgotten in the VS allowed VLANs.
- Hugo_Frauches_2, Aug 18, 2017, Cirrus
I didn't understand yet. Do I need to configure the connectivity with the Virtual Server? I have this done:
1) SSL VS -> Configured with the All VLANs option and with an APM Policy, Rewrite, Connectivity Profile.
2) DMZ VS -> Configured with only the DMZ VLAN.
Do I need to set an APM policy in the DMZ VS and a connectivity profile?
- Stanislas_Piro2, Aug 18, 2017, Cumulonimbus
No,
VPN clients are decrypted in the connectivity profile tunnel, so to hit the DMZ VS, you must allow it to listen on this tunnel.
- Hugo_Frauches_2, Aug 18, 2017, Cirrus
Dear Stanislas,
Sorry for my ignorance, but how can I allow it to listen on the tunnel? Do I need to add the VPN VLAN to the DMZ Internal Virtual Server?
- Stanislas_Piro2, Aug 18, 2017, Cumulonimbus
Hi,
In the APM VS, look at the connectivity profile selected. This is a tunnel interface.
In the DMZ VS, add this Tunnel interface in the "VLAN and Tunnel traffic" setting.
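
To check a configuration for the condition described in this thread, the following is an added example (not part of any poster's reply and not F5's own tooling): it reads `ltm virtual` stanzas from bigip.conf-style text and lists the virtual servers that do not listen on a given VLAN or tunnel. The object names (`vs_ssl_vpn`, `vs_dmz`, `dmz_vlan`, `cp_vpn`), the sample fragment, and the assumption that the tunnel carries the connectivity profile's name are constructed for illustration.

```python
import re

# Constructed bigip.conf fragment; object names are assumptions for the example.
SAMPLE_CONF = """\
ltm virtual /Common/vs_ssl_vpn {
    destination /Common/192.0.2.10:443
}
ltm virtual /Common/vs_dmz {
    destination /Common/10.128.20.10:80
    vlans {
        /Common/dmz_vlan
    }
    vlans-enabled
}
"""

def parse_virtuals(conf):
    """Return {virtual: {"mode": ..., "vlans": [...]}} from bigip.conf-style text."""
    virtuals, name, depth, in_vlans = {}, None, 0, False
    for line in (raw.strip() for raw in conf.splitlines()):
        if depth == 0:
            m = re.match(r"ltm virtual (\S+) \{$", line)
            if m:
                # No vlans keyword at all means "all VLANs and tunnels".
                name, depth = m.group(1), 1
                virtuals[name] = {"mode": "disabled", "vlans": []}
            continue
        if depth == 1 and line in ("vlans-enabled", "vlans-disabled"):
            virtuals[name]["mode"] = line.split("-")[1]
        elif depth == 1 and line == "vlans {":
            in_vlans = True
        elif in_vlans and line not in ("", "}"):
            virtuals[name]["vlans"].append(line)
        depth += line.count("{") - line.count("}")
        if depth < 2:
            in_vlans = False
    return virtuals

def listens_on(vs, source):
    """True if the virtual server accepts traffic arriving on VLAN/tunnel `source`."""
    listed = source in vs["vlans"]
    return listed if vs["mode"] == "enabled" else not listed

def unreachable_from(conf, source):
    """Names of virtual servers that ignore traffic arriving on `source`."""
    return [n for n, vs in parse_virtuals(conf).items() if not listens_on(vs, source)]

if __name__ == "__main__":
    print(unreachable_from(SAMPLE_CONF, "/Common/cp_vpn"))
```

The same function run the other way round is a useful exposure review: any virtual server left on "all VLANs and tunnels" is reachable by every VPN client unless an ACL or iRule restricts it.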
- Hugo_Frauches_2, Aug 18, 2017, Cirrus
Thanks for the reply!