F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

pekka_kovesjar2's avatar
pekka_kovesjar2
Icon for Nimbostratus rankNimbostratus
Apr 11, 2016

Access local resource in BIG-IP connected network through APM portal access resource

Hi

 

Accessing web-app with APM portal access resource app server response SAML POST to URI https://newaddress.company.com. DNS entry newaddress.company.com resolves IP to same public subnet (of course different IP than APM) as I made logon to APM and clicked that portal access resource on webtop. There are public IP-addresses on outside interface and private IP-addresses on internal interface. Normally all IP-addresses are SNATted in vs configuration when accessing internal network to BIG-IP internal interface. How do I configure BIG-IP + APM itself connecting to that public IP https://newaddress.company.com on connected subnet to get authentication for application https://someapp.company.com.

 

-Pekka-

 

application delivery
BIG-IP Access Policy Manager (APM)

3 Replies

  • Josiah_39459's avatar
    Josiah_39459
    Historic F5 Account
    Apr 11, 2016

    You just need a route. If you want the route on a tmm interface (which I assume you mean when you say connected subnet), just go to Network -> Routes and add your gateway with public IP access on that subnet as a route to the relevant /32's that newaddress.company.com resolves as.

     

    • pekka_kovesjar2's avatar
      pekka_kovesjar2
      Icon for Nimbostratus rankNimbostratus
      Apr 11, 2016
      Hi Josiah f5 connected networks = f5 device own interfaces > IP-addresses are on those networks, tmm or mgmt. In this case I'm talking about that public facing network. For example mask is /24, default gateway is .1.1.1.1/24, f5 self-IP is .1.1.1.2/24, APM VIP is 1.1.1.3/24. and newaddress.company.com is 1.1.1.5/24. For that reason I do have route to 1.1.1.5. Address 1.1.1.5 is ADFS proxy made with Microsoft techniques. Because f5 is configured to use only internal DNS-servers (split DNS => internals answer private addresses) I did static host entry to f5 for newaddress.company.com. Tested fron CLI that f5 resolves right IP. I can also see on decodec (hex-to-text) APM URI that hostname on URI is that .newaddress.company.com. TCPDUMP -nni 0.0 host 1.1.1.5 don't show any traffic when f5 try to connect newaddress.company.com. -Pekka-
    • Seth_Cooper's avatar
      Seth_Cooper
      Icon for Employee rankEmployee
      Apr 11, 2016
      Hi Pekka, APM Portal Access isn't able to use the BigIP hosts file for name resolution. You will have to configure the external DNS server (configured in the system settings) to resolve the name of newaddress.company.com. -Seth