Forum Discussion
NimbostratusAccess Policy for webtop + other VIPs
Hi all, I currently use an access policy for all of our VIPS for our sharepoint sites, OWA, and others. We are looking to start utilizing the F5 Webtop as well and I'd like to use a single access policy for this.
I have tried using the landing URI in the VPE, but it does not seem to detect based on what the users are entering.
how can i detect what URL was entered, for example webtop.domain.com and display the webtop, or if they entered any other URL, proceed to that as normal. Will the Access Policy logic happen every time a user enters a new URL? Or is it only when the session is established.
For example - if the user first goes to sharepoint.domain.com, they should be able to use the site as needed, but then if they go to webtop.domain.com they should just get the webtop. The reverse should also be true.
Right now - using two different access policies(one for webtops, and one for everything else) we get errors because a session already exists.
3 Replies
Andrew_HuskingCirrus
I'm not certain about doing this as a single APM policy, we did it as several.
What we did was set the APM domain cookie to be .company.com on all of the policies, and then had a separate VIP for each.
So for example mail.company.com citrix.company.com webtop.company.com
On the webtop we had links to mail and citrix and when the user clicked on the links, APM took the credentials from webtop, or vice versa.
Matt_Mella_1081Are you saying you have a separate access policy for every single VIP? That seems like a lot to maintain; we have a custom logon page and about 20 VIPs; meaning i'd need to maintain the logon page for every one.
That does give me an idea though, perhaps i can set the domain cookie for webtop.domain.com for the webtop access policy and use domain.com for the one the rest of the VIPs use.
I made some progress today by using an iRule on the webtop VIP to rewrite the URI to /wt/. In the APM i then did a landing URI check, if it was /wt/ I did the advanced resource assign; otherwise I did nothing after logging the user in. The only problem I'm having with this now is that I can only seem to access the webtop one time. if I close the webtop and reopen (the tab) then I get a page cannot be displayed. So now I'm trying to detect the MRH Session cookie and delete it to restart APM. This behavior would be acceptable to me as if a user closes the webtop; they should be treated as closing their session.
- Andrew_HuskingThey need to match or APM doesn't pass authentication between them. If you want everything in one VIP, then you need to do some really fancy iRule coding to make it work. It's really easy to have one VIP that points to multiple back end servers and changes based on hostname/URI, but the only issue i can see is opening the webtop when it's not the first page.
