Forum Discussion

Matt_Mella_1081's avatar
Matt_Mella_1081
Icon for Nimbostratus rankNimbostratus
Dec 17, 2013

Access Policy for webtop + other VIPs

Hi all, I currently use an access policy for all of our VIPS for our sharepoint sites, OWA, and others. We are looking to start utilizing the F5 Webtop as well and I'd like to use a single access po...
BIG-IP Access Policy Manager (APM)
devops
iApps
security
Matt_Mella_1081's avatar
Matt_Mella_1081
Icon for Nimbostratus rankNimbostratus
Dec 17, 2013

Are you saying you have a separate access policy for every single VIP? That seems like a lot to maintain; we have a custom logon page and about 20 VIPs; meaning i'd need to maintain the logon page for every one.

 

That does give me an idea though, perhaps i can set the domain cookie for webtop.domain.com for the webtop access policy and use domain.com for the one the rest of the VIPs use.

 

I made some progress today by using an iRule on the webtop VIP to rewrite the URI to /wt/. In the APM i then did a landing URI check, if it was /wt/ I did the advanced resource assign; otherwise I did nothing after logging the user in. The only problem I'm having with this now is that I can only seem to access the webtop one time. if I close the webtop and reopen (the tab) then I get a page cannot be displayed. So now I'm trying to detect the MRH Session cookie and delete it to restart APM. This behavior would be acceptable to me as if a user closes the webtop; they should be treated as closing their session.

 

  • Andrew_Husking's avatar
    Andrew_Husking
    Icon for Cirrus rankCirrus
    Dec 17, 2013
    They need to match or APM doesn't pass authentication between them. If you want everything in one VIP, then you need to do some really fancy iRule coding to make it work. It's really easy to have one VIP that points to multiple back end servers and changes based on hostname/URI, but the only issue i can see is opening the webtop when it's not the first page.
Related Content