Forum Discussion
Access Policy Not evaluating when using a VPN tunnel
- Oct 30, 2015
The inside VPN tunnel traffic is automatically considered to be part of the user's already authenticated session. You can't run an APM VPN, then get another separate session to the same APM through the same tunnel.
You'll have to think of another way to accomplish your use case. If you can describe it more fully, maybe we can come up with some suggestions.
The session scope basically depends on the cookie. It's fine for users to have multiple sessions. APM is very flexible here. You can define a wider cookie domain, like "example.com", then the same session will be used because the browser will transmit the cookie to any *.example.com domain. If you don't define any cookie scope, the browser infers it from the FQDN and will only transmit it to that domain.
APM also supports "multidomain" mode, where it will 302 the user to any number of different domains to set the cookie. This way you can have one session for vpn.example.com and apps.example.com, but then a separate session for apps1.example.com.
The only real limitation is as you discovered: VPN traffic is always considered to be part of the access policy which started it.
Maybe you can have a Full Webtop for the remote people and provide a menu of links, for apps, vpn, etc. You could also make a decision based on the source IP address of the traffic, and choose to do more authentication on external users, like maybe only doing certificate validation for those guys.
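Added example, not part of the original answer: the cookie-scope rule the answer describes, written out as a small check. `domain_matches` implements the RFC 6265 domain-match test a browser applies before sending a cookie, `hosts_sharing_session` lists which hosts would receive the session cookie for a given `Domain` attribute, and `needs_extra_auth` shows the source-IP decision the answer suggests. Hostnames, the cookie name `apm_session` and the internal address ranges are constructed for illustration and are not APM defaults.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed hostnames; they stand in for the vpn.example.com /
# apps.example.com / apps1.example.com names used in the answer.
HOSTS = [
    "vpn.example.com",
    "apps.example.com",
    "apps1.example.com",
    "example.com",
    "evil-example.com",            # similar-looking, but not under example.com
    "example.com.attacker.test",   # example.com as a prefix, also not under it
]

# Constructed internal ranges (assumption for the example).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class SessionCookie:
    name: str
    set_by: str              # FQDN whose response set the cookie
    domain: Optional[str]    # Domain attribute; None means host-only cookie


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match for host names.

    A host matches a cookie domain if it equals it or ends with "." + domain.
    IP literals never domain-match; browsers also refuse a Domain that is a
    public suffix (e.g. "com"), which this toy check does not model.
    """
    h = request_host.lower().rstrip(".")
    d = cookie_domain.lower().strip(".")
    if not d:
        return False
    return h == d or h.endswith("." + d)


def cookie_sent_to(cookie: SessionCookie, request_host: str) -> bool:
    """Would the browser attach this cookie to a request for request_host?"""
    if cookie.domain is None:
        # Host-only cookie: scope is inferred from the FQDN that set it.
        return request_host.lower().rstrip(".") == cookie.set_by.lower().rstrip(".")
    return domain_matches(request_host, cookie.domain)


def hosts_sharing_session(cookie: SessionCookie, hosts: List[str] = HOSTS) -> List[str]:
    """All hosts that will present the same session cookie, i.e. share the session."""
    return [h for h in hosts if cookie_sent_to(cookie, h)]


def needs_extra_auth(src_ip: str, internal_nets=INTERNAL_NETS) -> bool:
    """Source-IP decision from the answer: external clients get additional
    authentication (for instance certificate validation)."""
    ip = ipaddress.ip_address(src_ip)
    return not any(ip in net for net in internal_nets)


if __name__ == "__main__":
    wide = SessionCookie("apm_session", "vpn.example.com", "example.com")
    host_only = SessionCookie("apm_session", "vpn.example.com", None)
    print("Domain=example.com ->", hosts_sharing_session(wide))
    print("host-only          ->", hosts_sharing_session(host_only))
    for ip in ("10.1.2.3", "203.0.113.5"):
        print(ip, "extra auth:", needs_extra_auth(ip))
```

Note what the wide scope implies: with `Domain=example.com` every host under example.com, including ones APM never set the cookie for, receives the session cookie, so all of them have to be trusted with it. The multidomain 302 handling the answer mentions keeps each cookie host-only and instead establishes the session on each named domain explicitly, which is the safer way to share a session across a fixed list of hosts.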
- amolari (Cirrostratus), Feb 29, 2016
Hi Lucas, I'm falling in the same case, and we have the requirement to provide access (authorization) to the internal VSs (with AP), depending on the user's group. I was thinking (as a workaround) to create ACLs to backend resources depending on the user's group membership. Is there any other "workaround" we could think of? Forcing policy re-evaluation is AFAIK not possible. A webtop, as you suggested, seems also not a viable way, as some of those internal apps are using AJAX... Thanks, Alex