AltostratusHi. Trying to check for AD group membership to allow access to URL based on a string in the URI.
In the Look for Login box, I'm using the branch rule expr {[mcget {session.server.landinguri}] contains "/login.html". I've tried several others, but it doesn't restrict based on AD group. Any ideas? Thanks
MVPThe variable "session.server.landinguri" will contain the first URI that triggered the access policy, and will not change each time you visit a new URI, so if you requested /home then /login, the first one will be your landing URI, the one that caused the creation of an APM session.
You shoud use another method to apply rules selectively depending on the requested URI, for example per request policy: Adding a URL branching rule (f5.com)
MVPYou can attach layer 7 acl so after the access policy evaluation is done then the users that do not have ad group will be blocked for some url.
https://my.f5.com/manage/s/article/K08200035
You can also see the link below as if you do not decrypt the traffic FQDN domains or SSL SNI with irule/local traffic policy can be used or Per request policy that will check each request:
https://community.f5.com/t5/technical-forum/l7-https-acl-with-apm-ssl-vpn-not-working/td-p/207920
Edit:
You can also use the per-request policy to trigger an irule that will get the session group membership and if the users do not have the group but are trying to reach the destination fqdn/sni or url if you are decrypting the traffic and this not a VPN APM implementation (for VPN /Portal you will need layered VS https://my.f5.com/manage/s/article/K03113285 ) and to block users if they do not have the group.
https://clouddocs.f5.com/cli/tmsh-reference/v14/modules/apm/apm_policy_agent_irule-event.html
CirrostratusHi dcarterjr,
So i think the first step please try to login and then you go to overview session and click session variable to see about expression that match landinguri
have you looked at ACL's?
You can create one and set it on authorisation.
