Admin API?

First of all, no, there is not a secondary API that would allow for this kind of management. iControl will eventually fill that need as well, it just hasn't been built out to that level with FirePass yet.

 

 

Second, it sounds like you're in a bit of a "chicken vs. egg" scenario. There's no good way to give a Master Group access to an IP address (via apptunnel or any other means) if you don't know what that IP address is going to be.

 

 

What you may be able to do is configure network access to allow connections on the desired ports and filter out all other traffic. This will make the network access connection behave much like an App Tunnel.

 

 

Combine that with a restriction on the same network access connection to allow access to only the given list of IP addresses where your servers are going to be provisioned (assuming there's a list), and you'll be able to preemptively give your users access to the entire range of possible Server IPs on only the desired ports.

 

 

This way they'll already have access via the FirePass once the server is provisioned and they attempt to connect to the IP in question.

 

 

Hope this helps,

 

Colin