Forum Discussion
awan_m
Cirrostratus
Cirrostratusallow *.microsoft.com to connect to a virtual server
Hi, i have a VIP that should only be accessable by domain *.microsoft.com - i have AFM provisioned and a DNS resolver . but the Rule cannot take *.microsoft.com as source . is there a way to achie...
Paulius
MVP
MVPawan_m I don't believe this is possible because the AFM would perform a DNS lookup for the literal DNS record of *.microsoft.com instead of what you most likely want which is any sub-domain of .microsoft.com. I don't know if I would allow that through either if you could because that is a significant amount of sources that could potentially be allowed through depending on DNS resolution. What is the purpose of the VIP that you need to allow any sub-domain of .microsoft.com through?
awan_mCirrostratus
Cirrostratusthanks for the reply - its a specific domain IPs to be able to connect to a VIP that presents an API . the problem with an ip address list is that i will change all the time . i need to resolve the requestors IP to a domain and if its *.XYZ.com the allow it to connect .
Michael__Nimbostratus
Hi,
you could try that with an irule, something that way:
when CLIENT_ACCEPTED { set CLIENTIP [IP::client_addr] set PTR "[lindex [RESOLV::lookup @1.1.1.1 -ptr $CLIENTIP] 0]" set PTRreverse "[lindex [RESOLV::lookup @1.1.1.1 -a $PTR] 0]" if {($CLIENTIP eq $PTRreverse) && ($PTR ends_with ".microsoft.com")}{ log local0. "OK - $CLIENTIP - $PTR - $PTRreverse -" } else { log local0. "FAIL - $CLIENTIP - $PTR - $PTRreverse -" reject } }