Forum Discussion
Allowing access to Google Play store
Long story short ... We use a pair of LTMs to redirect our campus users to a captive portal.
Now we'd like to provide outbound connectivity to the Google Play store. We can open up IP addresses, but all of Google's services are so tightly wound together, we end up opening all of Google's address space. And since everything is over HTTPS, we don't have visibility into the HTTP headers.
We do know the DNS names associated with the play store (https://community.arubanetworks.com/t5/Security/2017-Google-Play-Store-URL-whitelist/m-p/284664M29598). Is it possible to write an iRule (or iRuleLX) that allows traffic to a particular IP address only if that IP address was learned as a result of a particular DNS request?
That is ... the client requests android.clients.google.com, the server responds 1.2.3.4, we dynamically allow that client to talk to 1.2.3.4. But nothing else.
This would require some DNS intelligence, and the ability to track state between the DNS request and the SSL connection.
I don't need someone to write the entire iRule, but a few pointers would be good.
Thoughts?
Thanks
Norman
- Stanislas_Piro2
Hi,
Look at this question
Philip decodes the first TLS packet to get the servername extension... if it is in the datagroup, bypass TLS...
You can use the same code to route directly for Google Play store URLs.