
Forum Discussion

Peter_Baumann
Jul 05, 2013

APM: Portal Access to Configuration Utility

Hi,

 

In APM I tried to add a Full Webtop with a Portal Access to the Configuration Utility of the F5 APM. This Portal Access will be used for Admins to do F5 BigIP Administration.

 

I couldn't get this to work.

 

I tried a Portal Access to the Management IP and to the SelfIP with Port Lockdown set to Allow Default, which also opens https.

 

 

Anyone who got this to work?

 

 

Many thanks for your answer!

 

Best regards,

 

Peter

 

5 Replies

  • Here's how I have it configured:

    1. Create an internal HTTPS/443 VIP (ex. 10.10.10.10:443) for access to the management GUI. A very simple VIP with client and server SSL profiles, SNAT Automap, and the following iRule:

    
    when CLIENT_ACCEPTED {
        # Forward the connection to the local Configuration utility listener (localhost:443)
        node 127.0.0.1 443
    }
    

    2. Create an APM portal access list object that points to the above URL (ex. https://10.10.10.10).

    3. Create your access policy and assign the above resource to a full resource assign agent, plus webtop and other resources as required.

    4. Create your portal VIP and assign the above access policy. Now here's where it gets tricky and dependent on your configuration. The portal will rewrite the complete internal URL and the management GUI requires an HTTPS:// front end, so you need the internal VIP to be listening on port 443 and a server SSL profile on the external portal VIP. If you have other portal resources that don't require a server SSL profile it may cause problems with those. I'm certain this can be addressed with an iRule (dynamically turning the server SSL profile on and off), but it may be easier to set up all of the internal portal resources as HTTPS.

  • Hi Kevin,

     

    Many thanks for your hint, I can now connect to the Configuration Interface over the APM.

     

    I also could use a Layer 4 VIP to connect to the Admin GUI.

     

    So, I'm now connected, but after logging in I am immediately logged out. I cannot see any problems in the Audit Logs or anything else, I just cannot log in.

     

    I have the same behavior when I try to log in while connected directly to the VIP, not over the APM.

     

     

    Any ideas how to solve this?

     

  • You're connecting with https://? You should also have a client and server SSL profile applied to the VIP, SNAT automap enabled, and the pool. Nothing else is required.
  • Hi Kevin, I switched back to a standard VIP with a clientssl and a serverssl profile. I also do SNAT automap. Please see the screenshot for what I get. When I do a refresh there, I just get the login screen again.

     

    ![Image Text](/Portals/0/Users/157/89/5789/Bildschirmfoto 2013-09-10 um 11.33.42.png)

     

    Any ideas how to get this to work?

     

  • You need a 443 VIP with client and server SSL profiles, and the above iRule. No pool and the SNAT is optional.