Forum Discussion
APM Resource assignment through CLI
Hello all
I am deploying a huge APM configuration, in the VPE I am using AD Auth and AD Query. The thing is that there are lots of users, and I need to assign particular resources for each user separately... of course this is quite time-consuming, so I would like to know how to do this perhaps through CLI so I can prepare a script and trigger it, in order to avoid so many clicks that will only make this deployment slower and slower. Below you will find a screenshot showing only a small part of the users. Any help will be very useful. Thanks in advance!
2 Replies
- Pedro_Haoa
Ret. Employee
Hi,
You can use the following commands to speed up the process of working with a BIG-IP APM policy:
To create Portal Access resources:
create apm resource portal-access pa_example application-uri http://pa_example/index items add { item { host pa_example paths /index } }
To create Remote Desktop resources:
create apm resource remote-desktop rdp ip_example color-depth 24-bit ip ip_example port 3389 window-size full-screen
To create your policy:
```
tmsh
create cli transaction
create apm policy agent ending-allow /Common/vpnexample_end_allow_ag { }
create apm policy agent ending-deny /Common/vpnexample_end_deny_ag { }
create apm policy agent ending-deny /Common/vpnexample_end_deny2_ag { }
create apm policy policy-item /Common/vpnexample_end_allow { agents add { /Common/vpnexample_end_allow_ag { type ending-allow } } caption Allow color 1 item-type ending }
create apm policy policy-item /Common/vpnexample_end_deny { agents add { /Common/vpnexample_end_deny_ag { type ending-deny } } caption Deny color 2 item-type ending }
create apm policy policy-item /Common/vpnexample_end_deny2 { agents add { /Common/vpnexample_end_deny2_ag { type ending-deny } } caption Deny2 color 4 item-type ending }
create apm policy policy-item /Common/vpnexample_ent { caption Start color 1 rules { { caption fallback next-item /Common/vpnexample_end_deny } } }
create apm policy access-policy /Common/vpnexample { default-ending /Common/vpnexample_end_deny items add { vpnexample_end_allow { } vpnexample_end_deny { } vpnexample_end_deny2 { } vpnexample_ent { } } start-item vpnexample_ent }
create apm profile access /Common/vpnexample { accept-languages add { es } access-policy /Common/vpnexample }
submit cli transaction
```
To review, search and filter your APM policy:
list apm | grep -A 15 -B 15 vpnexample_end_allow
To modify/change your APM policy resources:
modify apm policy policy-item vpnexample_act_full_resource_assign_10 caption Remote_Access_10 rules { { caption fallback next-item /Common/vpnexample_end_allow } }
I hope it helps.
- Stanislas_Piro2
Cumulonimbus
Hi,
I think you are trying to do a complicated configuration for something quite simple.
You can:
- use Advanced Resource Assign to assign resources based on the username
- use generic RDP with host value RDP_%{session.logon.last.username} if user E72074 has to connect to hostname RDP_E72074 (you can also create a DNS CNAME in internal AD to do that)
- use an iRule to assign resources
This iRule uses a data group named user_resources_DG with the value format (with curly brackets): {{resources Portal Access} {resources Application Tunnel} {resources Network Access} {resources RDP}}

```
when ACCESS_POLICY_COMPLETED {
    # Act only when the policy result is "allow" and the lowercased logon
    # name has an entry in the data group.
    if {[ACCESS::policy result] equals "allow" && [class match [string tolower [ACCESS::session data get session.logon.last.username]] equals user_resources_DG]} {
        # The stored value is a list of four resource lists: PA, AT, NA, RD.
        set resources [class match -value [string tolower [ACCESS::session data get session.logon.last.username]] equals user_resources_DG]
        ACCESS::session data set session.assigned.resources.pa [lindex $resources 0]
        ACCESS::session data set session.assigned.resources.at [lindex $resources 1]
        ACCESS::session data set session.assigned.resources.na [lindex $resources 2]
        ACCESS::session data set session.assigned.resources.rd [lindex $resources 3]
    }
}
```
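One way to generate the user_resources_DG records for the iRule above from a per-user export instead of entering them by hand, with validation so a malformed row cannot change the list structure or grant an unintended resource. This is an added example, not code from either reply. The CSV layout, the username and resource-name patterns and the sample rows are assumptions, and the quoting of braces inside `data "..."` should be confirmed on a non-production unit.

```python
import csv
import io
import re

DG_NAME = "user_resources_DG"   # data group name used by the iRule in the reply
COLUMNS = ("pa", "at", "na", "rd")   # order the iRule reads with lindex 0..3
USER_RE = re.compile(r"[a-z0-9._-]{1,64}")                 # assumed username policy
RES_RE = re.compile(r"/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+")   # assumed /Partition/name form

# Constructed sample input: one row per user, resources separated by spaces.
SAMPLE_CSV = """username,pa,at,na,rd
E72074,/Common/pa_example,,,/Common/ip_example
e10001,,,/Common/na_example,
"""

def build_records(csv_text):
    """Return {lowercased username: data-group value}, rejecting unsafe rows."""
    records = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        # The iRule lowercases the logon name before class match, so keys must be lowercase.
        user = (row["username"] or "").strip().lower()
        if not USER_RE.fullmatch(user):
            raise ValueError(f"invalid username: {user!r}")
        if user in records:
            # Two rows that differ only by case would give one user two entitlement sets.
            raise ValueError(f"duplicate username after lowercasing: {user}")
        groups = []
        for col in COLUMNS:
            names = (row[col] or "").split()
            for name in names:
                # Allow-list keeps braces, quotes and ';' out of the Tcl list and the tmsh line.
                if not RES_RE.fullmatch(name):
                    raise ValueError(f"{user}: invalid resource name {name!r}")
            groups.append("{" + " ".join(names) + "}")
        records[user] = "{" + " ".join(groups) + "}"
    return records

def tmsh_command(records):
    """Render one tmsh command; replace-all-with drops entries no longer in the CSV."""
    body = " ".join(f'"{u}" {{ data "{v}" }}' for u, v in sorted(records.items()))
    return f"modify ltm data-group internal {DG_NAME} records replace-all-with {{ {body} }}"

if __name__ == "__main__":
    print(tmsh_command(build_records(SAMPLE_CSV)))
```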