APM Specific Network Access per user
Hello,
I faced a case where the customer wants to use F5 APM as a VPN to serve internal employees and also partners.
For internal employees it is easy because they exist on Active Directory and we could assign resources after successful AD query.
But for partners (he has more than 100 users), we needed to configure them in the local F5 APM DB, as the customer doesn't accept adding them to AD. However, the problem is:
I need to assign specific Network Access (IPs/Subnet) for each user, as each partner has access to certain servers/IPs only.
Can someone please advise me how to achieve such access granularity?
Thank you in advance
- Stewart_88212 Nimbostratus
Hi Samer,
First you'd need to separate out your internal and partner users. Perhaps give the partners a different URI to use when logging in,
i.e., https://FQDN-for-site/partners
You can then check on the URI and send them to local DB authentication rather than AD.
Once they've authenticated to the local DB, you can use an expression in Resource Assign to check their username session variable in order to assign them the appropriate resources.
This is a pretty good reference when using the local user database. [https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-aaa-auth-config-11-4-0/4.html]
S
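The checks described in this answer, written as access policy branch expressions (an added example, not part of the original post; the `/partners` path follows the answer's URI, while the usernames, the `acme-` prefix convention and the resource names in the comments are constructed for illustration):

```tcl
# Each expr below is a separate branch expression in the access policy,
# not one script. Branches are evaluated top to bottom; the fallback
# branch should assign no Network Access resource (default deny).

# 1) Start of policy: partner logins arrive on the /partners landing URI
#    and are sent to Local DB authentication. Everything else falls
#    through to the AD authentication branch.
expr { [string match -nocase "/partners*" [mcget {session.server.landinguri}]] }

# 2) Resource Assign after Local DB auth: exact match on one partner
#    account (constructed username). Lower-casing avoids a mismatch when
#    the user types the name with different capitalisation.
#    Assign: Network Access resource "na_partner_acme" (constructed name)
#    limited to that partner's servers/subnets.
expr { [string tolower [mcget {session.logon.last.username}]] eq "acme-jsmith" }

# 3) Same assignment for every account of one partner, assuming the
#    local DB usernames were created with a per-partner prefix
#    (an assumed naming convention, not something APM enforces).
#    One expression per partner scales better than one per user.
expr { [string match "acme-*" [string tolower [mcget {session.logon.last.username}]]] }

# 4) A second partner gets its own expression and its own resource
#    ("na_partner_globex", constructed), so the two never share subnets.
expr { [string match "globex-*" [string tolower [mcget {session.logon.last.username}]]] }
```

Prefix matching is only as trustworthy as the account-creation process: if partner accounts can be created with arbitrary names, use exact username matches instead.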
- samo Nimbostratus
Thanks a million
Hi,
Why not deploy an ADLDS service? That way you can have your external users within this LDAP server, and internal users can be defined as user_proxy to the Active Directory.
All of this uses a single namespace for both kinds of users.
Bye
Yann