Forum Discussion

raydakis's avatar
Icon for Altocumulus rankAltocumulus
May 27, 2024

APM to Forward requests for one public URL for remote clients

Hello Guys,


I want to configure APM as to forward proxy for one internet URL for remote clients (which are also located on internet). Because of ip source restrictions these clients cannot access this public URL from their locations.

Is vpn ssl web mode is best way to achieve this config ?


Thanks in advance,



1 Reply

  • BIG-IP APM can operate essentially as a "security gate" to allow access in "Web Access Management" aka "LTM+APM" deployment mode. The security concerns are different if the target server is on the internet or local, of course. The "best" way to do this depends on your view of security vs convenience. Here are some thoughts on AAA to get you started on gathering requirements:

    • The end users need to trust that they are accessing an authentic service
      • Trusted HTTPS Server Certificate
      • Providing users trusted links / bookmarks
    • The end users' computers should be validated somehow to ensure they're the right ones and not hosting malware or have been replaced by bots
      • Client Certificates / Mutual TLS
      • Machine Certificates
      • Client security / MDM such as Microsoft InTune or JAMF
      • Entra / AzureAD User Risk
    • The end users' should authenticate themselves with a combination of two or more:
      • remembered password
      • hardware security token
      • SMS call or other OTP implementation
      • Federated identity such as SAML or oAuth
    • The APM should validate the password / security token with some kind of trusted service
      • Checking assertions (internally with SAML certs/JWKs or externally)
      • Checking passwords
      • Checking device IDs
    • The APM should provide an audit trail of user activity
      • What requirements does your org have for this?
      • How are you gathering this data and providing reports?
      • What format do you want the reports in?
    • Think about the data-path between your BIG-IP device and the target server. How can this channel be protected?
      • TLS?
      • mTLS?
      • VPN?
    • Think about the data-path between your BIG-IP and your users. How can this channel be protected?