Forum Discussion

Lapsio
Jul 21, 2019

APM VPN - how to change external SSL VPN port to different than one set on Virtual Server?

I have an F5 SSL VPN configured behind a forward proxy, so the external ports don't match the ones configured on the F5 Virtual Server that handles the Connectivity Profile. My path goes as follows:

world -> portal.mydomain.com:443 -> 192.168.2.4:44043

I configured WebTop according to this tutorial: https://devcentral.f5.com/s/articles/creating-a-ssl-vpn-using-f5-full-webtop-30146

Despite the fact that WebTop itself works just fine, the VPN client that gets downloaded from it tries to reach portal.mydomain.com:44043, which obviously fails. The same happens in the case of local Virtual Server forwarding (LTM Policy action Forward To Virtual Server) instead of an actual, physical forward proxy. Basically, the client will always try to reach the port that is configured on the VS with the Connectivity profile and APM policy assigned, ignoring the whole path before it.

---

Also, since I'm not entirely sure I understand the relation between the Connectivity profile and the APM policy that grants access to it: what would happen if I configured the Connectivity profile on a VS that is "earlier" in the VS hierarchy? I mean, let's say I have a front-facing VS that performs SSL offload and I attach the Connectivity profile there, while the APM policy is attached to another, "post-processing" VS. Would clients be able to access this Connectivity profile only if APM allows it, or always, since it's assigned "before" APM in the chain? A path like this:

world -> vs_ssl_offload:443 (Connectivity profile goes here) -> vs_portal:80 (APM policy goes here)

Because I tried this scenario and it "works", as in it is operational, but somehow I'm a bit skeptical whether it actually works correctly from a security standpoint.
