Forum Discussion
Bypassing the Webtop to directly access a Portal Access resource via URI
I am having an issue with accessing a Portal Access resource using a URI. I have set this up for other SAML resources before and it works flawlessly; however, when attempting it with a Portal Access resource, it only works if I do not have an open session. If I close the window and attempt to go back in, I get a connection error and have to wait for my current session to time out (or manually kill it). I need to be able to access the Portal Access resource anytime, whether I have a current session or not.
Here is the iRule I am using:
    when ACCESS_POLICY_COMPLETED {
        if { [ACCESS::session data get "session.server.landinguri"] eq "/mydefineduri" } {
            log local0. "Policy Completed"
            switch -glob [ACCESS::session data get session.server.network.name] {
                "myproductionAPMPolicy.com" {
                    ACCESS::respond 302 Location "/f5-w-687474703a2f2f31302e312e332e36$$"
                }
            }
        }
    }
4 Replies
- Michael_Jenkins
Cirrostratus
Are you basically trying to always force a redirect when the host is myproductionAPMPolicy.com and uri is /mydefineduri?
One thing to note is that the ACCESS_POLICY_COMPLETED event is only executed at the end of the access policy, which happens once during a session. This would explain why you only see the redirect initially and not on any subsequent requests.
If you want to always check for that pre-defined uri (and/or host), you can also use the HTTP_REQUEST event. Something like this:
    when HTTP_REQUEST {
        switch -glob [string tolower "[HTTP::host][HTTP::uri]"] {
            "myproductionapmpolicy.com/mydefineduri*" {
                HTTP::respond 302 Location "/f5-w-687474703a2f2f31302e312e332e36$$"
                # You could use this instead too:
                # HTTP::redirect "/f5-w-687474703a2f2f31302e312e332e36$$"
                # If you have other iRules on this VIP that use HTTP::respond or HTTP::redirect,
                # you may need a couple additional commands to mitigate a multiple redirects error.
                return
            }
        }
    }
If you only want to perform the redirect after a session has been successfully completed, you might add a conditional before the switch to check for that. Something like this:
    if { [ACCESS::policy result] eq "allow" } {
        # Processing code here
    }
Hope this helps.
One bug I have run into with this solution is that if there is not currently a session for the user, this rule will stop at the webtop. If there is a session (or once a session is created) it works every time.
- Michael_Jenkins
Cirrostratus
Yea, I've noticed that in the past. An encoded URL doesn't seem to work properly without an APM session. The way I get around that is by decoding the URL (see Kevin's answer to this question for an example), saving it to a session variable and then redirecting the user after they log in (sounds a lot easier than it is :/)
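The decoding step mentioned in the reply above, as an added example in plain Tcl (runnable in tclsh; not code from this thread or from F5): the hex in a `/f5-w-...$$` path is the backend origin, so a rule that redirects to such a path after login can decode it and compare it with an allowlist first. The proc names and the allowlist are hypothetical, and the `/f5-w-<hex>$$<rest>` layout is assumed from the path in the question.

```tcl
# Added example: decode and check an APM Portal Access path.
# ALLOWED_ORIGINS is a constructed allowlist for illustration only.
set ALLOWED_ORIGINS {http://10.1.3.6}

# Split "/f5-w-<hex>$$<rest>" into {decoded-origin rest}; raise an error on bad input.
proc decode_portal_path {path} {
    if {![regexp {^/f5-w-([0-9a-fA-F]+)\$\$(.*)$} $path -> hex rest]} {
        error "not a /f5-w- portal path: $path"
    }
    if {[string length $hex] % 2} {
        error "odd number of hex digits in: $path"
    }
    # binary format H* turns each pair of hex digits back into one byte
    return [list [binary format H* $hex] $rest]
}

# Inverse operation: build the encoded path for a backend origin.
proc encode_portal_path {origin {rest ""}} {
    binary scan $origin H* hex
    return "/f5-w-$hex\$\$$rest"
}

# Return the path unchanged when its decoded origin is allowlisted,
# otherwise an empty string so the caller can fall back to the webtop.
proc safe_portal_target {path allowed} {
    if {[catch {decode_portal_path $path} parts]} {
        return ""
    }
    set origin [string tolower [lindex $parts 0]]
    if {[lsearch -exact $allowed $origin] < 0} {
        return ""
    }
    return $path
}

# The path from the question, plus a constructed one that is not allowlisted.
set from_question {/f5-w-687474703a2f2f31302e312e332e36$$}
set constructed   [encode_portal_path "http://192.0.2.10" "/admin"]

puts "decoded origin: [lindex [decode_portal_path $from_question] 0]"
puts "allowed:  '[safe_portal_target $from_question $ALLOWED_ORIGINS]'"
puts "rejected: '[safe_portal_target $constructed $ALLOWED_ORIGINS]'"
```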
 
- Antish_293579
Nimbostratus
Mike, I am trying to bypass the webtop for a SAML resource. You mentioned you have done that many times... Can you please help me with that?