Anthony
Jun 26, 2014

Can I use Active Directory to restrict access to a VS/Pool/Node?

I am in the process of setting up a new internal test environment which needs to have a strict access policy. This has primarily been identified as being controlled by a group in Active Directory.

 

Does anyone know the best way of using AD to restrict access to this environment? Is it done at VS, Pool or Node level?

 

Many thanks, Anthony

 

3 Replies

  • I suppose the answer depends on the granularity of said control. Using APM you can block access to the application at the VIP, or you could block access to specific pools or nodes.

     

  • You've probably thought of this, but assuming that you're running Windows servers you could use IIS and file permissions to grant access to the application.

    IIS -> Site -> Authentication:
    Anonymous Authentication disabled
    Windows authentication enabled, Response type HTTP 401 Challenge.
    

    /Patrik

  • In the absence of the ability to identify AD group membership at the proxy layer (with something like APM), your likely best option is securing resources at the application and/or IIS layer as Patrik relates. You could technically use some form of signaling mechanism between the application and an LTM iRule, but that wouldn't prevent initial access to the application and would probably be a reasonably complex iRule. APM will do all of this out-of-the-box.
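
The IIS settings and file-permission step from Patrik's reply, scripted with the WebAdministration module. This is an added example, not code posted by anyone in the thread; the site name, content path and AD group are placeholders to replace with your own.

```powershell
# Added example. Run from an elevated prompt on the IIS server.
# $SiteName, $SitePath and $AdGroup are placeholders, not values from the thread.
Import-Module WebAdministration

$SiteName = 'TestEnv'                  # hypothetical IIS site name
$SitePath = 'D:\Sites\TestEnv'         # hypothetical content directory
$AdGroup  = 'EXAMPLE\TestEnv-Users'    # hypothetical AD group

# The authentication sections are locked at server level by default, so they
# are written to applicationHost.config under a <location> for the site
# rather than to the site's web.config.
$auth = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter "$auth/windowsAuthentication" -Name enabled -Value $true

# File permissions: grant the AD group read/execute on the content tree.
$acl  = Get-Acl -Path $SitePath
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $AdGroup, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $SitePath -AclObject $acl

# Check 1: the group grant only restricts access once broad principals no
# longer have their own Allow entries. List any that remain for review.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
(Get-Acl -Path $SitePath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.IdentityReference.Value -in $broad } |
    Select-Object IdentityReference, FileSystemRights, IsInherited

# Check 2: read back the effective authentication settings for the site.
foreach ($section in 'anonymousAuthentication', 'windowsAuthentication') {
    $enabled = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
        -Filter "$auth/$section" -Name enabled).Value
    '{0,-24} enabled={1}' -f $section, $enabled
}
```

Any entries listed by the first check are usually inherited from the parent folder; they have to be removed or overridden before the AD group actually becomes the gate, while keeping the application pool identity's read access intact.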