Change Server SSL Profile within APM Policy based on Users group membership

Question

Hi,&nbsp;We have a situation where we need to present a specific client certificate to a server on the Internet depending on a users group membership in the AD. We are using SWG for outbound Internet traffic. Is there any way I can switch between different SSL profiles "on the fly" within the APM policy, e.g. withing the per-request policy? Or do I need to write a custom irule for this?&nbsp;Anyone done anything similar?&nbsp;BR

iaine · Answer

HiHave you tried something like thiswhen SERVER_CONNECTED {
	if {[ACCESS::session data get "session.ad.last.attr.memberOf"] contains "some_group_name" }{
		SSL::profile "/Common/different_ssl_profile"
	}
	
}I'm not aware of being able to do this within the APM policy but you can look up the Variable afterwards to make a profile decision

antec42 · Answer

Yes, I've tried excactly this and it seems to work. However I suspect that if doing this I will cause all connections made from this point to always choose this SSL profile unless I change it back? I can solve this by using a separate "catch" VS for this particular server. It's still a little bit messy solving it this way and I will try to use a data group where key=group and value=new ssl profile...

Forum Discussion

Change Server SSL Profile within APM Policy based on Users group membership

Recent Discussions

XC Bot defense question

LTM Rule, iRule, or Brute Force Configuration to Limit URL Access

NetScaler to F5 Migration

Application only need to access from 2 uris

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

Related Content

iControl REST / Change a setting in ASM logging profile

F5 BIG-IP Advanced WAF – DOS profile configuration options.

iRules variables in BIG-IP Next: behavior change

iControl REST Cookbook - Virtual Server Profile (LTM Virtual Profiles)

Update your DevCentral user profile

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS