
antec42
Jul 17, 2019

Change Server SSL Profile within APM Policy based on User's group membership

Hi,

We have a situation where we need to present a specific client certificate to a server on the Internet depending on a user's group membership in the AD. We are using SWG for outbound Internet traffic. Is there any way I can switch between different SSL profiles "on the fly" within the APM policy, e.g. within the per-request policy? Or do I need to write a custom iRule for this?

Anyone done anything similar?

BR

2 Replies

  • Hi

    Have you tried something like this?

    when SERVER_CONNECTED {
    	# Switch the server SSL profile when the AD group list contains the group name
    	if { [ACCESS::session data get "session.ad.last.attr.memberOf"] contains "some_group_name" } {
    		SSL::profile "/Common/different_ssl_profile"
    	}
    }

    I'm not aware of being able to do this within the APM policy, but you can look up the variable afterwards to make a profile decision.

  • Yes, I've tried exactly this and it seems to work. However I suspect that if doing this I will cause all connections made from this point to always choose this SSL profile unless I change it back? I can solve this by using a separate "catch" VS for this particular server. It's still a little bit messy solving it this way and I will try to use a data group where key=group and value=new ssl profile...
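
The data group approach mentioned in the last reply, sketched as an added example that is not part of either poster's reply. The data group name `dg_group_to_serverssl`, the profile names and the group DNs are hypothetical, and the iRule sets a profile on every server-side connection so the choice never depends on an earlier selection.

```tcl
# Added example: data group, profile names and group DNs below are assumptions.
# String data group "dg_group_to_serverssl", constructed records:
#   "CN=PartnerA-Users,OU=Groups,DC=example,DC=com" := "/Common/serverssl_partner_a"
#   "CN=PartnerB-Users,OU=Groups,DC=example,DC=com" := "/Common/serverssl_partner_b"
# Keys are full group DNs: with a "contains" match, a short key such as
# "Partner" would also match unrelated groups like "Partner-Admins".
when SERVER_CONNECTED {
    # Profile used when no group matches (assumed name, holds no client certificate).
    set profile "/Common/serverssl_default"

    # AD group list stored by the APM AD Query, same variable as in the reply above.
    set member_of [ACCESS::session data get "session.ad.last.attr.memberOf"]

    if { $member_of ne "" } {
        # Value of the first record whose key occurs in $member_of,
        # or an empty string when no record matches.
        set mapped [class match -value -- $member_of contains dg_group_to_serverssl]
        if { $mapped ne "" } {
            set profile $mapped
        }
    }

    # Select a profile on every connection, matched group or not.
    if { [catch { SSL::profile $profile } err] } {
        # A typo in a data group value ends up here instead of aborting silently.
        log local0.error "server SSL profile '$profile' not applied: $err"
    }
}
```

If a user is a member of several mapped groups, only one record is used, so the data group should be kept free of overlapping mappings.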