Forum Discussion

Brian_Mayer_841
Nov 06, 2007

Client authentication bypass for internal IPs

Hi,

We are getting ready to implement the LTM Advanced Client Authentication module to authenticate some test users that will access our new sites behind the F5 LTMs. That should be pretty straightforward. However, during a design meeting today, it was noted that there will be some intersystem communication between servers within our network.

For example, one of the servers will call another URL through the F5 to retrieve a web page, but we don't want the Advanced Client Authentication to occur for these hosts. Is there any way using iRules (or any other method) to bypass the LTM ACA on certain virtual servers?

Thanks!

B

3 Replies

  • Yeah I see what you mean.

    Even Support says the ACA module is pretty basic in nature. I'm working with them to see if I can find a creative way to do this.

    I like your suggestion...I may just give it a shot and see what turns up. I guess I just pop in the iRule and bind it to a VS and test...is that it?

    Thanks again for the help. You seem to be the guru on these forums!

    _B
  • Another thing I just thought of...any way to use the iRule for cookie-based authentication on this page:

    http://devcentral.f5.com/wiki/default.aspx/iRules/ClientAuthUsingHttpCookie.html

    ...maybe combining it with the source IP check to put the necessary cookie in users' browsers if the IP connection is coming from the right nets? Of course for this to work like we hope, the cookie would need to be automatically given to authorized browsers so users are authenticated behind-the-scenes.

    What do you think?
  • Do you think the cookie route is cleaner? The method setting the TMM_AUTH variable to 0 seemed okay too...just want to know which would have the least chance of impacting the users. Is injecting cookies for authentication potentially problematic?