Configuring VS to access LTM
I have 2 management interfaces, x.x.10.1 and x.x.20.1. I normally access the device through 20.1. So I created a VS to access 10.1. However, looking at the tcpdump, I don't see any response back from 10.1 when I access it through the VS. Thus, I get "page cannot be displayed". If I access 10.1 without going through the VS, it works fine. Just wondering if anyone knows what the issue may be off the top of their heads.
The reason I created a VS to access the device was so I can apply an access policy I created to use 2FA. The policy authenticates the user against LDAP and then, if successful, prompts for your CAC, checks its validity and, if successful, allows the user to the pool member. In this case, 10.1. From the tcpdump, I see this happening. Again, I just don't see any response from 10.1.
- Kevin_StewartEmployee
Okay, I just booted into 11.6HF5 and can confirm that it works if you point the node command at the management port IP (not a VLAN self IP).
- SonnyCirrus
Correct, 10.1 is the management port. 20.1 is the self IP. I noticed you used brackets [] for the IP...if I used them, I get "undefined procedure" message.
- Kevin_StewartEmployee
I'm using brackets to indicate "put some data here".
when ACCESS_ACL_ALLOWED { node 192.168.1.245 443 }
- SonnyCirrus
Okay, still scratching my head on why it works for you and not me. I'll noodle on it. Just to correct my earlier post, the iRule in place is:
when ACCESS_ACL_ALLOWED { node x.x.10.1 443 }
- Kevin_StewartEmployee
Yes, but to be absolutely clear:
- This is the management port IP, not a VLAN self-IP
- Serverssl must be applied to the APM VIP
Try this. Just create a very simple access policy with a logon page and test your config with that:
start -> logon page -> allow
- SonnyCirrus
Yes, it's the management IP...from bigip_base.conf:
edition "Engineering Hotfix HF5"
hostname XXXXXXXX
key /Common/dtdi.key
management-ip x.x.10.1
marketing-name "BIG-IP 10200"
"serverssl must be applied to the APM VIP"? I'm not sure what you mean with this statement. My VS uses a clientssl. It doesn't work when a server SSL profile is used. How would I apply a serverssl profile to the APM VIP?
I tried the simple access policy and it has the same results:
2015-10-01 12:57:54 Following rule 'fallback' from item 'Logon Page(1)' to ending 'Allow'
- Kevin_StewartEmployee
"serverssl must be applied to the APM VIP"? I'm not sure what you mean with this statement. My VS uses a clientssl. It doesn't work when a server ssl profile is used. How would apply a serverssl profile to APM VIP?
The management GUI is only listening on port 443 HTTPS, so you absolutely have to have a server SSL profile applied to the VIP.
- SonnyCirrus
Okay, I've never applied a server SSL profile to a management VIP. How would you go about it? I'm on system, platform, config and I don't see anywhere I can apply one.
- Kevin_StewartEmployee
No. In order to use APM in front of the BIG-IP management GUI, to achieve 2FA, you're going to have to create a standard LTM virtual server with an access policy. In that LTM virtual server you're going to have to apply an HTTP profile, the access profile, a client AND server SSL profile, and the aforementioned iRule. I'm not quite sure what you mean by "management VIP". You can't use the BIG-IP VLAN self-IPs here.
client -> standard HTTPS APM VIP -> iRule -> BIG-IP management port IP:443
Instead of a load balanced pool, you're using an iRule with the node command to send the traffic to a specific IP: the management port IP. And because the management port is only listening on HTTPS 443, you need a server SSL profile on the LTM/APM VIP.
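As an added example (not the iRule posted in this thread), here is the same node-command iRule extended with logging, so the access policy result and the forwarding decision appear in the LTM log instead of having to be inferred from tcpdump. The management port IP x.x.10.1 and the session variable session.logon.last.username are assumptions to adjust for the actual deployment.

```tcl
# Added example, not the thread's own iRule. Attach to the standard HTTPS virtual
# server that carries the access profile, HTTP profile, client SSL and server SSL.
# Assumes: x.x.10.1 is the management port IP (not a VLAN self IP) and the logon
# page in the access policy populates session.logon.last.username.

when ACCESS_POLICY_COMPLETED {
    # Log every policy outcome (allow / deny / redirect) with the user and client,
    # so a failing LDAP or CAC step is visible in /var/log/ltm.
    set user [ACCESS::session data get "session.logon.last.username"]
    log local0. "mgmt-gui APM result=[ACCESS::policy result] user=$user client=[IP::client_addr]"
}

when ACCESS_ACL_ALLOWED {
    # Reached only for requests that passed the access policy and its ACLs.
    # Forward to the management port IP; the server SSL profile on this virtual
    # server re-encrypts toward the GUI, which listens only on HTTPS 443.
    set user [ACCESS::session data get "session.logon.last.username"]
    log local0. "mgmt-gui access allowed user=$user client=[IP::client_addr] uri=[HTTP::uri]"
    node x.x.10.1 443
}
```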
- SonnyCirrus
I get what you are saying. I think we had a misunderstanding. Yes, I created a VS and applied the AP and the client and server profiles along with the iRule.
ltm virtual /Common/vs_CAC_test {
    description "Testing CAC and AD authn"
    destination /Common/x.x.20.254:443
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        /Common/ap_simpleLogon { }
        /Common/apm-default-serverssl { context serverside }
        /Common/clientssl-eis2-lbtest { context clientside }
        /Common/http { }
        /Common/rba { }
        /Common/tcp { }
        /Common/websso { }
    }
    rules { /Common/irule_LTM_access }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}