Create an Irule for allow traffic only from redirection

For clarity, is a full redirect or a "portalized" (rewritten) resource on the webtop? When you click the link, does it redirect to a different URL, or the same URL with the /f5-w-something URI?

If it's a full and direct URL, you're telling the remote client to make a new request to a different URL on a different VIP. You can't apply any sort of ACL to prevent access if this is the only way to access it. Now if it's a portal rewrite resource, then the user never leaves the APM VIP and you can absolutely control access to the resource that way.

I might add that you could potentially control access if you used a domain cookie in the APM webtop policy and then checked for and validated that cookie when clients accessed the other VIP. If the client comes to the other VIP and doesn't have a valid APM (domain) session cookie, then don't allow access.