Forum Discussion
Enable APM on Specific URI only and Force OTP
Hi All,
I am trying to selectively enable APM policy processing on a SharePoint subsite. Basically what I want to do is authentication and OTP enforcement on a subsite of SharePoint. I created the following iRule, which seems to work for the initial spawning of the F5 logon page. After logging on I get a "page cannot be displayed". After removing the iRule I am able to log on and get the OTP working, but...
I only want the OTP and authentication offload for a specific subsite. Removing the iRule makes all traffic go via APM. I created a Landing URI selection in the policy in which I only route traffic for the specific URI through a macro that does the authentication and OTP part. All other traffic not destined for the specific URI is allowed to go through directly via an Allow ending.
The problem is that users can go to the top-level site first and do a direct logon to SharePoint there. APM treats this traffic as allowed because of my Allow ending and sets the APM cookies. When users go to the specific subsite in the same browser session they will not be asked to enter their credentials and OTP, because APM detects the cookie that was set when the user browsed the top-level site. I can't block access to, or ask for OTP on, the top-level site and all other subsites because of the nature of the sites running on that farm. I tried the following iRule:
when HTTP_REQUEST {
    # Check the requested HTTP path (lower-cased so the match is case-insensitive)
    switch -glob [string tolower [HTTP::path]] {
        "/myuri*" {
            # Enable APM for this path
            ACCESS::enable
        }
        default {
            # Disable APM for all others
            ACCESS::disable
        }
    }
}
Hopefully you all have a better and functioning way to get this right...
Kind regards,
Martijn
6 Replies
Michael_Koyfman (Cirrocumulus):
Martijn,
There is a much better and cleaner way to do this, as playing with ACCESS::enable and ACCESS::disable on the same flow is not ideal.
I suggest the following. Leave your setup as is in terms of LTM flow. Remove the ACCESS profile from it. Create a new internal-only (like 192.168.10.10) virtual server that would look identical to your existing one and put the ACCESS profile on it. Also add a OneConnect profile with a 255.255.255.255 mask to your main existing virtual, the one you removed the ACCESS profile from.
Then modify your iRule, and instead of the ACCESS::enable command have this one: virtual virtual_name. Substitute the name of your internal virtual server where italicized, of course.
This way, any traffic that needs to be protected will be sent to the path that is always protected.
Give it a shot and let us know how it works out. Good luck
- Hi Michael, I tried but the use of virtual virtualname is not allowed under when HTTP_REQUEST. I finally solved it a little bit differently and dirty. See details here: https://devcentral.f5.com/questions/enable-apm-on-sharepoint-subsite-onlyanswer77972
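Michael's internal-virtual approach as an iRule, written here as an added example that is not from the thread or from F5: the public virtual carries no access profile, so an Allow ending can never set an APM cookie that a later subsite request would reuse, and only the protected path is handed to a virtual whose policy enforces logon and OTP unconditionally. It assumes a hypothetical internal virtual named vs_sharepoint_apm_internal, the OneConnect profile with a 255.255.255.255 mask on the public virtual, and a TMOS release that accepts the virtual command inside HTTP_REQUEST (Martijn reports below that his did not).

```tcl
# Added example, not the original poster's iRule. Attach to the PUBLIC virtual,
# which has NO access profile and a OneConnect profile (255.255.255.255 mask) so
# each HTTP request on a kept-alive connection can be steered independently.
# "vs_sharepoint_apm_internal" is a hypothetical name for the internal-only
# virtual (e.g. 192.168.10.10) that carries the access profile plus the same
# pool and profiles as the public one.
when HTTP_REQUEST {
    # Lower-case the path so /MyUri and /myuri are treated the same.
    set path [string tolower [HTTP::path]]
    switch -glob $path {
        "/myuri*" {
            # Protected sub-site: hand this request to the APM-enabled virtual.
            # Its policy can be a plain logon + OTP branch with no Allow
            # shortcut, because unprotected traffic never reaches it.
            virtual vs_sharepoint_apm_internal
        }
        default {
            # Everything else stays on this virtual and goes straight to the
            # SharePoint pool; APM is never consulted and sets no cookies.
        }
    }
}
```

The match is a prefix match, so /myuri-other would also be steered; tighten the pattern (for example "/myuri" and "/myuri/*") if sibling sites share the prefix.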
Hi Michael, thanks, I'm on holiday now but I will give it a go when I get back in the office.
Thanks!
Martijn
- Any update on this, Martijn?