
veato
May 23, 2017

Force Access Policy Depending on User

I currently have a VS for SharePoint with no Access Policy as it only deals with trusted domain-joined clients. It does have a couple of iRules; one regarding NTLM (I think to facilitate single sign-on, although I didn't build this) and the second assigns a pool based on the requested URL.

Our organisation has partner organisations and whilst their username UPN suffix is different we're all members of the same AD. For example I am me@org1.com and the partner organisation is them@org2.com.

A requirement has arisen now whereby the partner organisation wishes to put 2FA in front of the SharePoint application, but I don't want to do this for everyone in the AD.

Is it possible then to force some kind of policy/rule/profile that only kicks in when a user e.g. "ORG2\them" attempts to access SharePoint, without forcing everyone to go through a logon process?

 

1 Reply

Hi Veato,

If I assume that you can read the "UPN" from your iRule, I think there are many ways to manage this.

First solution: fewer changes on your BIG-IP (but never tested)

1) Add an APM profile to your existing VS that will handle the 2FA

2) Add the command "ACCESS::disable" to your iRule to disable APM by default

3) Add a condition to check if your users have to do 2FA; if the condition is verified then do an "ACCESS::enable"

For more info check this https://devcentral.f5.com/wiki/iRules.ACCESS__enable.ashx

Second solution: requires more changes (already implemented)

You will need three VSs:

• VS_PARENT_PORT_443 // this VS will have only an iRule (no pool) with a condition to check the UPN; based on this variable it will redirect traffic to a sub-VS
• VS_CHILD_2FA_PORT_4443 // this VS will have an APM policy that will make the 2FA + pool_sharepoint
• VS_CHILD_PORT_4444 // this VS will process the traffic for other users that don't need the 2FA + pool_sharepoint

Hope it helps

Regards
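The first solution above (APM disabled per request by default, enabled only for the partner domain) as an added iRule sketch; this is not code from the reply or from F5. It assumes an APM profile is attached to the existing VS, that NTLM is passed through to SharePoint as in the original setup (so the iRule can read the domain from the NTLM Type 3 message rather than a UPN), and that the partner NetBIOS domain is "ORG2" (a constructed placeholder). Like the reply's first solution, it is untested against a live BIG-IP.

```tcl
# Added example, not part of the original post: per-request APM enable keyed on
# the NetBIOS domain carried in the client's NTLM AUTHENTICATE (Type 3) message.
when RULE_INIT {
    # Domain whose users must pass the APM (2FA) policy; constructed placeholder
    set static::mfa_domain "ORG2"
}

when HTTP_REQUEST {
    # Default for every request: bypass the access policy
    ACCESS::disable

    set auth [HTTP::header value Authorization]
    if { ![string match -nocase "NTLM *" $auth] } { return }

    # Decode the NTLMSSP blob; only message type 3 carries domain and user names
    set msg [b64decode [string range $auth 5 end]]
    if { [string length $msg] < 64 } { return }
    binary scan $msg a8i sig type
    if { $sig ne "NTLMSSP\x00" || $type != 3 } { return }

    # DomainNameFields at offset 28: Len(2) MaxLen(2) BufferOffset(4), little-endian
    binary scan $msg @28ssi dlen dmax doff
    set dlen [expr {$dlen & 0xFFFF}]
    if { $dlen == 0 || ($doff + $dlen) > [string length $msg] } { return }
    set domain [string range $msg $doff [expr {$doff + $dlen - 1}]]
    # With the Unicode flag the name is UTF-16LE; dropping NULs is enough for ASCII names
    set domain [string map [list "\x00" ""] $domain]

    if { [string equal -nocase $domain $static::mfa_domain] } {
        # Partner user: turn the access policy back on for this request
        ACCESS::enable
        log local0. "NTLM authenticate from domain $domain: enforcing access policy"
    }
}
```

The log line gives an audit trail of which requests were routed into the policy, which is the first thing to check when verifying the behaviour with a test account from each domain.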