Forum Discussion
Force Access Policy Depending on User
Hi Veato,
If I assume that you can read the "UPN" from your iRule, I think there are many ways to manage this.
First solution: with fewer changes on your BIG-IP (but never tested)
1) Add an APM profile to your existing VS that will handle the 2 FA
2) Add the command "Access::disable" to your iRule to disable APM by default
3) Add a condition to check if your users have to make 2 FA, if the condition is verified then do an "Access::enable"
For more info check this https://devcentral.f5.com/wiki/iRules.ACCESS__enable.ashx
Second solution: requires more changes (already implemented)
You will need three VSs:
- VS_PARENT_PORT_443 // this VS will have only an iRule (no pool) with a condition to check the UPN, based on this variable it will redirect traffic to sub-VS
- VS_CHILD_2FA_PORT_4443 // this VS will have an APM policy that will make the 2 FA + pool_sharepoint
- VS_CHILD_PORT_4444 // this VS will process the traffic for other users that don't need the 2 FA + pool_sharepoint
Hope it helps
Regards
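
Added example, not part of the original reply and not F5's own code: a sketch of the parent-VS iRule from the second solution, which sends a request to the 2FA child VS unless the UPN is known and not on the 2FA list. The header name `X-User-UPN` and the data group `dg_2fa_upns` are hypothetical; the virtual server names are the ones used in the reply.

```tcl
# iRule attached to VS_PARENT_PORT_443 (no pool on this VS).
#
# Assumptions (not from the original post):
#   - the UPN can be read from the hypothetical header X-User-UPN;
#     replace this with however your deployment really obtains the UPN.
#     A value the client can set freely must not decide whether 2FA is skipped.
#   - dg_2fa_upns is a hypothetical string data group holding the
#     lower-cased UPNs of users who must pass 2FA.
when HTTP_REQUEST {
    # Normalise so the comparison is not defeated by case or stray whitespace.
    set upn [string tolower [string trim [HTTP::header value "X-User-UPN"]]]

    if { $upn eq "" } {
        # Fail closed: an unreadable UPN is treated as "2FA required".
        log local0.notice "No UPN from [IP::client_addr], sending to 2FA VS"
        virtual VS_CHILD_2FA_PORT_4443
        return
    }

    # "--" ends option parsing so a UPN starting with "-" is not read as a flag.
    if { [class match -- $upn equals dg_2fa_upns] } {
        # User is listed: the APM policy on this VS performs the 2 FA.
        virtual VS_CHILD_2FA_PORT_4443
    } else {
        # User is not listed: plain VS in front of pool_sharepoint.
        virtual VS_CHILD_PORT_4444
    }
}
```

With this layout the child virtual servers should only be reachable through the parent VS; if clients can connect to VS_CHILD_PORT_4444 directly, the UPN check is bypassed.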