Forum Discussion
How to control access to multiple webapps behind a single virtual server using AD groups
I have a number of webapps behind a single virtual server. Access to each webapp should be granted based on group membership in an AD group.
Example:
VirtualServer1 (Extranet.example.test)
  Webapp1 (Extranet.example.test\webapp1)
    members of AD\Webapp1-access group should only have access to this webapp
  Webapp2 (Extranet.example.test\webapp2)
    members of AD\Webapp2-access group should only have access to this webapp
  Webapp3 (Extranet.example.test\webapp3)
    members of AD\Webapp3-access group should only have access to this webapp
What is the best way to accomplish this?
Currently, I use iRules to direct traffic based on the path\uri to the correct application pool. When I assign an Access Policy to VirtualServer1, I can control authentication based on the Landing URI variable, but once authenticated a user is able to gain access to any one of the 3 apps. It seems Access Policies are not able to be assigned dynamically via iRules. I started to test using a separate 'Internal Virtual Server' for each app but am unable to assign an HTTP profile and Access Policy to this type of Virtual Server either. What am I missing, is there a better way to accomplish this?
Thanks,
Dan
3 Replies
- Brad_Parker
Cirrus
Take a look at this article; it should be able to do exactly what you are looking for.
https://devcentral.f5.com/articles/apm-security-protecting-internal-resources-using-acls
- Dan_Ezell
Nimbostratus
Any insight on how to apply this procedure to resources/webapps assigned via iRules in a Virtual Server (vs. resources assigned via Portal Access, which the article is written for)?
Thank you,
Dan
- Brad_Parker
Cirrus
You could try something like this:
    when HTTP_REQUEST {
        # Match the lower-cased request URI against each webapp prefix and
        # require the corresponding AD group in the memberOf attribute that
        # APM stored in the session. starts_with is a plain prefix test, so
        # "/webapp10" would also match the "/webapp1" branch.
        if { [string tolower [HTTP::uri]] starts_with "/webapp1" } {
            if { not ([ACCESS::session data get session.ad.last.attr.memberOf] contains "CN=Webapp1-access") } {
                HTTP::respond 403
            }
        } elseif { [string tolower [HTTP::uri]] starts_with "/webapp2" } {
            if { not ([ACCESS::session data get session.ad.last.attr.memberOf] contains "CN=Webapp2-access") } {
                HTTP::respond 403
            }
        } elseif { [string tolower [HTTP::uri]] starts_with "/webapp3" } {
            if { not ([ACCESS::session data get session.ad.last.attr.memberOf] contains "CN=Webapp3-access") } {
                HTTP::respond 403
            }
        }
    }
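A data-group-driven variant of the same check, added here as an example and not part of the original reply: it keys the required group on a path prefix with a trailing slash (so "/webapp10" no longer matches "/webapp1"), compares the full group DN instead of a substring, and runs in ACCESS_ACL_ALLOWED, which fires only after the Access Policy has completed for the session. The data group name dg_webapp_groups and the group DNs are hypothetical, and it assumes APM stores multi-valued AD attributes such as memberOf as a pipe-delimited string.

```tcl
# Hypothetical String data group, created outside the iRule:
#   ltm data-group internal dg_webapp_groups {
#       type string
#       records {
#           /webapp1/ { data "CN=Webapp1-access,OU=Groups,DC=ad,DC=example,DC=test" }
#           /webapp2/ { data "CN=Webapp2-access,OU=Groups,DC=ad,DC=example,DC=test" }
#           /webapp3/ { data "CN=Webapp3-access,OU=Groups,DC=ad,DC=example,DC=test" }
#       }
#   }
when ACCESS_ACL_ALLOWED {
    # Lower-case the path and append a slash so that "/webapp1" and
    # "/webapp1/index.html" both match the "/webapp1/" record while
    # "/webapp10" does not.
    set path "[string tolower [HTTP::path]]/"
    set required_dn [string tolower [class match -value $path starts_with dg_webapp_groups]]
    if { $required_dn eq "" } {
        # Not one of the protected webapps; nothing further to enforce here.
        return
    }

    # Assumption: APM stores memberOf as "|CN=...,DC=test|CN=...,DC=test|".
    # Split it into individual DNs and look for an exact, case-insensitive match
    # rather than a substring, so "CN=Webapp1-access-readonly" does not qualify.
    set member_of [string tolower [ACCESS::session data get session.ad.last.attr.memberOf]]
    set groups [split [string trim $member_of "|"] "|"]
    if { [lsearch -exact $groups $required_dn] < 0 } {
        log local0. "APM authz denied [ACCESS::session data get session.logon.last.username] to $path"
        ACCESS::respond 403 content "Forbidden" "Content-Type" "text/plain"
        return
    }
}
```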