F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

shashe's avatar
shashe
Icon for Cirrus rankCirrus
Sep 25, 2022

How to enforce Role based access controls to VPN users?

I know we can assign role based apps to HTTP(webtop) remote users. How can I do the similar access control for vpn users using a client? Do I have to assign different groups a different IP pool and e...
security
James_Jinwon_Lee's avatar
James_Jinwon_Lee
Icon for Employee rankEmployee
Oct 01, 2022

When you authenticate your remote users with your AD, you can add one more action in the VPE to retrieve the user's group info from the AD. Then, you can assign the different applications on the webtop using the 'Advance Resource Assign' item. 

  • shashe's avatar
    shashe
    Icon for Cirrus rankCirrus
    Oct 03, 2022

    James_Jinwon_Lee Thanks for your response. What if I don't want to use webtop? Can I place those users in different subnets so I can apply Layer4 acls on APM?

    • Scot_JC's avatar
      Scot_JC
      Icon for Employee rankEmployee
      Nov 18, 2022

      Hi,

      Not 100% sure your environment and objectives, but we can always add some "Variable Assign" to the VPE, and with selecting "Confguration Variable", we can then choose Type: Network Access, Name: <NA_object_name>, and then "Property": we can override the original NA settings, especially if we already have some branching, in the VPE, per the group membership.

      Otherwise ... I know we can create some ACLs as an empty sheel, and develop some iRule code to add the ACEs, depending what we need to aloow or deny.