Forum Discussion
VPN split tunneling is something you need to check then:
https://support.f5.com/csp/article/K92105136
- MoonlitCirrus
As Nikoolayy1 mentioned, you could route the IP addresses of the website through the VPN tunnel, if what you need to achieve is to actually route the TCP traffic to the webserver over your corporate network.
In that case you also need to consider whether the IP addresses might change soon, in which case you should choose another method, such as forcing that website through a SOCKS proxy on your internal network by controlling the proxy config on your clients.

Your question can also be interpreted like this: You have published a web page on BIG-IP LTM/AWAF, and you want to prevent the entire internet from accessing it while allowing people connected to your enterprise network or your VPN to use it.
This is a wholly different matter - when I need to restrict a web page to certain IP addresses, I create an Address Data Group containing the IPs I want to allow (or deny) on my BIG-IP LTM, then I make sure the Virtual Server is using an iRule instead of a pool as the resource. If you then want to only allow access from certain IPs, you need an iRule such as this:

```tcl
when HTTP_REQUEST {
    switch -glob -- [string tolower [HTTP::host]] {
        "www.foo.com" {
            if { ( [class match [IP::client_addr] equals Add_DataGroup_Name] ) } {
                # Client IP is approved, allow access
                pool pool_name
                return
            } else {
                # Client IP denied access
                HTTP::respond 403
                return
            }
        }
    }
}
```
There are many more methods - for example, creating a Virtual Server and publishing the site on a Virtual Server that is only accessible internally (the VS is on a VLAN which is on your internal network).
Or, if you have BIG-IP APM, you could create a Portal object and publish an internal web site on your webtop so it will be reverse-proxied and made available to users logging on to your APM webtop.
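The allow-list decision in the iRule above is easy to get subtly wrong (host matching is case-insensitive glob, the data group may hold CIDR ranges as well as single hosts, and a host that matches no switch branch gets neither a pool nor a 403). The following Python model, added here as an illustration and not code from the post or from F5, reproduces that decision logic so it can be tested offline before the data group and iRule go onto a BIG-IP. The data group contents, the host patterns other than `www.foo.com`, and the pool name are constructed assumptions; it goes slightly beyond the post by accepting CIDR entries and wildcard host patterns, which the `-glob` switch and an Address Data Group already support.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed stand-in for the Address Data Group named in the post
# ("Add_DataGroup_Name"). Entries may be single hosts or CIDR ranges,
# exactly as an Address Data Group allows. All values are made up.
ALLOWED_ADDRESSES = [
    "10.0.0.0/8",      # constructed: corporate LAN
    "192.0.2.0/24",    # constructed: VPN client address pool (TEST-NET-1)
    "203.0.113.7",     # constructed: one partner host
]

# Host patterns are matched the way `switch -glob` does: lower-cased, glob.
# "www.foo.com" is the post's pattern; the wildcard entry is an assumption.
HOST_RULES = {
    "www.foo.com": "pool_name",        # pool name taken from the post
    "*.intranet.example": "pool_name",  # constructed extra pattern
}


def build_datagroup(entries):
    """Parse data-group entries into ip_network objects (a /32 or /128 for single hosts)."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def class_match(client_addr, datagroup):
    """Model of `class match [IP::client_addr] equals <datagroup>` for an address data group."""
    addr = ipaddress.ip_address(client_addr)
    return any(addr in network for network in datagroup)


def http_request(host, client_addr, datagroup, host_rules=HOST_RULES):
    """Model of the HTTP_REQUEST event.

    Returns the action the iRule would take:
      ("pool", <pool name>)  - client is in the data group, request is sent to the pool
      ("respond", 403)       - host matched but client is not in the data group
      ("no_match", None)     - no switch branch matched; the iRule does nothing, and since
                               the VS has no default pool, the request is not served
    """
    lowered = host.lower()  # [string tolower [HTTP::host]]
    for pattern, pool in host_rules.items():
        if fnmatchcase(lowered, pattern):  # switch -glob semantics
            if class_match(client_addr, datagroup):
                return ("pool", pool)
            return ("respond", 403)
    return ("no_match", None)


if __name__ == "__main__":
    dg = build_datagroup(ALLOWED_ADDRESSES)
    # Constructed sample requests: (Host header, TCP source address).
    for host, client in [
        ("www.foo.com", "10.1.2.3"),
        ("WWW.FOO.COM", "198.51.100.9"),
        ("app.intranet.example", "203.0.113.7"),
        ("other.example", "10.1.2.3"),
    ]:
        print(f"{host:24} {client:15} -> {http_request(host, client, dg)}")
```

Two things the model makes visible: `IP::client_addr` is the TCP peer address, so the data group must list the addresses clients actually arrive from (the VPN pool, or the NAT address of the corporate egress), and any Host value that matches no branch falls out of the switch with no pool selected, so a default branch or a default pool on the Virtual Server is worth deciding on deliberately.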