KSingh
Jul 12, 2022

How to force a specific site to go through the VPN, not directly to the public internet?

Example - I have a specific site which needs to be accessed only through the VPN or enterprise network. How can we allow or configure such a restriction on VPN F5?

We do not want users to access this site from the public internet.

2 Replies

  • As Nikoolayy1 mentioned, you could route the IP addresses of the website through the VPN tunnel, if what you need to achieve is to actually route the TCP traffic to the webserver over your corporate network.
    In that case you also need to consider whether the IP addresses might change soon, in which case you should choose another method, such as forcing that website through a SOCKS proxy on your internal network by controlling the proxy config on your clients.

    Your question can also be interpreted like this: You have published a web page on BIG-IP LTM/AWAF, and you want to prevent the entire internet from accessing it while allowing people connected to your enterprise network or your VPN to use it.
    This is a wholly different matter - when I need to restrict a web page to certain IP addresses, I create an Address Data Group containing the IPs I want to allow (or deny) on my BIG-IP LTM, then I make sure the Virtual Server is using an iRule instead of a pool as the resource. If you then want to only allow access from certain IPs, you need an iRule such as this:


    when HTTP_REQUEST {
        switch -glob -- [string tolower [HTTP::host]] {
            "" {
                # Put the site's host name (lowercase glob pattern) in the quotes above
                if { [class match [IP::client_addr] equals Add_DataGroup_Name] } {
                    # Client IP is approved, allow access
                    pool pool_name
                } else {
                    # Client IP denied access
                    HTTP::respond 403
                }
            }
        }
    }


    There are many more methods - for example, creating a Virtual Server and publishing the site on a Virtual Server that is only accessible internally (the VS is on a VLAN which is on your internal network).
    Or, if you have BIG-IP APM, you could create a Portal object and publish an internal web site on your webtop so it will be reverse-proxied and made available to users logging on to your APM webtop.
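
A dry run of the allow-list decision made by the iRule in the reply above, added here as an example and not part of the original post or of F5's code. The host name, the address ranges and the test clients are constructed assumptions; the Python functions only model the iRule's host match and `class match` lookup so the Address Data Group contents can be checked before they are loaded on the BIG-IP.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed sample values (assumptions, not taken from the post).
PROTECTED_HOST = "intranet.example.com"   # the switch -glob pattern
DATA_GROUP = [
    "10.0.0.0/8",          # enterprise network
    "192.168.50.0/24",     # VPN lease pool as seen by the virtual server
    "2001:db8:10::/48",    # IPv6 enterprise range
]
SAMPLE_CLIENTS = [
    ("Intranet.Example.com", "10.20.30.40"),
    ("intranet.example.com", "192.168.50.17"),
    ("intranet.example.com", "192.168.51.1"),
    ("intranet.example.com", "203.0.113.9"),
    ("intranet.example.com", "2001:db8:10:1::5"),
    ("other.example.com", "10.1.1.1"),
]

def load_data_group(records):
    """Parse records into networks; strict=True rejects entries with host bits set."""
    return [ipaddress.ip_network(r, strict=True) for r in records]

def class_match(client_addr, networks):
    """Model of 'class match <addr> equals <group>' for an address-type group."""
    addr = ipaddress.ip_address(client_addr)
    return any(addr.version == n.version and addr in n for n in networks)

def decide(host, client_addr, networks, pattern=PROTECTED_HOST):
    """Return 'pool', '403' or 'no-match', mirroring the iRule's branches."""
    # fnmatchcase approximates Tcl glob matching for simple patterns.
    if not fnmatchcase(host.lower(), pattern):
        return "no-match"   # no switch arm fires, so the iRule takes no action
    return "pool" if class_match(client_addr, networks) else "403"

def dry_run(clients=SAMPLE_CLIENTS, records=DATA_GROUP):
    """Evaluate every (host, client IP) pair against the data group records."""
    networks = load_data_group(records)
    return [(h, ip, decide(h, ip, networks)) for h, ip in clients]

if __name__ == "__main__":
    for host, ip, verdict in dry_run():
        print(f"{host:24} {ip:20} {verdict}")
```

A `no-match` verdict means the iRule selected no pool for that host, so what the client receives depends on whether the virtual server also has a default pool.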