For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Raymond_Feng_97's avatar
Raymond_Feng_97
Historic F5 Account
Jul 20, 2006

how to persistant client when using bigip load balance firepass

There is two problem when using bigip load balance firepass:   1> For ADSL client, when user logon the firepass, his adsl line dropped and reconnected adsl, so the client ip address had been change...
BIG-IP Access Policy Manager (APM)
remote access
security
Joel_Moses's avatar
Joel_Moses
Icon for Nimbostratus rankNimbostratus
Nov 30, 2007
I've got a bit of a modification to the BigIP LTM Firepass loadbalancing/offload iRule that allows you to enable "Selective" compression (if you are licensed for encryption) on the HTTP profile the VS uses. This effectively compresses all text/ mime types and javascripts that come through Firepass; in our testing, it can speed up pre-login sequences to high-latency clients (e.g., aircards) by as much as 30%.

------------------------------------------


when SERVER_CONNECTED {
  persist add source_addr [IP::client_addr] $::tmout2
}
when RULE_INIT {
  set ssl_handshake 0
   Persistence timeout if MRHSession cookie is 
   present
  set ::tmout 3600
   Persistence timeout if no cookie is found.
   Source IP persistence is used.
  set ::tmout2 600
}
when CLIENTSSL_HANDSHAKE {
  set ssl_handshake 1
}
when CLIENTSSL_CLIENTCERT {
  set ssl_handshake 1
}
when HTTP_REQUEST {
  set http_disable 0
  set sid [HTTP::cookie "MRHSession"]
   Handle cookieless clients
  if { $sid == "" } {
    set sid [findstr [HTTP::uri] "S=" 2 "&"]
  }
  if { $ssl_handshake == 1 } {
    HTTP::header replace "BIGIP" "on"
    HTTP::header replace "BIGIP_SSL_CIPHER" "[SSL::cipher name]"
    HTTP::header replace "BIGIP_SSL_CIPHER_USEKEYSIZE" "[SSL::cipher bits]"
    HTTP::header replace "BIGIP_SSL_PROTOCOL" "[SSL::cipher version]"
    set ssl_handshake 0
  }
  if { [HTTP::uri] starts_with "/myvpn" } {
    set sid [findstr [HTTP::uri] "sess=" 5 "&"]
    set http_disable 1
  }
  if { [HTTP::uri] starts_with "/tunnel" } {
    set sid [findstr [HTTP::uri] "sess=" 5 "&"]
    set http_disable 1
  }
  if { $sid != "" } {
    persist uie $sid $::tmout
  } else {
    persist source_addr [IP::client_addr] $::tmout2
  }
}
when HTTP_REQUEST_SEND {
  if { $http_disable != 0 } {
    clientside {HTTP::disable}
  } else {
    clientside {COMPRESS::enable}
  }
}
when HTTP_RESPONSE {
  set sid [HTTP::cookie "MRHSession"]
  if { $sid != "" && $sid != "deleted" } {
    persist add uie $sid $::tmout
  }
}