

ecce
Sep 18, 2018

Identity aware-based ACL problem

I want to apply ACLs based on user identity (actually, AD group membership). Users connect via RA-VPN through a full webtop. This is a piece of cake with APM using an AD Group Assignment Resource agent. BUT, the problem in this case is that there are THOUSANDS of servers and APM's ACLs do not support a hierarchy (right?). The maintenance job will be overwhelming. It is required that network resources can be added and removed with minimal work, not in several ACLs.

 

I looked a bit at AFM, and there you can group address lists and so on in policies, creating a hierarchy. But - AFM has no identity awareness (right?). And it does not seem possible to apply an AFM policy in an APM VSE.

 

Is there a way to solve this in BIGIP? The fallback here is to use an external firewall, but I want to know if it is possible to solve this in BIGIP alone.

 
