For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Willy's avatar
Willy
Icon for Nimbostratus rankNimbostratus
Dec 14, 2016

IP address filter on Virtual RDP server

I am running an LTM/ASM version 11.5.4. Recently an RDP virtual server was setup. Intention is to limit the IP addresses. Only few IP addresses are allowed access to this VS. The ASM module seems to ...
application delivery
ASM Advanced WAF
BIG-IP
security
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Dec 14, 2016

Hi Willy,

you may use one of the iRules below...

IP::addr based iRule:

The IP::addr based syntax is ideal, if just a few IPs or Subnets are requiring access (less than 5).

when CLIENT_ACCEPTED {
    if { ( [IP::addr [IP::client_addr] equals "10.0.0.0/8"] )
      or ( [IP::addr [IP::client_addr] equals "172.16.0.0/12"] ) 
      or ( [IP::addr [IP::client_addr] equals "192.168.0.0/16"] ) } then {
         Allow the request
    } else {
        reject
    }
}


[class]
/ data-group based iRule:

The 

[class]
/ data-group based syntax is ideal, if just if many IPs or Subnets are requiring access (more than 5)

iRule: 

when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals DG_ALLOWED_RDP_CLIENTS] } then {
         Allow the request
    } else {
        reject
    }
}

Data-Group: 

ltm data-group internal DG_ALLOWED_RDP_CLIENTS {
    records {
        10.0.0.0/8 {}
        172.16.0.0/12 {}
        192.168.0.0/16 {}
    }
    type ip
}

Cheers, Kai