Moorthy_63564
Nov 17, 2010

iRule for knowing the user

Hi,

Can an LTM “know” – which user a request is coming from? It should know because it is an Application Level Proxy.

Can this user information be captured? Based on the user information can an AD group attribute be retrieved? And based on the group retrieved – can a load balancing decision be taken to redirect the user to a higher performance pool – compared to another group that gets redirected to a regular pool?

Moorthy.

  • Moorthy: the answer here is yes - put the APM module onto a BigIP and all of this should be possible. Check with your Field Systems Engineer about what the requirements are and they'll be able to help you sort through any details. To sum it all up though, APM can serve as a generic authentication proxy, and as such it's privy to all of the information you'll be interested in (and much, much more). So you'll fetch the attributes in question, then make some smart decisions on where folks should go based on whatever AD ships back.

    Good luck. Oh, and if you don't mind, would you please post back any designs you come up with here? APM is an extremely powerful tool and folks are using it to do some slick stuff. Now we just need to get more of it socialized!

    -Matt
  • Hi Matt,

    Thanks for your reply. I got your answer, but here my setup is that the LTM is going to load balance the proxy servers, so my requirement is that I want to know which user is going through which proxy server. Is it possible to get that report (without ASM) by iRule?

    Moorthy

  • Yes, it is possible. There are several examples in the codeshare regarding LDAP; this one should get you started:

    LDAP Proxy: http://devcentral.f5.com/wiki/default.aspx/iRules/LDAPProxy.html

  • You can parse the username (and password) from requests and select a pool based on that information.

    But if you want to make an LDAP call to Active Directory to select the pool, you'd need APM or the Advanced Client Auth module and an iRule. The ACA+iRule option would be a lot more complex compared with APM, as APM gives you a GUI for configuring the lookups. The iRule would also require more maintenance/regression testing during upgrades of the LTM code. As Matt suggested, it would be good to get in touch with an F5 SE to discuss your scenario in more detail.

    Aaron
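
Added example, not part of the original thread and not any poster's code: an iRule for the LTM-only approach Aaron describes, applied to a pool of forward proxies. It parses the username from a Basic `Proxy-Authorization` header, picks a pool from a static data group, and logs which proxy each user was sent to. The data group `priority_users_dg` and the pools `proxy_pool_fast` and `proxy_pool_regular` are hypothetical names; it assumes clients authenticate to the proxies with Basic (NTLM and Kerberos tokens cannot be decoded this way) and it makes no AD lookup.

```tcl
when HTTP_REQUEST {
    # "-" marks requests without usable Basic proxy credentials.
    set proxy_user "-"

    if { [HTTP::header exists "Proxy-Authorization"] } {
        set hdr [HTTP::header value "Proxy-Authorization"]

        # Only the Basic scheme carries "user:password" in decodable form.
        if { [string tolower [string range $hdr 0 5]] eq "basic " } {
            set b64 [string trim [string range $hdr 6 end]]

            # catch guards against malformed base64 sent by the client.
            if { ![catch { b64decode $b64 } creds] } {
                set idx [string first ":" $creds]
                if { $idx > 0 } {
                    # Keep the username only; the password is never stored or logged.
                    set u [string range $creds 0 [expr {$idx - 1}]]
                    # Neutralise control and non-ASCII bytes so a crafted name
                    # cannot forge log lines, and cap the length.
                    regsub -all {[^\x21-\x7e]} $u "?" u
                    set proxy_user [string range $u 0 63]
                }
            }
        }
    }

    # Static data group of usernames (hypothetical name); group membership
    # from AD would need APM or ACA as noted in the thread.
    if { [class match $proxy_user equals priority_users_dg] } {
        pool proxy_pool_fast
    } else {
        pool proxy_pool_regular
    }
}

when LB_SELECTED {
    # One line per load-balancing decision: who went through which proxy.
    log local0.info "proxy_audit user=$proxy_user client=[IP::client_addr] proxy=[LB::server addr]:[LB::server port]"
}
```

The username here is whatever the client claims before the proxy has validated it, so treat the log as a routing record and reconcile it against the proxy's own authentication logs.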