IRule to Limit *Real* User Connections to VIP

Both examples are actually pretty close I think to what you want then. The idea is that, because HTTP is a stateless protocol, you first need a state mechanism for the client to identify itself across requests - a cookie. You then need a tracking mechanism on the server side to correlate all of the clients, based on their cookie "IDs", into a countable structure - the session table. That does not preclude a single user from opening up multiple browsers, getting separate cookies, and consuming multiple sessions - unless you can add something else to the state reference like a source IP address.