Forum Discussion

ThomasP's avatar
ThomasP
Icon for Altostratus rankAltostratus
Mar 20, 2020

Is network access bypassing APM logon pages?

Hello, Maybe it's a stupid question but I've been wondering about it for a while without finding a proper answer. Usually, you can either access your web apps remotely through APM or you can use a...
BIG-IP Access Policy Manager (APM)
security
  • PeteWhite's avatar
    PeteWhite
    Mar 20, 2020

    If APM is being the gatekeeper then if you have a VPN session then you are authenticated. If you then want to access the app then you are already authenticated with APM.

ThomasP's avatar
ThomasP
Icon for Altostratus rankAltostratus
Mar 26, 2020

Thank you Pete for your reply.

 

In that case, it seems that the APM checks (AD query for example) and variable assigments are bypassed, right? Is there any solution for these ?

 

Thank you

  • PeteWhite's avatar
    PeteWhite
    Icon for Employee rankEmployee
    Mar 26, 2020
    Hi Thomas, Take a look at https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-0-0/20.html and possibly https://devcentral.f5.com/s/articles/apm-full-step-up-authentication-903
    • Bazsi's avatar
      Bazsi
      Icon for Altostratus rankAltostratus
      Sep 10, 2024

      Hello PeteWhite, If I understand there is no way to change this behaviour, the Edge Client has no respect to the profile scope setting?
      My usecase is that the new service I'm working on should be fully independent. Testers should be able to use the service the same way regardless where they are coming from, internal networks, VPN or the internet (in the future). Futhurermore the new service uses completely different preprod AAA thant the production VPN and the testers usually impersonate test users.

      • Lucas_Thompson's avatar
        Lucas_Thompson
        Icon for Employee rankEmployee
        Sep 10, 2024

        Users coming in from a VPN that is terminated on a BIG-IP are already APM-scoped into their existing Access session on that BIG-IP. They may not create another separate user session through that connection.

        On the one hand, it allows BIG-IP to apply any user data to a network flow, such as inserting SSO information gathered during authentication or authorization inside of the VPN connection so that users can have completely transparent L4 SSO. Other interesting things are also possible with iRules.

        On the other hand, it means that a user cannot connect to the VPN and then login to a webtop where both belong to the same BIG-IP.

          

Related Content