For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

ThomasP's avatar
ThomasP
Icon for Altostratus rankAltostratus
Mar 20, 2020
Solved

Is network access bypassing APM logon pages?

Hello, Maybe it's a stupid question but I've been wondering about it for a while without finding a proper answer. Usually, you can either access your web apps remotely through APM or you can use a...
BIG-IP Access Policy Manager (APM)
security
  • PeteWhite's avatar
    PeteWhite
    Mar 20, 2020

    If APM is being the gatekeeper then if you have a VPN session then you are authenticated. If you then want to access the app then you are already authenticated with APM.

PeteWhite's avatar
PeteWhite
Icon for Employee rankEmployee
Mar 26, 2020
Hi Thomas, Take a look at https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-0-0/20.html and possibly https://devcentral.f5.com/s/articles/apm-full-step-up-authentication-903
Bazsi's avatar
Bazsi
Icon for Altostratus rankAltostratus
Sep 10, 2024

Hello PeteWhite, If I understand there is no way to change this behaviour, the Edge Client has no respect to the profile scope setting?
My usecase is that the new service I'm working on should be fully independent. Testers should be able to use the service the same way regardless where they are coming from, internal networks, VPN or the internet (in the future). Futhurermore the new service uses completely different preprod AAA thant the production VPN and the testers usually impersonate test users.

  • Lucas_Thompson's avatar
    Lucas_Thompson
    Icon for Employee rankEmployee
    Sep 10, 2024

    Users coming in from a VPN that is terminated on a BIG-IP are already APM-scoped into their existing Access session on that BIG-IP. They may not create another separate user session through that connection.

    On the one hand, it allows BIG-IP to apply any user data to a network flow, such as inserting SSO information gathered during authentication or authorization inside of the VPN connection so that users can have completely transparent L4 SSO. Other interesting things are also possible with iRules.

    On the other hand, it means that a user cannot connect to the VPN and then login to a webtop where both belong to the same BIG-IP.

      

    • Bazsi's avatar
      Bazsi
      Icon for Altostratus rankAltostratus
      Sep 11, 2024

      Hi Lucas_Thompson, Thanks for the clarification! I've found that if the second access policy is in an other route domain than the VPN it can maintain a separate APM session so it could be one way to work around this.

      • Lucas_Thompson's avatar
        Lucas_Thompson
        Icon for Employee rankEmployee
        Sep 11, 2024

        These results are interesting! Thanks for the info.

        When you configure APM services on a BIG-IP, APMD compiles the access policies and stores this information inside of TMM's sessiondb, which is indeed scoped so that the data are separated. However, APMD ordinarily will only operate on policies that belong to a single route domain and ignore other policies.

        Can you share how you're setting up the administrative partitions, route domain, and VLANs in your environment, and what version you're using? Additionally if you're declaring route domains explicitly on your APM-profile vips, or inferring them from an admin partition. I'd like to try to reproduce this in a lab to examine what's happening more closely.