Forum Discussion
L7 https ACL with APM SSL VPN not working
Hi,
If you want to control the L7 traffic with APM then yes, that's your only choice. But there is another way to achieve your goal:
you can control traffic to those encrypted apps using an LTM policy based on SNI.
No need to decrypt SSL; the policy will evaluate the SNI (which is based on the hostname) and you can create your desired action based on that.
For example, you can drop traffic, log it, redirect it to an error page...
Steps to do that:
- Make sure you have an LTM license (required for the SSL persistence profile you will need).
- Create a 0.0.0.0/0:443 virtual server INSIDE the tunnel (no HTTP profile, no SSL profiles).
- Attach an SSL persistence profile to the virtual server (that will allow the BIG-IP to parse the SSL hello packet and read the SNI).
- Create the policy that's using that.
Have a look at the following example for greater detail on SNI and LTM policy:
https://devcentral.f5.com/s/articles/sni-routing-with-big-ip-31348
Hope it helps.
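To show what the SSL persistence profile lets the BIG-IP do with an undecrypted connection, here is an added Python example (not from this post or the linked article): it parses the SNI extension out of a TLS ClientHello and makes the allow/drop decision an SNI-keyed LTM policy rule would make. The ClientHello bytes are constructed inline as sample input, and `sni_policy` and its allow-list are assumptions for illustration; a hello carrying no SNI cannot be classified and is dropped here.

```python
import struct

SNI_EXT = 0x0000  # TLS extension type for server_name (RFC 6066)

def build_client_hello(hostname=None):
    """Constructed minimal TLS 1.2 ClientHello record (sample input, not a capture)."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        sni = b"\x00" + struct.pack("!H", len(name)) + name     # name_type=host_name
        sni = struct.pack("!H", len(sni)) + sni                  # server_name_list
        exts = struct.pack("!HH", SNI_EXT, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32          # client_version, random
            + b"\x00"                            # session_id length 0
            + b"\x00\x02\x13\x01"                # one cipher suite
            + b"\x01\x00"                        # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type + 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def extract_sni(record):
    """Return the SNI hostname from a ClientHello record, or None if absent/not TLS."""
    if len(record) < 5 or record[0] != 0x16:        # not a TLS handshake record
        return None
    hs = record[5:]
    if not hs or hs[0] != 0x01:                      # not a ClientHello
        return None
    pos = 4 + 2 + 32                                 # handshake header, version, random
    pos += 1 + hs[pos]                               # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hs[pos]                               # compression_methods
    if pos + 2 > len(hs):                            # no extensions block at all
        return None
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == SNI_EXT:
            # server_name_list: 2-byte list length, name_type(1), name_length(2), name
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += elen
    return None

def sni_policy(record, allowed_hosts):
    """Assumed policy: forward only if the SNI matches the allow-list, else drop."""
    sni = extract_sni(record)
    if sni is None:          # no SNI: nothing to classify on, fail closed
        return "drop"
    return "forward" if sni.lower() in allowed_hosts else "drop"
```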