Forum Discussion
Portal First
We have an F5 web portal and a few webtop links to virtual servers. Users are able to bypass the portal and go directly to the virtual server's webpage from the internet.
I would like to know how to set up an iRule or something else so that they cannot access the downstream virtual server and have to go through the portal first. Thank you.
3 Replies
- Injeyan_Kostas
Cirrostratus
You could use a multidomain SSO configuration.
Multidomain SSO can be selected in the APM policy, and then you configure all the FQDNs.
The primary should be your portal.
Then apply the APM policy to all VSs.
With this config, when a user tries to go directly to a VS, they will be redirected to the portal in order to authenticate. After successful authentication, they will continue to the requested VS.
You may not even need webtop links with this approach. But of course you can leave them for anyone accessing the portal itself first.
I'll add that in my experience it has been necessary to use a separate policy from the one that hosts the webtop. Easing the authentication burden on the user can be solved by using a remote authentication server (ADFS/SAML, etc.).
More info on multidomain SSO setup for APM policy is here: https://techdocs.f5.com/en-us/bigip-17-1-0/big-ip-access-policy-manager-single-sign-on-concepts-configuration/single-sign-on-and-multi-domain-support.html
- Injeyan_Kostas
Cirrostratus
You could use F5 itself as SAML IdP and SAML SP with different policies.
Indeed, you have more flexibility with separate policies, but when it comes to the portal scenario, it's just ugly to present SAML resources in the portal, as they are not easily customized visually.