For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Kevin_Davies_40's avatar
Kevin_Davies_40
Icon for Nacreous rankNacreous
Jun 17, 2014

This is how far I have progressed. It is a work in progress, an hints or tips appreciated...

The Virtual is called vs_faketop and has the iRule below applied. The order of execution is

1st Pass

  • BIGIP Edge Client VPN connection follows second branch
  • iRule saves credentials into table.
  • Network access launches browser session back to the APM with /preauth?key=232343

2nd Pass

  • Browser connection with /preauth?key=23431134
  • Follows first branch
  • iRule retrieves login information for session
  • Opens webtop with supplied credentials.

This is the logging output from ltm/apm.

Think of it as VPN launching a Webtop as its final action. The SSO is done using tables. I tried to comprehend the APM documentation on layered virtual's providing single sign on but didn't get anywhere. If there is another way to do this I am all ears.

when HTTP_REQUEST {
  log local0. "...in HTTP_REQUEST"
  if {[HTTP::uri] eq "/preauth"} {
     retrieve credentials from table storage
    set key [URI::query [HTTP::uri] key]
    set username [table lookup $key:user]
    set password [table lookup $key:pass]
    log local0. "Retrieved credentials"
  }
}
when ACCESS_SESSION_STARTED {
  log local0. "...in ACCESS_SESSION_STARTED"
   inject credentials into session
  if {[info exists username]} {
    ACCESS::session data set session.logon.last.username $username
    ACCESS::session data set session.logon.last.password $password
    log local0. "Assigned credentials"
  }
}
when ACCESS_POLICY_AGENT_EVENT { 
  log local0. "...in ACCESS_POLICY_AGENT_EVENT"

   get current credentials
  set user [ACCESS::session data get session.logon.last.username]
  set pass [ACCESS::session data get session.logon.last.password]

   store them in a table
  set key [crc32 "$user:$pass"]
  table set $key:user $user
  table set $key:pass $pass
  log local0. "Saved credentials user=$user pass=$pass key=$key"

   define customer parameter used in Launch Applications under Network Access 
  ACCESS::session data set session.myapp "https://192.168.86.11/preauth?key=$key"
  unset user pass key
}

The problem at the moment is the app won't launch after the VPN connects. Also "pass" appears to come up empty.