Forum Discussion
rod_23093
Nimbostratus
Aug 21, 2009
Pre Inspection Question
I have this situation.
I have a FirePass that presents both network access and Citrix portal access to users.
The problem I have is that I would like to allocate the SSL VPN network access only to our company laptops and Citrix portal access to all other non-company PCs.
I would guess I create a pre inspection policy that checks for certificates issued from our CA domain - that way we can tell which nodes belong to our network - however what I can't figure out is how do I dynamically map these applications.
company laptops get network access
non-company PCs get portal access
Any help would be appreciated.
thanks
rod
3 Replies
- psilvas
Altostratus
First go to Users>Endpoint Security>Protected configurations to create the rule for Network Access (can create multiple for multiple resources). You should be able to simply go to the bottom of the Network Access resource (creation) page and find: Endpoint Protection Required for this Resource Group - you can then select the Protected Config you created and attach it to that resource. Hope that helps.
ps
- rod_23093
Nimbostratus
Hi, thanks for your reply.
The problem is that I have user 1 who is a member of the Active Directory Laptop group, and is also a member of the domain users group.
The problem is that when user 1 logs in, say from an internet kiosk, he will be presented with both Citrix and network access - I want to restrict network access to non company computers so that no information can be saved locally (you would be able to do this via network access).
I need to know how to deliver different application access to a user who is a member of 2 different groups
(laptop users get network access)
(domain users get citrix portal access)
My user is a member of both these groups - however I need to be able to give him only Citrix portal access when logging in from a non work PC, and when he logs in using his laptop he gets network access.
Hope that's explained it better.
thanks
Rod
- rod_23093
Nimbostratus
Hi - I have solved my issue myself.
I created a pre logon sequence that checks the registry (specifically domain membership: key = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"."DefaultDomainName"="DOMAIN NAME").
I entered 2 actions, DOMAIN PC and NON Domain PC, and set up a new action that defined custom variables: for domain PC I entered domainmember=1 and for non domain PC I entered domainmember=2.
Domain PC was followed with a login allowed page and non Domain PC was followed with a Logon Denied Page.
I set up a new protected configuration called domain check and for the protection criteria I specified unauthorized access and added 2 custom checks, session.userdef.DomainMember==1 and session.userdef.DomainMember==2.
I then applied this new protected configuration to my SSL network access via the protected resources page and hey presto, it works.
Domain PCs now get full access and non domain PCs get restricted access (No SSL VPN).
Hope that helps.
Rod