Pre Inspection Question

Question

I have this situation. 
&nbsp;  
&nbsp; I have a firepass that presents both network access and a citrix portal access to users. 
&nbsp;  
&nbsp; The problem i have is that I would like to allocate the SSL VPN network access only to our company laptops and citrix portal access to all other non company PC's. 
&nbsp;  
&nbsp; I would guess I create a pre inspection policy that checks for certificates issued from our CA domain - that way we can tell which nodes belong to our network - however what I can't figure out is how to i dynamically map these applications. 
&nbsp;  
&nbsp; company laptops get network access 
&nbsp; no company PC's get portal access 
&nbsp;  
&nbsp; Any help would be appreciated. 
&nbsp;  
&nbsp; thanks 
&nbsp;  
&nbsp; rod

psilvas · Answer

First goto Users&gt;Endpoint Security&gt;Protected configurations to create the rule for Network Access (can create multiple for multiple resources) You should be able to simply go to the bottom of the Network Access resource (creation) page and find: Endpoint Protection Required for this Resource Group - you can then select the Protected Config you created and attach it to that resource. hope that helps. 
&nbsp;  
&nbsp; ps

rod_23093 · Answer

Hi Thanks for your reply.  
&nbsp; The problem is that I have user 1 who is a member of Active Directory Laptop group, and is also a member of domain users group.  
&nbsp; The problem is that when user 1 logs in say from an internet kiosk he will be presented with both citrix and network access - I want to restrict network access to non company computers so that no information can be saved locally (you would be able to do this via network access)  
&nbsp; I need to know how deliver different application access to a user who is a member of 2 different groups  
&nbsp; (laptop users get network access)  
&nbsp; (domain users get citrix portal access)  
&nbsp; My user is a member of both these groups - however I need to be able to give him only citrix portal access when logging in from a non work PC, and when he logs in using his laptop he gets network access.  
&nbsp; Hope thats explained it better.  
&nbsp; thanks  
&nbsp; Rod

rod_23093 · Answer

Hi - I have solved my issue out myself. 
&nbsp;  
&nbsp; I created a pre logon sequence that checks the registry (specifically domain membership. key = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"."DefaultDomainName"="DOMAIN NAME"  
&nbsp;  
&nbsp; I entered to 2 actions DOMAIN PC and NON Domain PC and set up a new action that defined custom variables, for domain PC I entered domainmember=1 and for non domain pc i entered domainmember=2  
&nbsp;  
&nbsp; Domain PC was followed with a loging allowed page and non Domain PC was followed with a Logon Denied Page 
&nbsp;  
&nbsp; I set up a new protected configuration called domain check and for the protection criteria I specified unauthorized access and added 2 custom checks session.userdef.DomainMember==1 and session.userdef.DomainMember==2 
&nbsp;  
&nbsp; I then applied this new protected configuration to my SSL network access via the protected resources page and hey presto it works 
&nbsp;  
&nbsp; domain pc's now get full access and non domain pc's get restricted access (No SSL VPN) 
&nbsp;  
&nbsp; Hope that helps. 
&nbsp;  
&nbsp; Rod

Forum Discussion

Pre Inspection Question

Recent Discussions

SNI Sites not taking correct certificate.

How to Renew F5 Device Certificate

irule to enable http/2 acceleration

Service discovery is not happening in AS3

How to implement LTM forward proxy client to determine the diversion pool based on the domain name

Related Content

BIG-IP Edge Endpoint Inspection Failure pre-VPN

To Pre-authenticate or Not to Pre-authenticate

Inspecting a UCS file from a compromised BIG-IP

AFM Protocol Inspection rules for CVE-2022-3602 (aka SpookySSL)

Unsupported Snort Keywords in Protocol Inspection

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS