Forum Discussion

  • On your FirePass appliance go to the admin page and access Online Help. Carefully read the topic Index : Device Management : Customization : Global. Also read the posts in the Firepass Customization forum (where this is posted).

     

     

    Take a look at http://connect.delta.com. Is this the level of customization that you want? If so, add appropriate .inc files as described in the Online Help. For example, the text to the right in the above-cited web page is HTML text from /sandbox/right.inc. You can put files and directories into your sandbox. To refer to an image in a /sandbox/image directory you cannot use a relative path. Refer to /sandbox/image/myimage.jpg, for example.

     

     

    You'll find that attempting to customize beyond adding these .inc files is far more difficult and far less well documented.

     

  • I've found that I can do the following:

     

     

    Create a fully customized index.htm login page with username, password, and a customized submit button.

     

     

    Create a pretty good looking login error page exposing the standard FirePass login box which will convey errors and allow password change when forced by password expiration. I'm using right.inc for this.

     

     

    Create a fully customized logout page using logout.inc.

     

     

    I have not been able to do a completely customized login error page. I can completely overlay the standard FirePass page. The problem with this is that FirePass may present a password change control. These different controls (login, password change) will be hidden. If you don't need to support anything other than login, you can completely cover the page surface, give a "login failed" message, and provide a link back to your index.htm page. You might be able to use JavaScript to walk the domain tree, find the error message, and present it in your overlay page.

     

     

    I have also not been able to present anything from an IP-specific subdirectory other than the initial index.htm. The .inc files come from the /sandbox directory.

     

     

    If you would like a .zip file that you can restore to your sandbox directory that demonstrates the first three items in this reply, email me jhuffman at onecommunications.com.
  • You can also replace the default index page using the Sandbox. The sandbox will host any standard HTML you can come up with, as well as customized JavaScript.

     

     

    My firepass has a fully customized main page, with links that go to different types of resources. All users get a certain level of access to email and company directory. Other users get a full suite of applications if they pass AV and Firewall checks. I've also added options that go straight to RDP/Citrix. All of this can be done via Landing URI customization. I have an extensive pre-logon inspection policy that evaluates landing URIs as well as endpoint inspectors. Based on the logic of the prelogon inspection, users may be required to auth with just a username/password, local Certificate, and/or RSA token.

     

     

    If a user fails a check for a resource, they are re-directed to custom remediation pages explaining what went wrong and what they can do to fix it. I'm doing all of this stuff before the user even logs in for dynamic group mapping to kick in.

     

     

    It's been my experience that F5 lacks documentation on the advanced/cool features of Firepass. However, once you figure out how to use the advanced features, it's the most customizable, flexible product on the market.

     

     

    Good luck!
  • I realize that this is an old post, but does anyone have any examples they would like to share? I'm especially interested in how brendan.oconnor was able to get username/password and/or RSA token authentication based on prelogon inspection. I'm trying to have AD + token authentication for one virtual host and AD only authentication for another.

     

     

    I'm also interested in /sandbox file examples. I created an index.htm file from modified page source, but it does not work with endpoint inspection because it does not contain valid client data.

     

     

    Thanks,

     

    Matt
  • Ditto

     

     

    We're trying to create a custom logon page and a custom landing page.

     

     

    However if we use customfoot.inc for this you can see the old login page flash up before the new one which isn't very professional.

     

     

    So the questions I have are:

     

     

    1) Can we have a custom index.htm file with the preauth checks? If so how?

     

     

    2) Can we determine whether certain checks have passed in the landing page? I want to display the VPN icon if the user has passed the certificate check.

     

     

    3) Where do I get more information about this from - F5, do you have any further documentation?

     

     

    Regards

     

     

    Dan
  • Matt,

     

     

    We are using virtual hosts with the prelogon inspection and custom index.htm files. First we check for the IP address they are hitting. That determines which logon page they get. Then we check the client machine for a reg key and a hidden file. If those are present, we continue the check for the AV, Firewall etc. You could do something similar for the RSA token.

     

     

    * When using virtual hosts, the folder names in the sandbox have to be the IP address of the virtual host.

     

     

    Dan,

     

     

    Yes you can use a custom index.htm file with prelogon checks. Set this up with virtual hosts and point the prelogon inspection to the virtual host.

     

     

    You can use protected resources for the vpn icon. I think they will not get the icon if they do not pass the check. * I have not had a chance to test this, but that is the theory.

     

     

    As for more information, the boards are probably going to be the best place to look. Or get ahold of your SE.