Forum Discussion
Security considerations for APM portal access
Security considerations for APM portal access
We are publishing an application through APM with a portal access for the first time.
With no ASM in front, are there any security aspects we should consider for the actual "portal delivery"?
We can't do much about the application being published, but perhaps there are settings we should adjust that's not set out of the box for a portal app?
We've already set ACLs as described in theese posts
https://devcentral.f5.com/questions/portal-access-security-problem-manipulation-with-hex-string-in-url-mangle-allows-access-to-any-internal-website-how-to-restrict
https://devcentral.f5.com/articles/apm-security-protecting-internal-resources-using-acls
Is there anything else we should set as a best practice?
Any advice appreciated!
Thanks
/Andreas
- Lucas_Thompson_Historic F5 Account
For security in Portal Access, we generally recommend against proxying the internet, so keep it to internal applications using the split settings in the rewrite profile, so that you're only rewriting your domain.
So:
Split, ACLs. Those are probably the two biggest concerns.
- Lucas_Thompson_Historic F5 Account
Split settings are not relevant to ACLs except that any non-bypass content should be allowed by ACLs.
ACLs control access once the user tries to request content, allow or deny.
Split-settings control what rewrite tells the user about where the content is, either local or remote.
- AndOsCirrostratus
Thanks!
Are URIs compared first against the rewrite and bypass list and then ACLs? Or how does the split setting in rewrite profile work together with ACLs?
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com