Forum Discussion

MDPF5_152674's avatar
MDPF5_152674
Icon for Altostratus rankAltostratus
May 10, 2016

Select Node based on a previous LB selection

Hi DevCentral,

 

I would like to ask your opinion/suggestion regarding the following requirement regarding an LTM/APM based scenario:

 

Scenario: I have an AAA - HTTP Server(APM) configured that points to http://10.10.10.10 which is my Virtual server that load balances the HTTP Custom Post request to two different servers(poolX). If the user is successfully authenticated the backend respond with a JSESSIONID cookie that is sent back to the client. The pool where the HTTP Post is sent is the same pool configured on the VS with the Access policy associated. So the problem is the following: BIG-IP send the Custom HTTP Post to the AAA HTTP Server (VS with poolX associated) after that the client need to be balanced to the same server selected during the Custom HTTP Post generated by BIG-IP, otherwise the client could be balanced on the server that does not have the "authenticated session".

 

Thanks in advance,

 

M.

 

application delivery
BIG-IP Access Policy Manager (APM)
LTM
security
  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    May 11, 2016

    Hi,

    In your VS 10.10.10.10 and APM-protected VS, you must configure universal persistence with JSESSIONID. both VS may use the same pool.

    After authentication, extract JSESSIONID cookie from HTTP Auth response (VPE / Variable Assign):

    session.custom.jsessionid = 
expr { [lindex [regexp -inline {JSESSIONID=([^;\\\r]*)} [mcget session.http.last.response_cookie]] 1] }

    Enable this irule on APM-protected VS to insert JSESSIONID in response after authentication:

    when ACCESS_POLICY_COMPLETED {
   if { ([ACCESS::policy result] equals "allow")} {
      set jsessionid [ACCESS::session data get session.custom.jsessionid]
      ACCESS::session data set session.user.sessiontype "ltm_apm"
      ACCESS::respond 302 noserver Set-Cookie "JSESSIONID=$jsessionid;path=/;HttpOnly;secure" Location [ACCESS::session data get session.server.landinguri]
   }
}