Forum Discussion
Tika_92763
Nimbostratus
Jul 30, 2012
Source IP restriction without HTTP profile
Hello,
I have to create an iRule or find any other way.
Scenario: I am managing 2 Juniper SA 2500 (SSL VPN) devices in active/active clustering. Each client has their own sub-URLs -- https://sslvpn.company.com/abc, https://sslvpn.company.com/xyz for clients abc and xyz respectively. They get their own page for it. Clients use Windows Terminal Services and file sharing through SSL VPN. One of the clients wants to restrict its URL based on its source IP. I could not use X-Forwarded because SA devices do not work with an HTTP profile for terminal service and file sharing. How can I make an iRule or any other way which restricts https://sslvpn.company.com/abc to the source IP? And it should not affect other clients who use the same virtual server but different URLs. I am new to iRules.
Thanks,
Tika
2 Replies
- nathe
Cirrocumulus
Tika,
I think I'd create a data group of allowed source ips and then query on this and the URI.
E.g. (HTTP::uri is only available in an HTTP event such as HTTP_REQUEST, and the request URI starts with "/abc", not "abc"):
when HTTP_REQUEST {
    # Allow listed networks through; reject anyone else who asks for the /abc path
    if { ![class match [IP::client_addr] equals allowed_nets] && ([HTTP::uri] starts_with "/abc") } {
        reject
    }
}
Would this work for you?
N
- Brian_Van_Stone
Nimbostratus
Without an http profile you will not be able to query the URI.
Perhaps you can SNAT all requests from the restricted range to one SNAT pool, and all requests from the unrestricted range to a different SNAT pool. By doing this you could still perform IP restriction at the SA.
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals allowed_nets] } {
        snatpool allowedForABC
    } else {
        snatpool everyoneElse
    }
}
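The SNAT-based approach above works at the TCP layer, so it needs no HTTP profile. As an added example (not code from this thread), here are the BIG-IP objects that iRule depends on, created with tmsh, followed by the iRule with a log line so the decision can be audited. The data group must be of type ip so that CIDR records match the client address; the network 203.0.113.0/24 and the SNAT addresses 10.10.10.10 / 10.10.10.20 are constructed placeholders, and the SA must still be configured to allow /abc only from 10.10.10.10.

```tcl
# Assumed tmsh commands (run once on the BIG-IP, not part of the iRule):
#   create ltm data-group internal allowed_nets type ip records add { 203.0.113.0/24 { } }
#   create ltm snatpool allowedForABC members add { 10.10.10.10 }
#   create ltm snatpool everyoneElse members add { 10.10.10.20 }
# Then attach this iRule to the SSL VPN virtual server.

when CLIENT_ACCEPTED {
    # Runs on TCP connection setup, before any TLS or HTTP parsing,
    # so it works on a virtual server without an HTTP profile.
    set client [IP::client_addr]

    # An ip-type data group matches the address against CIDR records.
    if { [class match $client equals allowed_nets] } {
        # Source from the pool the SA trusts for the /abc realm.
        snatpool allowedForABC
        log local0. "client $client -> snatpool allowedForABC"
    } else {
        # Everyone else is sourced from a pool the SA does not trust for /abc;
        # their other realms (/xyz, ...) are unaffected.
        snatpool everyoneElse
        log local0. "client $client -> snatpool everyoneElse"
    }
}
```

Because the SA only sees the SNAT address, the per-realm source IP restriction on the SA is what actually enforces the policy; the BIG-IP simply sorts clients into the two pools.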