Tika_92763
Jul 30, 2012 Nimbostratus
Source IP restriction without HTTP profile
Hello,
I have to create an iRule or find any other way.
Scenario: I am managing 2 Juniper SA 2500 (SSL VPN) devices in active/active clustering. Each client has its own sub-URL -- https://sslvpn.company.com/abc, https://sslvpn.company.com/xyz for clients abc and xyz respectively. They get their own page for it. Clients use Windows terminal service and file sharing through the SSL VPN. One of the clients wants to restrict its URL based on its source IP. I could not use X-Forwarded because the SA devices do not work with an HTTP profile for terminal service and file sharing. How can I make an iRule, or find any other way, which restricts https://sslvpn.company.com/abc to the source IP? And it should not affect other clients who use the same virtual server but different URLs. I am new to iRules.
Thanks,
Tika
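- nathe (Cirrocumulus)
Tika,
    # HTTP::uri is only available in HTTP events, so this rule needs an HTTP profile
    when HTTP_REQUEST {
        # Reject requests for the abc URL from sources outside the allowed_nets data group
        if { ![class match [IP::client_addr] equals allowed_nets] and [HTTP::uri] starts_with "/abc" } {
            reject
        }
    }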
- Brian_Van_Stone (Nimbostratus)
Without an http profile you will not be able to query the URI.
    when CLIENT_ACCEPTED {
        if { [class match [IP::client_addr] equals allowed_nets] } {
            snatpool allowedForABC
        } else {
            snatpool everyoneElse
        }
    }
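One reading of the SNAT-pool reply above, modelled as an added example that is not code from the thread: the BIG-IP only tags the connection by source network, and the SSL VPN, which does see the URL, is assumed to carry a source-IP restriction on /abc that admits only the allowedForABC addresses. All IP addresses and the backend rule table are constructed for illustration.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not from the thread.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # data group allowed_nets
SNAT_POOLS = {
    "allowedForABC": ["192.0.2.10", "192.0.2.11"],
    "everyoneElse": ["192.0.2.20", "192.0.2.21"],
}
# Assumed backend policy: the SSL VPN serves /abc only to allowedForABC addresses.
BACKEND_SOURCE_RULES = {"/abc": set(SNAT_POOLS["allowedForABC"])}


def select_snat_pool(client_ip):
    """Layer-4 decision made on the BIG-IP at CLIENT_ACCEPTED (no URI needed)."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in ALLOWED_NETS):
        return "allowedForABC"
    return "everyoneElse"


def backend_allows(snat_ip, path):
    """URL decision made on the SSL VPN, which sees the request path."""
    for prefix, sources in BACKEND_SOURCE_RULES.items():
        if path == prefix or path.startswith(prefix + "/"):
            return snat_ip in sources
    return True  # unrestricted sign-in URLs such as /xyz


def pools_are_disjoint():
    """If the pools share an address, the backend cannot tell the groups apart."""
    a, b = (set(SNAT_POOLS[p]) for p in ("allowedForABC", "everyoneElse"))
    return not (a & b)


def decide(client_ip, path):
    """Return (pool chosen by the BIG-IP, whether the backend serves the path)."""
    pool = select_snat_pool(client_ip)
    snat_ip = SNAT_POOLS[pool][0]  # every member of a pool gets the same verdict
    return pool, backend_allows(snat_ip, path)


if __name__ == "__main__":
    for ip, path in [("203.0.113.5", "/abc"), ("198.51.100.7", "/abc"),
                     ("198.51.100.7", "/xyz")]:
        print(ip, path, decide(ip, path))
```

The SNAT pool by itself blocks nothing; the restriction holds only while the two pools stay disjoint and the backend rule on /abc is in place.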