Tony_Olson_3272
Jul 14, 2017

split authentication

I have a customer that wants certain traffic to the same VIP handled 2 different ways:

 

You have the entire URL (Ex: bobsdonuts.krispy.krm) in pass through where we only need a subset of this in pass through (Ex: bobsdonuts.krispy.krm/config/baseurl.asp). As an example, the operators access the web page from the bobsdonuts.krispy.krm and get put into the bobsdonuts.krispy.krm/client/...... portion of the site. The operator and the client connection are two different paths.

 

Is this possible to do using the same VIP? Is there an access policy path that can achieve this?

 

  • I have customized one of my VIPs to allow this: domain.com/xyz/* authenticated, domain.com/xyz/eao.aspx no authentication.

     

    I have achieved this with iRules. Is this what you are looking to do?

     

  • I recommend having a look at the Microsoft Exchange Server deployment guide. That's where I found a solution.

     

    To get the one that is optimized for your TMOS version go to > Support > Documentation > BIG-IP LTM > Your Version Deployment Guides > Microsoft Exchange Server 2010 and 2013 (BIG-IP v11 - v13: LTM, APM, AFM)

     

    Basically it is the following with an added layer of security.

     

    when HTTP_REQUEST {
        if { [string tolower [HTTP::uri]] equals "/xyz/eao.aspx" } {
            ACCESS::disable
        }
    }

    If you do not want to have to look up the code for Exchange:

     

    priority 1
    when HTTP_REQUEST {
        set is_disabled 0
        switch -glob [string tolower [HTTP::path]] {
            "/ews/mrsproxy.svc" -
            "/ews/exchange.asmx/wssecurity" {
                set is_disabled 1
                set path [HTTP::path]
                ACCESS::disable
                HTTP::path _disable-$path
                pool 
            }
            "/autodiscover/autodiscover.svc/wssecurity" -
            "/autodiscover/autodiscover.svc" {
                set is_disabled 1
                set path [HTTP::path]
                ACCESS::disable
                HTTP::path _disable-$path
                pool 
            }
        }
    }
    
    when HTTP_REQUEST_RELEASE {
        if { [info exists is_disabled] && $is_disabled == 0 } { return }
        if { [info exists path] } {
            HTTP::path $path
            unset is_disabled
            unset path
        }
    }

    I can't claim to comprehend all the commands; however, it is about not giving access to more than the specified URL. One thing to note is the -glob command in the switches.

     

    -exact
    Use exact matching when comparing string to a pattern. This is the default.
    -glob
    When matching string to the patterns, use glob-style matching (i.e. the same as implemented by the string match command).

    I hope this will help you on your way.
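
The difference between `-exact` and `-glob` matching, and between testing `HTTP::uri` and `HTTP::path`, decides how many URLs end up skipping the access policy. The Python script below is an added example, not code from the thread or from F5: it models only the string matching (lowercasing, query-string removal, Tcl-style `*` and `?` globs), and the patterns and sample URIs are constructed from the path named in the question.

```python
import re

SAMPLE_URIS = [  # constructed request URIs, based on the path in the question
    "/config/baseurl.asp",
    "/Config/BaseURL.asp",
    "/config/baseurl.asp?lang=en",
    "/config/baseurl.asp/extra",
    "/config/other.asp",
    "/client/index.asp",
]

def tcl_glob(pattern):
    """Compile a Tcl string-match pattern (*, ? and backslash escapes) to a regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "[":
            raise ValueError("bracket sets are not modelled in this example")
        if c == "\\" and i + 1 < len(pattern):
            i += 1
            out.append(re.escape(pattern[i]))
        elif c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out), re.DOTALL)

def skips_policy(uri, patterns, mode="exact", match_on="path"):
    """True if the modelled iRule branch containing ACCESS::disable would run."""
    # HTTP::uri includes the query string; HTTP::path does not.
    value = uri if match_on == "uri" else uri.split("?", 1)[0]
    value = value.lower()  # mirrors [string tolower ...] in the thread's iRules
    if mode == "exact":
        return value in patterns
    return any(tcl_glob(p).fullmatch(value) for p in patterns)

def audit(patterns, mode="exact", match_on="path"):
    """Return the sample URIs for which the access policy would be disabled."""
    return [u for u in SAMPLE_URIS if skips_policy(u, patterns, mode, match_on)]

if __name__ == "__main__":
    for label, args in [("exact on path", (["/config/baseurl.asp"], "exact")),
                        ("exact on uri", (["/config/baseurl.asp"], "exact", "uri")),
                        ("glob /config/*", (["/config/*"], "glob"))]:
        print(label, "->", audit(*args))
```

Only the exact match on the path confines the unauthenticated exemption to the single page; the `/config/*` glob also exempts every other path under `/config/`.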