Forum Discussion

benderstine_258's avatar
benderstine_258
Icon for Nimbostratus rankNimbostratus
May 23, 2016

Understanding SSL VPN group configuration and virtual servers

Hello, I'm new to the f5 and the f5 SSL VPN configuration and have some conceptual questions around how to configure SSL VPN groups. I'm coming from a Juniper SSL appliance background and am migrating to the f5. For the scenario let's say we have a company with a sales, marketing, IT, HR security groups in their Active Directory. To give each group on the Juniper its departmental VPN config we could set it up with one IP/departmentname. For instance it would look like: 123.456.789.10/sales, 123.456.789.10/marketing, 123.456.789.10/hr etc. We'd acctually give them a URL but the point is it all resolved to the same IP with the /department appended. So I'm trying to translate how I configure a similar scenario on the f5. So far I have a single VPN profile working successfully going to a single virtual server/IP- let's say that's IT. So now when I want to go add sales do I need to create a new virtual server with a new IP? Do I need a separate virtual server/public IP for each department?

 

The only other way I could figure out to do this was in my AD Query to check group membership I could chain them- have the first check for IT, then fall back to another query for sales, then that fall back to marketing, etc. So there would be a chain of AD queries. Is that how it's done?

 

Thank you,

 

Ben

 

  • Hi,

     

    You can configure a new VS for each department but it can be hard to maintain. I would recommand to use AD resource Group Assign block in the Visual Policy Editor. This way, you can assign different resources (Network Access, RDP, Portal, ACL, webtops, etc.) based on the group membership of the user.

     

    You can also split your policy to behave differently if the starting landing uri is /sales or /it, ...

     

  • Hi,

     

    You can configure a new VS for each department but it can be hard to maintain. I would recommand to use AD resource Group Assign block in the Visual Policy Editor. This way, you can assign different resources (Network Access, RDP, Portal, ACL, webtops, etc.) based on the group membership of the user.

     

    You can also split your policy to behave differently if the starting landing uri is /sales or /it, ...

     

    • benderstine_258's avatar
      benderstine_258
      Icon for Nimbostratus rankNimbostratus
      That answered my question, thank you. I hadn't registered the existence of the AD resource Group Assign block.
  • Hi,

     

    You can configure a new VS for each department but it can be hard to maintain. I would recommand to use AD resource Group Assign block in the Visual Policy Editor. This way, you can assign different resources (Network Access, RDP, Portal, ACL, webtops, etc.) based on the group membership of the user.

     

    You can also split your policy to behave differently if the starting landing uri is /sales or /it, ...

     

    • benderstine_258's avatar
      benderstine_258
      Icon for Nimbostratus rankNimbostratus
      That answered my question, thank you. I hadn't registered the existence of the AD resource Group Assign block.