Forum Discussion

JRahm (Admin)
Jan 24, 2005

Universal Persistence by client tcp port

All clients exiting ssl vpn tunnel will share source IP of the appliance, so I need to persist by client tcp port instead to make sure all clients remain on the correct terminal server. I am unfamiliar with iRules, and I am in the process of evaluating BigIP (prepurchase). Can anyone suggest a method? My best crack would be:

    rule client_tcpport_persist {
       when CLIENT_ACCEPTED {
          set cl_tcpport [ findstr [TCP::client_port]]
          if {$cl_tcpport ne " "} {
             persist uie $cl_tcpport
          }
       }
    }

Thanks.

Jason


  • unRuleY_95363
    Historic F5 Account
    Jason,

    First, I'm making some assumptions about your app, but hopefully this will help.

    I doubt that clients' connections exiting the SSL VPN will in fact have the same source port. So, unfortunately, I don't think persisting on the TCP source port will help.

    Is this an HTTP app? If so, then I would actually recommend using Cookie persistence to identify the client.

    If not, then you would need to dig into the application data for something that identifies the client.

    Most SSL VPNs will arbitrarily assign client connections new source ports to track new connections. So, the same client could come from a number of source ports. Only the VPN software knows the mapping between client and TCP source port. Most, if not all, VPNs use a NAT to translate between the original client and the VPN endpoint.

    If you did want to continue trying to use just the TCP source port, then your rule is pretty close - you just don't need to use the variable or the findstr command (TCL automatically takes care of converting between numbers and strings):

     rule client_tcpport_persist {
        when CLIENT_ACCEPTED {
           if {[TCP::client_port] != 0} {
              persist uie [TCP::client_port]
           }
        }
     }

    Again, I doubt this will work for you and suggest you try using cookie persistence.

    Thanks.
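The point made in the reply about NAT and ephemeral ports can be checked with a small model. The following is an added example written for this page, not code from the thread or from F5: it simulates a VPN gateway that sends every connection from one IP with the next free source port, and a load balancer doing universal persistence ("persist uie" behaviour, modelled without entry expiry). Server names, client names, the egress address and the eight-port pool are constructed values; the small pool just makes the port reuse that a real NAT does over hours happen within a few connections. Keying the table on the source port spreads each client over several servers and, once a port is reused, sends a client to an entry another client created; keying on a per-client identifier (what a cookie or an application-level ID provides) keeps every client on one server.

```python
"""Toy model: universal persistence keyed on TCP source port vs. on a
per-client identifier, for clients behind a NATing SSL VPN gateway.
Added example, not F5 code; all names and numbers are constructed."""

from collections import namedtuple

Connection = namedtuple("Connection", "client src_ip src_port")

# Constructed sample values: three terminal servers behind the virtual server,
# and the single address every VPN client appears to come from.
SERVERS = ("ts1", "ts2", "ts3")
VPN_EGRESS_IP = "203.0.113.10"


class NatGateway:
    """Models the VPN endpoint: each new TCP connection leaves from the same
    IP with the next ephemeral port from a pool. The pool is deliberately
    tiny so port reuse across clients shows up after a few connections."""

    def __init__(self, ports=range(40000, 40008)):
        self.ports = list(ports)
        self.count = 0

    def open_connection(self, client):
        port = self.ports[self.count % len(self.ports)]
        self.count += 1
        return Connection(client, VPN_EGRESS_IP, port)


class PersistingLoadBalancer:
    """Models 'persist uie <key>': a connection with a new key is load-balanced
    round-robin and the key->server mapping is recorded; later connections
    with the same key reuse that server. Entry timeouts are ignored, which
    only makes the port-keyed table look better than a real one would."""

    def __init__(self, servers):
        self.servers = servers
        self.table = {}       # key -> (server, client that created the entry)
        self.next_rr = 0

    def route(self, key, client):
        if key not in self.table:
            server = self.servers[self.next_rr % len(self.servers)]
            self.next_rr += 1
            self.table[key] = (server, client)
        return self.table[key]


def key_by_source_port(conn):
    # What the original rule persists on: (same IP, varying port).
    return ("port", conn.src_ip, conn.src_port)


def key_by_client_identity(conn):
    # Stands in for a session cookie or an identifier taken from app data.
    return ("client", conn.client)


def simulate(key_fn, clients=("alice", "bob", "carol"), conns_per_client=4):
    """Return (servers seen per client, wrong-client hits): which servers each
    client was sent to, and how many connections were routed by an entry that
    a *different* client had created (a collision caused by port reuse)."""
    gw = NatGateway()
    lb = PersistingLoadBalancer(SERVERS)
    seen = {c: set() for c in clients}
    wrong_client_hits = 0
    for _ in range(conns_per_client):
        for client in clients:
            conn = gw.open_connection(client)
            server, owner = lb.route(key_fn(conn), client)
            seen[client].add(server)
            if owner != client:
                wrong_client_hits += 1
    return seen, wrong_client_hits


def split_clients(key_fn):
    """Clients whose connections were spread over more than one server."""
    seen, _ = simulate(key_fn)
    return sorted(c for c, servers in seen.items() if len(servers) > 1)


def collisions(key_fn):
    """Connections that followed a persistence entry created by another client."""
    return simulate(key_fn)[1]


if __name__ == "__main__":
    for name, fn in (("source port", key_by_source_port),
                     ("client identity", key_by_client_identity)):
        print(f"{name:15}: split={split_clients(fn)} collisions={collisions(fn)}")
```

With the constructed pool, every client ends up on two servers under the port key and four connections are routed by another client's entry, while the identity key produces no splits and no collisions. The port-reuse collision is the nastier of the two failures for a terminal-server farm: it is not just a lost session, it is one user's connection being steered by another user's history.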