Forum Discussion
Using APM to secure VS by machine name
Hi,
We are attempting to meet compliance standards and determine a way to secure access to our Virtual Servers. Short of ACLs, which due to our IP design being based on geography rather than departments in our company would force a complete redesign and be an administrative nightmare, we determined the next best solution would be to utilize the APM. These servers sit directly behind the F5.
Our only requirement is: We must secure access based on machine name (rather than user)
How we had planned to do this was the following: Utilizing our PKI, deploy certificates based on machine name. Then, query AD utilizing the machine name to determine if you're allowed access.
We've been able to create a certificate and use the module Machine Cert Auth to accomplish the first part. The part we're having extreme trouble with is performing a query based on machine name with AD.
My main concern is, how does the F5 gather the machine name to perform this lookup? The cert contains the machine name; it's almost as if we could develop an iRule to strip it from the cert, which would work (above my head). Also, I know F5 has this Edge Client that maybe we could deploy to gather this info to perform the lookup.
I'd really appreciate any feedback on our current design OR any ideas for alternate solutions utilizing the F5.
24 Replies
- Seth_Cooper
Employee
I'm guessing just having a valid AD issued certificate isn't enough to validate the machine since you also want to query the domain? What information do you want about the machine from AD? Provide a little bit more info on this and we might be able to help devise a solution to help you out.
- Nfordhk_66801
Nimbostratus
We were going to use the actual machine name to query an OU. Put all the machines that we want to have access in a specific OU. Do you have a cert? Yes. Are you in this OU? Yes. Okay, you can have access.
- Nfordhk_66801
Nimbostratus
We're open to other options but the requirement is based solely on machine, not user.
- Seth_Cooper
Employee
What does your policy look like? Did you create the iRule event correctly?
You need to have an "iRule Event" VPE Action. In the action I used the ID "get_computer_name". This ID matches a name in the iRule.
You need to make sure the ID is correct as this is checked in the iRule.
- Nfordhk_66801
Nimbostratus
Hi Seth,
Yes I created the iRule. Attached are some photos
- Seth_Cooper
Employee
So I assume you are getting to the "Not Approved - Message Box"? I would suggest while at this page do a "sessiondump -allkeys | grep " from the command line and see what is listed in session.windows_info_os.last.computer". It might be that the session variable isn't populated when the iRule runs. It is also strange that your statistics are showing the ACCESS_POLICY_AGENT_EVENT isn't getting triggered. One other thing to try is to run Internet Explorer "as Administrator" and see if that helps if the windows info agent isn't getting anything. -Seth
- Nfordhk_66801
Nimbostratus
Ahh, the command lines show a lot more info
0e9eba9c.session.windows_info_os.last.computer 167 |testserver2|testserver2|ourdomain.com|testserver2.ourdomain.com|testserver2|testserver2|ourdomain.com|testserver2.ourdomain.com|
I did change the search string to where this server is located.
- Nfordhk_66801
Nimbostratus
Are these fields supposed to be blank?
d4f2c301.session.ad./Common/pra-poc-f5-forum_act_active_directory_query_ag.errmsg 40 no matching user found with filter name=
d4f2c301.session.ad./Common/pra-poc-f5-forum_act_active_directory_query_ag.queryresult 1 0
d4f2c301.session.ad.last.errmsg 40 no matching user found with filter name=
- Seth_Cooper
Employee
Nope... since we are getting the session.windows_info_os.last.computer variable, the iRule should parse the array and create the session.custom.computer variable that the VPE can use in the AD Query. Does your iRule appear to be firing now? You can add a log statement to the iRule and see if we are getting to the right place. If you can validate that we will move on to the next step, which would be your AD Query action. -Seth
- Nfordhk_66801
Nimbostratus
I don't think the iRule is even being utilized. Commented more info below.
- Nfordhk_66801
Nimbostratus
Those numbers don't increment at all. I even copied and pasted the name. I added the logging:

    when RULE_INIT {
        # Leading dot: only hosts inside this domain match, not a look-alike suffix
        set static::THIS_DOMAIN ".insertdomain.com"
        log local0. "get_computer_name: RULE_INIT"
    }

    when ACCESS_POLICY_AGENT_EVENT {
        # The agent ID must match the ID set on the "iRule Event" VPE action
        if { [ACCESS::policy agent_id] eq "get_computer_name" } {
            log local0. "get_computer_name: agent event fired"
            set computer [string tolower [ACCESS::session data get "session.windows_info_os.last.computer"]]
            # The session variable is a pipe-delimited array; pick the entry carrying this domain's FQDN
            foreach x [split $computer "|"] {
                if { $x ends_with $static::THIS_DOMAIN } {
                    set machinename [lindex [split $x "."] 0]
                    ACCESS::session data set session.custom.computer $machinename
                    log local0. "get_computer_name: session.custom.computer = $machinename"
                    return
                }
            }
            log local0. "get_computer_name: no entry matched $static::THIS_DOMAIN"
        }
    }

I think this is all it gave:
Feb 25 14:13:33 nho-bigip-test info tmm[14917]: 01220002:6: Rule /Common/get_computer_name : local0.
Feb 25 14:13:33 nho-bigip-test info tmm1[14917]: 01220002:6: Rule /Common/get_computer_name : local0.
- Seth_Cooper
Employee
Please update the log statements to help determine where the iRule is getting to...
    log local0. "ACCESS_POLICY_AGENT_EVENT before if"
    log local0. "ACCESS_POLICY_AGENT_EVENT after if"
Place these at different places to see what is getting fired and what isn't getting fired. Just to confirm... you did add the iRule to the Virtual Server that the APM policy is tied to? Seth
- Nfordhk_66801
Nimbostratus
Doh! Sorry Seth, I wasn't aware it still needed to be applied to the VS in this scenario. I went ahead and did that. I see tons more information in the logs now. Still failing access, but now the iRules are executing. Also there are no more blank fields for the AD query portion. I see the correct DN for the server, and it's matching my branch rule. Not sure why it would be failing here.
Nimbostratus
I'll add the iRule logs and paste the results.
- Seth_Cooper
Employee
Hey Nick,
I have reproduced the issue you are seeing. The only group your computer is in is also the primary group for that computer. In the AD Query object you need to enable "Fetch Primary Group". This will populate the session.ad.last.attr.memberOf session variable with the group your computer is in. After I enabled it on my env I got the following entry...
489fcf1a.session.ad.last.attr.memberOf 47 CN=Domain Computers,CN=Users,DC=cooper,DC=local
As you can see "Domain Computers" is the primary group and it wouldn't be returned unless you enable it in the AD Query.
Please test and let me know if this resolves your issue.
Seth
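The two pieces of logic the thread arrives at, deriving the short machine name from the pipe-delimited session.windows_info_os.last.computer array and then checking the machine against the memberOf values an AD Query returns once "Fetch Primary Group" is enabled, are shown below as an added Python example. It is not the poster's iRule, nor F5 code, and it does not run on a BIG-IP; it reproduces the same decision logic so the matching rules can be exercised offline. The domain suffix, group DNs and session values are constructed for the example; the session string follows the shape quoted earlier in the thread.

```python
import re

# Constructed sample values shaped like the sessiondump lines quoted in the thread
# (assumed values, not real output). Entries arrive in mixed case from the client.
WINDOWS_INFO_COMPUTER = (
    "|TESTSERVER2|TESTSERVER2|ourdomain.com|TESTSERVER2.ourdomain.com"
    "|testserver2|testserver2|ourdomain.com|testserver2.ourdomain.com|"
)
THIS_DOMAIN = ".ourdomain.com"  # assumed domain; the leading dot is deliberate

# memberOf as populated when the AD Query has "Fetch Primary Group" enabled:
# the primary group (Domain Computers) is only present because of that option.
MEMBER_OF = [
    "CN=Domain Computers,CN=Users,DC=ourdomain,DC=com",
    "CN=F5 Allowed Servers,OU=Servers,DC=ourdomain,DC=com",
]
ALLOWED_GROUP_DN = "cn=f5 allowed servers, ou=servers, dc=ourdomain, dc=com"  # assumed


def machine_name_from_windows_info(value, domain_suffix=THIS_DOMAIN):
    """Same rule as the thread's iRule: lower-case the array, split on '|',
    take the first entry ending with the domain suffix, return its host label.
    Returns None when no entry belongs to the expected domain."""
    if not domain_suffix.startswith("."):
        # Without the dot, "evilourdomain.com" would satisfy an ends-with test.
        raise ValueError("domain suffix must start with '.'")
    suffix = domain_suffix.lower()
    for entry in value.lower().split("|"):
        if entry and entry.endswith(suffix):
            return entry.split(".")[0]
    return None


def normalize_dn(dn):
    """Comparison form for a DN: split on unescaped commas, trim whitespace
    around each RDN, and lower-case. Avoids false mismatches on case or spacing
    without resorting to substring matching."""
    rdns = [part.strip() for part in re.split(r"(?<!\\),", dn)]
    return ",".join(rdn.lower() for rdn in rdns)


def is_member_of(member_of, group_dn):
    """True if group_dn appears in the memberOf list, compared as whole DNs."""
    target = normalize_dn(group_dn)
    return any(normalize_dn(g) == target for g in member_of)


def authorize(windows_info, member_of, group_dn=ALLOWED_GROUP_DN):
    """Combine both checks into the branch decision the VPE would make.
    Returns (allowed, detail)."""
    name = machine_name_from_windows_info(windows_info)
    if name is None:
        return (False, "no entry matched the expected domain suffix")
    if not is_member_of(member_of, group_dn):
        return (False, f"{name} is not a member of {group_dn}")
    return (True, name)


if __name__ == "__main__":
    print(authorize(WINDOWS_INFO_COMPUTER, MEMBER_OF))
    # A host from a look-alike domain must not pass the suffix test
    print(authorize("|host|host|evilourdomain.com|host.evilourdomain.com|", MEMBER_OF))
```

Two points the example makes explicit: the domain suffix is matched with its leading dot so that a host in a look-alike domain never passes, and group membership is compared on the whole normalized DN rather than by substring, so a group name that happens to contain the target name does not satisfy the check.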
- Seth_Cooper
Employee
Great! Yea... you just need to see what values you have to choose from that AD returns and base your logic off of that. If distinguishedName is better for your scenario then use it.
Glad you could get it working!
Seth
- radamhartman_34
Nimbostratus
Is there a possible update to this answer? I'm interested in implementing a solution like this but am wondering if querying AD for membership of the device has been baked into the platform now.
