Clint_16698
Apr 16, 2008

Using Session variables to control Split Tunneling

Hello, I am new here, obviously, and I am also new to F5's products. I just started a job a couple of months ago that implements GTM, LTM, and Application Delivery via FirePass.

I have a problem in that we are trying to implement the Cisco WAAS appliance in the data center and branch sites. The WAAS does not support acceleration of encrypted or compressed traffic. I also have 12 MPLS sites that do not necessarily need SSL tunnels to the web apps since MPLS is private anyway.

For posture assessment reasons we have chosen to use the FirePass device as an entry point for our webservers. So that's why we are using the FirePass to deliver apps to MPLS sites instead of having those users HTTP straight into the webserver.

Now to my question:

Is there a way that I can use session variables based on source IP address, and have the traffic that meets the condition be split tunneled to the webserver in the DMZ? I have to use FirePass as an entry point, but not have the data encrypted, to accelerate MPLS site data streams.

Also note that the FirePass does not have an interface in the DMZ. Traffic hits the FirePass, then gets routed back out to the outside, and from the outside it goes through the firewall and offloads to the LTM.

I need a DOC or someone to help me out.

Thanks in advance.

2 Replies

  • You can create two separate resource groups on FirePass to help facilitate this. Another option is to use AD groups to separate it out.

    Let me explain:

    Certain users come in under the 192.168.1.1 IP address; you can either designate that IP address as a protected configuration and then a protected resource group.

    You can also select an AD group that is given to those who require split tunneling, pointing to the separate network access resource.

    Multiple ways of doing things on the FirePass; I can think of three or four more.
  • Well, I created a test AD group and test AD user account. I used the resource group and master group mapping tables to map the AD group to my FirePass groups. My test master group is set up to authenticate through Active Directory.

    I created a favorite to my web application with http://myfav.myco.com:80 under the web app tunnels.

    Also under Application Access, I go to Master Group Settings and click the Dynamic Tunnels/Web App Tunnels for that test MG, and then I choose "Use split tunneling".

    I put my LAN address space in the field. My webapp is in the DMZ and it has an external IP address which is not on the same segment as my LAN address space.

    But when I log into FirePass with the user that is in the test AD group, I see the web app tunnel I assigned to the resource group, but when I click on it to launch the app, I think it is still encrypting the connection. It still opens the Dynamic Tunnel dialog box.

    How will I know that the web application that I launch will be unencrypted?

    I just want to be able to see the web app tunnel, click on it, and have it open with an unencrypted connection.

    What else do I need to do?
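The thread asks two things the FirePass GUI does not directly show: which clients should be split-tunneled based on source IP, and how to tell whether the launched web app connection is really unencrypted. The following Python is an added example, not FirePass code and not anything the poster or F5 provided. It assumes placeholder MPLS site prefixes (10.10.0.0/16 and 10.20.0.0/16, constructed here) and takes as input the first bytes each client sends on a flow, for instance pulled from a packet capture on the firewall or LTM side where the traffic leaves the FirePass. It classifies each flow as a TLS handshake or a plaintext HTTP request and reports where the observed behaviour contradicts the intended policy.

```python
import ipaddress

# Constructed placeholders for the MPLS site ranges that should be split-tunneled
# (plaintext to the DMZ web server) instead of riding inside the SSL tunnel.
# Replace with the real address space; these are not the poster's networks.
MPLS_SITE_NETWORKS = [
    ipaddress.ip_network("10.10.0.0/16"),
    ipaddress.ip_network("10.20.0.0/16"),
]


def should_split_tunnel(src_ip: str, site_networks=MPLS_SITE_NETWORKS) -> bool:
    """Policy the thread describes: a client is split-tunneled (left unencrypted
    so WAAS can accelerate it) only if its source address is inside one of the
    private MPLS site ranges. Everyone else stays inside the SSL tunnel."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # a malformed address never matches the private ranges
    return any(addr in net for net in site_networks)


def classify_stream(first_bytes: bytes) -> str:
    """Decide from the first bytes a client sends whether the flow is encrypted.

    A TLS record starts with content type 0x16 (handshake) and major version
    0x03 (SSL 3.0 through TLS 1.3 all use 0x03 in the record layer). A
    plaintext HTTP request starts with a method token and a space.
    Returns 'tls', 'http-plaintext' or 'unknown'."""
    if (len(first_bytes) >= 3 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] in (0, 1, 2, 3, 4)):
        return "tls"
    http_methods = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
    if first_bytes.startswith(http_methods):
        return "http-plaintext"
    return "unknown"


def audit_flows(flows):
    """Compare observed flows with the intended policy.

    flows: iterable of (src_ip, first_bytes) tuples, e.g. assembled from a
    capture. Returns a list of (src_ip, finding) pairs for flows that are
    either still encrypted when they should be split-tunneled, or plaintext
    when they should have been inside the tunnel."""
    findings = []
    for src_ip, first_bytes in flows:
        kind = classify_stream(first_bytes)
        expect_plain = should_split_tunnel(src_ip)
        if expect_plain and kind == "tls":
            findings.append((src_ip, "MPLS client still encrypted: WAAS cannot accelerate"))
        elif not expect_plain and kind == "http-plaintext":
            findings.append((src_ip, "non-MPLS client in plaintext: should be tunneled"))
    return findings


# Constructed sample flows (the hostname is the favorite from the thread).
SAMPLE_FLOWS = [
    ("10.10.5.23", b"GET /index.html HTTP/1.1\r\nHost: myfav.myco.com\r\n\r\n"),  # MPLS, plaintext: OK
    ("10.20.7.9", b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),              # MPLS, still TLS: finding
    ("203.0.113.45", b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),          # remote user, TLS: OK
    ("203.0.113.46", b"POST /login HTTP/1.1\r\n"),                                # remote user, plaintext: finding
]

if __name__ == "__main__":
    for ip, finding in audit_flows(SAMPLE_FLOWS):
        print(f"{ip}: {finding}")
```

Run it against the real address space and the first client bytes of each flow; a flow from an MPLS client that still classifies as `tls` is exactly the symptom the poster describes (the Dynamic Tunnel dialog still opening), and a plaintext flow from a non-MPLS source means the split-tunnel scope is wider than intended.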