VS requirements for sideband connection
As part of an Access Policy, I want to make a sideband connection to a McAfee ePO server to see if the McAfee Agent GUID retrieved from the registry is in fact registered as a corporate device. The call itself is simple enough: https://epo-server:8443/remote/system.find?searchText=38EDE1D1-E565-44DD-9E36-EE089FF9F85E and this will return something like:
OK:
System Location: 3423
System Name: EMM-SYSNAME
Description: null
System Description: N/A
Time Zone: Central Standard Time
Default Language: 0409
User Name: first.last
Domain Name: corpdomain
DNS Name: EMM-SYSNAME.corpdomain.com
IP Address: 0:0:0:0:0:FFFF:AC16:799F
IP Address: 172.2.11.19
Etc.
The remote user will connect with the Edge Client. Prior to presenting the user with a logon page, I have an iRule event which calls “Mark Seecof's HTTP Super SIDEBAND Requestor” (https://devcentral.f5.com/wiki/irules.HTTP-Super-SIDEBAND-Requestor-Client-Handles-Redirects-Cookies-Chunked-Transfer-APM-Access-etc.ashx) to look up the GUID in ePO.
Since the call is HTTPS, the iRule indicates that a helper virtual server is required for TLS.
From the iRule:
SB_uri = absolute URI of target, plus optionally...
SB_virt = (optional) name of target virtual server--if set, used in lieu of host/port in $SB_uri (also see $SB_redir below)
If you set $SB_virt then host in $SB_uri can be anything (xxx), but if you do not set $SB_virt you must either put IP (to use port 80) or IP:port in host part of $SB_uri, or ensure your LTM's DNS setup is valid so [RESOLV::lookup] will work.
So, hardcoding for the moment I have…
set SB_uri https://epo-server:8443/remote/system.find?searchText=38EDE1D1-E565-44DD-9E36-EE089FF9F85E
…but I don’t know how the VS is supposed to be defined??
Running 11.5
Thanks.
- JRahm
Admin
Hi David, what I've seen others do in the past is to make a sideband to a local HTTP virtual that then has a serverside SSL profile to connect to the remote service.
David,
You might be able to do this in a much easier way (no sideband connection) by leveraging the HTTP Auth method in the Visual Policy Editor. Take a look here for an example of how it is done with another service such as OTP.
- Kevin_Stewart
Employee
"Since the call is HTTPS, the iRule indicates that a helper virtual server is required for TLS"
To add onto Jason's comment, you'd basically create an HTTP virtual server with an internal, non-routable listening address (so that it's not accessible to clients). That virtual would have a pool that pointed to your remote HTTPS resource, and then you'd apply a server SSL profile. Your sideband iRule would then reference this virtual server by name (the SB_virt variable in this case). Your iRule will make a sideband call to the HTTP virtual server (by name), which will send the traffic to the remote HTTPS server(s) in its pool.
The SB_uri variable should just be the URI portion of the request, so in this case just "/remote/system.find?searchText=38EDE1D1-E565-44DD-9E36-EE089FF9F85E".
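The helper virtual server described in the replies above, sketched as a bigip.conf-style fragment. This is an added example, not configuration posted by anyone in the thread; the object names, the 192.0.2.x addresses and the CA file name are assumed placeholders. It uses a custom server SSL profile that verifies the ePO certificate, because the stock serverssl profile does not validate the server.

```tmsh
# Added example, not from the thread. Object names, addresses (192.0.2.0/24 is
# a documentation range) and the CA file name are assumed placeholders.

# Pool pointing at the remote ePO HTTPS listener (port 8443 is from the thread).
ltm pool epo_sideband_pool {
    members {
        192.0.2.10:8443 {
            address 192.0.2.10
        }
    }
}

# Server SSL profile that checks the ePO certificate chain and name.
# The stock serverssl profile defaults to peer-cert-mode ignore, which would
# accept any certificate presented on the path to the ePO server.
ltm profile server-ssl epo_sideband_serverssl {
    defaults-from serverssl
    peer-cert-mode require
    ca-file epo_issuing_ca.crt
    authenticate-name epo-server
}

# Helper virtual: plain HTTP on the client side, TLS on the server side.
# vlans-enabled with no vlans listed keeps it off every VLAN, so it is
# reachable only by name from a sideband call (SB_virt in the iRule).
ltm virtual epo_sideband_vs {
    destination 192.0.2.254:80
    ip-protocol tcp
    mask 255.255.255.255
    pool epo_sideband_pool
    profiles {
        epo_sideband_serverssl {
            context serverside
        }
        http { }
        tcp { }
    }
    vlans-enabled
}
```

With this in place the iRule's SB_virt variable would be set to the virtual server name (epo_sideband_vs here).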
- M_Quevedo
Nimbostratus
Adding on to Jason's and Kevin's comments, the page for the HTTP Super SIDEBAND Requestor now includes full documentation for HTTPS access via a helper virtual server.