Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

allow *.microsoft.com to connect to a virtual server

awan_m
Cirrus
Cirrus

‎17-May-2023 21:54

Hi,

i have a VIP that should only be accessable by domain *.microsoft.com - i have AFM provisioned and a DNS resolver . but the Rule cannot take *.microsoft.com as source . 

is there a way to achieve this .

thanks 

Labels:
0 Kudos
4 REPLIES 4

Paulius
MVP
MVP

‎17-May-2023 21:59

@awan_m I don't believe this is possible because the AFM would perform a DNS lookup for the literal DNS record of *.microsoft.com instead of what you most likely want which is any sub-domain of .microsoft.com. I don't know if I would allow that through either if you could because that is a significant amount of sources that could potentially be allowed through depending on DNS resolution. What is the purpose of the VIP that you need to allow any sub-domain of .microsoft.com through?

0 Kudos

awan_m
Cirrus
Cirrus
In response to Paulius

‎17-May-2023 22:14

thanks for the reply - its a specific domain IPs to be able to connect to a VIP that presents an API . the problem with an ip address list is that i will change all the time . i need to resolve the requestors IP to a domain and if its *.XYZ.com the allow it to connect .

0 Kudos

Paulius
MVP
MVP
In response to awan_m

‎18-May-2023 05:22

@awan_m It seems like the options you have is to ask Microsoft for specific FQDNs that will resolve to the appropriate IPs or to ask them for the IP ranges that the requests could come from and allow those IP ranges.

0 Kudos

Michael__
Nimbostratus
Nimbostratus
In response to awan_m

‎19-May-2023 08:09

Hi,

you could try that with an irule, something that way:

when CLIENT_ACCEPTED {

  set CLIENTIP [IP::client_addr]
  set PTR "[lindex [RESOLV::lookup @1.1.1.1 -ptr $CLIENTIP] 0]"
  set PTRreverse "[lindex [RESOLV::lookup @1.1.1.1 -a $PTR] 0]"

  if {($CLIENTIP eq $PTRreverse) && ($PTR ends_with ".microsoft.com")}{
     log local0. "OK - $CLIENTIP - $PTR - $PTRreverse -"

   } else {
     log local0. "FAIL - $CLIENTIP - $PTR - $PTRreverse -" 
       reject
  }
}
0 Kudos
Copyright © 2023 Khoros, LLC