Forum Discussion

mrichter's avatar
mrichter
Icon for Nimbostratus rankNimbostratus
Sep 24, 2015

APM and VIP Targeting Configuration Issues

We have a use case where we'd like to use multiple domain names and apply different access policies based on differing domain names. The main article I read to work around this is to use VIP targeting and apply an iRule on the main/director Virtual Server to accomplish this.

when HTTP_REQUEST {
switch [string tolower [HTTP::host]] {
    "app1.domain.com" { virtual app1_vs }
    "app2.domain.com" { virtual app2_vs }
    "app3.domain.com" { virtual app3_vs }
    "app4.domain.com" { virtual app4_vs }
  }
}

So far I haven't been able to get this working. Policy manager itself functions correctly and passes, but as soon as the VPN tunnel tries to setup it immediately disconnects:

10:00:02 PDT 2015:notice hostname tmm1[19040] 01490505 562a3210PPP tunnel 0x57003446b100 closed.

10:00:02 PDT 2015:notice hostname tmm1[19040]01490505 562a3210PPP tunnel 0x57003446b100 started

So a few questions I have here in regards to this setup.

  1. Does it really work and is any functionality lost?
  2. Is DTLS still supported and if so, what does that configuration look like?
  3. Are there any issues with having route domains configured (perhaps that's what causing my disconnect)?
  4. Is there something special that needs to be configured on the directed virtual server? Right now I'm just configuring it as SSL and applied the appropriate access policy.

Thanks in advance.

APM
application delivery
deployment
design
devops
iRules
security

3 Replies

Sort By
  • Robert_Teller_7's avatar
    Robert_Teller_7
    Historic F5 Account
    Oct 06, 2015
    Just out of curiosity can you add logic to the VPE to execute different branch logic based on the FQDN rather than using the V2V function?
  • mrichter's avatar
    mrichter
    Icon for Nimbostratus rankNimbostratus
    Oct 06, 2015

    My use case is based on a desire to have multiple access policies. The whole point really is to avoid having a single policy if at all possible without needing to burn additional public IPs.

     

  • Robert_Teller_7's avatar
    Robert_Teller_7
    Historic F5 Account
    Oct 06, 2015

    From my testing I was able to get the Virtual to Virtual targeting to work.

     

    I believe the issue you are running into two issues. 1. You are switching APM Policies based on the HTTP::host variable and that information will not be available when negotiating DTLS 1. You have the HTTP profile applied to the external virtual since you are using the HTTP::host method

     

    Make sure the externally exposed virtual has both the ClientSSL and ServerSSL Profile applied and try removing the HTTP profile from the virtual.

     

    Instead of using the HTTP::host method to identify the destination FQDN you will have to use the SNI attribute of the client ssl request. Take a look at TLS Server Name Indication for some great information on SNI