cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.

APM and VIP Targeting Configuration Issues

mrichter
Nimbostratus
Nimbostratus

We have a use case where we'd like to use multiple domain names and apply different access policies based on differing domain names. The main article I read to work around this is to use VIP targeting and apply an iRule on the main/director Virtual Server to accomplish this.

 

when HTTP_REQUEST { switch [string tolower [HTTP::host]] { "app1.domain.com" { virtual app1_vs } "app2.domain.com" { virtual app2_vs } "app3.domain.com" { virtual app3_vs } "app4.domain.com" { virtual app4_vs } } }

So far I haven't been able to get this working. Policy manager itself functions correctly and passes, but as soon as the VPN tunnel tries to setup it immediately disconnects:

 

10:00:02 PDT 2015:notice hostname tmm1[19040] 01490505 562a3210PPP tunnel 0x57003446b100 closed.

 

10:00:02 PDT 2015:notice hostname tmm1[19040]01490505 562a3210PPP tunnel 0x57003446b100 started

 

So a few questions I have here in regards to this setup.

 

  1. Does it really work and is any functionality lost?
  2. Is DTLS still supported and if so, what does that configuration look like?
  3. Are there any issues with having route domains configured (perhaps that's what causing my disconnect)?
  4. Is there something special that needs to be configured on the directed virtual server? Right now I'm just configuring it as SSL and applied the appropriate access policy.

Thanks in advance.

 

3 REPLIES 3

Robert_Teller_7
Historic F5 Account
Just out of curiosity can you add logic to the VPE to execute different branch logic based on the FQDN rather than using the V2V function?

mrichter
Nimbostratus
Nimbostratus

My use case is based on a desire to have multiple access policies. The whole point really is to avoid having a single policy if at all possible without needing to burn additional public IPs.

 

Robert_Teller_7
Historic F5 Account

From my testing I was able to get the Virtual to Virtual targeting to work.

 

I believe the issue you are running into two issues. 1. You are switching APM Policies based on the HTTP::host variable and that information will not be available when negotiating DTLS 1. You have the HTTP profile applied to the external virtual since you are using the HTTP::host method

 

Make sure the externally exposed virtual has both the ClientSSL and ServerSSL Profile applied and try removing the HTTP profile from the virtual.

 

Instead of using the HTTP::host method to identify the destination FQDN you will have to use the SNI attribute of the client ssl request. Take a look at TLS Server Name Indication for some great information on SNI