Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

APM custom address space by client IP?

Go to solution
mjb109
Nimbostratus
Nimbostratus

‎20-Jan-2023 14:20

Hi all:

Strange client requirement, but figured I'd ask as a thought experiment. What we'd like to do is use different split-tunnel address spaces depending on a client's location/IP. For example, if a user is in an office we know is protected, don't tunnel things like Internet browsing. If that same user takes their laptop home/to a coffee shop/etc, tunnel everything. Is something like this even possible?

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Lucas_Thompson
F5 Employee
F5 Employee
In response to Leslie_Hubertus

‎24-Jan-2023 09:19

@Juergen_Mang is spot on, it's pretty straightforward. You'd create:

  1. Two or more Network Access Lists that comply with your desired connectivity properties
  2. Create an *empty* item in a per-session access policy, name it "check client IP" or something
  3. Add branch rules to check the client IP. The Expression Builder has these built-in already.
  4. Branch to an Advanced Resource Assign that assigns the appropriate resource

 

Lucas_Thompson_1-1674580738216.png

 

Lucas_Thompson_0-1674580704848.png

 

View solution in original post

6 REPLIES 6

Go to solution
Paulius
MVP
MVP

‎20-Jan-2023 15:04

@mjb109 Typically the way traffic is tunneled is by the particular policy applied to the tunnel that you are attempting to form and not dynamically. Realistically you would have to configure two different tunnels one they connect to when they are at work and one when they are at home.

0 Kudos

Go to solution
mjb109
Nimbostratus
Nimbostratus

‎20-Jan-2023 15:34

I had considered that; unfortunately it relies upon a user to do the right thing. I was thinking more along the lines of an iRule with some logic like:

if client::IP == <Some list>; use profile 'foo'

else, use profile 'bar'

I guess another option would be to create the two tunnels, then a redirect VIP for all users that follows similar logic, but sends a redirect instead to get a user to the right endpoint.

0 Kudos

Go to solution
Juergen_Mang
MVP
MVP

‎23-Jan-2023 01:23

Not tested, but this should work:

Create a second Network List with the other Lease Pool and use the Advanced Ressource Assign Policy Agent to assign this for spcific Client-IPs.

Go to solution
Leslie_Hubertus
Community Manager
Community Manager

‎23-Jan-2023 17:20

@Lucas_Thompson - here's one in your wheelhouse. 🙂

0 Kudos

Go to solution
Lucas_Thompson
F5 Employee
F5 Employee
In response to Leslie_Hubertus

‎24-Jan-2023 09:19

@Juergen_Mang is spot on, it's pretty straightforward. You'd create:

  1. Two or more Network Access Lists that comply with your desired connectivity properties
  2. Create an *empty* item in a per-session access policy, name it "check client IP" or something
  3. Add branch rules to check the client IP. The Expression Builder has these built-in already.
  4. Branch to an Advanced Resource Assign that assigns the appropriate resource

 

Lucas_Thompson_1-1674580738216.png

 

Lucas_Thompson_0-1674580704848.png

 

Go to solution
mjb109
Nimbostratus
Nimbostratus
In response to Lucas_Thompson

‎24-Jan-2023 10:55

This looks like it will work nicely. Thanks to all!

0 Kudos
Copyright © 2023 Khoros, LLC