Forum Discussion

mjb109's avatar
mjb109
Icon for Nimbostratus rankNimbostratus
Jan 20, 2023
Solved

APM custom address space by client IP?

Hi all:

Strange client requirement, but figured I'd ask as a thought experiment. What we'd like to do is use different split-tunnel address spaces depending on a client's location/IP. For example, if a user is in an office we know is protected, don't tunnel things like Internet browsing. If that same user takes their laptop home/to a coffee shop/etc, tunnel everything. Is something like this even possible?

security
  • Lucas_Thompson's avatar
    Lucas_Thompson
    Jan 24, 2023

    Juergen_Mang is spot on, it's pretty straightforward. You'd create:

    1. Two or more Network Access Lists that comply with your desired connectivity properties
    2. Create an *empty* item in a per-session access policy, name it "check client IP" or something
    3. Add branch rules to check the client IP. The Expression Builder has these built-in already.
    4. Branch to an Advanced Resource Assign that assigns the appropriate resource

     

     

     

6 Replies

Sort By
  • Juergen_Mang's avatar
    Juergen_Mang
    Icon for MVP rankMVP
    Jan 23, 2023

    Not tested, but this should work:

    Create a second Network List with the other Lease Pool and use the Advanced Ressource Assign Policy Agent to assign this for spcific Client-IPs.

  • Paulius's avatar
    Paulius
    Icon for MVP rankMVP
    Jan 20, 2023

    mjb109 Typically the way traffic is tunneled is by the particular policy applied to the tunnel that you are attempting to form and not dynamically. Realistically you would have to configure two different tunnels one they connect to when they are at work and one when they are at home.

  • mjb109's avatar
    mjb109
    Icon for Nimbostratus rankNimbostratus
    Jan 20, 2023

    I had considered that; unfortunately it relies upon a user to do the right thing. I was thinking more along the lines of an iRule with some logic like:

    if client::IP == <Some list>; use profile 'foo'

    else, use profile 'bar'

    I guess another option would be to create the two tunnels, then a redirect VIP for all users that follows similar logic, but sends a redirect instead to get a user to the right endpoint.

    • Lucas_Thompson's avatar
      Lucas_Thompson
      Icon for Employee rankEmployee
      Jan 24, 2023

      Juergen_Mang is spot on, it's pretty straightforward. You'd create:

      1. Two or more Network Access Lists that comply with your desired connectivity properties
      2. Create an *empty* item in a per-session access policy, name it "check client IP" or something
      3. Add branch rules to check the client IP. The Expression Builder has these built-in already.
      4. Branch to an Advanced Resource Assign that assigns the appropriate resource

       

       

       

      • mjb109's avatar
        mjb109
        Icon for Nimbostratus rankNimbostratus
        Jan 24, 2023

        This looks like it will work nicely. Thanks to all!