Technical Forum
APM custom address space by client IP?

mjb109
Nimbostratus

Hi all:

Strange client requirement, but figured I'd ask as a thought experiment. What we'd like to do is use different split-tunnel address spaces depending on a client's location/IP. For example, if a user is in an office we know is protected, don't tunnel things like Internet browsing. If that same user takes their laptop home/to a coffee shop/etc, tunnel everything. Is something like this even possible?

1 ACCEPTED SOLUTION

@Juergen_Mang is spot on, it's pretty straightforward. You'd create:

  1. Two or more Network Access Lists that comply with your desired connectivity properties
  2. Create an *empty* item in a per-session access policy, name it "check client IP" or something
  3. Add branch rules to check the client IP. The Expression Builder has these built-in already.
  4. Branch to an Advanced Resource Assign that assigns the appropriate resource

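The decision the accepted solution builds in the Visual Policy Editor (branch on the client IP, then hand out one of two Network Access Lists via Advanced Resource Assign), modelled in Python as an added example that is not from this thread or from F5. The network ranges and resource names are constructed, and the `IP::addr` branch-rule syntax produced by `branch_rule_expression` is an assumption to compare against what your Expression Builder generates.

```python
"""Model of the "check client IP" branch: pick a split- or full-tunnel Network Access
resource from session.user.clientip. Added example; ranges below are constructed."""
import ipaddress

# Constructed sample values. APM sees the office's public egress address when the
# client is NATed behind the office firewall, and an internal address when the
# client reaches the BIG-IP directly from the LAN, so both kinds are listed.
TRUSTED_OFFICE_NETS = [
    ipaddress.ip_network("203.0.113.0/24"),  # office egress (TEST-NET-3, constructed)
    ipaddress.ip_network("10.10.0.0/16"),     # office LAN (constructed)
]

# Hypothetical resource names; use the names of your own Network Access Lists.
SPLIT_TUNNEL_RESOURCE = "na_office_split_tunnel"
FULL_TUNNEL_RESOURCE = "na_full_tunnel"


def select_network_access(client_ip, trusted_nets=TRUSTED_OFFICE_NETS):
    """Return the Network Access resource the Advanced Resource Assign should hand out.

    Anything not provably an office address (unknown location, empty or unparsable
    session variable) falls through to the full tunnel, so the failure mode is
    "tunnel everything", never "send browsing out over an untrusted network".
    """
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except (ValueError, AttributeError):
        return FULL_TUNNEL_RESOURCE
    if any(addr in net for net in trusted_nets):
        return SPLIT_TUNNEL_RESOURCE
    return FULL_TUNNEL_RESOURCE


def branch_rule_expression(trusted_nets=TRUSTED_OFFICE_NETS):
    """Build the equivalent advanced branch-rule expression for the empty policy item.

    Assumes the IP::addr form the Expression Builder emits for a Client IP condition;
    check it against what your version generates before pasting it into the Advanced tab.
    """
    terms = ["[IP::addr [mcget {session.user.clientip}] equals %s]" % net.with_prefixlen
             for net in trusted_nets]
    return "expr { %s }" % " || ".join(terms)


if __name__ == "__main__":
    for ip in ["203.0.113.45", "10.10.4.7", "198.51.100.9", "192.168.1.20", ""]:
        print(f"{ip or '<empty>':>15} -> {select_network_access(ip)}")
    print(branch_rule_expression())
```

The "office" branch of the policy item gets the split-tunnel list and the fallback branch gets the full-tunnel list, matching the fail-closed behaviour of `select_network_access`.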

6 REPLIES

Paulius
MVP

@mjb109 Typically the way traffic is tunneled is determined by the particular policy applied to the tunnel that you are attempting to form, not dynamically. Realistically you would have to configure two different tunnels: one they connect to when they are at work and one when they are at home.

mjb109
Nimbostratus

I had considered that; unfortunately it relies upon a user to do the right thing. I was thinking more along the lines of an iRule with some logic like:

if client::IP == <Some list>; use profile 'foo'

else, use profile 'bar'

I guess another option would be to create the two tunnels, then a redirect VIP for all users that follows similar logic, but sends a redirect instead to get a user to the right endpoint.

Not tested, but this should work:

Create a second Network List with the other Lease Pool and use the Advanced Resource Assign policy agent to assign it for specific client IPs.

Leslie_Hubertus
Community Manager

@Lucas_Thompson - here's one in your wheelhouse. 🙂


This looks like it will work nicely. Thanks to all!