APM - dynamically enabling access policy when 401 back from server is detected
I'm working on a new fronting of an F5 APM instance in front of Sharepoint 2013. We are looking to expand our ability to offer Sharepoint across a large corporate network that has multiple domains. There will be no domain trusts, so you can imagine Sharepoint on one domain and users could be on any number of domains; however, all users will have a PKI certificate and an account on the Sharepoint domain. We will simply be having F5 take a client cert and process Kerberos on the back-end to allow "off-domain" users to access "on-domain" Sharepoint from any remote location - pretty standard stuff.
I have a technical issue with the placement of this APM: The sharepoint team also offers "anonymous" access to certain data locations within this Sharepoint instance. So we will have both credentialed access and anon access through the same F5 VIP; probably not the best way to do things, but this is what they gave me to deal with.
Now, normally I can simply use an irule to perform URI inspection to ACCESS::disable and ACCESS::enable based on URI path when I have to offer anon and credentialed access. The issue with this particular SP instance is that the anon resources are all over the place - no reasonable way for me to mask out based on URIs.
What I've envisioned is keeping the service anon until the SP IIS front-end sends back a 401, then dynamically enabling APM and performing an access policy evaluation. If the policy passes, the user will have access to resources per the user's AD settings; if the user doesn't have access, APM will deny based on AD checks within the policy after performing a client cert parsing.
Anyone have a suggestion on how to implement something like this?
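One way to sketch the "stay anonymous until the server says 401" idea from the post, as an added example that is not the poster's code and not F5-supplied configuration. It assumes the virtual server has the APM access profile attached and a Kerberos SSO configured on it, that anonymous SharePoint content is served without a 401, and that the APM policy ends in an Allow branch for users with a valid cert. The cookie name `apm_required` and the hypothetical `ACCESS::disable` bypass for unflagged clients are this example's choices; `ACCESS::disable`, `HTTP::status`, `HTTP::cookie`, `HTTP::respond` and `HTTP::uri` are standard iRule commands. Rather than calling `ACCESS::enable` from `HTTP_RESPONSE` (the 401 response is already on its way to the client at that point), the sketch flags the client and redirects it back to the same URI so that the policy runs on the retried request.

```tcl
# Added example iRule: anonymous by default, APM enforced only after
# the back-end has answered 401 for this client (assumption: a cookie
# is an acceptable per-client flag; a forged cookie only causes APM to
# be enforced earlier, which fails closed).
when HTTP_REQUEST {
    # Remember the requested URI so HTTP_RESPONSE can redirect back to it.
    set orig_uri [HTTP::uri]

    if { [HTTP::cookie exists "apm_required"] } {
        # Client has already hit a 401: let the access policy run
        # (client-cert check, AD lookups, Kerberos SSO to SharePoint).
        set apm_flagged 1
    } else {
        # No flag yet: bypass the access policy for this request so
        # anonymous SharePoint content is served as-is.
        set apm_flagged 0
        ACCESS::disable
    }
}

when HTTP_RESPONSE {
    # Only react to a 401 when APM was bypassed for this request.
    # If APM was already enforcing and SharePoint still answers 401,
    # do not redirect again: that would loop, and the SSO problem
    # should surface to the user instead.
    if { [HTTP::status] == 401 && !$apm_flagged } {
        HTTP::respond 302 noserver \
            "Location" $orig_uri \
            "Set-Cookie" "apm_required=1; Path=/; Secure; HttpOnly" \
            "Cache-Control" "no-store"
    }
}
```

Two caveats a practitioner would check before relying on this: the cookie must carry `Secure` and `Path=/` so it is sent on the retried request over the same VIP, and SharePoint endpoints that legitimately return 401 to anonymous users (for example some `_vti_bin` web service calls) will all force users into the policy, which is the intended behaviour here but changes what "anonymous" means for those paths.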