ThomasP
Mar 20, 2020
Solved

Is network access bypassing APM logon pages?

Hello,

Maybe it's a stupid question but I've been wondering about it for a while without finding a proper answer.

Usually, you can either access your web apps remotely through APM or you can use an SSL VPN connection to have full network access.

Recently when I was connected to the VPN (BigIP Edge Client), I tried to access different web apps through APM in order to test some APM workflows (VPE config) and I noticed I was somehow bypassing the APM logon pages: actually I was able to access the web apps without having the APM logon pages.

Maybe these were silly tests but still I'm wondering: what happened?

I used an iRule to have verbose logs, and I saw that my VPN session ID was being used when accessing these web apps.

Is there any credential forwarding? How does it work?

Thank you

Thomas

3 Replies

  • If APM is being the gatekeeper then if you have a VPN session then you are authenticated. If you then want to access the app then you are already authenticated with APM.

  • Thank you Pete for your reply.

    In that case, it seems that the APM checks (AD query for example) and variable assignments are bypassed, right? Is there any solution for these?

    Thank you

    • PeteWhite (Employee)
      Hi Thomas, Take a look at https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-0-0/20.html and possibly https://devcentral.f5.com/s/articles/apm-full-step-up-authentication-903