Forum Discussion

bigiptechie_982
Nov 21, 2012

Restrict access to one URL through F5 LTM for external access only

Dear All,

I have a kind of design and configuration question: we have one SharePoint portal that we want to publish externally and internally using F5 LTM.

Under the main web page we have a Departments tab, and under Departments we need to restrict/hide or redirect access to the Asset Management URL tab.

What would be the best practices for this setup?

It is by creating two virtual servers, one for public access and one for internal access, and updating our internal and external DNS accordingly; then the public virtual server blocks access to that specific URL using an iRule.

One more question: is there any way to completely hide the Asset Management tab?

Please advise on the best practices to handle the above requirements.

7 Replies

  • Ideally there would be some way in SP to restrict display and access to the relevant resource based on source IP address or something else? An iRule could insert an HTTP header if that helps?

    You could get away with one Virtual Server but two would probably be more secure, with each restricted to the VLAN used by clients to connect (which I assume are different internally and externally). You could then use an iRule to block the URL in question and apply it only to the external Virtual Server. There's probably not too much to be done about its display.

    If you can provide the URL(s) I can do something for you.
  • I was thinking of doing that with a data group and an iRule that will allow only internal subnet IP ranges and block all others.

    Please find the URLs below.

    First page:

    https://portal.example.com/Pages/Home.aspx

    Departments page:

    https://portal.example.com/Departments/Pages/default.aspx

    Asset page that will be accessible only from inside:

    https://portal.example.com/Departments/asset/Pages/Home.aspx

  • I'd take Steve's suggestion and try to implement this on the application. IIS accepts a lot of different encoding methods so it would be difficult to fully normalize all of the URIs to protect a specific page:

    http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=30900

    Aaron
  • Hi Aaron

    Thank you for your input. Actually, the application will see all connections as coming from the F5 floating IP, since the implementation for this app is using SNAT. I am not sure if they can extract or use the XFF value to block external connections.

  • The XFF header will show the client's true source, not the SNAT address.

    You can certainly provide authorization rules based on data group entries, but as the rules get more complex you'll want to consider relying more on the application.

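As an added example (not from this thread and not F5's own code), an iRule of the kind discussed in this reply and in the earlier reply listing the URLs: it inserts X-Forwarded-For so the application can enforce its own rule behind SNAT, and refuses the asset path to any client whose address is not in an address-type data group. The data group name `internal_subnets`, its subnets and the response text are assumptions; the path is the one posted in the thread.

```tcl
# Added example iRule (not from the thread or from F5). Assumes an
# address-type data group named "internal_subnets" holding the internal
# client subnets, e.g. 10.0.0.0/8 and 192.168.0.0/16 (constructed values).
# Attach it to the public virtual server (with an HTTP profile); the
# internal virtual server needs no such rule.
when HTTP_REQUEST {
    # Always pass the true client address to SharePoint/IIS so the
    # application can apply its own restriction even though it only
    # sees the SNAT address at the TCP level.
    HTTP::header insert X-Forwarded-For [IP::client_addr]

    # Normalise the path once: percent-decode, lower-case, and use
    # HTTP::path so the query string is not part of the comparison.
    # This catches simple variants such as mixed case or %-encoded
    # letters, but not every encoding IIS accepts (Aaron's caveat), so
    # treat the rule as defence in depth, not as the only control.
    set path [string tolower [URI::decode [HTTP::path]]]

    # Collapse repeated slashes so "//departments//asset/" also matches.
    regsub -all {/+} $path "/" path

    if { $path starts_with "/departments/asset/" } {
        if { ![class match [IP::client_addr] equals internal_subnets] } {
            # Client is not on an internal subnet: log and refuse.
            log local0. "Blocked external access to $path from [IP::client_addr]"
            HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain" "Connection" "close"
            return
        }
    }
}
```

The HTTP profile's "Insert X-Forwarded-For" setting does the same job as the header insert line, in which case that line can be dropped.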
  • Thank you Kevin

    I know that the XFF header will show the client's source :-)

    But my question was: will the application team be able to do their restriction based on the value of the XFF? Do they need a third-party filter for that?

    Thanks,

  • That would depend on the application I guess. The Wikipedia page: http://en.wikipedia.org/wiki/X-Forwarded-For states this: "X-Forwarded-For logging is supported by many web servers including Apache. Microsoft IIS 6.0 & 7.0 can use a third party ISAPI filter to accomplish this task. IIS 7.0 can also use a HTTP Module for this filtering."

    I know nginx supports XFF too: http://wiki.nginx.org/HttpRealipModule. There's some information on using the XFF value within PHP here as well: https://devcentral.f5.com/weblogs/macvittie/archive/2008/06/02/3323.aspx.

    Obviously you'll be using the XFF for more than logging but all this support suggests it's not too difficult.