Forum Discussion

jmanya_44531
Sep 25, 2013

From Netscaler Access Gateway to F5 APM

Hello friends,

I would really appreciate it if you could help me by giving some guidance about APM.

I have a Citrix Access Gateway (AGEE) in my production environment. Users get AAA services from a Radius+RSA token (authentication) and from an LDAP (accounting). I have purchased APM in order to replace it, but I am having a bad time trying to map the configuration from the one to the other.

In AGEE I define AAA groups with the same name they have in the AD LDAP servers. The users who belong to the Technicians Group get access to an "Intranet Application" declared on the AGEE. Then, some authorization policies are applied. Intranet applications and authorization policies are features I have to configure in AGEE for the TECHVPN (Technicians Group).

The following are some images about the mentioned features.

![Image Text](/Portals/0/Users/243/31/44531/Intranet applications.jpg)

So, I have figured out that I need to create an Access Profile called TECHVPN (the same name located in the LDAP and AD) and in the VPE Resource Assign I would give access from ACLs, which will be the same as the authorization policies of AGEE. Is what I am thinking correct? What about the intranet applications? I guess intranet applications are the access network I define in APM, but AGEE does not give an IP address to any user who connects to the VPN. Does APM give an IP to the user?

Please, I'll appreciate some guidance. I need to deploy APM today.

Thanks in advance.

Regards.

JM

 

5 Replies

  • Read through the APM manual, perhaps it will make some connections between NetScaler and APM for you.

    From an APM point of view I would first ask: are you looking for an SSL VPN-like solution, so full network access (with ACLs if needed), or are you looking for a webtop (APM term) solution, where you end up on an http(s) page where you can access internal websites, start app tunnels ...

    As for your screenshot, it seems to be some form of ACL based on destination IPs which I can't really map on an APM type of setup. What exactly is the use?


  • Hello friend,

    I appreciate your answer.

    Actually, the users get access to the network and they are able to see a portal with the links to web apps according to their credentials and user type. The users are able to work in the network as if they were in their office. I have already created the webtops to show the internal web pages, but I have not figured out how to apply the access rules of the screenshot. Those are authorization policies. Indeed, such policies are difficult to create because they have AND & OR statements. The use of such policies is to allow or deny access to some network segments or specific hosts.

    Which wizard could I use?

    Regards

    JM


  • No wizard for that, I'm afraid. It sounds like you want to apply ACLs, which you can do based on AD groups and such in the Resource Assignment VPE. The ACLs themselves are also in the APM menu section, just set up a little differently.


  • Dear friend,

    What I want is to give access to a network segment and to a portal with webtops (webtops and their corresponding links have been configured). Nowadays, users can do that by using the Access Gateway Plug-In after a successful authentication and authorization. But how can I define the network segment? There is a statement which says:

    DEST.PORT==443&&(DEST.IP==aaa.aaa.aaa.aaa||DEST.IP==bbb.bbb.bbb.bbb)

    The statement above is applied to a group of users, in this case TECHVPN.

    In APM I can't define a statement like that in the ACL field.

    I remain attentive for any response. Thanks

    Regards,

    JM


  • It is a different device, it has a different GUI.

    You first create an ACL, just give it a name, i.e. TECHVPN, nothing else needs to be changed now, click [Create]. Then you add the actual ACL lines, with [Add]. Type should be L4, Source IP / Port seems to be any as you just focus on destination. At Destination you add the port 443 and IP1, action Allow. With a second line you can create another port 443 and IP2 and another Allow.

    You need to add a deny everything as the final line, there doesn't seem to be an implicit deny.
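Added example, not code from the thread or from F5 or Citrix: a small hypothetical helper that expands an AGEE-style expression such as the one quoted above into the flat list of L4 ACL lines described in the last reply (one Allow per destination port/IP pair, explicit deny-all last). It goes a little beyond the thread's single case by handling any nesting of `&&`, `||` and parentheses over `DEST.PORT==n` and `DEST.IP==a.b.c.d` atoms; the entry field names are constructed, not APM's own.

```python
# Hypothetical translator (not an F5/Citrix tool): supports DEST.PORT==n, DEST.IP==a.b.c.d, &&, ||, ().
import re
from itertools import product

TOKEN = re.compile(r"\s*(\(|\)|&&|\|\||DEST\.PORT==\d+|DEST\.IP==[\d.]+)")

def tokenize(expr):
    pos, out = 0, []
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m: raise ValueError(f"unsupported token at {expr[pos:]!r}")
        out.append(m.group(1))
        pos = m.end()
    return out

def to_dnf(tokens):
    """Recursive descent to disjunctive normal form: a list of AND-groups, each a list of atoms."""
    def parse_or(i):
        terms, i = parse_and(i)
        while i < len(tokens) and tokens[i] == "||":
            more, i = parse_and(i + 1)
            terms = terms + more                                # OR just concatenates groups
        return terms, i
    def parse_and(i):
        terms, i = parse_atom(i)
        while i < len(tokens) and tokens[i] == "&&":
            more, i = parse_atom(i + 1)
            terms = [a + b for a, b in product(terms, more)]    # distribute AND over OR
        return terms, i
    def parse_atom(i):
        if tokens[i] == "(":
            terms, i = parse_or(i + 1)
            if i >= len(tokens) or tokens[i] != ")": raise ValueError("missing ')'")
            return terms, i + 1
        return [[tokens[i]]], i + 1
    terms, i = parse_or(0)
    if i != len(tokens): raise ValueError("trailing tokens")
    return terms

def to_acl_entries(expr):
    """One L4 allow line per (destination port, destination IP) pair in each AND-group, then deny-all."""
    entries = []
    for group in to_dnf(tokenize(expr)):
        ports = sorted({a.split("==")[1] for a in group if a.startswith("DEST.PORT")})
        ips = sorted({a.split("==")[1] for a in group if a.startswith("DEST.IP")})
        for port, ip in product(ports or ["any"], ips or ["any"]):   # missing side means 'any'
            entries.append({"type": "L4", "dst_port": port, "dst_ip": ip, "action": "allow"})
    entries.append({"type": "L4", "dst_port": "any", "dst_ip": "any", "action": "deny"})  # no implicit deny
    return entries
```

The resulting list is in the order the lines should be entered, with the deny-all line last so that nothing outside the allowed pairs matches.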