Forum Discussion

David_G__33241
Mar 21, 2014

VS requirements for sideband connection

As part of an Access Policy, I want to make a sideband connection to a McAfee ePO server to see if the McAfee Agent GUID retrieved from the registry is in fact registered as a corporate device. The call itself is simple enough: https://epo-server:8443/remote/system.find?searchText=38EDE1D1-E565-44DD-9E36-EE089FF9F85E and this will return something like:

 

    OK:
    System Location: 3423
    System Name: EMM-SYSNAME
    Description: null
    System Description: N/A
    Time Zone: Central Standard Time
    Default Language: 0409
    User Name: first.last
    Domain Name: corpdomain
    DNS Name: EMM-SYSNAME.corpdomain.com
    IP Address: 0:0:0:0:0:FFFF:AC16:799F
    IP Address: 172.2.11.19

Etc.

 

The remote user will connect with the Edge Client. Prior to presenting the user with a logon page, I have an iRule event which calls “Mark Seecof's HTTP Super SIDEBAND Requestor” (https://devcentral.f5.com/wiki/irules.HTTP-Super-SIDEBAND-Requestor-Client-Handles-Redirects-Cookies-Chunked-Transfer-APM-Access-etc.ashx) to look up the GUID in ePO.

 

Since the call is HTTPS, the iRule indicates that a helper virtual server is required for TLS.

 

From the iRule:

    SB_uri = absolute URI of target, plus optionally...
    SB_virt = (optional) name of target virtual server--if set, used in lieu of host/port in $SB_uri (also see $SB_redir below)

    If you set $SB_virt then host in $SB_uri can be anything (xxx), but if you do not set $SB_virt you must either put IP (to use port 80) or IP:port in host part of $SB_uri, or ensure your LTM's DNS setup is valid so [RESOLV::lookup] will work.

 

So, hardcoding for the moment I have…

 

set SB_uri https://epo-server:8443/remote/system.find?searchText=38EDE1D1-E565-44DD-9E36-EE089FF9F85E

 

…but I don’t know how the VS is supposed to be defined??

 

Running 11.5

 

Thanks.

 

4 Replies

  • Hi David, what I've seen others do in the past is to make a sideband to a local HTTP virtual that then has a serverside SSL profile to connect to the remote service.

     

  • David,

     

    You might be able to do this in a much easier way (no sideband connection) by leveraging the HTTP Auth method in the Visual Policy Editor. Take a look here for an example of how it is done with another service such as OTP.

     

  • Since the call is HTTPS, the iRule indicates that a helper virtual server is required for TLS

     

    To add onto Jason's comment, you'd basically create an HTTP virtual server with an internal, non-routable listening address (so that it's not accessible to clients). That virtual would have a pool that pointed to your remote HTTPS resource, and then you'd apply a server SSL profile. Your sideband iRule would then reference this virtual server by name (the SB_virt variable in this case). Your iRule will make a sideband call to the HTTP virtual server (by name), which will send the traffic to the remote HTTPS server(s) in its pool.

     

    The SB_uri variable should just be the URI portion on the request, so in this case just "/remote/system.find?searchText=38EDE1D1-E565-44DD-9E36-EE089FF9F85E".
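
An added example, not part of the thread or of the Super SIDEBAND Requestor iRule: Tcl procs that build the path-only SB_uri from a validated GUID and decide, failing closed, whether the ePO response shows a registered device. The proc names are hypothetical, and treating an "OK:" body with a non-empty "System Name" as a hit is an assumption based only on the sample response in the question.

```tcl
# Added example, not from the thread. Tcl 8.4 syntax only (what iRules run).
# All proc names are hypothetical.

# The GUID is read from the client's registry, so it is untrusted input:
# accept only the 8-4-4-4-12 hex form before it goes into the query string.
proc epo_guid_valid {guid} {
    return [regexp {^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$} $guid]
}

# Path-only SB_uri, for use together with SB_virt as the last reply describes.
proc epo_build_uri {guid} {
    if {![epo_guid_valid $guid]} { error "malformed GUID rejected" }
    return "/remote/system.find?searchText=$guid"
}

# Parse an "OK:" body of "Key: Value" lines into a flat key/value list.
# Keys can repeat (two "IP Address" lines in the sample), so all pairs are kept.
# Returns an empty list when the first non-blank line is not "OK:".
proc epo_parse {body} {
    set pairs [list]
    set seen_ok 0
    foreach line [split [string map [list "\r" ""] $body] "\n"] {
        set line [string trim $line]
        if {$line eq ""} { continue }
        if {!$seen_ok} {
            if {$line ne "OK:"} { return [list] }
            set seen_ok 1
            continue
        }
        # Split on the first ": " only; IPv6 values contain bare colons.
        set idx [string first ": " $line]
        if {$idx < 1} { continue }
        lappend pairs [string range $line 0 [expr {$idx - 1}]] \
                      [string range $line [expr {$idx + 2}] end]
    }
    return $pairs
}

# Fail closed: allow only on status 200, an OK: body and a real System Name.
# Assumption: a registered device always carries a non-empty "System Name".
proc epo_is_registered {status body} {
    if {$status ne "200"} { return 0 }
    foreach {k v} [epo_parse $body] {
        if {$k eq "System Name" && $v ne "" && $v ne "null"} { return 1 }
    }
    return 0
}

# Constructed sample, shaped like the response quoted in the question.
set sample "OK:\nSystem Location: 3423\nSystem Name: EMM-SYSNAME\nIP Address: 0:0:0:0:0:FFFF:AC16:799F\nIP Address: 172.2.11.19\n"
puts [list [epo_build_uri "38EDE1D1-E565-44DD-9E36-EE089FF9F85E"] [epo_is_registered 200 $sample] [epo_is_registered 200 "OK:\n"]]
```

The block runs as-is under tclsh; inside an iRule, drop the last three lines and feed `epo_is_registered` the status and body returned by the sideband call.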