Forum Discussion

sameh_atef_2110, Nov 20, 2015

Firewall access to be opened for APM to operate

Hi, we have an APM cluster (2 devices in HA). We want to know, when a user or client authenticates against an external authentication server like AD, RSA, RADIUS or ACS, which IP of the F5 communicates with the authentication server, so we can open access for it on the firewall. Is it the self IP, the floating IP or the management IP?


When a user tries to RDP to a server, or open any other kind of session, will he use his own IP, or will it be the floating or self IP of the F5? So which IP should I allow access to the RDP server on the firewall?


4 Replies

  • Hi, first of all, your best option is to use tcpdump to get the exact IPs used in your environment. For example, if your authentication server is 10.0.0.1, then:

    tcpdump -nni 0.0 host 10.0.0.1

    "When a user tries to RDP to a server, or open any other kind of session, will he use his own IP, or will it be the floating or self IP of the F5? So which IP should I allow access to the RDP server on the firewall?"

    If you are using SNAT automap then it'll be the floating IP of the exit VLAN from which the BIG-IP reaches the server. If there is no SNAT then it'll be the client-assigned IP from the lease pool. Again, tcpdump is your best friend.

  • I agree with Amine, just use tcpdump to be sure.


    But from experience I believe the AAA stuff is done from the non-floating self IP (or the management IP if you set up management routing) and the user stuff is done from the floating IP. But again, measuring and testing it is the safest.


    Also be sure to report back your results; it will help others.


  • Purely depends on your routes. If you have a management route configured and the AAA server is in the management network, then the server would receive the authentication packets from your F5 management address. Otherwise it would take the floating address of the F5 and go out.


    As boneyard and Amine suggested, run the tcpdump and verify it once before you go ahead.


    -Jinshu
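The replies above all come down to the same advice: capture traffic toward the AAA server and see which BIG-IP address actually appears as the source. The following script is an added example (not from the thread or from F5) that turns that capture into a firewall allow-list: it parses one-line `tcpdump -nn` output, keeps only packets sent to the authentication server, and labels each source address with its role using an address table you fill in yourself. The capture lines, the address plan (self IPs, floating IP, management IP) and the server address 10.0.0.1 are all constructed for the example.

```python
import re
from collections import Counter

# One-line summary format printed by "tcpdump -nn" for IPv4 packets:
#   <timestamp> IP <src>.<sport> > <dst>.<dport>: ...
# (On a BIG-IP, a capture on interface 0.0 may append tmm/slot details; they
#  follow the colon and are ignored here.)
PKT_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def outbound_sources(lines, server_ip):
    """Count packets sent *to* server_ip, keyed by (source IP, destination port).

    Replies coming back from the server are skipped, so only the addresses the
    firewall would have to permit as sources appear in the result.
    """
    counts = Counter()
    for line in lines:
        m = PKT_RE.match(line)
        if m is None or m.group("dst") != server_ip:
            continue
        counts[(m.group("src"), int(m.group("dport")))] += 1
    return counts


def label_sources(counts, known_addresses):
    """Map every source IP seen to its BIG-IP role (self, floating, management).

    known_addresses is the operator's own table; anything not in it is most
    likely a client address handed out from an APM lease pool (no SNAT).
    """
    return {
        src: known_addresses.get(src, "unknown (client/lease-pool address?)")
        for (src, _port) in counts
    }


def firewall_rules(lines, server_ip, known_addresses):
    """Return sorted (source, role, dest port, packet count) tuples to allow."""
    counts = outbound_sources(lines, server_ip)
    roles = label_sources(counts, known_addresses)
    return sorted((src, roles[src], port, n) for (src, port), n in counts.items())


# Constructed sample capture (not real traffic); 10.0.0.1 plays the AAA server.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.0.0.5.54321 > 10.0.0.1.1812: UDP, length 120
12:00:01.000200 IP 10.0.0.1.1812 > 10.0.0.5.54321: UDP, length 40
12:00:01.100000 IP 10.0.0.5.54322 > 10.0.0.1.1812: UDP, length 120
12:00:02.000000 IP 10.0.0.5.40001 > 10.0.0.1.5500: UDP, length 200
12:00:03.000000 IP 10.0.0.6.50123 > 10.0.0.1.389: Flags [S], seq 1, win 29200, length 0
12:00:03.000100 IP 10.0.0.1.389 > 10.0.0.6.50123: Flags [S.], seq 2, ack 2, win 29200, length 0
""".splitlines()

# Hypothetical address plan for the HA pair (assumed values, not from the thread).
KNOWN_ADDRESSES = {
    "10.0.0.4": "self IP (non-floating), unit A",
    "10.0.0.5": "self IP (non-floating), unit B",
    "10.0.0.6": "floating IP (traffic-group-1)",
    "192.168.1.10": "management IP, unit B",
}


if __name__ == "__main__":
    # Prints one allow-list entry per (source, port) pair, annotated with the role.
    for src, role, port, n in firewall_rules(SAMPLE_CAPTURE, "10.0.0.1", KNOWN_ADDRESSES):
        print(f"allow {src:<15} -> 10.0.0.1:{port:<5} ({n} pkts)  # {role}")
```

Run it against a real capture by piping `tcpdump -nni 0.0 host <server>` output into `SAMPLE_CAPTURE`'s place; because the HA pair has two non-floating self IPs, capture on both units (or fail over once) before trusting the list, since a rule that only allows the active unit's self IP is exactly what breaks after failover.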


  • Hi, I believe it's a known issue (238556).


    From https://support.f5.com/kb/en-us/products/big-ip_apm/releasenotes/product/relnote-apm-12-0-0.html:


    Other issues


    AAA types for SecurID and RADIUS in APM will not source packets from the floating IP address for the traffic group, as customers would expect. Because the RSA authentication server is sensitive to the incoming IP address of the authentication packets, an extra virtual server is required to SNAT the authentication requests to the correct (floating) address so that the same source IP will be used in both members of an HA pair. You see this when you use RADIUS AAA or RSA AAA in an APM access policy. Authentication will fail because RSA expects the source IP address to be specific, and will not tolerate changes on HA failover.