Forum Discussion

Ryan_34424
Mar 09, 2017

APM :: Access to Resources w/No Webtop or Network Access

Stupid question (humor me please). Is it possible to create an access policy that allows access to resource(s), but without accessing them through a webtop or through a Network Access VPN?

As an example, the user has a mobile device with custom applications on it. The user accesses a URL (abstracted from them within the app) which points to the F5 APM. The APM fires off an iRule which connects to our MDM via its API to validate that the phone's UUID is valid, the phone has recently checked in, and as far as the MDM is concerned, the phone is in compliance. Once that decision tree is passed, the F5 pulls the local client certificate, validates that it is signed by our internal CA (and is not revoked), and then allows the connection inbound.

I can do all of the above already - so I know that part works...

... but how can I then provide access to resources without a webtop or through Network Access VPN? I don't know if that is even possible, but my guess would be I would have to allow access to a resource based on URI at that point, and have some level of rewriting to get the request to the server it needs to go to. Is there something built-in for this? Or am I looking at another custom iRule?

The reason for this is that I do not want to have the user presented a webtop, or have the phone connected to the network. I want it completely abstracted so that when they fire up X custom app (written in house), its calls to the back-end web server(s) are completely abstracted from them and are authenticated by APM in the process.

I may just be out of my mind... but it happens.

4 Replies

  • Here's an idea...

    The user's phone does all of the above as far as authentication goes.

    Once it passes, the APM populates a variable indicating the check passed. After that I call an iRule event in the VPE disabling APM (via ACCESS::disable) and pass the connection to the pool assigned to the VS. I don't know if this is even possible (will the variable stick? will the APM actually then pass the connection back to the VS?), but let's assume it is.

    I'm guessing at that point, I would need another iRule to validate the variable populated above as "passed", dynamically select the pool required (depending on what server the app needs to connect to), and also have the logic to rewrite the HTTP header (remove the part of the URI that controls the pool decision since the back-end doesn't need it, and possibly host header issues).

    https://f5-apm-server.net/server_control_decision_in_uri/index.html?options=x

    This would be a hack job and a half I suppose LOL - but I guess it's something I can test in the meantime.

  • I have seen a lot more crazy requirements, and your requirements are not that uncommon.

    If my understanding of the requirements is correct, I see 2 options:

    1 - Portal Access

    https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-portal-access-13-0-0/1.html

    2 - Web Application Access

    I can't find any link, but it is easy to explain. This is basically APM + LTM: APM is used to authenticate, and after that the request is load balanced by the LTM. So, you create a virtual server, link it to the APM policy with the logic you need, and it's done. The client must point to the virtual server; APM will process first, and when finished, LTM will process the traffic.

    In case you don't know, there are also 2 clients you can use for that; in your case the Edge Portal can be a good option:

    https://support.f5.com/csp/article/K12488

  • Hi,

    What do you mean by without a webtop?

    Do you mean without a Full webtop?

    In APM, you can use a resource object with a Portal Webtop.

    A portal webtop is a webtop hosted on an internal server. If you need to hide multiple internal web servers behind one public hostname, but without the F5 webtop (named full webtop), you can create a Portal webtop with an internal URL to redirect the user to this server after authentication. Every link in this web server will be rewritten (even external links).

    If you want to access only one URL, LTM+APM mode is recommended.

  • Ok, this was easier than I had initially thought.

    I created an LTM-APM access profile, created the client cert inspection and compliance check, and then, based on landing URI (via branches), I assigned different static pools (if landing URI /x, send to y.pool).

    Works great...

    Not sure how this can really scale as designed (would need to create a new branch for each landing URI)... but I couldn't find a way to assign resources via iRule. If I can assign the resource via iRule, then I could just populate a data group and future pool additions would be trivial (and not clutter up the VPE logic).
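The following iRule is an added example, not code from this thread, the poster, or F5. It implements the idea from the first reply (check a flag the VPE set, pick the pool dynamically from the landing URI, strip the routing prefix and fix the Host header) in the LTM+APM mode the later replies recommend, and it replaces the per-URI VPE branches of the last reply with a data-group lookup. Everything named here is an assumption: the data groups `app_pool_map` and `app_host_map`, the pool names, and the custom session variable `session.custom.mdm_ok` that the access policy is assumed to set on its Allow branch after the client-certificate and MDM checks succeed.

```tcl
# Added example iRule (not from this thread or from F5): attach to the
# LTM+APM virtual server. Pool choice comes from a data group rather than a
# VPE branch per landing URI, and the routing prefix is stripped before the
# request is forwarded.
#
# Assumed objects (all names are illustrative):
#   - string data group app_pool_map : landing prefix -> pool name, e.g.
#       tmsh create ltm data-group internal app_pool_map type string \
#         records add { /inventory { data pool_inventory } /orders { data pool_orders } }
#   - string data group app_host_map : landing prefix -> backend Host header value
#   - VPE custom variable session.custom.mdm_ok, set to 1 on the Allow branch
#     after the client-cert and MDM checks succeed

when ACCESS_ACL_ALLOWED {
    # Fires for each request once the access policy has ended in Allow, so the
    # VPE checks already ran; re-check the custom flag anyway so a session that
    # reached Allow without it cannot be forwarded to any pool.
    if { [ACCESS::session data get "session.custom.mdm_ok"] ne "1" } {
        log local0. "sid [ACCESS::session sid]: mdm_ok flag not set, denying"
        ACCESS::session remove
        ACCESS::respond 403 content "Forbidden" "Connection" "close"
        return
    }

    # First path segment is the routing key: /inventory/api/items -> /inventory
    set prefix "/[string tolower [lindex [split [HTTP::path] "/"] 1]]"
    set target [class match -value $prefix equals app_pool_map]
    if { $target eq "" } {
        log local0. "sid [ACCESS::session sid]: no pool mapped for $prefix ([HTTP::uri])"
        ACCESS::respond 404 content "Unknown application" "Connection" "close"
        return
    }

    # Drop the prefix so the backend sees /api/items?...; the query string survives
    # because HTTP::uri (not HTTP::path) is sliced.
    set newuri [string range [HTTP::uri] [string length $prefix] end]
    if { $newuri eq "" || [string index $newuri 0] ne "/" } {
        set newuri "/$newuri"
    }
    HTTP::uri $newuri

    # Backend virtual hosts usually expect their own name, not the public one
    set backend_host [class match -value $prefix equals app_host_map]
    if { $backend_host ne "" } {
        HTTP::header replace "Host" $backend_host
    }

    pool $target
    log local0. "sid [ACCESS::session sid]: $prefix -> $target uri $newuri"
}
```

With this in place, onboarding another back-end application is one new record in each data group; the virtual server and the access policy stay as they are, which is what the last reply was after. Unmapped prefixes are refused rather than falling through to the virtual server's default pool, and the policy's own checks still gate every request because the iRule only runs after the policy has reached Allow.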