Forum Discussion

e0013192_143645
Feb 08, 2018

APM AD auth restricted by client source and client OU

I have a requirement to allow internal users to access to SharePoint if they come from our internal IP addresses and they are part of a specific OU. I have a separate requirement that will allow connectivity from the internet but only to one specific OU.


For the internal users I have an iRule after the Logon Page which restricts the connections by client source address. Then I have the AD Query for the specific OU.


What I'm not sure of is how to allow connectivity from internet users but to only one OU that the internal users are not allowed to access.


This is what I have so far and it will allow internal users to SharePoint, so now I need to allow internet users to connect to SharePoint on a completely different OU than my internal users.


2 Replies

  • I hope this VPE screenshot is a POC configuration.


    1. there is no Authentication box, only an AD query box which doesn't check password.
    2. iRule event to check client source IP is a really bad idea. you can do it with a box in VPE (server-side client check)
    3. if you want to block access to a virtual server based on irule, you can do it within an event before policy evaluation (HTTP_REQUEST or ACCESS_ACL_ALLOWED) without irule event requirement.
  • Yes this is a POC. I have removed the iRule and I'm just focusing on getting the authentication based on the OU. This is what I see in the log.


    AD module: query with 'OU=038-task,OU=Clients,DC=clientqa,DC=ent' failed: no matching user found with filter OU=038-task,OU=Clients,DC=clientqa,DC=ent (-1)


    When I run a tcpdump between the F5 and AD I see a bindRequest(1) to "" not to the CN and OU I expect.
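The two branches the thread is after (internal source plus one OU, internet source plus a different OU) and the filter problem visible in the logged AD query, modelled in Python as an added example. This is not F5 or APM code: the internal subnets, the "Staff" OU, the username-based search filter and the session-to-decision mapping are assumptions; only the 038-task DN comes from the log line above.

```python
import ipaddress
import re

# Constructed sample policy. The 038-task DN is the one from the thread's log line;
# the internal subnets and the Staff OU are assumptions for illustration.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
INTERNAL_OU = "OU=Staff,OU=Clients,DC=clientqa,DC=ent"       # assumed OU for LAN users
INTERNET_OU = "OU=038-task,OU=Clients,DC=clientqa,DC=ent"    # OU reserved for internet users


def split_dn(dn):
    """Split a DN into its RDNs, keeping backslash-escaped commas inside a value,
    and normalise case so 'ou=clients' and 'OU=Clients' compare equal."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]


def in_ou(user_dn, ou_dn, subtree=False):
    """True if the user object sits directly in ou_dn (or anywhere below it when subtree=True)."""
    u, o = split_dn(user_dn), split_dn(ou_dn)
    if subtree:
        return len(u) > len(o) and u[-len(o):] == o
    return u[1:] == o


def search_filter(username):
    """LDAP filter the AD Query should use (assumed: match on sAMAccountName).
    An OU DN such as the one in the log is a search base, not a filter; used as a
    filter it reads as OU=<whole string> and matches no object, hence 'no matching user'."""
    escape = str.maketrans({"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"})
    return f"(sAMAccountName={username.translate(escape)})"


def decide(client_ip, user_dn):
    """Model of the two policy branches: where the client comes from decides which OU
    is acceptable; a user in the 'wrong' OU for their source is denied."""
    ip = ipaddress.ip_address(client_ip)
    internal = any(ip in net for net in INTERNAL_NETS)
    if internal and in_ou(user_dn, INTERNAL_OU):
        return "allow-internal"
    if not internal and in_ou(user_dn, INTERNET_OU):
        return "allow-internet"
    return "deny"
```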