Forum Discussion

Demeter_Luo
Oct 31, 2016

LTM VS inheritance APM VS VPE-Policy issue.

Hello~

I have an LTM combo APM device and a special scenario.

I hope that after a customer logs in to the VPN (APM listener), their access to the non-APM listener can inherit the APM listener's VPE policy, such as the VPE-assigned ACL.

The configuration is as follows:

(1) VS_VPN_PORT_443 (APM listener) --- access policy VPE associated with full webtop, local auth and ACL .....

(2) VS_XXX_PORT_ANY (non-APM listener) --- standard type, pool .....

My test result is that login to the VPN (APM listener) succeeds, but subsequent access to the non-APM listener is not limited by the VPE ACL.

How do I configure the non-APM listener so that it inherits the APM listener's policy?

Thanks everyone. D.Luo


1 Reply

  • Hi,

    I created this to authenticate users with APM and allow them with AFM:

    On the APM VS, assign this iRule:

    when ACCESS_ACL_ALLOWED {
        log local0. "requete de [IP::client_addr]"
        switch [HTTP::path] {
            "/status" {
                # limit to 1 connection per IP address
                set value [table lookup -subtable IPAdmins [IP::client_addr]]
                set lifetime [table lifetime -subtable IPAdmins -remaining [IP::client_addr]]
                # remaining seconds rendered as H:M:S; -gmt 1 keeps the local timezone offset out of it
                set lifetime_formated [clock format $lifetime -format {%H:%M:%S} -gmt 1]
                if {$lifetime < 1} {
                    ACCESS::respond 302 noserver Location "/disconnect"
                    return
                }
                ACCESS::respond 200 content "
                    Authenticated
                    You are authenticated successfully :
                    session time remaining : $lifetime_formated
                    Your client IP : [IP::client_addr]
                    Your authorization role : $value
                " noserver
            }
            "/disconnect" {
                # remove the client's entry so the routing VS stops honoring it, then end the APM session
                table delete -subtable IPAdmins [IP::client_addr]
                ACCESS::respond 302 noserver Location "/vdesk/hangup.php3"
            }
            default {
                # record the user's local-DB groups keyed by client IP: 7200 s idle timeout, 43200 s absolute lifetime
                table set -subtable IPAdmins [IP::client_addr] [ACCESS::session data get session.localdb.groups] 7200 43200
                ACCESS::respond 302 noserver Location "/status"
            }
        }
    }


    On the routing VS, assign this iRule:

    when CLIENT_ACCEPTED {
        # the group written by the APM listener; the lookup also refreshes the entry's idle timeout
        switch [table lookup -subtable IPAdmins [IP::client_addr]] {
            "Group1" {virtual /Common/VS-GROUP1}
            "Group2" {virtual /Common/VS-GROUP2}
            "Group3" {virtual /Common/VS-GROUP3}
            default {drop}
        }
    }


    Each VS-GROUPX is a forwarding VS with a dedicated AFM policy.

    If you do not have the AFM module, you can filter in the iRule with a data group instead of assigning a VS.
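The data-group variant mentioned in the last sentence of the reply, as an added example that is not part of the original post: here the routing VS is itself a forwarding VS, and instead of steering each group to a VS protected by AFM, the iRule checks the destination against one address-type data group per group. The data-group names (`dst_allowed_group1` and so on) and the assumption that the APM listener fills the `IPAdmins` subtable exactly as in the reply are mine.

```tcl
# Added example, not from the original reply. Assumes the APM listener above
# writes each client's group into the IPAdmins subtable, and that three
# address-type data groups (hypothetical names) list the destination networks
# each group may reach: dst_allowed_group1, dst_allowed_group2, dst_allowed_group3.
when CLIENT_ACCEPTED {
    # Group recorded by the APM iRule; empty if the client never authenticated
    # or its entry expired. The lookup also refreshes the entry's idle timeout.
    set group [table lookup -subtable IPAdmins [IP::client_addr]]

    switch -- $group {
        "Group1" { set dg dst_allowed_group1 }
        "Group2" { set dg dst_allowed_group2 }
        "Group3" { set dg dst_allowed_group3 }
        default {
            # no valid APM session for this source IP: nothing is forwarded
            log local0. "drop [IP::client_addr]: no authenticated group"
            drop
            return
        }
    }

    # Address data groups match on network membership, so an entry such as
    # 10.10.0.0/16 covers every host in that range.
    if { [class match [IP::local_addr] equals $dg] } {
        # destination permitted for this group; the forwarding VS routes it
        return
    }

    log local0. "drop [IP::client_addr] ($group) -> [IP::local_addr]: not in $dg"
    drop
}
```

Because the table is keyed by source IP, several users behind one NAT address share a single entry; that is a property of the reply's design and the data group does not change it.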