Forum Discussion

TD
May 07, 2019

L7 https ACL with APM SSL VPN not working

Hi, I am building a POC for Client SSL VPN with F5 APM in AWS. Since we are using AWS, I would like to use L7 ACLs instead of L4, since IP addresses keep changing in AWS.

I got it working for http but not for https.

 

In another post I found this: https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-config-11-4-0/apm_config_resources.html147209

 

You can use a Layer 4 or Layer 7 ACL with network access, web applications, or web access management connections, with the following configuration notes. With network access, you can use a Layer 7 ACL that is configured to provide access control for port 80 HTTP connections. However, if you want to provide access control for anything that is not on port 80, you must create a second virtual server, configured with the IP address to which the ACL entry applies, and the default access profile, access. For HTTPS network access connections, you can use Layer 7 ACL entries only if the virtual server has the private key of the backend server.

 

Does that really mean I will have to create an additional VS for every single URL I want to access via https, and also need the key for that URL?

I hope not.

 

Thanks.

 

2 Replies

  • Hi,

    If you want to control the L7 traffic with APM then yes, that's your only choice. But there is another way to achieve your goal:

    You can control traffic to those encrypted apps using an LTM policy based on SNI.

    There is no need to decrypt SSL; the policy will evaluate the SNI (which is based on the hostname) and you can create your desired action based on that.

    For example, you can drop traffic, log it, redirect it to an error page...

    Steps to do that:

    1. Make sure you have an LTM license (required for the SSL persistence profile you will need).
    2. Create a 0.0.0.0/0:443 virtual server INSIDE the tunnel (no HTTP profile, no SSL profiles).
    3. Attach an SSL persistence profile to the virtual server (that will allow the BIG-IP to parse the SSL hello packet and read the SNI).
    4. Create the policy that uses that.

    Have a look at the following example for more details on SNI and LTM policy:

    https://devcentral.f5.com/s/articles/sni-routing-with-big-ip-31348

    Hope it helps.

     

     

  • TD

    Hi, thanks for your answer. Looks like the new forum messed up the answers to my questions, since they are all gone...

    I posted an answer to my question yesterday showing how we have done it now, but it is gone today.

    We store the FQDNs and ports (TCL formatted list) the user needs to access in an attribute in LDAP and send this to the F5 during login. An iRule then queries the DNS for the IPs of the FQDNs and then creates the ACLs out of this information. To make this a little faster, the F5 is set up as a DNS cache, maybe in the future even as a slave.

    This is working fine so far. Henrik Gyllkrans helped me with the iRule. Thanks again, Henrik.

    We will extend the iRule to also be able to catch IP addresses, so if you don't have a name for a service you can also add an IP to the TCL list.

    Your idea is something I had in mind as well, but then I thought about TLS 1.3, where the servername field is encrypted, thus we would need SSL termination on the F5 to read the servername. We do not want the F5 to do the SSL termination.

     

    But out of curiosity how do I create the SSL Server INSIDE the Tunnel? Is that automatically done if I don't choose a HTTP and SSL Profile?