Forum Discussion

dragonflymr
Apr 18, 2016

AFM rule and AD groups

Hi,


I am trying to replicate Microsoft FTMG firewall functionality (found in other products working as forward proxies as well) to use AD group membership to allow or deny traffic.


In FTMG, when creating a FW rule it's possible to specify as conditions:


  • source of the traffic
  • destination of the traffic
  • group membership

As a result, traffic from a given source to a given destination is allowed if the source IP belongs to a user who is a member of the specified group/groups in AD.


I assume that it's based on a simple mapping between IP and user logon that is retrieved from AD.


So it can be replicated using the DCAgent or LogonAgent provided by F5 and the ifmap vs implemented on BIG-IP. But it's very complicated to manage after implementing.


My setup is using:


  • AFM rule set to check src and dst at L4, set with Accept
  • Rule has an iRule attached
  • iRule is using the FLOW_INIT event and ACL::action to change the default FW rule action to reject, based on:
  • Evaluation of an APM policy via ACCESS::policy evaluate
  • The evaluated Access Policy is using Transparent Identity Import to find the username for the src IP of the connecting computer, using mappings stored on BIG-IP via ifmap
  • After identifying the username, an AD Query is performed (probably an LDAP query to AD would be faster?) to check user group membership
  • Based on that, different branches are used to Allow (user belongs to the required groups) or Deny (user does not belong to the required group)
  • Based on Allow or Deny returned by the Access Policy, either the default FW rule action is used (Accept) or the action is changed via ACL::action reject

It's working but crazy to manage :-(


I wonder if I am missing some easier-to-manage way of implementing FTMG functionality?


Piotr
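A minimal iRule sketching the FLOW_INIT / ACCESS::policy evaluate / ACL::action chain the post describes, as an added example (not the poster's iRule). The access profile path /Common/afm_group_check is a placeholder, and the -ip option, the -sid form of the session commands and the literal result strings allow/deny are assumed from F5's documented APM-in-AFM usage; it fails closed, so any evaluation error becomes a reject rather than falling through to the rule's default Accept.

```tcl
# Added example, not the poster's code. The AFM rule's default action is Accept;
# this iRule flips it to reject unless the APM policy's Allow branch was reached.
when FLOW_INIT {
    set sid ""
    set user "unknown"
    set verdict "deny"    ;# fail closed: anything unexpected ends in reject

    if { [catch {
        # Short-lived APM session just for this flow's policy evaluation.
        set sid [ACCESS::session create -timeout 300 -lifetime 300]
        # Profile path is a placeholder; -ip is assumed to hand the policy the
        # client address that Transparent Identity Import maps to a username.
        ACCESS::policy evaluate -sid $sid -profile /Common/afm_group_check -ip [IP::client_addr]
        set verdict [ACCESS::policy result -sid $sid]
        # Username resolved by the policy, for the audit log line below.
        set user [ACCESS::session data get -sid $sid session.logon.last.username]
    } err] } {
        # Policy error (e.g. AD Query failure): log it and keep the deny verdict.
        log local0.warn "APM evaluation error for [IP::client_addr]: $err"
        set verdict "deny"
    }

    if { $verdict ne "allow" } {
        # Override the rule's Accept with a reject for this flow.
        ACL::action reject
        log local0.info "AFM reject [IP::client_addr] -> [IP::local_addr] user=$user verdict=$verdict"
    } else {
        log local0.info "AFM accept [IP::client_addr] -> [IP::local_addr] user=$user"
    }

    # The session only existed to drive the evaluation; release it either way.
    if { $sid ne "" } {
        ACCESS::session remove -sid $sid
    }
}
```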
