veato
May 23, 2017

Force Access Policy Depending on User

I currently have a VS for SharePoint with no Access Policy, as it only deals with trusted domain-joined clients. It does have a couple of iRules: one regarding NTLM (I think to facilitate single sign-on, although I didn't build this) and a second that assigns a pool based on the requested URL.

Our organisation has partner organisations and, whilst their username UPN suffix is different, we're all members of the same AD. For example, I am me@org1.com and the partner organisation is them@org2.com.

A requirement has now arisen whereby the partner organisation wishes to put 2FA in front of the SharePoint application, but I don't want to do this for everyone in the AD.

Is it possible, then, to force some kind of policy/rule/profile that only kicks in when a user, e.g. "ORG2\them", attempts to access SharePoint, without forcing everyone to go through a log-on process?

1 Reply

Hi Veato,

If I assume that you can read the "UPN" from your iRule, I think there are many ways to manage this.

First solution: with fewer changes on your BIG-IP (but never tested)

1) Add an APM profile to your existing VS that will handle the 2FA

2) Add the command "ACCESS::disable" to your iRule to disable APM by default

3) Add a condition to check if your users have to make 2FA; if the condition is verified, then do an "ACCESS::enable"

For more info check this https://devcentral.f5.com/wiki/iRules.ACCESS__enable.ashx

Second solution: requires more changes (already implemented)

You will need three VSs:

• VS_PARENT_PORT_443 // this VS will have only an iRule (no pool) with a condition to check the UPN; based on this variable it will redirect traffic to a sub-VS
• VS_CHILD_2FA_PORT_4443 // this VS will have an APM policy that will make the 2FA + pool_sharepoint
• VS_CHILD_PORT_4444 // this VS will process the traffic for other users that don't need the 2FA + pool_sharepoint

Hope it helps

Regards
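The reply's first solution, written out as an iRule. This is an added example, not code from the thread or from F5, and it makes the reply's "if you can read the UPN from your iRule" assumption concrete: since the VS already speaks NTLM, the identity is taken from the NTLM Type 3 (AUTHENTICATE_MESSAGE) that the client sends in the Authorization header, which carries a NetBIOS domain plus user name ("ORG2\them") rather than a UPN, so the rule matches on either the domain or the UPN suffix. The data group name `dg_2fa_domains` and the proc name `ntlm_type3_identity` are hypothetical; the VS names in the final comment are the ones from the reply.

```tcl
# Added example (not from the thread): iRule for the reply's first solution.
# APM is disabled by default and enabled only for users who must pass 2FA.
# Assumptions (all names are hypothetical):
#   - an APM profile carrying the 2FA policy is attached to the SharePoint VS;
#   - clients authenticate with NTLM, so the identity is read from the NTLM
#     Type 3 message in the Authorization header (MS-NLMP field layout);
#   - a string data group "dg_2fa_domains" lists the NetBIOS domains (upper
#     case, e.g. ORG2) and UPN suffixes (lower case, e.g. org2.com) needing 2FA.

# Parse domain and user out of an NTLM Type 3 message.
# Returns {domain user}, or an empty list when the header is not a Type 3.
proc ntlm_type3_identity { authz } {
    if { !([string tolower $authz] starts_with "ntlm ") } { return {} }
    set msg [b64decode [string range $authz 5 end]]
    if { [string length $msg] < 64 } { return {} }
    # Signature "NTLMSSP\0" then MessageType (little-endian uint32; 3 = AUTHENTICATE)
    binary scan $msg a8i sig mtype
    if { $sig ne "NTLMSSP\x00" || $mtype != 3 } { return {} }
    # DomainNameFields at offset 28 and UserNameFields at offset 36,
    # each Len(2) MaxLen(2) Offset(4); "x2" skips MaxLen
    binary scan $msg @28sx2i@36sx2i dlen doff ulen uoff
    set total [string length $msg]
    if { $doff + $dlen > $total || $uoff + $ulen > $total } { return {} }
    set dom [string range $msg $doff [expr {$doff + $dlen - 1}]]
    set usr [string range $msg $uoff [expr {$uoff + $ulen - 1}]]
    # Names are UTF-16LE when the Unicode flag is set; dropping NUL bytes is
    # enough for ASCII account names (assumption: no non-ASCII names).
    return [list [string map {"\x00" ""} $dom] [string map {"\x00" ""} $usr]]
}

when CLIENT_ACCEPTED {
    # NTLM authenticates the TCP connection, so later requests on it may carry
    # no Authorization header: remember the decision per connection rather than
    # falling back to the permissive default on every request.
    set need_2fa 0
}

when HTTP_REQUEST {
    if { !$need_2fa } {
        set id [call ntlm_type3_identity [HTTP::header "Authorization"]]
        if { [llength $id] == 2 } {
            set dom [string toupper [lindex $id 0]]
            set usr [lindex $id 1]
            if { [class match -- $dom equals dg_2fa_domains] } {
                # "ORG2\them": NetBIOS domain requires 2FA
                set need_2fa 1
            } elseif { [string first "@" $usr] >= 0 } {
                # "them@org2.com": UPN suffix requires 2FA
                set suffix [string tolower [lindex [split $usr "@"] end]]
                if { [class match -- $suffix equals dg_2fa_domains] } {
                    set need_2fa 1
                }
            }
            if { $need_2fa } {
                log local0. "2FA required for $dom\\$usr from [IP::client_addr]"
            }
        }
    }
    # Reply's step 2 and 3: APM off by default, on only for the matched users
    if { $need_2fa } {
        ACCESS::enable
    } else {
        ACCESS::disable
    }
    # For the reply's second solution the same decision, placed on
    # VS_PARENT_PORT_443, would steer traffic instead of toggling APM:
    #   if { $need_2fa } { virtual VS_CHILD_2FA_PORT_4443 } else { virtual VS_CHILD_PORT_4444 }
}
```

Two things to verify before relying on this, since the reply itself marks the first solution as untested. First, the requests a client sends before its Type 3 message carry no identity and therefore hit the `ACCESS::disable` branch; that is acceptable only because SharePoint answers them with its own 401 until NTLM completes, so confirm with an ORG2 test account that the request carrying the Type 3 is the one that lands in the APM policy (the `log local0.` line and the APM session list show this) and that an ORG1 account never creates a session. Second, the existing NTLM iRule on the VS may already manage connection reuse (OneConnect); the per-connection `need_2fa` flag must not be reset by it, otherwise a partner user's later requests on the same connection would silently drop back to the bypass path.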