
Create ACLs that use variables

When we create a Remote Desktop application, we assign the hostname to be a variable from Active Directory. For example, we would pull a hostname from AD using %{session.ad.last.attr.ipPhone}. APM will automatically create a dynamic ACL rule based on the Remote Desktop and it will appear as %{session.ad.last.attr.ipPhone}:3389 under the ACLs > All ACLs list. This works great. Some of our users have Mac computers and we store their hostname in AD, just like for Windows. Our Mac users will use Apple Remote Desktop to connect to their computer. F5 lacks the ability to add ARD entries, so the user will have to bring up that connection manually after starting a full VPN session. We are having trouble being able to create ACLs for the Macs because we cannot create a user-defined ACL to accept variables of the destination hostname %{session.ad.last.attr.ipPhone}, plus we are not able to tell what the client's source IP will be at the time. We already read the article about Dynamic ACLs and we do not want to have our support staff directly tinkering with ACLs in AD. We tried another method where we would create 3 fake Microsoft Remote Desktop items for each Mac (need to open 3 ports per Mac for ARD to work), but then the users' webtop is littered with fake, broken icons to make the Macs work. Any ideas how we can create ACLs that mimic the ones automatically created by the Microsoft Remote Desktop?


Replies to this Discussion


I'm confused about what the trouble actually is here.

If you look at the users' session variables, you can see the ACL entries that are assigned to the user. So if you want to make some dynamic custom ACLs that have 3 ports, it should work fine. You can use a TCL script to assign a string that represents whatever ACL you like, then process it with a Dynamic ACL Policy Item in the VPE.

Comments on this Reply
Comment made 11-Jul-2016 by Andrey Terentyev

This definitely works with a Dynamic ACL and an iRule. An example configuration would look like this:

  1. Create a Dynamic ACL under "Access Control Lists : User-defined ACLs". This will be your allow ACL.
  2. Create a Static L4 ACL that matches all addresses/ports with action Reject. This will be your default deny-all ACL.
  3. In access policy, add a Variable Assign action and set "session.assigned.hostname" to the ARD hostname assigned to the user.
  4. Next, add an iRule Event agent. This iRule Event will be used to resolve the assigned hostname to IP address and set the value for Dynamic ACL.
  5. Next, add Dynamic ACL Assign agent, choose the Dynamic ACL (from step 1), choose Source = Custom and specify session variable name that will be set by iRule Event. Let's use "session.dyn_acl" for example.
  6. Next, add ACL Assign agent and choose the deny-all ACL (from step 2).

Add an iRule to the virtual server (substitute static::dns with your DNS server's IP):

when RULE_INIT {
    # DNS server used to resolve the assigned hostname (substitute your own)
    set static::dns 10.192.145.230
}

when ACCESS_POLICY_AGENT_EVENT {
    # Hostname set by the Variable Assign action earlier in the policy (step 3)
    set hostname [ACCESS::session data get session.assigned.hostname]
    # Take the first address the resolver returns
    set ip [lindex [RESOLV::lookup @$static::dns $hostname] 0]
    # Publish the ACL text in the session variable read by Dynamic ACL Assign (step 5)
    ACCESS::session data set session.dyn_acl "{ allow ip any $ip }"
}

Thanks Andrey, we were able to adapt your code snippet and got it working for the Apple VNC screen sharing. For anyone else trying to do this, the iRule will also need to be added to the virtual server as a resource. We also have an AD Query before the iRule Event so that it has the Active Directory variables available for usage.

when RULE_INIT {
    # DNS server used to resolve the hostname taken from AD
    set static::dns 8.8.8.8
}

when ACCESS_POLICY_AGENT_EVENT {
    # Hostname stored in the AD attribute populated by the preceding AD Query
    set hostname1 [ACCESS::session data get session.ad.last.attr.facsimileTelephoneNumber]
    # Only Mac hostnames (our naming convention uses an MC or MB prefix) get an ARD ACL
    if { [string length $hostname1] && ($hostname1 contains "MC" || $hostname1 contains "MB") } then {
        # Qualify the short name with the AD domain before resolving it
        append hostname1 "." [ACCESS::session data get session.ad.last.actualdomain]
        set ip1 [lindex [RESOLV::lookup @$static::dns $hostname1] 0]
        # Only assign an ACL when the lookup actually returned an address
        if { [string length $ip1] } then {
            append ip1 ":5900"
            ACCESS::session data set session.dyn_acl_1 "{ allow tcp any $ip1 }"
        }
    }
}
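A variant of the iRule used in Andrey's procedure and the adaptation above, added here as an example that is not from the thread: it scopes the handler to one agent ID, validates that the resolver returned a plain IPv4 address before it is written into the ACL text (the AD attribute is free text, so the lookup result should not be trusted blindly), writes one session variable per ARD port so a separate Dynamic ACL Assign agent can consume each, and otherwise assigns nothing so the deny-all ACL from step 2 applies. The agent ID `ard_acl`, the DNS address, the port list and the `session.dyn_acl_N` names are assumptions to adjust to your policy.

```tcl
when RULE_INIT {
    # Assumption: DNS server used for resolution (constructed value, substitute your own)
    set static::dns 10.0.0.53
    # Assumption: the TCP ports the ARD session needs; one ACL entry is built per port
    set static::ard_ports [list 5900 3283]
}

when ACCESS_POLICY_AGENT_EVENT {
    # Only react to the iRule Event agent whose ID is set to "ard_acl" in the VPE
    if { [ACCESS::policy agent_id] ne "ard_acl" } { return }

    # Hostname placed in the session by Variable Assign (step 3 of the procedure)
    set hostname [ACCESS::session data get session.assigned.hostname]
    if { [string length $hostname] == 0 } {
        log local0. "ARD ACL: no hostname assigned, session [ACCESS::session sid] keeps deny-all"
        return
    }

    # Resolve A records only and keep the first answer
    set ip [lindex [RESOLV::lookup @$static::dns -a $hostname] 0]

    # Refuse anything that is not a dotted-quad IPv4 address; an empty or odd
    # answer must not end up inside the ACL text, so leave the variables unset
    if { ![regexp {^\d{1,3}(\.\d{1,3}){3}$} $ip] } {
        log local0. "ARD ACL: lookup for $hostname returned '$ip', no ACL assigned"
        return
    }

    # One session variable per port: session.dyn_acl_1, session.dyn_acl_2, ...
    # Each is referenced by its own Dynamic ACL Assign agent (Source = Custom)
    set n 0
    foreach port $static::ard_ports {
        incr n
        ACCESS::session data set session.dyn_acl_$n "{ allow tcp any ${ip}:${port} }"
    }
    log local0. "ARD ACL: $n entries assigned for $hostname ($ip)"
}
```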

I also had a case open with F5 and they submitted/added us to these feature requests.

  1. Bug 604118 - "[RFE] Support remote desktop access to MacOSX from APM webtop"
  2. Bug 604134 - "[RFE] APM ACLs to support session vars and FQDNs/hostnames"