Help with group mapping ??

Hi,

I'm struggling to get my mind around group configuration - could anybody give me some guidance please?

We use Virtual host based customisation to present custom webtops to people that access on different virtual host addresses (different IP addresses) but we need to do something more complex now to present different custom webtops based on combinations of criteria such as the virtual host address used, then a check of the client operating system and then a check of membership of an AD security group.

Since the configuration of the webtop to be used is defined against the group in Portal Access:Web Applications:Intranet Webtops then it looks like what I need to be able to do is to assign a user connection into a particular group based on the IP address they accessed, the client OS and the AD membership. The problem is from what I understand the group mapping decision is made only based on one method (you can't AND or OR methods together). I can't see that there's a way to build a decision on group membership based on more than one criterion.

I've attached a schematic of what I'm trying to do if it helps.

Am I trying to achieve something impossible - could anyone give me a steer on how to achieve this?

Many thanks,
Kevin

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
Right, some questions though. Can the user be in a MAC employee group and in the Windows data only group? I am guessing that means Microsoft Windows OS?

You will actually have to switch your drawing. FirePass goes by order to determine the master group. So, if a user comes in with a MAC OS they will hit order number one. Regardless of the other AD groups they will go to MAC Master group.

For the voice AD group side you will need to do if they are any other OS & have the AD group then you are in the windows voice master group. This must be order number two.

For anyone else they will go into the default master group (voice data only).


For the MAC OS do -> Session Variable (%session.os.platform%) == MAC master group
For the VOICE AD GROUP do -> Active Dir. -> Windows VOICE master group

For the Windows AD GROUP do -> Active Dir. -> Windows data master group
Similar to this.
Mike,

Thanks for your reply. I'll have a ponder on what I can do with the outline you've given me there.

The reason for the separation of users connecting from a Mac is that their webtop shortcut to a Windows TS has to be very different to that the Windows users would use. We also have a web application which is unfortunately Internet Explorer only....

Unfortunately the FirePass is not quite as flexible as would be ideal but I'll see how it works out.

Many thanks,
Kevin
Posted By ksadler on 01/01/2010 10:42 AM

Mike,

Thanks for your reply. I'll have a ponder on what I can do with the outline you've given me there.

The reason for the separation of users connecting from a Mac is that their webtop shortcut to a Windows TS has to be very different to that the Windows users would use. We also have a web application which is unfortunately Internet Explorer only....

Unfortunately the FirePass is not quite as flexible as would be ideal but I'll see how it works out.

Many thanks,
Kevin


Yep, we do the exact same thing. We just make sure anyone with a MAC OS receives the Java application tunnel which initiates a connection to the TS.
You could assign the group based on the new feature, Advanced Session Variables. ASVs can be assigned different values based on different combinations of conditions (e.g. if variable1 == "value1" AND variable2 =! value3 then ASV = group1). The ASV value could even be set to the URL of a webtop, or the literal name of a resource group which you could then map "verbatim".

We use this to map some of our partners to different resource groups based on what IP address they come from, and some can come from several different IP addresses, but we assign them using a combination of OR statements:

CONDITION
session.network.client.ip == "001.002.003.004" OR session.network.client.ip == "005.006.007.008"

VALUE
"literal_resource_group_name"


Not meaning to sound harsh, but I cannot agree that the FirePass is not flexible. I evaluated all the market leading products before going for FirePass, and it was head and shoulders above the rest in this department, and it has only gotten better since then (v6.0.1). ASVs are a particularly powerful feature.
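Added example, not from any poster or from F5: a Python model of the two approaches discussed in this thread, ordered first-match master group mapping and a combined AND/OR condition in the style of the ASV post, with a helper that lists rules shadowed by an earlier match. The Session class, the AD group names VOICE and DATA, the 192.0.2.x addresses and mac_voice_group are constructed for illustration; this is not FirePass syntax.

```python
from dataclasses import dataclass, field

@dataclass
class Session:                      # constructed stand-in for a gateway session
    client_ip: str
    os_platform: str
    ad_groups: set = field(default_factory=set)

# Ordered single-method mapping: the first rule that matches decides the group.
ORDERED_RULES = [
    ("MAC master group",           lambda s: s.os_platform == "MAC"),
    ("Windows VOICE master group", lambda s: "VOICE" in s.ad_groups),
    ("Windows data master group",  lambda s: "DATA" in s.ad_groups),
]
DEFAULT_GROUP = "default master group"

def first_match(session):
    """Return the group of the first matching rule, else the default group."""
    for group, matches in ORDERED_RULES:
        if matches(session):
            return group
    return DEFAULT_GROUP

def shadowed(session):
    """Rules that also match but lose to an earlier one; review these when auditing order."""
    hits = [group for group, matches in ORDERED_RULES if matches(session)]
    return hits[1:]

# Combined conditions in the style of the ASV post: AND/OR inside one decision.
PARTNER_IPS = {"192.0.2.10", "192.0.2.20"}   # constructed documentation addresses

def combined_value(session):
    """Return a group name chosen from several criteria at once."""
    if session.client_ip in PARTNER_IPS:               # ip == A OR ip == B
        return "literal_resource_group_name"
    if session.os_platform == "MAC" and "VOICE" in session.ad_groups:  # OS AND AD group
        return "mac_voice_group"                       # hypothetical group name
    return DEFAULT_GROUP

if __name__ == "__main__":
    mac_voice = Session("198.51.100.7", "MAC", {"VOICE"})
    # First-match ignores the AD group once the OS rule hits; the combined rule does not.
    print(first_match(mac_voice), shadowed(mac_voice), combined_value(mac_voice))
```
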
James,

Thanks for the suggestion, that seems to offer a huge amount more scope and looks like it will be capable of exactly what's needed.

Maybe not so inflexible after all but still quite hard work to produce what you need. I agree with your comments about other gateways, we looked at the Juniper and Aventail before going for the FirePass.

Many thanks,
Kevin