Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology

nested virtuals with APM

Hi guys,

hoping someone can help me here.

i have a scenario that consists of the following:

there is an LTM balanced web site, call it www.example.com this website doesn't have authentication enforced by APM (call the virtual server www)
we wish to deploy several applications/sites to

these will need to have authentication enforced by APM. each site/application might have a different authentication process so different APM access polices will be needed.

the solution i came up with was to deploy a virtual server per application(call the virtuals uri1 and ur2) and deploy an Irule on the virtual server www to forward to either virtual uri1 or uri2 based on the uri.

 irule looks something like:

 if {[HTTP::uri] contains "/uri1/" } {
                virtual uri1
if {[HTTP::uri] contains "/uri2/" } {
               virtual uri2

now without APM this works fine, I can go to www.example.com/uri1/ and i will get forwarded to virtual uri1 (then back to its pool) and all is good. When i apply APM access policy to the virtual uri1. it stops working when i go to www.example.com/uri1/ if i go to http://*virutal server uri1 ip address*/uri1 then APM works fine.

When it doesn't work the web browser displays  in the url bar www.example.com/my.policy and the content of the page is a 404 error from one of the web servers. So it looks like the APM logon page doesn't  like traversing the multiple vips.

does anyone know how to fix this or a better way to do it?

Rate this Question

Answers to this Question

I recently did something similar to this.

The way i did this was branching in the APM policy itself instead.

landingURI1 -success- authentication - resource assignment - Allow 
-|_fallback_ landingURI2-success-authentication-resource assignment - Allow 
 ----------------------------|_fallback - DENY

of course you should be  able to set the fallback to allow instead granting access to the main site without authentication and requiring auth in the matched uri's..