Forum Discussion

Jun 28, 2013

Enable APM on Specific URI only and Force OTP

Hi All,

I am trying to selectively enable APM policy processing on a SharePoint subsite. Basically what I want to do is authentication and OTP enforcement on a subsite of SharePoint. I created the following iRule, which seems to work for the initial spawning of the F5 logon page. After logon I get a "page cannot be displayed". After removing the iRule I am able to log on and get the OTP working but....

I only want the OTP and authentication offload for a specific subsite. Removing the iRule makes all traffic go via APM. I created a Landing URI selection in the policy in which I only route traffic for the specific URI through a macro that does the authentication and OTP part. All other traffic not destined for the specific URI is allowed to go through directly via an Allow ending.

The problem is that users can go to the top-level site first and do a direct logon to SharePoint there. APM treats this traffic as allowed because of my Allow ending and sets the APM cookies. When users go to the specific subsite in the same browser session they will not be asked to enter their credentials and OTP because APM detects the cookie that was set when the user browsed the top-level site. I can't block or ask OTP access to the top-level site and all other subsites because of the nature of the sites running on that farm. I tried the following iRule:

when HTTP_REQUEST {
    # Check the requested HTTP path
    switch -glob [string tolower [HTTP::path]] {
        "/myuri*" {
            # Enable APM for this path
            ACCESS::enable
        }
        default {
            # Disable APM for all others
            ACCESS::disable
        }
    }
}

 

 

Hopefully you all have a better and functioning way to get this right...

Kind regards,

Martijn
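Added example for the situation described in the question above: it is not the original poster's iRule and was not taken from this thread. It keeps a single virtual server with the ACCESS profile attached and, instead of toggling APM on and off per path, forces a session that was established through the Allow ending (top-level site) back through logon and OTP the first time it touches the protected subsite. It assumes a hypothetical session variable, session.custom.otp_verified, that the OTP macro sets to "1" with a Variable Assign agent and that the Allow ending never sets; the /myuri prefix is the one from the question, and the site is assumed to be served over HTTPS.

```tcl
# Added example, not the original poster's iRule.
#
# Assumptions (hypothetical, not stated in the thread):
#   - The OTP macro in the access policy ends with a Variable Assign agent
#     that sets session.custom.otp_verified to "1".
#   - The Allow ending used for all other paths never sets that variable.
#   - The protected subsite lives under /myuri and is served over HTTPS.

when ACCESS_ACL_ALLOWED {
    # Fires for every request that APM has allowed on an established
    # session, so a session created on the top-level site is evaluated
    # here when the same browser moves on to the subsite.
    set path [string tolower [HTTP::path]]

    if { [string match "/myuri*" $path] } {
        set otp_done [ACCESS::session data get "session.custom.otp_verified"]

        if { $otp_done ne "1" } {
            # The session reached this point via the Allow ending, so the
            # OTP macro never ran for it. Tear the session down and send
            # the client back to the same URI: with no valid session the
            # policy starts over, and the Landing URI branch routes /myuri
            # into the authentication + OTP macro.
            log local0. "forcing OTP for [IP::client_addr] on [HTTP::uri]: existing APM session has no otp_verified flag"
            set target "https://[HTTP::host][HTTP::uri]"
            ACCESS::session remove
            ACCESS::respond 302 noserver "Location" $target
        }
    }
}
```

Two things to keep in mind with this approach. First, the variable check is the only thing that breaks the loop: if the OTP macro does not set session.custom.otp_verified, every request to /myuri will be redirected forever, so set the variable in the macro before attaching the iRule. Second, ACCESS::session remove discards the existing session entirely, so a user who logged on to the top-level site first will get a fresh session after completing OTP; that new session then covers both the subsite and the rest of the farm, because the policy only forces OTP on the path where the session was created without it.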

 

6 Replies

  • Martijn,

    There is a much better and cleaner way to do this, as playing with ACCESS::enable and ACCESS::disable on the same flow is not ideal.

    I suggest the following. Leave your setup as is in terms of LTM flow. Remove the ACCESS profile from it. Create a new internal-only (like 192.168.10.10) virtual server that would look identical to your existing one and put the ACCESS profile on it. Also add a OneConnect profile with a 255.255.255.255 mask to your main existing virtual, where you will remove the ACCESS profile from.

    Then modify your iRule, and instead of the ACCESS::enable command have this one: virtual virtual_name. Substitute the name of your internal virtual server where italicized, of course.

    This way, any traffic that needs to be protected will be sent to the path that is always protected.

    Give it a shot and let us know how it works out. Good luck


    • Martijn_65080
      Hi Michael, I tried, but the use of virtual virtualname is not allowed under when HTTP_REQUEST. I finally solved it a little bit differently and dirty. See details here: https://devcentral.f5.com/s/feed/0D51T00006i7LyoSAE
  • Hi Michael, Thanks, on holiday now but I will give it a go when I get back in the office.

    Thanks!

    Martijn