Forum Discussion

taro_107756
Nimbostratus
Nov 02, 2007

OneConnect: Security Consideration

The following description is in SOL6997.

"The BIG-IP LTM applies the source mask to the request, finds an eligible TCP connection, and aggregates the request from client B over the existing TCP connection created for client A."

Does that mean the server-side connection is used simultaneously by client A and client B?

I want to separate the users' traffic for security reasons. Should I not use OneConnect?

The source mask cannot be used as a solution, because there is a reverse proxy on the client side and the source IP has been translated by PAT.

2 Replies

    Deb_Allen_18
    Historic F5 Account
    "Does that mean the server-side connection is used simultaneously by client A and client B?"

    Yes, that is correct.

    "I want to separate the users' traffic for security reasons. Should I not use OneConnect?"

    "The source mask cannot be used as a solution, because there is a reverse proxy on the client side and the source IP has been translated by PAT."

    If that's the case, I'd say you should disable OneConnect.

    /deb
    zafer
    Nimbostratus
    Hi Deb,

    If I configure a OneConnect profile with a /24 network mask, what source IP address will I see in sniffed packets on the server side (between the BIG-IP and the servers)?

    Why I ask this question:

    The server has an access list: some clients can access the application, the others cannot.

    If I configure the OneConnect profile with a /24 mask, sometimes I see Forbidden.

    When I look at the tcpdump on the client side, the source address is present in the server's access list, but when I look at the server-side tcpdump I see a different source address.

    What I understand is that F5 uses the first-opened connection on the server side (when OneConnect is enabled), and so the IP address can be different from the client address on the client side?

    Regards,

    zafer
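The following Python model is an added illustration of the behaviour discussed in this thread; it is not F5 code and not part of any of the posts above. It applies the OneConnect source mask the way the SOL6997 sentence quoted by the original poster describes: the client source address is masked, an idle server-side connection for that masked address is looked up, and the request is aggregated onto it if one exists. With that model it reproduces what zafer reports (with a /24 mask, a request from a client on the server's access list can ride a connection that was opened by another host in the same /24, so the server-side tcpdump and the ACL see that other host's address and return Forbidden), the reverse case that worries the original poster (a client outside the ACL riding a connection opened by an allowed client), and the effect of a 255.255.255.255 mask, which keeps each client address on its own connections. Assumptions, all simplifications: a single pool member, HTTP keep-alive on the server side, no idle timeout, and no SNAT, so the server sees the address of whichever client opened the TCP connection. The client addresses, request order and access list are constructed for the demonstration.

```python
"""Toy model of BIG-IP OneConnect connection reuse under a source mask.

Added example for this thread, not F5 code. Models the SOL6997 description:
apply the source mask to the client address, look for an idle server-side
TCP connection for that masked address (and pool member), and aggregate the
new request over it. Simplifications (assumptions): one pool member, HTTP
keep-alive, no idle timeout, no SNAT (the server sees the address of the
client that opened the connection). Addresses and ACL are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class ServerConn:
    conn_id: int
    src_seen_by_server: str  # fixed when the TCP connection opens; reuse does not change it


class OneConnectModel:
    def __init__(self, source_mask: str):
        # 0.0.0.0 (the profile default) puts every client in one bucket;
        # 255.255.255.255 gives each client address its own bucket.
        self.mask = int(ipaddress.IPv4Address(source_mask))
        self._next_id = 1
        self.idle: dict[str, list[ServerConn]] = {}  # masked source -> idle connections

    def masked(self, client_ip: str) -> str:
        """Apply the source mask to a client address."""
        return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(client_ip)) & self.mask))

    def request(self, client_ip: str) -> tuple[ServerConn, bool]:
        """Send one HTTP request; returns (connection used, True if it was reused)."""
        bucket = self.idle.setdefault(self.masked(client_ip), [])
        if bucket:
            conn, reused = bucket.pop(), True          # aggregate onto an existing connection
        else:
            conn, reused = ServerConn(self._next_id, client_ip), False  # open a new one
            self._next_id += 1
        # request/response complete; keep-alive returns the connection to the idle pool
        bucket.append(conn)
        return conn, reused


def server_acl_allows(conn: ServerConn, allow_list: set[str]) -> bool:
    """The server's access list can only judge the source address of the TCP connection."""
    return conn.src_seen_by_server in allow_list


def run_scenario(source_mask: str, requests: list[str], allow_list: set[str]) -> list[tuple[str, str, bool]]:
    """Replay a request sequence; returns (client, address the server saw, allowed) per request."""
    lb = OneConnectModel(source_mask)
    return [
        (client, conn.src_seen_by_server, server_acl_allows(conn, allow_list))
        for client in requests
        for conn, _ in (lb.request(client),)
    ]


ALLOW = {"10.1.1.5"}  # constructed: only this client is on the server's access list
# constructed request orders, both within the same /24
DENIED_CLIENT_FIRST = ["10.1.1.77", "10.1.1.5", "10.1.1.5"]   # zafer's case: allowed client sees Forbidden
ALLOWED_CLIENT_FIRST = ["10.1.1.5", "10.1.1.77", "10.1.1.77"]  # OP's worry: denied client gets through

if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.255.255"):
        for name, traffic in (("denied client first", DENIED_CLIENT_FIRST),
                              ("allowed client first", ALLOWED_CLIENT_FIRST)):
            print(f"source mask {mask}, {name}:")
            for client, seen, ok in run_scenario(mask, traffic, ALLOW):
                print(f"  client {client:<11} server sees {seen:<11} -> {'allowed' if ok else 'FORBIDDEN'}")
```

Two caveats worth keeping in mind when reading the output. If a SNAT is in use, every server-side connection carries the SNAT address instead of the opener's address, so a server-side ACL keyed on client IP cannot work with or without OneConnect. And in the original poster's situation, where a reverse proxy PATs all users to one source address, even a 255.255.255.255 mask puts every user behind that proxy into the same bucket, which is why the answer there is to disable OneConnect rather than to tighten the mask.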