Forum Discussion

Kevin_Davies_40
Jun 06, 2014

Post Edge Client connected actions

Given a successful Edge client login...

Can the Edge client be configured to actually display a webtop in the post-connected state?

I can autostart a local application with https://webtop.name.com/specialurl. This will display a webtop for me, but it is not secure, as anyone can call it, and it does not carry any SSO credentials through to the webtop's VDI elements, which need them.

Suggestions?

11 Replies

  • We have an Edge client configured to automatically connect to the VPN when detecting the right conditions. In certain scenarios where the client does not comply with requirements we would like a webtop to appear instead of having a full VPN connection.

  • kunjan

    If you can autostart URL, can't it branch out in the VPE based on either client type or the failed compliance?

  • "If you can autostart URL"

    How is this done? I can only autostart a URL after VPN is connected.

    "Can't it branch out in the VPE based on either client type or the failed compliance?"

    Yes, I am sure it can, but does Edge client auto-connect support webtops or only VPN access...

  • kunjan

    AFAIK, the EdgeClient supports network webtop and not full webtop. So it doesn't look like it is possible.

  • If you are not stuck with using the Edge Client, you can use the browser components and either present them with a "Full" or "Portal" webtop without the network access resources, or you can give them a "Network Access Webtop" that will auto-launch the SSLVPN tunnel. This is all based on using the browser instead of the Standalone Edge Client.

    Seth

  • You pretty much confirmed what I thought. It has given me an idea though... if I can use an iRule to redirect them to a webtop, conceivably I can save their credentials in a table referenced with a hash of them, and pick them up with an iRule in the new webtop using a preauth=hashkey on the redirected URI. It really depends on whether I can set the network access application strings dynamically from an iRule. Note: you can specify "http://string" as the application, I have tested it. It loads using the default browser on the client side after the VPN connection has completed.

    iRule SaveHashCookie
    Key      Value
    Hash    Username Password
    
    Redirect URI
    http://webtop.site.com/?preauth=hash
    
    iRule EatHashCookie
    Get preauth hash key
    Lookup table using key
    Load credentials
    
    Proceed...
    
    • Seth_Cooper

      Kevin, I'm interested in seeing what solution you come up with. Please post when you have it all figured out. Seth
  • This is how far I have progressed. It is a work in progress, any hints or tips appreciated...

    The Virtual is called vs_faketop and has the iRule below applied. The order of execution is:

    1st Pass

    • BIGIP Edge Client VPN connection follows second branch
    • iRule saves credentials into table.
    • Network access launches browser session back to the APM with /preauth?key=232343

    2nd Pass

    • Browser connection with /preauth?key=23431134
    • Follows first branch
    • iRule retrieves login information for session
    • Opens webtop with supplied credentials.

    This is the logging output from ltm/apm.

    Think of it as VPN launching a Webtop as its final action. The SSO is done using tables. I tried to comprehend the APM documentation on layered virtuals providing single sign-on but didn't get anywhere. If there is another way to do this I am all ears.

    when HTTP_REQUEST {
      log local0. "...in HTTP_REQUEST"
      # HTTP::uri includes the query string, so compare the path only
      if {[HTTP::path] eq "/preauth"} {
        # retrieve credentials from table storage
        set key [URI::query [HTTP::uri] key]
        set username [table lookup $key:user]
        set password [table lookup $key:pass]
        log local0. "Retrieved credentials"
      }
    }
    when ACCESS_SESSION_STARTED {
      log local0. "...in ACCESS_SESSION_STARTED"
      # inject credentials into session
      if {[info exists username]} {
        ACCESS::session data set session.logon.last.username $username
        ACCESS::session data set session.logon.last.password $password
        log local0. "Assigned credentials"
      }
    }
    when ACCESS_POLICY_AGENT_EVENT {
      log local0. "...in ACCESS_POLICY_AGENT_EVENT"

      # get current credentials
      set user [ACCESS::session data get session.logon.last.username]
      set pass [ACCESS::session data get session.logon.last.password]

      # store them in a table
      set key [crc32 "$user:$pass"]
      table set $key:user $user
      table set $key:pass $pass
      log local0. "Saved credentials user=$user pass=$pass key=$key"

      # define custom parameter used in Launch Applications under Network Access
      ACCESS::session data set session.myapp "https://192.168.86.11/preauth?key=$key"
      unset user pass key
    }

    The problem at the moment is the app won't launch after the VPN connects. Also "pass" appears to come up empty.
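    The same two-pass hand-off (the idea sketched in the earlier reply and the iRule above), written as an added example for comparison. This is not the poster's iRule or anything shipped by F5; it keeps the table-based design but changes the points a reviewer would flag: the table key is a random single-use token rather than crc32 of "user:pass" (a crc32 of the credentials is short, predictable and leaks information about them), entries expire after 60 seconds and are deleted on first use so a captured URL cannot be replayed, the password is read and written with the -secure flag (it is held encrypted in the session, which is the usual reason session.logon.last.password reads back empty without it), and the password is never written to the log. Assumed names: the VPE iRule Event agent ID "savecreds", the subtable name "preauth", the 60-second timeout, and the -secure flag being available on the poster's version; session.myapp and the host 192.168.86.11 are taken from the thread.

```tcl
# Added example, not the original poster's iRule. Assumed names: agent ID
# "savecreds", subtable "preauth", 60 s timeout, -secure flag available.

when ACCESS_POLICY_AGENT_EVENT {
    # Only act for the iRule Event agent placed on the VPN branch of the VPE
    if { [ACCESS::policy agent_id] ne "savecreds" } { return }

    set user [ACCESS::session data get session.logon.last.username]
    # -secure: the password is stored encrypted in the session
    set pass [ACCESS::session data get -secure session.logon.last.password]

    # Random token: AES::key returns fresh random key material; hash it to a
    # fixed-width hex string so nothing about the credentials appears in the key
    binary scan [sha256 [AES::key 256]] H* token

    # Keep the entries for at most 60 s (timeout and lifetime); the second
    # pass deletes them on first use
    table set -subtable preauth "$token:user" $user 60 60
    table set -subtable preauth "$token:pass" $pass 60 60
    log local0. "preauth: stored hand-off for user=$user token=$token"

    # The Launch Applications entry under Network Access references
    # %{session.myapp}
    ACCESS::session data set session.myapp "https://192.168.86.11/preauth?key=$token"
    unset user pass token
}

when HTTP_REQUEST {
    # HTTP::path excludes the query string, so this matches /preauth?key=...
    if { [HTTP::path] eq "/preauth" } {
        set key [URI::query [HTTP::uri] key]
        set username [table lookup -subtable preauth "$key:user"]
        set password [table lookup -subtable preauth "$key:pass"]
        # Single use: remove the entries whether or not the lookup succeeded
        table delete -subtable preauth "$key:user"
        table delete -subtable preauth "$key:pass"
        if { $username eq "" } {
            # Unknown, already used, or expired token: refuse instead of
            # letting the request reach the access policy with no credentials
            log local0. "preauth: invalid or expired key from [IP::client_addr]"
            HTTP::respond 403 content "preauth key invalid or expired"
            return
        }
    }
}

when ACCESS_SESSION_STARTED {
    # Variables set in HTTP_REQUEST are visible here on the same connection
    if { [info exists username] && $username ne "" } {
        ACCESS::session data set session.logon.last.username $username
        ACCESS::session data set -secure session.logon.last.password $password
        log local0. "preauth: credentials injected for user=$username"
        unset username password
    }
}
```

    Note the token is only ever written to the log and to session.myapp, never the password, and because the second pass deletes the table entries before checking them, a replayed or guessed key gets a 403 rather than a second session. The 60-second window is a deliberate choice: it only has to cover the gap between the VPN tunnel coming up and the launched browser hitting /preauth.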

  • kunjan

    "2nd Pass

    Browser connection with /preauth?key=23431134

    Follows first branch"

    Once the 1st pass has completed with 'APM allow', it won't execute the first branch. Does that explain the issue?
