Kevin_Davies_40
Oct 24, 2015
Solved

APM logout issue [resolved]

I have an APM deployment that is working flawlessly except for the logout page. It is an SSL-VPN access policy. Whenever we log out, the logout page that appears next fails to load at all. Then after about 15 seconds, when the page reloads, it displays correctly.

 

2 Replies

  • It turns out it was a DNS issue. If the DNS name was vpn.mydns.com and the internal IP address was, say, 192.168.30.40, it is not routable across the Internet. The client would click the logout button; at that moment in time the VPN is still active, so they get the 192.168 address and the page would fail to load. Then the VPN would disconnect and when the page refreshed 15 seconds later, the DNS would resolve to the external IP address and the logout page would display for them. The solution was to ensure the internal DNS had the same external address for vpn.mydns.com and not a private IP address.

     

  • Lucas_Thompson_
    Historic F5 Account

    Glad it's sorted.

     

    APM has two ways to deal with this situation:

     

    1. There is a Windows System Service called "DNS Relay Proxy" that we (optionally) install as part of Edge Client when you run the fat installer. This guy will intercept the DNS requests to the vpn endpoint hostname and resolve it to the same IP as it originally used before the VPN was established.
    2. If DNS Relay Proxy is not installed, Edge Client will attempt to insert a host entry for the vpn endpoint hostname to the original IP. This only works if the user has privs to do it.

    If neither of those things are applicable, there isn't really much else it can do to help.
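
A check for the condition described in this thread, as an added example that is not part of the original posts and not F5 code: it compares what the VPN hostname resolved to before the tunnel came up with what the client sees while it is up, and honors a hosts-file pin if one exists. The function names and the external address 203.0.113.10 are assumptions; vpn.mydns.com and 192.168.30.40 are the values from the thread.

```python
import ipaddress
import socket

# RFC 1918 ranges: not routable across the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def resolve(hostname):
    """Addresses the local resolver currently returns (run before and during the VPN)."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}

def hosts_pin(hosts_text, hostname):
    """Address a hosts file pins hostname to, or None. Comments are ignored."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        names = [n.lower() for n in fields[1:]]
        if len(fields) >= 2 and hostname.lower() in names:
            return fields[0]
    return None

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def diagnose(hostname, pre_vpn_ip, tunnel_up_ips, hosts_text=""):
    """Classify what the client sees for the VPN hostname while the tunnel is up."""
    pin = hosts_pin(hosts_text, hostname)
    if pin is not None:
        # A hosts entry takes precedence over DNS, so it decides the outcome.
        if pin == pre_vpn_ip:
            return "ok: hosts entry pins original IP"
        return f"mismatch: hosts entry points at {pin}"
    if pre_vpn_ip in tunnel_up_ips:
        return "ok: same address inside and outside the tunnel"
    private = sorted(ip for ip in tunnel_up_ips if is_rfc1918(ip))
    if private:
        return "split-horizon: internal DNS returns private " + ", ".join(private)
    return "mismatch: different public address inside the tunnel"

if __name__ == "__main__":
    # Constructed sample values; in practice feed resolve() output captured
    # before connecting and again while connected.
    print(diagnose("vpn.mydns.com", "203.0.113.10", {"192.168.30.40"}))
    print(diagnose("vpn.mydns.com", "203.0.113.10", {"203.0.113.10"}))
```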