Forum Discussion

eric_156978
Oct 30, 2015
Solved

Access Policy Not evaluating when using a VPN tunnel

Hi,

 

I'm having an issue with a VPN tunnel. The VPN itself is working fine, however, the problem I'm running into is when a VPN user tries to access a virtual server hosted on the same F5 they are tunneled into, the Access Policy doesn't seem to start.

 

I can get to the virtual server resource no problem, but I don't have an APM cookie, nothing evaluates, and I don't see the access policy really start in the APM log at all. The Access Policy on the virtual server works fine if I connect to it from anything other than across the VPN.

 

Is there some setting that would be blocking an access policy from being run inside a VPN tunnel? Another note, the VPN itself has an APM, not sure if that would be getting in the way, but I've tried using another browser or incognito mode to no avail.

 

Appreciate the help!

 


7 Replies

  • Lucas_Thompson_
    Historic F5 Account

    The inside VPN tunnel traffic is automatically considered to be part of the user's already authenticated session. You can't run an APM VPN, then get another separate session to the same APM through the same tunnel.

     

    You'll have to think of another way to accomplish your use case. If you can describe it more fully, maybe we can come up with some suggestions.

     

    • eric_156978
      Thanks for the info. That makes sense, but is frustrating. The resources I'm trying to get users to are websites that have a lot of different things going on that the access policy controls (login banner, Kerberos mapping, running iRules, selecting pools, etc.). They are internally facing only, hence the need for the VPN. The VPN tunnel really needs to have the access policy on it too (LDAP user auth, certificate validation, etc.). The hurdle I see now is: if my VPN is https://vpn.example.com and my web resource is https://site1.example.com, can https://site1.example.com reuse the access policy from https://vpn.example.com, or is there a way for it to start a new one?
    • eric_156978
      I got it working cleanly. The key point was that any part of the VPN access policy evaluated is available on any other browser session. Once I got that worked out, I created iRules that set things up correctly based on the request type. Thanks for the tip!
  • Lucas_Thompson_
    Historic F5 Account

    The session scope basically depends on the cookie. It's fine for users to have multiple sessions. APM is very flexible here. You can define a wider cookie domain, like "example.com", then the same session will be used because the browser will transmit the cookie to any *.example.com domain. If you don't define any cookie scope, the browser infers it from the FQDN and will only transmit it to that domain.

     

    APM also supports "multidomain" mode, where it will 302 the user to any number of different domains to set the cookie. This way you can have one session for vpn.example.com and apps.example.com, but then a separate session for apps1.example.com.

     

    The only real limitation is as you discovered: VPN traffic is always considered to be part of the access policy which started it.

     

    Maybe you can have a Full Webtop for the remote people and provide a menu of links, for apps, vpn, etc. You could also make a decision based on the source IP address of the traffic, and choose to do more authentication on external users, like maybe only doing certificate validation for those guys.
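The cookie-scope behaviour described in the reply above (a host-only cookie versus a wider Domain attribute, and the multidomain case where several hosts are handed the same session while another host is not) follows the RFC 6265 domain-matching rule. The block below is an added example written for this page, not code from the thread or from F5: the hostnames are constructed, and the cookie name MRHSession is assumed to be the APM session cookie name.

```python
"""Model of which hosts a browser will send an APM session cookie to.

Added example (not F5 code). Hostnames below are constructed; the cookie
name MRHSession is assumed to be the APM session cookie name.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SessionCookie:
    """A session cookie as the browser stores it after a Set-Cookie."""
    name: str
    origin_host: str               # host that issued the Set-Cookie
    session_id: str                # the APM session this cookie refers to
    domain: Optional[str] = None   # Domain attribute; None means host-only


def normalize_host(host: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are exact."""
    return host.strip().lower().rstrip(".")


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the request host must equal the cookie domain
    or end with '.' followed by it. Checking for the dot on the label
    boundary is what stops 'notexample.com' from matching Domain=example.com."""
    host = normalize_host(request_host)
    dom = normalize_host(cookie_domain).lstrip(".")
    return host == dom or host.endswith("." + dom)


def browser_sends(cookie: SessionCookie, request_host: str) -> bool:
    """Host-only cookies go back to the issuing host only; a Domain cookie
    goes to every host that domain-matches it."""
    if cookie.domain is None:
        return normalize_host(request_host) == normalize_host(cookie.origin_host)
    return domain_matches(request_host, cookie.domain)


def hosts_sharing_session(cookie: SessionCookie, hosts: List[str]) -> List[str]:
    """Which of `hosts` will present this cookie, i.e. reuse its session."""
    return [h for h in hosts if browser_sends(cookie, h)]


def session_for_host(cookies: List[SessionCookie], host: str) -> Optional[str]:
    """First session the browser presents to `host`, or None when the host
    gets no cookie and APM would have to start a new session."""
    for cookie in cookies:
        if browser_sends(cookie, host):
            return cookie.session_id
    return None


# Constructed virtual-server hostnames for the scenarios in the thread.
HOSTS = ["vpn.example.com", "site1.example.com", "apps.example.com",
         "apps1.example.com", "notexample.com"]

# 1. Default: no cookie scope configured -> host-only cookie from the VPN host.
HOST_ONLY = SessionCookie("MRHSession", "vpn.example.com", "sess-A")

# 2. Cookie domain set to "example.com" -> every *.example.com VS sees it.
WIDE = SessionCookie("MRHSession", "vpn.example.com", "sess-A",
                     domain="example.com")

# 3. Multidomain mode: the 302 redirects set a host-only cookie for the same
#    session on each listed host; apps1.example.com is deliberately left out.
MULTIDOMAIN = [
    SessionCookie("MRHSession", "vpn.example.com", "sess-B"),
    SessionCookie("MRHSession", "apps.example.com", "sess-B"),
]

if __name__ == "__main__":
    print("host-only  :", hosts_sharing_session(HOST_ONLY, HOSTS))
    print("Domain set :", hosts_sharing_session(WIDE, HOSTS))
    for h in HOSTS:
        print(f"multidomain: {h:20s} -> {session_for_host(MULTIDOMAIN, h)}")
```

Run stand-alone, the host-only cookie reaches only vpn.example.com, the Domain=example.com cookie reaches every example.com host but not notexample.com, and in the multidomain list apps1.example.com gets no session. That is the cookie side of the question in the thread; the separate point made above still holds: traffic arriving through the VPN tunnel is attributed to the VPN session regardless of what cookies the browser holds.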

     

    • amolari
      Hi Lucas, I'm running into the same case, and we have the requirement to provide access (authorization) to the internal VSs (with AP), depending on the user's group. I was thinking (as a workaround) of creating ACLs to backend resources depending on the user's group membership. Is there any other "workaround" we could think of? Forcing policy re-evaluation is AFAIK not possible. A webtop, as you suggested, also seems not to be a viable way, as some of those internal apps are using AJAX... Thanks, Alex