Forum Discussion

Vlad2016_287645
Aug 26, 2016

Reverse Proxy with LDAP Groups per URI

Hi,

I am quite new with F5 and need some tips on how to implement a solution replacing an existing Web Access Management platform with F5 APM. There are hundreds of Web Applications that should be accessed through a single host like: https://host.domain.com/appName1. Each application has a corresponding LDAP group or several groups. Only users from specific groups can access a corresponding application. I was thinking about a portal resource access, but it requires adding each resource to a webtop section and there is only one level of sections, which is not enough. I was thinking of using a Web App behind F5 that displays all links in a multi-layer tree, and when a leaf is clicked it goes through the F5 proxy. Webtop also creates long URIs which are not easily readable: /f-w-encode(application URL). This is going to be quite nightmarish to migrate hundreds of apps like this. Other options, probably rewrites and iRules, not sure how those can fit in my requirements.

Thanks,

1 Reply

  • Hi,

    • For reverse proxy with group-based URI access, you can create one ACL per group, and assign them to groups with "AD group resource assign" (Access policy type "All" is necessary to get the "AD group resource assign" box).

    • For pool server assignment based on URI, you can use Local Traffic Policies, which is easier than iRules.

    • Before thinking about rewriting, you can check if the app servers really need it.

      • Some app servers do not need rewriting, as all links in the response page are relative.
      • Some app servers support configuring the reverse proxy hostname, port and protocol, so all links in the response page contain the right client-side URL.
      • If the app server is defined to allow requests for an internal hostname, you can add the external URI in the server name configuration.
    • If rewriting is necessary, try a rewrite profile first instead of iRules.