Forum Discussion

kevin_flynn_180's avatar
kevin_flynn_180
Icon for Nimbostratus rankNimbostratus
Nov 21, 2016

Webtop links auto published

Hey guys, We're looking to build an automated deployment platform for customers. The problem I am running into is publishing a webtop with only links that the customer has access to. In most scenarios this could be to RDP sessions, vpn's, etc.

 

I haven't found a way to do this via an irule, xml, text doc, smoke signal, etc yet. Alternatives I've also considered include AD (i.e. AD lookup, pull attributes, publish links for the three devices the user has listed). Does anyone have any thoughts on reading in a file, list, or lookup to then create objects on the webtop?

 

I appreciate any thoughts or insights.

 

APM
application delivery
automate
BIG-IP
file
irule
security
webtop

3 Replies

Sort By
  • Lucas_Thompson_'s avatar
    Lucas_Thompson_
    Historic F5 Account
    Nov 22, 2016

    Here's sort of how that goes:

     

    1. The resource and its associated customization are created via Web GUI or some other way
    2. The resource and customization are associated with the access policy
    3. The access policy snapshot with that information is created (this is what happens when you do "apply access policy")
    4. The resource and full webtop are assigned to the user's session by the access policy.
    5. Full webtop shows up and loads the resources and their customization.

    So, depending on your requirements you have a few options. Here are some important points:

     

    1. You can't dynamically create resources at run-time because the objects must first exist in the snapshot.
    2. You can customize the webtop's HTML and JS as much as you like using Advanced Customization.
    3. You cannot dynamically execute server-side code in the full webtop because it's cached as a static file. You'll notice that there is some PHP in there, but that is only executed ONCE. Thereafter, it's cached.
    4. You CAN include client-side javascript in the webtop.
    5. The APM renderer (http server that sends pages to end-users) does do real-time substitution of session variables. For example, %{session.logon.last.username} becomes the user's username. You can use any built-in session variable or any you've created in this way.

    So generally if I had to create a solution like this, I'd do some LDAP/AD queries and do some %{xxxxx} session variable substitution, then read that in with a clientside js function and render it in whatever way is appropriate. This would be complicated front-end web development, but not particularly abnormal.

     

    • kevin_flynn_180's avatar
      kevin_flynn_180
      Icon for Nimbostratus rankNimbostratus
      Nov 22, 2016

      Lucas, Thanks. I was thinking that a solution revolving around 5 would work, just needs some imagination.

       

      Forgetting everything else going on... we are working to deploy servers in a rapid manner (openstack) for customers. Logging into a portal, they would get a webtop where they can click on the servers they own, and connect.

       

      Obviously this can change dynamically and thus some of my questions. Even if we publish a xml file twice a day that gets read in and deployed, I'd be happy. Of course, doing an AD lookup with associated server objects is better.

       

      User logs in, ad lookup, has x,y,z objects associated, creates x,y,z on webtop...

       

    • Lucas_Thompson_'s avatar
      Lucas_Thompson_
      Historic F5 Account
      Nov 22, 2016

      What sort of access are you providing with the webtop? Is it reverse proxy, apptunnel, VPN, or ?

       

      You could always have the process that does the deployment auto-create the resources+customization via TMSH in BIG-IP, and then do "apply access policy" (the tmsh command for that is available too).