Marcos_Gaspar_G
Jul 19, 2017

APM Resource assignment through CLI

Hello all

 

I am deploying a huge APM configuration. In the VPE I am using AD Auth and AD Query. The thing is that there are lots of users, and I need to assign particular resources for each user separately... of course this is quite time-consuming, so I would like to know how to do this, perhaps through the CLI, so I can prepare a script and trigger it in order to avoid so many clicks that will only make this deployment slower and slower. Below you will find a screenshot showing only a small part of the users. Any help will be very useful. Thanks in advance!

 

 

2 Replies

  • Hi,

    You can use the following commands to speed up the process of working with a BIG-IP APM policy:

    To create Portal Access resources:

    create apm resource portal-access pa_example application-uri http://pa_example/index items add { item { host pa_example paths /index } }

    To create Remote Desktop resources:

    create apm resource remote-desktop rdp ip_example color-depth 24-bit ip ip_example port 3389 window-size full-screen

    To create your policy:

    tmsh create cli transaction
    create apm policy agent ending-allow /Common/vpnexample_end_allow_ag { }
    create apm policy agent ending-deny /Common/vpnexample_end_deny_ag { }
    create apm policy agent ending-deny /Common/vpnexample_end_deny2_ag { }
    create apm policy policy-item /Common/vpnexample_end_allow { agents add { /Common/vpnexample_end_allow_ag { type ending-allow } } caption Allow color 1 item-type ending }
    create apm policy policy-item /Common/vpnexample_end_deny { agents add { /Common/vpnexample_end_deny_ag { type ending-deny } } caption Deny color 2 item-type ending }
    create apm policy policy-item /Common/vpnexample_end_deny2 { agents add { /Common/vpnexample_end_deny2_ag { type ending-deny } } caption Deny2 color 4 item-type ending }
    create apm policy policy-item /Common/vpnexample_ent { caption Start color 1 rules { { caption fallback next-item /Common/vpnexample_end_deny } } }
    create apm policy access-policy /Common/vpnexample { default-ending /Common/vpnexample_end_deny items add { vpnexample_end_allow { } vpnexample_end_deny { } vpnexample_end_deny2 { } vpnexample_ent { } } start-item vpnexample_ent }
    create apm profile access /Common/vpnexample { accept-languages add { es } access-policy /Common/vpnexample }
    submit cli transaction
    

    To review, search and filter your APM policy:

    list apm | grep -A 15 -B 15 vpnexample_end_allow

    To modify/change your APM policy resources:

    modify apm policy policy-item vpnexample_act_full_resource_assign_10 caption Remote_Access_10 rules { { caption fallback next-item /Common/vpnexample_end_allow } }

    I hope it helps.

  • Hi,

    I think you are trying to do complicated configuration for something quite simple.

    You can:

    • use Advanced Resource Assign to assign resources based on the username
    • use generic RDP with host value RDP_%{session.logon.last.username} if user E72074 has to connect to the host whose hostname is RDP_E72074 (you can also create a DNS CNAME in the internal AD to do that)
    • use an iRule to assign resources
     This iRule uses a Data Group named user_resources_DG with value format (with curly brackets):
     {{resources Portal Access} {resources Application Tunnel} {resources Network Access} {resources RDP}}
    when ACCESS_POLICY_COMPLETED {
        if {[ACCESS::policy result] equals "allow" && [class match [string tolower [ACCESS::session data get session.logon.last.username]] equals user_resources_DG]} {
            set resources [class match -value [string tolower [ACCESS::session data get session.logon.last.username]] equals user_resources_DG]
            ACCESS::session data set session.assigned.resources.pa [lindex $resources 0]
            ACCESS::session data set session.assigned.resources.at [lindex $resources 1]
            ACCESS::session data set session.assigned.resources.na [lindex $resources 2]
            ACCESS::session data set session.assigned.resources.rd [lindex $resources 3]
        }
    }
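
Added example (not part of either reply, and not F5's own code): one way to script the bulk creation asked about in the question, turning a user list into one `create apm resource remote-desktop rdp` line per user while rejecting any field that could add extra tmsh tokens. The command shape is copied from the first reply; the CSV layout, the `build_commands` helper and the use of the second reply's `RDP_<username>` convention as the resource name are assumptions.

```python
import csv, io, ipaddress, re

# Constructed sample input (user,ip). Not data from the thread.
SAMPLE_CSV = """user,ip
E72074,10.20.30.74
E72075,10.20.30.75
"""

# Allowlist for the username part of the resource name: no whitespace, braces,
# quotes or ';', so a CSV field cannot add extra tmsh tokens or commands.
USER_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

# Command shape copied from the first reply; only name and ip vary.
TEMPLATE = ("create apm resource remote-desktop rdp {name} color-depth 24-bit "
            "ip {ip} port 3389 window-size full-screen")


def build_commands(csv_text):
    """Return tmsh lines for every row, or raise ValueError listing all bad rows."""
    commands, errors, seen = [], [], set()
    for lineno, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        user = (row.get("user") or "").strip()
        ip = (row.get("ip") or "").strip()
        if not USER_RE.fullmatch(user):
            errors.append(f"line {lineno}: invalid user {user!r}")
            continue
        # The iRule reply lowercases the session username before matching,
        # so treat E72074 and e72074 as the same user here as well.
        key = user.lower()
        if key in seen:
            errors.append(f"line {lineno}: duplicate user {user!r}")
            continue
        seen.add(key)
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            errors.append(f"line {lineno}: invalid ip {ip!r}")
            continue
        commands.append(TEMPLATE.format(name=f"RDP_{user}", ip=addr))
    if errors:
        # Fail closed: one bad row rejects the batch instead of half-applying it.
        raise ValueError("; ".join(errors))
    return commands


if __name__ == "__main__":
    print("\n".join(build_commands(SAMPLE_CSV)))
```

The generated lines can be reviewed and then pasted inside the transaction shown in the first reply, so a failure on the BIG-IP side also leaves no partial configuration.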