Forum Discussion

ehergott_345008
Mar 28, 2018

Apply access profile to non-standard virtual server?

Have some older software causing issues. Is there any way to apply an access profile to a virtual server of type Forwarding IP? I have a link to the virtual server on a WebTop which works when set to this type (server IP is same as virtual server).

I also get it to work when I use the standard type, but whenever I apply an HTTP profile (required to apply an access profile) the link no longer works. If there is a way to set up an HTTP profile which would not cause this issue, that would work as well.

I need this to prevent access to the server if the WebTop (access policy) is not used. I have multi-domain SSO used to accomplish this for other similar resources.

Any help would be appreciated.

 

4 Replies

  • Can you please provide your virtual server configuration? Did you apply the HTTP profile to VIP 443 or VIP 80?

     

    • ehergott_345008

      I asked a similar question to this and received a response that if I apply the HTTP profile then I need the SSL cert and a client ssl profile applied. I have requested this from the admins, but have not gotten it yet. So I have it set up as a Forwarding IP server using port 443.

       

      This is fine, but I need to prevent an admin from reaching the virtual server without first going through an access policy I created.

       

      Mentioned I could do this via an iRule using a table, but unsure how to do this properly. I came up with something like this to include in the policy:

       

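      when CLIENT_ACCEPTED {
          # Record this client IP in the enforcewebtop subtable
          table set -subtable enforcewebtop [IP::client_addr] 1
      }

      when CLIENT_CLOSED {
          # Remove the entry when the client connection closes
          table delete -subtable enforcewebtop [IP::client_addr]
      }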

       

      Here is what I was thinking for the iRule to apply to the forwarding vs. Basically if it cannot find the client IP then redirect.

       

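      when CLIENT_ACCEPTED {
          # No table entry for this client IP: it did not come through the WebTop.
          # HTTP::redirect needs an HTTP profile, which a Forwarding IP virtual
          # server does not have, so the connection is rejected instead.
          if { [table lookup -subtable enforcewebtop [IP::client_addr]] eq "" } {
              reject
          }
      }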

       

      I am sure I am missing a lot. It does not have to be a redirect either. Could also just reject. I was also unsure if I would need to set the variable to the client IP to actually look up the table?

       

      Any help would be appreciated.

       
