
f5beginner
Jul 30, 2019

Different Access Policies per Virtual Server

Hi All,

 

I need to set up different access policies per one Virtual server.

I have to set up different access rules per host.

 

Thank you

8 Replies

  • You can configure multiple access profiles (there is a one-to-one mapping between access profiles and access policies) with APM.

  • Hi Rob, thanks for the quick answer.

     

    Okay, but I need to set up multiple access profiles per Virtual server or, if this is not possible, it should be possible to set up an access policy for multiple HTTP hosts. Because I have set up multiple hosts per Virtual Server, and each host should have different access policies.

     

    Thank you

  • As there are no other answers, I'll provide a few suggestions. I'm by no means an expert on APM.

     

    As far as I understand it isn't possible to change the APM policy after the client has connected, as the APM cookie is set as the first thing. I might be wrong, but I see no option to change the access profile on clouddocs.

     

    1st, easiest solution

    What you might be able to do instead is create a single APM and then branch that based on which service has been requested. You would need to verify that it doesn't automatically allow access to the other sites.

     

    2nd, reconfigure system

    I haven't tested this, but it should be possible. In the iRules that define which service is your destination, you will have to replace the pool with a new virtual server. You can then create X amount of internal virtual servers, each with their own access profile.

  • Hi, thanks for the answers,

     

    @Heino, advice 1 looks good, but the question is how to do it. I found the Per-request policy, and there it looks like it is possible to distinguish sites via URL, but I do not know how to set it up to cooperate with the Per-session policy.

     

    Thank you

  • Cool with the per-request policy. I'm not certain it'll be all that efficient on the system resources, but it is worth a try.

     

    If you go to edit the per-request policy, click on '+' to add a new action:

    • General Purpose > Empty
    • Branch Rules > Add Branch > Simple
    • Agent Sel: URL Branching
    • Condition: Equals (or whatever you need)

     

    Add as many branches as you have host names

  • Yes, this one I know, but I do not know how to connect it with the per-session policy, because there is a logon page set up there... I think it would be better to do it by iRule.

    The question is whether, and how, an access profile can be assigned by iRule, because this should work, if it is possible:

    This will match site test.sk and test2.com and I need to assign an access profile, if it is possible.

    when HTTP_REQUEST {
        if { ([HTTP::host] contains "test.com") || ([HTTP::host] equals "test2.com") } {

        }
    }
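
The second suggestion in the thread (an iRule on the front virtual server that hands each host to an internal virtual server carrying its own access profile), written out as an added example; it is not code from any poster and, like the suggestion itself, has not been confirmed in the thread. The internal virtual server names are hypothetical, and it assumes the front virtual server has no access profile of its own.

```tcl
# Added example, not from the thread.
# Assumption: vs_internal_test_com and vs_internal_test2_com are hypothetical
# internal virtual servers, each configured with its own APM access profile.
when HTTP_REQUEST {
    # Normalise the Host header: lower-case it and drop any ":port" suffix,
    # so "TEST.com:443" and "test.com" select the same branch.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # Match host names exactly. A "contains" test on "test.com" would also
    # accept names such as "test.com.example.net" or "mytest.com" and route
    # them through that site's access profile.
    switch -- $host {
        "test.com" {
            virtual /Common/vs_internal_test_com
        }
        "test2.com" {
            virtual /Common/vs_internal_test2_com
        }
        default {
            # Unknown or missing Host header: do not fall through to any
            # site's policy; drop the connection instead.
            reject
        }
    }
}
```

Each internal virtual server then evaluates only its own per-session policy, so it is worth verifying that a session established for one host is not accepted by the other.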