Wednesday, November 23, 2016

F5 APM policy on a VS with a portal access checklist

Here's a few checklist items when diagnostics of portal access  within a F5 with APM policies.

Portal access is a means for  providing  external users access to internal or even external websites and by rerouting and writing the requested URI for the requested target.

Check out a typical  portal access  mountain-top  view of a typical use for a internal only web servers that needs outside users to access theses  internal services. This is a typical use case for APM policy and for portal rewrites.

Things to check for when it does not work

1: ensure that you have SNAT enabled on VirtualServer that has the accesspolicy &  a rewrite profile on the virtual-server

NOTE:  the VS will use the SNAT pool when making the client connection to the site and present the output to the user who has access the webportal ( aka webtop )

2: ensure the links are correct and reachable from the F5 for the hosted URI. Check for  typos or incorrect paths.

  curl  with the interface option could be very  helpful

3: the portal  resources has to be applied in a webtop for the advance resource assignments ensure  you add the resource

4: use the f5  reporting to  validate that user is receiving the resource

5: use tcpdump or tshark on  the f5 if you suspect  layer3 issues

e.g  from bash shell

 tmsh -c "list net vlan one-line"
 tmsh -c "list net self  one-line"

tcpdump -n -i <interfacename>  host x.x.x.x  and por 80 or 443

A sample portal cfg for a URI hosted site that's made available in a F5  webtop portal

The advantages of this approach for deploying  portal access

  • you can provide  security for HTTP-only websites
  • host either  URI or static content , and require access-policy controls 
  • control user access based on User-Agent type for support OSes
  • demand AUTHENTICATION for applications that does not support or have  server-side authentications functions
  • reduce public exposure and ipv4 address usage ( the single portal  door provide access )
  • reduce the need for UCC or *cards certificates for aach internal hosted site
  • can add MFA for authentication requires
  •  Provide access to external websites that are locked down to a certain  network or ip-ranges
  • provide end-users access to sites that have zero internal access
  • ensure tighter security with regards to SSL/TLS and for older applications that doesn't support TLSv1.x

Ken Felix

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
        /  \

No comments:

Post a Comment