Here's a few checklist items when diagnostics of portal access within a F5 with APM policies.
Portal access is a means for providing external users access to internal or even external websites and by rerouting and writing the requested URI for the requested target.
Check out a typical portal access mountain-top view of a typical use for a internal only web servers that needs outside users to access theses internal services. This is a typical use case for APM policy and for portal rewrites.
Things to check for when it does not work
1: ensure that you have SNAT enabled on VirtualServer that has the accesspolicy & a rewrite profile on the virtual-server
NOTE: the VS will use the SNAT pool when making the client connection to the site and present the output to the user who has access the webportal ( aka webtop )
2: ensure the links are correct and reachable from the F5 for the hosted URI. Check for typos or incorrect paths.
curl with the interface option could be very helpful
3: the portal resources has to be applied in a webtop for the advance resource assignments ensure you add the resource
4: use the f5 reporting to validate that user is receiving the resource
5: use tcpdump or tshark on the f5 if you suspect layer3 issues
e.g from bash shell
tmsh -c "list net vlan one-line"
tmsh -c "list net self one-line"
tcpdump -n -i <interfacename> host x.x.x.x and por 80 or 443
A sample portal cfg for a URI hosted site that's made available in a F5 webtop portal
The advantages of this approach for deploying portal access
- you can provide security for HTTP-only websites
- host either URI or static content , and require access-policy controls
- control user access based on User-Agent type for support OSes
- demand AUTHENTICATION for applications that does not support or have server-side authentications functions
- reduce public exposure and ipv4 address usage ( the single portal door provide access )
- reduce the need for UCC or *cards certificates for aach internal hosted site
- can add MFA for authentication requires
- Provide access to external websites that are locked down to a certain network or ip-ranges
- provide end-users access to sites that have zero internal access
- ensure tighter security with regards to SSL/TLS and for older applications that doesn't support TLSv1.x
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \
No comments:
Post a Comment