Forum Discussion

Hugo_Frauches_2's avatar
Aug 11, 2017
Solved

Access internal DMZ virtual server in SSL VPN

Hello,

 

I have setup an LAB for learning prupose and i was wondering if its possible to access an internal Virtual Server in the DMZ (Load balance for internal users), i could not achieved this directly via VPN, its is possible via Webtop reverse proxy and adding the VPN vlan to the DMZ Virtual server. Here is my topology:

 

1) Connected to the VPN Virtual server at 10.128.10.14

 

2) I dont have any ACL so i can connect to all off the DMZ servers in Pool LTM (10.128.20.151, 10.128.20.152,10.128.20.153)

 

3) When i try to connect to the internal virtual server in DMZ its not possible.

 

I have both Virtual servers configured with Auto Map, as i said before i can connect to this virtual server adding the ssl vpn vlan to the dmz virtual server, but doing this its an L2 i guess and i cant control the access via ACL in my APM policy.

 

Here is the topology from my LAB.

 

 

  • Hi,

     

    If the internal Virtual Server is HTTP or HTTPs, you may assign an SSO Access profile that allow you to get the username and password of the main Network Access policy.

     

    Then, you can define an LDAP query to filter who can access the VS or not.

     

    Or you can use an irule to control who can access the Virtual Server.

     

    Alternatively, you can define several Lease pool based on different user populatiion and attach an irule to the DNZ Virtual Server allowing access to some lease IP addresses and reject or drop access for some others.

     

    Hope it helps

     

    Yann

     

22 Replies

  • so i don't quite yet it, you can connect if you add the sslvpn vlan to the listen on VLAN list, but you don't want to?

     

  • Adding the sslvpn vlan to the Virtual Server allow me to connect, but i cant retrict access to it, example:

     

    APM Policy

     

    1) User from group A can access this virtual server.

     

    2) User from other groups cant access.

     

    This type of control does not work because when i add the vLan the connection isnt retricted at all.

     

  • never tested that, but you are sure the APM access list don't work then?

     

    have you done a packet capture to see if traffic leaves the big-ip from the lease pool and with which address?

     

  • I have tested the access control with the APM module and doesnt worked. I will make more tests and post the result.

     

  • Hi,

     

    If the internal Virtual Server is HTTP or HTTPs, you may assign an SSO Access profile that allow you to get the username and password of the main Network Access policy.

     

    Then, you can define an LDAP query to filter who can access the VS or not.

     

    Or you can use an irule to control who can access the Virtual Server.

     

    Alternatively, you can define several Lease pool based on different user populatiion and attach an irule to the DNZ Virtual Server allowing access to some lease IP addresses and reject or drop access for some others.

     

    Hope it helps

     

    Yann

     

    • Hugo_Frauches_2's avatar
      Hugo_Frauches_2
      Icon for Cirrus rankCirrus

      Dear Yann,

       

      The virtual server im trying to access is configured with HTTP, i really dont want to create any access restrictions, im testing without an ACL in APM. I need to understand why i can access the nodes in DMZ (Red, Green, Blue, Hackit) but i cant access the internal Virtual Server 10.128.20.10 of this nodes.

       

      Its this a problem related to routes? Or maybe its works like that because of F5 design, since im connecting to and Virtual Server (VPN SSL) and im trying to coonnect to another Virtual Server (Internal DMZ).

       

    • Yann_Desmarest's avatar
      Yann_Desmarest
      Icon for Cirrus rankCirrus

      I think the main problem is related to the vlans selected for your internal VS. You must add the Connectivity profile to the list of vlans allowed in your internal VS configuration to allow vpn users to access this VS

       

      hope it helps

       

      Yann

       

    • Stanislas_Piro2's avatar
      Stanislas_Piro2
      Icon for Cumulonimbus rankCumulonimbus

      I agree with Yann, I had a customer with same issue... Connectivity profile was forgotten in VS VLAN allowed.

       

  • Hi,

     

    If the internal Virtual Server is HTTP or HTTPs, you may assign an SSO Access profile that allow you to get the username and password of the main Network Access policy.

     

    Then, you can define an LDAP query to filter who can access the VS or not.

     

    Or you can use an irule to control who can access the Virtual Server.

     

    Alternatively, you can define several Lease pool based on different user populatiion and attach an irule to the DNZ Virtual Server allowing access to some lease IP addresses and reject or drop access for some others.

     

    Hope it helps

     

    Yann

     

    • Hugo_Frauches_2's avatar
      Hugo_Frauches_2
      Icon for Cirrus rankCirrus

      Dear Yann,

       

      The virtual server im trying to access is configured with HTTP, i really dont want to create any access restrictions, im testing without an ACL in APM. I need to understand why i can access the nodes in DMZ (Red, Green, Blue, Hackit) but i cant access the internal Virtual Server 10.128.20.10 of this nodes.

       

      Its this a problem related to routes? Or maybe its works like that because of F5 design, since im connecting to and Virtual Server (VPN SSL) and im trying to coonnect to another Virtual Server (Internal DMZ).

       

    • Yann_Desmarest_'s avatar
      Yann_Desmarest_
      Icon for Nacreous rankNacreous

      I think the main problem is related to the vlans selected for your internal VS. You must add the Connectivity profile to the list of vlans allowed in your internal VS configuration to allow vpn users to access this VS

       

      hope it helps

       

      Yann

       

    • Stanislas_Piro2's avatar
      Stanislas_Piro2
      Icon for Cumulonimbus rankCumulonimbus

      I agree with Yann, I had a customer with same issue... Connectivity profile was forgotten in VS VLAN allowed.