Access internal DMZ virtual server in SSL VPN

Hello,

I have setup an LAB for learning prupose and i was wondering if its possible to access an internal Virtual Server in the DMZ (Load balance for internal users), i could not achieved this directly via VPN, its is possible via Webtop reverse proxy and adding the VPN vlan to the DMZ Virtual server. Here is my topology:

1) Connected to the VPN Virtual server at 10.128.10.14

2) I dont have any ACL so i can connect to all off the DMZ servers in Pool LTM (10.128.20.151, 10.128.20.152,10.128.20.153)

3) When i try to connect to the internal virtual server in DMZ its not possible.

I have both Virtual servers configured with Auto Map, as i said before i can connect to this virtual server adding the ssl vpn vlan to the dmz virtual server, but doing this its an L2 i guess and i cant control the access via ACL in my APM policy.

Here is the topology from my LAB.

application delivery

BIG-IP

BIG-IP Access Policy Manager (APM)

Yann_Desmarest_
Aug 17, 2017
Hi,

If the internal Virtual Server is HTTP or HTTPs, you may assign an SSO Access profile that allow you to get the username and password of the main Network Access policy.

Then, you can define an LDAP query to filter who can access the VS or not.

Or you can use an irule to control who can access the Virtual Server.

Alternatively, you can define several Lease pool based on different user populatiion and attach an irule to the DNZ Virtual Server allowing access to some lease IP addresses and reject or drop access for some others.

Hope it helps

Yann

22 Replies

boneyard
MVP
Aug 11, 2017
so i don't quite yet it, you can connect if you add the sslvpn vlan to the listen on VLAN list, but you don't want to?
Hugo_Frauches_2
Cirrus
Aug 11, 2017
Adding the sslvpn vlan to the Virtual Server allow me to connect, but i cant retrict access to it, example:

APM Policy

1) User from group A can access this virtual server.

2) User from other groups cant access.

This type of control does not work because when i add the vLan the connection isnt retricted at all.
boneyard
MVP
Aug 13, 2017
never tested that, but you are sure the APM access list don't work then?

have you done a packet capture to see if traffic leaves the big-ip from the lease pool and with which address?
Hugo_Frauches_2
Cirrus
Aug 14, 2017
I have tested the access control with the APM module and doesnt worked. I will make more tests and post the result.
Yann_Desmarest
Cirrus
Aug 17, 2017
Hi,

If the internal Virtual Server is HTTP or HTTPs, you may assign an SSO Access profile that allow you to get the username and password of the main Network Access policy.

Then, you can define an LDAP query to filter who can access the VS or not.

Or you can use an irule to control who can access the Virtual Server.

Alternatively, you can define several Lease pool based on different user populatiion and attach an irule to the DNZ Virtual Server allowing access to some lease IP addresses and reject or drop access for some others.

Hope it helps

Yann
- Hugo_Frauches_2
  Cirrus
  Aug 18, 2017
  Dear Yann,
  
  The virtual server im trying to access is configured with HTTP, i really dont want to create any access restrictions, im testing without an ACL in APM. I need to understand why i can access the nodes in DMZ (Red, Green, Blue, Hackit) but i cant access the internal Virtual Server 10.128.20.10 of this nodes.
  
  Its this a problem related to routes? Or maybe its works like that because of F5 design, since im connecting to and Virtual Server (VPN SSL) and im trying to coonnect to another Virtual Server (Internal DMZ).
- Yann_Desmarest
  Cirrus
  Aug 18, 2017
  I think the main problem is related to the vlans selected for your internal VS. You must add the Connectivity profile to the list of vlans allowed in your internal VS configuration to allow vpn users to access this VS
  
  hope it helps
  
  Yann
- Stanislas_Piro2
  Cumulonimbus
  Aug 18, 2017
  I agree with Yann, I had a customer with same issue... Connectivity profile was forgotten in VS VLAN allowed.
Yann_Desmarest_
Nacreous
Aug 17, 2017
Hi,

If the internal Virtual Server is HTTP or HTTPs, you may assign an SSO Access profile that allow you to get the username and password of the main Network Access policy.

Then, you can define an LDAP query to filter who can access the VS or not.

Or you can use an irule to control who can access the Virtual Server.

Alternatively, you can define several Lease pool based on different user populatiion and attach an irule to the DNZ Virtual Server allowing access to some lease IP addresses and reject or drop access for some others.

Hope it helps

Yann
- Hugo_Frauches_2
  Cirrus
  Aug 18, 2017
  Dear Yann,
  
  The virtual server im trying to access is configured with HTTP, i really dont want to create any access restrictions, im testing without an ACL in APM. I need to understand why i can access the nodes in DMZ (Red, Green, Blue, Hackit) but i cant access the internal Virtual Server 10.128.20.10 of this nodes.
  
  Its this a problem related to routes? Or maybe its works like that because of F5 design, since im connecting to and Virtual Server (VPN SSL) and im trying to coonnect to another Virtual Server (Internal DMZ).
- Yann_Desmarest_
  Nacreous
  Aug 18, 2017
  I think the main problem is related to the vlans selected for your internal VS. You must add the Connectivity profile to the list of vlans allowed in your internal VS configuration to allow vpn users to access this VS
  
  hope it helps
  
  Yann
- Stanislas_Piro2
  Cumulonimbus
  Aug 18, 2017
  I agree with Yann, I had a customer with same issue... Connectivity profile was forgotten in VS VLAN allowed.