Forum Discussion

ThomasP
Mar 20, 2020

Is network access bypassing APM logon pages?

Hello,

Maybe it's a stupid question but I've been wondering about it for a while without finding a proper answer.

Usually, you can either access your web apps remotely through APM, or you can use an SSL VPN connection to get full network access.

Recently, when I was connected to the VPN (BIG-IP Edge Client), I tried to access different web apps through APM in order to test some APM workflows (VPE config), and I noticed I was somehow bypassing the APM logon pages: I was actually able to access the web apps without seeing the APM logon pages.

Maybe these were silly tests, but I'm still wondering: what happened?

I used an iRule to get verbose logs, and I saw that my VPN session ID was being used when accessing these web apps.

Is there any credential forwarding? How does it work?

Thank you

Thomas

  • If APM is the gatekeeper, then if you have a VPN session you are authenticated. If you then want to access the app, you are already authenticated with APM.

  • Thank you Pete for your reply.

    In that case, it seems that the APM checks (AD query, for example) and variable assignments are bypassed, right? Is there any solution for these?

    Thank you

      PeteWhite
      Hi Thomas, Take a look at https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-0-0/20.html and possibly https://devcentral.f5.com/s/articles/apm-full-step-up-authentication-903
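      The reuse described in this thread can be made visible on the box itself. The iRule below is an added example written for this page, not code from the thread or from F5: it records which virtual server's access policy created each APM session, then flags requests on any other virtual that ride on that session without ever having seen that virtual's logon page. It assumes the two virtuals honour the same session (the situation Thomas describes); the variable name session.custom.origin_vs is my own choice, the rest are standard ACCESS:: iRule commands and session variables.

```tcl
# Added example: tag each APM session with the virtual server that created it,
# then log requests on other virtuals that reuse that session.
# session.custom.origin_vs is an assumed (custom) variable name.

when ACCESS_POLICY_COMPLETED {
    # Runs once when the access policy finishes: on the VPN virtual when the
    # Edge Client logs in, or on a web-app virtual when a user passes its
    # logon page. Only tag sessions the policy actually allowed.
    if { [ACCESS::policy result] equals "allow" } {
        ACCESS::session data set session.custom.origin_vs [virtual name]
        log local0. "APM session [ACCESS::session sid] created on [virtual name] for user [ACCESS::session data get session.logon.last.username]"
    }
}

when HTTP_REQUEST {
    # Only inspect requests that already carry an established, allowed session.
    if { ![ACCESS::session exists -state_allow] } {
        return
    }

    set sid    [ACCESS::session sid]
    set origin [ACCESS::session data get session.custom.origin_vs]
    if { $origin eq "" } {
        # Session predates this iRule or was created by a policy that never
        # reached ACCESS_POLICY_COMPLETED on a tagged virtual.
        set origin "unknown"
    }

    if { $origin ne [virtual name] } {
        # This request never went through this virtual's logon page and policy
        # checks (AD query, variable assignments): it is reusing a session
        # created elsewhere, e.g. the Edge Client VPN session.
        log local0. "APM session $sid from [IP::client_addr] reused on [virtual name] (created on $origin) for [HTTP::host][HTTP::uri]"

        # Deliberately no ACCESS::session remove here: the session is shared,
        # so removing it would also tear down the user's VPN tunnel. Per-app
        # re-authentication belongs in the policy (step-up), not in an iRule
        # that kills the session.
    }
}
```

      Attach it to both the VPN virtual and the web-app virtual(s) and watch /var/log/ltm: a "created on" line from the VPN virtual followed by "reused on" lines from the web-app virtual with the same session ID confirms that the per-app policy branches are being skipped, which is what the step-up authentication article Pete links addresses.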
        Bazsi

        Hello PeteWhite, if I understand correctly there is no way to change this behaviour, and the Edge Client does not respect the profile scope setting?
        My use case is that the new service I'm working on should be fully independent. Testers should be able to use the service the same way regardless of where they are coming from: internal networks, VPN or the internet (in the future). Furthermore, the new service uses completely different preprod AAA than the production VPN, and the testers usually impersonate test users.