BIG-IP APM: Max Sessions Per User - Enable users to terminate a specified session


Robert Teller, 2015-22-12

Technical Challenge

Recently I was speaking with a customer and they mentioned that they leveraged the Max Sessions Per User setting within the BIG-IP APM Access Profile to limit the number of concurrent connections that a single user could have at any point in time. The customer mentioned that this works, but often their users would complain that the wrong session was terminated or that a session they were actively using was closed. After reproducing the scenario in a lab environment I observed that the BIG-IP APM would terminate sessions based on FIFO (First In, First Out), meaning that the oldest session was always terminated first regardless of which session the user was actively interacting with. Since this was confusing for the customer I figured others had experienced this problem and it would be worth sharing my solution with the world. So how do you enforce Max Sessions Per User and enable your users to intelligently select which session to terminate?

The Solution

If we break down the problem statement above we can see that it is really two issues. First we need to identify if a user has exceeded the maximum number of allocated sessions; then, if they have, we need to provide them a way to select which session should be terminated.

Enforce Max Sessions Per User

BIG-IP APM Access Profiles natively provide a way to limit the maximum number of sessions a user can establish, but they don't provide a way to interact with pre-existing sessions. For more information on Access Profile settings see https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-network-access-11-6-0/9.html#taskid

If the built-in functionality won't achieve what we want, let's build our own using APM iRule events.

iRule Session Enforcement

The ACCESS::uuid iRule command will allow us to identify all active sessions for a specified Access Profile and username. The iRule below will prevent a user from establishing more than 3 sessions:

    when CLIENT_ACCEPTED {
        ACCESS::restrict_irule_events disable
    }

    when ACCESS_POLICY_COMPLETED {
        set max_sessions 3
        # The original listing uses $apm_username and $apm_cookie_list without showing where
        # they are set; these two lines derive them with ACCESS::uuid as the text describes.
        set apm_username [ACCESS::session data get session.logon.last.username]
        set apm_cookie_list [ACCESS::uuid getsid [ACCESS::uuid getuuid [PROFILE::access name] $apm_username]]
        log local0. "[PROFILE::access name].$apm_username => session number [llength $apm_cookie_list]"
        if { [llength $apm_cookie_list] >= $max_sessions } {
            # Over the limit: tear down this new session and send the client to the hangup page
            ACCESS::session remove
            ACCESS::respond 302 Location "/vdesk/hangup.php3"
        }
    }

This will allow us to limit concurrent connections for a user, but it is too late in the authentication process to enable the user to select a session to terminate. Instead of having the logic execute in the ACCESS_POLICY_COMPLETED event, let's try using a VPE iRule Event.

APM VPE iRule Event Session Enforcement

First update your Access Policy to look similar to the images below, with an iRule Event placed after the user authentication event.

The iRule event ID will be referenced in your iRule:

    max_session_count

The branch logic will be used to identify if the user has more than 3 concurrent sessions:

    expr { [mcget {session.logon.last.count}] >= 3 }

Update the iRule you created earlier with the code below; this will allow the VPE policy to pause and execute events within the iRule.

    when ACCESS_POLICY_AGENT_EVENT {
        switch [ACCESS::policy agent_id] {
            "max_session_count" {
                # Derive the user's session list with ACCESS::uuid (not shown in the original listing)
                set apm_username [ACCESS::session data get session.logon.last.username]
                set apm_cookie_list [ACCESS::uuid getsid [ACCESS::uuid getuuid [PROFILE::access name] $apm_username]]
                # Publish the count so the VPE branch rule can compare it against the maximum
                ACCESS::session data set session.logon.last.count [llength $apm_cookie_list]
            }
        }
    }

Now, as long as the user is below the defined maximum allowed connections, they will be allowed to connect as normal.

Enabling Users to Select a Session to be Terminated

Now this is the tricky part: we need to provide an interface to the user that will enable them to select a session to be terminated. We could spend a bunch of time creating a custom web interface using JavaScript, or we could re-purpose the Logon Page object built into APM and display the information to the user with minimal customization.

Remove the Password field from the Logon Page object, replace it with a Radio field, and set the variable name to:

    terminate

Click on the textbox in the Values column of the terminate row and add one entry for each session the user is allowed to have. (If the max session count is set to 3, then add 3 options.) The contents for the radio buttons will be dynamically generated within the iRule Event and stored as APM session variables.

The Value field should be %session.logon.active.#.sid (session IDs will be stored in a list variable that starts at 0; replace # with the appropriate index number, starting at 0):

    %session.logon.active.0.sid
    %session.logon.active.1.sid
    %session.logon.active.2.sid

The Text field should be %session.logon.active.#.text (the # should be replaced with the corresponding list index):

    %session.logon.active.0.text
    %session.logon.active.1.text
    %session.logon.active.2.text

After adding the appropriate number of options, the final option should be cancel, with text that indicates that the current session will be terminated if the user selects cancel.

Click on the Branch Rules tab and add a new Branch Rule to handle the logic that will allow the user to cancel session termination:

    expr { [mcget {session.logon.last.terminate}] == "cancel" }

Next update the iRule created earlier with the snippet listed below. The updated iRule will populate the session variables that will be used to display session information to the user.

    when ACCESS_POLICY_AGENT_EVENT {
        switch [ACCESS::policy agent_id] {
            "max_session_count" {
                # Derive the user's session list with ACCESS::uuid (not shown in the original listing)
                set apm_username [ACCESS::session data get session.logon.last.username]
                set apm_cookie_list [ACCESS::uuid getsid [ACCESS::uuid getuuid [PROFILE::access name] $apm_username]]
                for { set i 0 } { $i < [llength $apm_cookie_list] } { incr i } {
                    set _sid [lindex $apm_cookie_list $i]
                    # Read the details of each existing session by its session ID (-sid)
                    set _clientip [ACCESS::session data get -sid $_sid session.user.clientip]
                    set _starttime [ACCESS::session data get -sid $_sid session.user.starttime]
                    set _timeformat [clock format $_starttime -format "%H:%M:%S %d %b %Y "]
                    set _connectiontype [ACCESS::session data get -sid $_sid session.user.sess]  ;# variable name is cut off in the source
                    set _browsertype [ACCESS::session data get -sid $_sid session.client.type]
                    set _sessionid [ACCESS::session data get -sid $_sid session.user.sessionid]
                    # Build the HTML table shown next to the radio button for this session
                    set _sessioninfo "<table style='border-collapse: collapse' width='100%'>"
                    append _sessioninfo "<tr><td style='border: 1px solid black'>session ID</td><td style='border: 1px solid black'>$_sessionid</td></tr>"
                    append _sessioninfo "<tr><td style='border: 1px solid black'>start Time</td><td style='border: 1px solid black'>$_timeformat</td></tr>"
                    append _sessioninfo "<tr><td style='border: 1px solid black'>client IP</td><td style='border: 1px solid black'>$_clientip</td></tr>"
                    append _sessioninfo "<tr><td style='border: 1px solid black'>connection Type</td><td style='border: 1px solid black'>$_connectiontype</td></tr>"
                    append _sessioninfo "<tr><td style='border: 1px solid black'>browser Type</td><td style='border: 1px solid black'>$_browsertype</td></tr>"
                    append _sessioninfo "</table>"
                    # Radio button value (session ID) and display text for index $i
                    ACCESS::session data set session.logon.active.$i.sid $_sessionid
                    ACCESS::session data set session.logon.active.$i.text $_sessioninfo
                }
                ACCESS::session data set session.logon.last.count [llength $apm_cookie_list]
            }
        }
    }
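As an added example that is not part of the original article: a hardened variant of the max_session_count handler. The Logon Page renders %session.logon.active.#.text as HTML, so every session value is HTML-escaped before it lands in a table cell, and a session whose start time is not numeric is shown as "unknown" instead of breaking clock format. It assumes the article's agent ID and session variables, derives the session list with ACCESS::uuid, and leaves out the connection type row because that variable name is cut off in the source.

```tcl
# Added example (not the article's code): max_session_count handler that HTML-escapes
# every value before it is embedded in the table the Logon Page renders.
# Assumes the VPE agent ID "max_session_count" and the session variables named in the article.
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "max_session_count" } { return }

    # The user's active sessions for this access profile, via ACCESS::uuid
    set apm_username [ACCESS::session data get session.logon.last.username]
    set apm_uuid [ACCESS::uuid getuuid [PROFILE::access name] $apm_username]
    set apm_cookie_list [ACCESS::uuid getsid $apm_uuid]

    # Minimal HTML escaping. string map scans the input once, left to right, so the
    # "&" entry cannot re-escape entities produced by the other entries.
    set html_map [list "&" "&amp;" "<" "&lt;" ">" "&gt;" "\"" "&quot;" "'" "&#39;"]
    set cell "style='border: 1px solid black'"

    set i 0
    foreach sid $apm_cookie_list {
        set sessionid [ACCESS::session data get -sid $sid session.user.sessionid]
        set starttime [ACCESS::session data get -sid $sid session.user.starttime]
        # A session without a numeric start time must not break clock format
        if { [string is integer -strict $starttime] } {
            set started [clock format $starttime -format "%H:%M:%S %d %b %Y"]
        } else {
            set started "unknown"
        }
        set rows [list \
            "session ID"   $sessionid \
            "start Time"   $started \
            "client IP"    [ACCESS::session data get -sid $sid session.user.clientip] \
            "browser Type" [ACCESS::session data get -sid $sid session.client.type]]

        set info "<table style='border-collapse: collapse' width='100%'>"
        foreach {label value} $rows {
            append info "<tr><td $cell>[string map $html_map $label]</td>"
            append info "<td $cell>[string map $html_map $value]</td></tr>"
        }
        append info "</table>"

        # Radio button value (session ID) and its display text for index $i
        ACCESS::session data set session.logon.active.$i.sid $sessionid
        ACCESS::session data set session.logon.active.$i.text $info
        incr i
    }
    ACCESS::session data set session.logon.last.count [llength $apm_cookie_list]
}
```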

Terminate the Selected Session

Now that we have a way to select a session to terminate, add a second VPE iRule Event to handle the session termination.

The iRule event ID will be referenced in your iRule:

    terminate_session

The branch logic will be used to verify that the session was terminated successfully; if it fails to terminate, the user's current session will be terminated instead:

    expr { [mcget {session.logon.last.terminateresult}] == 1 }

Next update the iRule created earlier with the snippet listed below. The update adds a second iRule Event case, terminate_session, to the switch; the max_session_count case stays exactly as shown above.

    when ACCESS_POLICY_AGENT_EVENT {
        switch [ACCESS::policy agent_id] {
            "max_session_count" {
                # unchanged from the previous listing
            }
            "terminate_session" {
                set removed 0
                # Re-derive the user's session list; iRule variables from an earlier request are not guaranteed here
                set apm_username [ACCESS::session data get session.logon.last.username]
                set apm_cookie_list [ACCESS::uuid getsid [ACCESS::uuid getuuid [PROFILE::access name] $apm_username]]
                # The session ID the user picked on the Logon Page (or "cancel")
                set _terminateid [ACCESS::session data get session.logon.last.terminate]
                for { set i 0 } { $i < [llength $apm_cookie_list] } { incr i } {
                    set _sid [lindex $apm_cookie_list $i]
                    set _sessionid [ACCESS::session data get -sid $_sid session.user.sessionid]
                    # Only a session in this user's own list can be removed
                    if { $_sessionid eq $_terminateid } {
                        set removed 1
                        ACCESS::session remove -sid $_sid
                        break
                    }
                }
                # 1 on success; 0 sends the policy down the branch that ends the current session instead
                ACCESS::session data set session.logon.last.terminateresult $removed
            }
        }
    }

Time to Test

Now establish enough sessions to exceed the maximum concurrent user count and you should receive a logon page prompting you to select a session to terminate.

Putting Everything Together

Step 1: Edit your Access Policy

When this step is complete your Access Policy should look similar to the attached image.

1. The first iRule Event should have the following information populated.

The iRule event ID will be referenced in your iRule:

    max_session_count

The branch logic will be used to identify if the user has more than 3 concurrent sessions:

    expr { [mcget {session.logon.last.count}] >= 3 }

2. The Logon Page (Session Termination) should have the following information populated.

Remove the Password field from the Logon Page object, replace it with a Radio field, and set the variable name to:

    terminate

Click on the textbox in the Values column of the terminate row and add one entry for each session the user is allowed to have. (If the max session count is set to 3, then add 3 options.) The contents for the radio buttons will be dynamically generated within the iRule Event and stored as APM session variables.

The Value field should be %session.logon.active.#.sid (session IDs will be stored in a list variable that starts at 0; replace # with the appropriate index number, starting at 0):

    %session.logon.active.0.sid
    %session.logon.active.1.sid
    %session.logon.active.2.sid

The Text field should be %session.logon.active.#.text (the # should be replaced with the corresponding list index):

    %session.logon.active.0.text
    %session.logon.active.1.text
    %session.logon.active.2.text

After adding the appropriate number of options, the final option should be cancel, with text that indicates that the current session will be terminated if the user selects cancel.

Click on the Branch Rules tab and add a new Branch Rule to handle the logic that will allow the user to cancel session termination:

    expr { [mcget {session.logon.last.terminate}] == "cancel" }

3. The second iRule Event should have the following information populated.

The iRule event ID will be referenced in your iRule:

    terminate_session

The branch logic will be used to verify that the session was terminated successfully; if it fails to terminate, the user's current session will be terminated instead:

    expr { [mcget {session.logon.last.terminateresult}] == 1 }

Step 2: Create and Apply the Custom iRule

    when ACCESS_POLICY_AGENT_EVENT {
        switch [ACCESS::policy agent_id] {
            "max_session_count" {
                # Derive the user's session list with ACCESS::uuid (not shown in the original listing)
                set apm_username [ACCESS::session data get session.logon.last.username]
                set apm_cookie_list [ACCESS::uuid getsid [ACCESS::uuid getuuid [PROFILE::access name] $apm_username]]
                for { set i 0 } { $i < [llength $apm_cookie_list] } { incr i } {
                    set _sid [lindex $apm_cookie_list $i]
                    # Read the details of each existing session by its session ID (-sid)
                    set _clientip [ACCESS::session data get -sid $_sid session.user.clientip]
                    set _starttime [ACCESS::session data get -sid $_sid session.user.starttime]
                    set _timeformat [clock format $_starttime -format "%H:%M:%S %d %b %Y "]
                    set _connectiontype [ACCESS::session data get -sid $_sid session.user.sess]  ;# variable name is cut off in the source
                    set _browsertype [ACCESS::session data get -sid $_sid session.client.type]
                    set _sessionid [ACCESS::session data get -sid $_sid session.user.sessionid]
                    # Build the HTML table shown next to the radio button for this session
                    set _sessioninfo "<table style='border-collapse: collapse' width='100%'>"
                    append _sessioninfo "<tr><td style='border: 1px solid black'>session ID</td><td style='border: 1px solid black'>$_sessionid</td></tr>"
                    append _sessioninfo "<tr><td style='border: 1px solid black'>start Time</td><td style='border: 1px solid black'>$_timeformat</td></tr>"
                    append _sessioninfo "<tr><td style='border: 1px solid black'>client IP</td><td style='border: 1px solid black'>$_clientip</td></tr>"
                    append _sessioninfo "<tr><td style='border: 1px solid black'>connection Type</td><td style='border: 1px solid black'>$_connectiontype</td></tr>"
                    append _sessioninfo "<tr><td style='border: 1px solid black'>browser Type</td><td style='border: 1px solid black'>$_browsertype</td></tr>"
                    append _sessioninfo "</table>"
                    # Radio button value (session ID) and display text for index $i
                    ACCESS::session data set session.logon.active.$i.sid $_sessionid
                    ACCESS::session data set session.logon.active.$i.text $_sessioninfo
                }
                ACCESS::session data set session.logon.last.count [llength $apm_cookie_list]
            }
            "terminate_session" {
                set removed 0
                # Re-derive the user's session list; iRule variables from an earlier request are not guaranteed here
                set apm_username [ACCESS::session data get session.logon.last.username]
                set apm_cookie_list [ACCESS::uuid getsid [ACCESS::uuid getuuid [PROFILE::access name] $apm_username]]
                # The session ID the user picked on the Logon Page (or "cancel")
                set _terminateid [ACCESS::session data get session.logon.last.terminate]
                for { set i 0 } { $i < [llength $apm_cookie_list] } { incr i } {
                    set _sid [lindex $apm_cookie_list $i]
                    set _sessionid [ACCESS::session data get -sid $_sid session.user.sessionid]
                    # Only a session in this user's own list can be removed
                    if { $_sessionid eq $_terminateid } {
                        set removed 1
                        ACCESS::session remove -sid $_sid
                        break
                    }
                }
                # 1 on success; 0 sends the policy down the branch that ends the current session instead
                ACCESS::session data set session.logon.last.terminateresult $removed
            }
        }
    }

2017 F5 Networks, Inc. All rights reserved.