topic ACE4710 and url based inspection in Application Networking

ACE4710 and url based inspection

srdjankatic — Fri, 29 Nov 2013 09:43:45 GMT

Dear all,

i have one server farm with app servers that serve web app on ceratin url, let's say http://server:port/application1.

I nedd to publish different module off same app on same ip and port but different url to another group of users, let's say http://server:port/application2.

When second group of users type /application1 they should not be allowed to get login page, only for url /application2

I was thinking about L7 policy. ACE4710 is not xml firewall but is it possible to set authorization or L7 acl based on url on web server?

How would you implement this solution in my case?

Thank You

ACE4710 and url based inspection

Kanwaljeet Singh — Fri, 29 Nov 2013 14:30:35 GMT

Hi,

ACE have the capacity to inspect L7 information and take decisions but if i have understood your requirement correctly , you want both the URL's resolved to same VIP and loadbalanced to same serverfarm but second group shouldn't have access to application in case they use URL used by first group.

I am not sure how ACE would differentiate between different set of groups. If you want that any user coming with , for example, application2 needs to be dropped that can be done.

I haven't tested but you can try a combination of "match source address and match url" and use different VIP's and get loadbalanced to same set of real servers running same application in different serverfarms.

For one group:

class-map type http loadbalance match-all test11
2 match source-address 1.1.1.1 255.255.255.255
3 match http url /test1

class-map match-all testing

2 match virtual-address 2.2.2.2 tcp eq www

For second group:

class-map type http loadbalance match-all test12

2 match source-address 3.3.3.3 255.255.255.255

3 match http url /test2

class-map match-all testing

2 match virtual-address 4.4.4.4 tcp eq www

Regards,

Kanwal

ACE4710 and url based inspection

Kanwaljeet Singh — Fri, 29 Nov 2013 14:36:45 GMT

Hi,

In fact i was thinking if you are using loadbalancing based on src IP, you don't need to define URL there.

Just get users from 1 group to one vip and 2 group to another and get them to loadbalance traffic to same rservers in different serverfarms.

Regards,

Kanwal

ACE4710 and url based inspection

srdjankatic — Fri, 29 Nov 2013 15:24:40 GMT

Hi Kanwal, tnx for quick response.

This idea is based on security requirement

With your config if second group go to second VIP but add url for first group, (by mistake or with intesion) will they be able to get login screen for app1 for first group since same rserver hosts both urls? Idea is to de facto prevent second group user to type /application1 and get login page, they should be denied.

I will try your config soon as possible and test also.

Tnx,

Srdjan

ACE4710 and url based inspection

Kanwaljeet Singh — Fri, 29 Nov 2013 15:29:09 GMT

Hi Srdjan,

If the users will not match the condition in class-map they will be dropped there itself and question of users going to real server doesn't arise.

You will have to define different VIP and different conditions for different set of users.

Regards,

Kanwal

ACE4710 and url based inspection

srdjankatic — Fri, 29 Nov 2013 15:39:30 GMT

Thank you Kanwal, will try it next week.