08-27-2009 02:53 PM
Can it be done, and does anyone have a sample script to examine the source IP address range 10.x.x.x (or maybe the gateway address) and ensure return traffic goes back to 10.x.x.x? Then traffic sourced from the Internet goes back to the Internet. We have a case where we need to give HTTPS access to a Single Sign-On server (the application does a URL redirect to it) with access from both the intranet and the Internet. Thus one SignOn service.
08-27-2009 03:00 PM
Forgot to mention, CSS 11509 series.
08-27-2009 03:14 PM
In short, I am looking for a session from the intranet web service VIP to land in the intranet, and a session from the Internet web service VIP to land in the Internet.
08-28-2009 02:31 AM
You will need to provide more information.
Do you have multiple servers?
Do they all receive the traffic from the Internet and the intranet?
Where is the CSS in the network?
Basically, the CSS does not care about intranet and Internet.
It just routes the traffic to a client through a gateway.
So do you have a different gateway for the intranet and the Internet?
The CSS normally guarantees that the response goes back to where it came from.
Nothing to do. This is automatic.
Gilles.
08-28-2009 08:21 AM
One CSS in DMZ 172.x.x.x
Second CSS in intranet 10.x.x.x
2 DMZ Web Srvr LB with 172.x.x.10 VIP - HTTPS
2 Intra Web Srvr LB with 10.x.x.50 VIP - HTTP
2 DMZ SignOn Srvr LB with 172.x.x.99 VIP - HTTPS
---------------------------------------
====================
Internal SignOn Path
- Browser hits 10.x.x.50, session immediately redirects to 172.x.x.99.
- User Performs Login.
- Session returned to 10.x.x.50 with secure token.
====================
External SignOn Path
- Browser hits 172.x.x.10, session immediately redirects to 172.x.x.99.
- User Performs Login.
- Session returned to 172.x.x.10 with secure token.
======================
Try a direct URL to SignOn and the SignOn service will say DENIED and stop the traffic.
------------------------------------
The SignOn server also has a URL firewall (all URLs denied except whitelisted allow URLs).
==================================
Our security experts want an extra level of control beyond the SignOn app server to ensure someone can't hack into the internal network, since the SSO VIP is firewall-ruled allowable from both the Internet and the intranet.
I was thinking of a CSS rule/script or an RP on top of the CSS, or any other recommendations.
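The control the last post asks for (an intranet session is only ever returned to the intranet web VIP, an Internet session only to the DMZ web VIP, and a direct hit on the SSO VIP with no legitimate return target is dropped) is the kind of check a reverse proxy placed in front of the SSO VIP could enforce before the request reaches the SignOn server. The following is an added example written for this thread, not code from the original posts and not a CSS feature; it assumes concrete stand-in addresses (10.0.0.50 for 10.x.x.50, 172.16.0.10 for 172.x.x.10), assumes the post-login return URL travels in a query parameter named returnTo, and uses constructed sample requests.

```python
"""Policy check for a reverse proxy in front of an SSO VIP: an intranet client
may only be sent back to the intranet web VIP, an Internet client only to the
DMZ web VIP. Added illustrative example; all addresses and the parameter name
are assumptions standing in for the thread's 10.x.x.x / 172.x.x.x placeholders."""
import ipaddress
from urllib.parse import urlparse, parse_qs

INTRANET_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed intranet range (10.x.x.x)
RETURN_POLICY = {
    # zone: (allowed scheme, allowed return hosts)
    "intranet": ("http", {"10.0.0.50"}),      # intranet web VIP, HTTP in the thread
    "internet": ("https", {"172.16.0.10"}),   # DMZ web VIP, HTTPS in the thread
}
RETURN_PARAM = "returnTo"   # assumed name of the query parameter carrying the return URL


def client_zone(src_ip: str) -> str:
    """Classify the client by the proxy's peer address (never by a client-supplied header)."""
    addr = ipaddress.ip_address(src_ip)
    return "intranet" if addr in INTRANET_NET else "internet"


def return_url_allowed(zone: str, return_url: str) -> bool:
    """True only if the return URL points at the web VIP of the client's own zone."""
    scheme, hosts = RETURN_POLICY[zone]
    try:
        parts = urlparse(return_url)
    except ValueError:
        return False
    if parts.scheme != scheme:
        return False
    # Hostname must match exactly, and the netloc must be nothing but that hostname:
    # this rejects userinfo tricks such as https://172.16.0.10@evil.example/ and
    # anything carrying an unexpected port.
    if parts.hostname not in hosts or parts.netloc != parts.hostname:
        return False
    return True


def decide(src_ip: str, request_path: str) -> str:
    """Return 'ALLOW' or 'DENY' for one request to the SSO VIP."""
    zone = client_zone(src_ip)
    query = parse_qs(urlparse(request_path).query)
    targets = query.get(RETURN_PARAM, [])
    if len(targets) != 1:        # no return URL, or several: deny rather than guess
        return "DENY"
    return "ALLOW" if return_url_allowed(zone, targets[0]) else "DENY"


# Constructed sample requests (not real traffic): "src_ip<space>path".
SAMPLE_REQUESTS = [
    "10.20.30.40 /login?returnTo=http://10.0.0.50/app",               # intranet -> intranet
    "10.20.30.40 /login?returnTo=https://172.16.0.10/app",            # intranet -> DMZ
    "203.0.113.7 /login?returnTo=https://172.16.0.10/app",            # Internet -> DMZ
    "203.0.113.7 /login?returnTo=http://10.0.0.50/app",               # Internet -> intranet
    "203.0.113.7 /login?returnTo=https://172.16.0.10@evil.example/",  # userinfo trick
    "203.0.113.7 /login",                                              # direct hit, no return URL
]


def evaluate(requests=SAMPLE_REQUESTS) -> list:
    """Run the policy over a list of request lines; returns (src_ip, path, verdict) tuples."""
    results = []
    for line in requests:
        src_ip, path = line.split(" ", 1)
        results.append((src_ip, path, decide(src_ip, path)))
    return results


if __name__ == "__main__":
    for src, path, verdict in evaluate():
        print(f"{verdict:5} {src:12} {path}")
```

The zone decision rests on the TCP peer address as seen by the proxy. If the CSS or any other device in the path source-NATs client traffic, that address no longer identifies the zone and this check degrades to a no-op, so the NAT behaviour has to be confirmed first; trusting an X-Forwarded-For header for this purpose would let an Internet client claim an intranet address.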