CSS Scripting - URL Protection

Aug 27th, 2009

Can it be done, and does anyone have a sample script to examine the source IP address range 10.x.x.x, or maybe the gateway address, and ensure return traffic goes to 10.x.x.x? Then traffic sourced from the Internet goes back to the Internet. We have a case where we need to give HTTPS access to a Single SignOn server (the application does a URL redirect to it) with access from both intranet and internet. Thus 1 SignOn service.

masterappsdba Thu, 08/27/2009 - 15:14

In short, looking for a session from the intranet web service VIP to land in the intranet, and from the internet web service VIP to land in the internet.

Gilles Dufour Fri, 08/28/2009 - 02:31
User Badges:
  • Cisco Employee,

You will need to provide more information.

Do you have multiple servers?

Do they all receive the internet and intranet traffic?

Where is the CSS in the network?

Basically, the CSS does not care about intranet and internet.

It just routes the traffic to a client through a gateway.

So do you have a different gateway for intranet and internet?

The CSS normally guarantees that the response goes back to where it came from.

Nothing to do. This is automatic.


masterappsdba Fri, 08/28/2009 - 08:21

One CSS in DMZ 172.x.x.x

Second CSS in intranet 10.x.x.x

2 DMZ Web Srvr LB with 172.x.x.10 VIP - HTTPS

2 Intra Web Srvr LB with 10.x.x.50 VIP - HTTP

2 DMZ SignOn Srvr LB with 172.x.x.99 VIP - HTTPS



Internal SignOn Path

- Browser hits 10.x.x.50, session immediately redirects to 172.x.x.99.

- User Performs Login.

- Session returned to 10.x.x.50 with secure token.


External SignOn Path

- Browser hits 172.x.x.10, session immediately redirects to 172.x.x.99.

- User Performs Login.

- Session returned to 172.x.x.10 with secure token.


Try a direct URL to SignOn: the SignOn service will say DENIED & stop traffic.


SignOn server also has a URL Firewall (all URLs denied except whitelisted allowed URLs).


Our security experts want an extra level of control beyond the SignOn App Server to ensure someone can't hack into the internal, since the SSO VIP is firewall-ruled allowable in internet and intranet.

I was thinking of a CSS rule/script or an RP on top of the CSS, or any other recommendations.
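
The extra control requested in the post above, sketched as an added example (not part of the thread and not CSS configuration): a check a reverse proxy in front of the SSO VIP could apply so that a sign-on is only ever returned to the web VIP of the zone the client came from. The function names are hypothetical, and the concrete addresses are constructed stand-ins for the elided 10.x.x.50 and 172.x.x.10.

```python
import ipaddress
from urllib.parse import urlsplit

INTRANET = ipaddress.ip_network("10.0.0.0/8")  # the thread's 10.x.x.x range

# Constructed stand-ins: the thread elides these addresses (10.x.x.50, 172.x.x.10).
ALLOWED_RETURN = {
    "intranet": ("http", "10.0.0.50"),     # intranet web VIP, HTTP
    "internet": ("https", "172.16.0.10"),  # DMZ web VIP, HTTPS
}


def zone_of(peer_ip: str) -> str:
    """Classify by TCP peer address, never by a client-supplied header."""
    return "intranet" if ipaddress.ip_address(peer_ip) in INTRANET else "internet"


def check_signon(peer_ip: str, return_url: str):
    """Return (allowed, reason) for one sign-on request reaching the SSO VIP."""
    try:
        zone = zone_of(peer_ip)
        parts = urlsplit(return_url)
        target = (parts.scheme, parts.hostname)
    except ValueError:
        return False, "unparseable source address or return URL"
    if target != ALLOWED_RETURN[zone]:
        # Covers cross-zone returns and look-alike URLs such as user@host tricks.
        return False, f"{zone} client may not be returned to {parts.hostname}"
    return True, f"{zone} path"


if __name__ == "__main__":
    # Constructed sample requests: (peer address, requested return URL).
    samples = [
        ("10.20.30.40", "http://10.0.0.50/app"),
        ("203.0.113.7", "https://172.16.0.10/app"),
        ("203.0.113.7", "http://10.0.0.50/app"),
        ("203.0.113.7", "https://172.16.0.10@10.0.0.50/app"),
    ]
    for ip, url in samples:
        print(ip, url, check_signon(ip, url))
```

If a device in front of the enforcement point performs source NAT, the peer address seen is that device's, so the check has to run where the original client address is still visible.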

