Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ACE4710 and url based inspection

Dear all,

i have one server farm with app servers that serve web app on ceratin url, let's say   http://server:port/application1.

I nedd to publish different module  off same app on same ip and port but different url to another group of users, let's say  http://server:port/application2.

When second group of users type /application1 they should not be allowed to get login page, only for url /application2

I was thinking about L7 policy. ACE4710 is not xml firewall but is it possible to set authorization or L7 acl based on url on web server?

How would you implement this solution in my case?

Thank You

5 REPLIES
Cisco Employee

ACE4710 and url based inspection

Hi,

ACE have the capacity to inspect L7 information and take decisions but if i have understood your requirement correctly , you want both the URL's resolved to same VIP and loadbalanced to same serverfarm  but second group shouldn't have access to application in case they use URL used by first group.

I am not sure how ACE would differentiate between different set of groups. If you want that any user coming with , for example, application2 needs to be dropped that can be done.

I haven't tested but you can try a combination of "match source address and match url" and use different VIP's and get loadbalanced to same set of real servers running same application in different serverfarms.

For one group:


class-map type http loadbalance match-all test11
  2 match source-address 1.1.1.1 255.255.255.255
  3 match http url /test1

class-map match-all testing

  2 match virtual-address 2.2.2.2 tcp eq www

For second group:

class-map type http loadbalance match-all test12

2 match source-address 3.3.3.3 255.255.255.255

3 match http url /test2

class-map match-all testing

2 match virtual-address 4.4.4.4 tcp eq www

Regards,

Kanwal

Cisco Employee

ACE4710 and url based inspection

Hi,

In fact i was thinking if you are using loadbalancing based on src IP, you don't need to define URL there.

Just get users from 1 group to one vip and 2 group to another and get them to loadbalance traffic to same rservers in different serverfarms.

Regards,

Kanwal

New Member

ACE4710 and url based inspection

Hi Kanwal, tnx for quick response.

This idea is based on security requirement

With your config if second group go to second VIP but add url for first group, (by mistake or with intesion) will they be able to get login screen for app1 for first group since same rserver hosts both urls? Idea is to de facto prevent second group user to type /application1 and get login page, they should be denied.

  I will try your config soon as possible and test also.

Tnx,

Srdjan

Cisco Employee

ACE4710 and url based inspection

Hi Srdjan,

If the users will not match the condition in class-map they will be dropped there itself and question of users going to real server doesn't arise.

You will have to define different VIP and different conditions for different set of users.

Regards,

Kanwal

New Member

ACE4710 and url based inspection

Thank you Kanwal, will try it next week.

320
Views
0
Helpful
5
Replies
CreatePlease login to create content