cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
325
Views
0
Helpful
4
Replies

CSS Scripting - URL Protection

masterappsdba
Level 1
Level 1

Can it be done and anyone have sample script to examine IPADDRESS source range 10.x.x.x or maybe gateway address, ensure return traffic goes 10.x.x.x ? Then traffic source Internet, goes back internet. Have a case where we need to give HTTPS access on Signle SignOn server (Application does URL redirect to it) with access both intranet and internet. Thus 1 SignOn service

4 Replies 4

masterappsdba
Level 1
Level 1

Forgot to mention, CS 11509 series

In short looking for session from intranet web service VIP land in the intranet. From internet web service VIP land in the internet

You will need to provide more information.

Do you have multiple servers ?

Do they all receive the traffic internet and intranet ?

Where is the CSS in the network ?

Basically, the CSS does not care about intranet and internet.

It just route the traffic to a client through a gateway.

So do you have a different gateway for intranet and internet ?

The CSS normally guarantees that the response goes back to where it came from.

Nothing to do. This is automatic.

Gilles.

One CSS in DMZ 172.x.x.x

Second CSS in intranet 10.x.x.x

2 DMZ Web Srvr LB with 172.x.x.10 VIP - HTTPS

2 Intra Web Srvr LB with 10.x.x.50 VIP - HTTP

2 DMZ SignOn Srvr LB with 172.x.x.99 VIP - HTTPS

---------------------------------------

====================

Internal SignOn Path

- Browser hits 10.x.x.50, session immediate redirects to 172.x.x.99.

- User Performs Login.

- Session returned to 10.x.x.50 with secure token.

====================

External SignOn Path

- Browser hits 172.x.x.10 , session immediate redirects to 172.x.x.99.

- User Performs Login.

- Session returned to 172.x.x.10 with secure token.

======================

Try direct URL to SignOn the SignOn service will say DENIED & stop traffic.

------------------------------------

SignOn server also has URL Firewall(all URLS denied except whitelist allow URL)

==================================

Our security experts want extra level of control beyond SignOn App Server to ensure someone can't hack into the internal. Since SSO VIP is Firewall ruled allowable in internet and intranet.

I was thinking CSS rule/script or RP on top CSS. or any other recommendations.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: