Lab 3: Utilize HTTP Connector (16.0)

HTTP Connector is a feature released in BIG-IP APM 15.1 that allows HTTP requests to be initiated from a Per-Request Policy. This can be used to send a request to an API to retrieve additional information for an access control decision, or to send information that updates an external resource.

Section 3.1 - Create the HTTP Connector Request

The HTTP Connector is made up of two parts. The first part is called the HTTP Connector Transport, and it defines settings related to SSL, DNS, timeouts, and payload sizes. The second part is the HTTP Connector Request, which contains specific details such as the HTTP method, URL, message body, and how to handle the HTTP response.

Task 1 - Create a DNS Resolver

  1. From the jumphost, return to Firefox, then navigate to the BIG-IP GUI at https://bigip1.f5lab.local

  2. Login with the following credentials:

    • User: admin
    • Password: admin

  3. Navigate to Network >> DNS Resolvers >> DNS Resolver List. Click the + (Plus) symbol

    image1

  4. Enter Name internal_resolver and click Finished

    image2

  5. Click internal_resolver

    image3

  6. Click the Forward Zones tab

    image4

  7. Click Add

    image5

  8. Enter . (a single dot) in the Name field

  9. Add a Nameserver by entering the Address 10.1.20.7 and clicking Add

  10. Click Finished

    image6

Task 2 - Create a Server-Side SSL Profile

  1. Navigate to Local Traffic >> Profiles >> SSL >> Server. Click the + (Plus) symbol

    image7

  2. Enter Name adapi.f5lab.local

  3. Check the Custom box to the right of the Certificate and Key fields to make them editable.

  4. Select apiadmin.crt from the Certificate dropdown

  5. Select apiadmin.key from the Key dropdown

  6. Click Finished at the bottom of the page

    image8

Task 3 - Create an HTTP Connector Transport

  1. Navigate to Access >> Authentication >> HTTP Connector >> HTTP Connector Transport. Click the + (Plus) symbol

    image9

  2. Enter the Name demo-http-connector

  3. Select internal_resolver from the DNS Resolver dropdown

  4. Select adapi.f5lab.local from the Server SSL Profile dropdown

  5. Click Save

    image10

Task 4 - Create an HTTP Connector Request

  1. Navigate to Access >> Authentication >> HTTP Connector >> HTTP Connector Request. Click the + (Plus) symbol

    image11

  2. Enter the Name get-aduser-attributes

  3. Select demo-http-connector from the HTTP Connector Transport dropdown

  4. Enter the URL https://adapi.f5lab.local:8443/user?username=%{perflow.username} (the %{perflow.username} variable is replaced with the authenticated user's name when the request is sent)

  5. Enter GET for the Method

  6. Select Parse for the Response Action

  7. Click Save

    image12

Section 3.2 - Add HTTP Connector to the IAP Policy

Now that the HTTP Connector Request has been defined, you will add it to the basic.acme.com application and test it.

Task 1 - Add the HTTP Connector Request

  1. From the web browser, click on the Guided Configuration

    image13

  2. Click IAP_DEMO

    image14

  3. Click on Contextual Access

    image15

  4. Click on basic.acme.com

    image16

  5. Click Add under Additional Checks

    image17

  6. Enter the Name get-user-status

  7. Check HTTP Connector Request

  8. Select get-aduser-attributes from the HTTP Connector Request dropdown

  9. Under Value (Success Expression) enter expr {[mcget {subsession.http_connector.body.userAccountControl}] == 66048 }

  10. Select Step Up from the Match Action dropdown

  11. Select Custom Radius based Authentication (MFA) from the Step Up Authentication field

    image18

  12. Change the Match Action field for the Default Fallback rule to Reject

    image19

  13. Click Assign User Groups

  14. Enter Product Management in the Primary Authentication filter Group Name

  15. Click Add beside Product Management

  16. Click Any under Selected User Groups

  17. Click Save

    image20

  18. Click Deploy. Deployment will take a few moments

    image21
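To make the Parse response action and the success expression from step 9 concrete, the following Python illustration is added here; it is not part of the lab or of the BIG-IP product. It mimics how each top-level JSON key of the API response becomes a subsession.http_connector.body.* variable and evaluates the lab's check against the two userAccountControl values that appear in Section 3.3 (66048 before, 66050 after the account is disabled). The sample response bodies are constructed, and the stricter bitmask check is an added suggestion, not something the lab configures.

```python
import json

# Subset of the Active Directory userAccountControl bit flags (documented by Microsoft).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}

def parse_to_subsession(body, prefix="subsession.http_connector.body"):
    """Mimic the Parse response action: every top-level JSON key becomes one
    subsession variable named <prefix>.<key>; values are kept as strings, as
    the session variable view shows them."""
    data = json.loads(body)
    return {"%s.%s" % (prefix, key): str(value) for key, value in data.items()}

def decode_uac(value):
    """Return the names of the userAccountControl flags set in value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def lab_success_expression(session_vars):
    """Python equivalent of the lab's Tcl success expression:
    expr {[mcget {subsession.http_connector.body.userAccountControl}] == 66048}"""
    return int(session_vars["subsession.http_connector.body.userAccountControl"]) == 66048

def account_enabled(session_vars):
    """Stricter alternative (assumption, not from the lab): test only the ACCOUNTDISABLE
    bit, so unrelated flags such as DONT_EXPIRE_PASSWORD cannot change the decision."""
    uac = int(session_vars["subsession.http_connector.body.userAccountControl"])
    return (uac & 0x0002) == 0

# Constructed sample responses for the lab's hypothetical adapi.f5lab.local /user endpoint.
ENABLED_RESPONSE = '{"sAMAccountName": "user2", "displayName": "User Two", "userAccountControl": 66048}'
DISABLED_RESPONSE = '{"sAMAccountName": "user2", "displayName": "User Two", "userAccountControl": 66050}'

if __name__ == "__main__":
    for label, body in (("before DisableUser2.ps1", ENABLED_RESPONSE), ("after DisableUser2.ps1", DISABLED_RESPONSE)):
        session_vars = parse_to_subsession(body)
        uac = int(session_vars["subsession.http_connector.body.userAccountControl"])
        outcome = "match -> Step Up (MFA)" if lab_success_expression(session_vars) else "no match -> Default Fallback (Reject)"
        print(label, uac, decode_uac(uac), outcome)
```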

Section 3.3 - Testing

In this section you will test how HTTP Connector can change the policy outcome dynamically as conditions in the network change.

Warning

You must use Firefox for testing!

Task 1 - Access basic.acme.com

  1. From the Jumphost’s Firefox browser access the site https://iap1.acme.com

  2. Login with the Username: user2 and Password: user2

    image24

  3. Click the basic.acme.com tile

    image25

  4. Enter the PIN 123456 for RADIUS authentication

    image26

  5. You will be presented with the website

    image27

  6. From a separate browser tab access the BIG-IP management interface https://bigip1.f5lab.local

  7. Navigate to Access >> Overview >> Active Sessions

    image28

  8. You will see an active session for user2.

  9. Expand the session to see all the sub-sessions by clicking the + (Plus symbol) to the left of the session ID.

    Note

    Your session ID will not match the one displayed in the screenshot below.

    image29

  10. Click View to the right of the HTTP Connector request get-user-status to see the sub-session variables.

    image30

  11. You will notice that HTTP Connector received multiple values back in the response and that each JSON key was parsed into an individual subsession variable.

  12. userAccountControl is currently set to 66048, which means the account is enabled and the password never expires.

    image31

  13. Click Cancel

  14. Expand the session to see all the sub-sessions by clicking the + (Plus Symbol) to the left of the session ID.

    Note

    Your session ID will not match the one displayed in the screenshot below.

    image32

  15. If the HTTP Connector sub-session still exists, select only that specific sub-session and click Kill Selected Sessions

    Note

    You are doing this to speed up the process and bypass the typical timers associated with HTTP Connector. This will enable you to see HTTP Connector trigger immediately on the next HTTP request sent from the jumphost.

    image33

  16. Locate the DisableUser2.ps1 PowerShell script on the desktop.

  17. Right-click the script and select Run with PowerShell. A PowerShell window will appear displaying that the User2 account is disabled.

    image35

  18. Return to the webtop and click the basic.acme.com tile.

    image36

  19. Click on one of the links for the website. You will receive a Deny Page.

    image37

  20. If you return to the sub-session variables screen in BIG-IP you will see that userAccountControl is now 66050 (the ACCOUNTDISABLE bit, 0x2, has been set), so the success expression no longer matches and the Default Fallback rule rejects the request.

    image38

  21. This concludes lab 3.

    image100