Lab 3: Utilize HTTP Connector (15.1)

HTTP Connector is a new feature released in BIG-IP APM 15.1 that allows HTTP requests to be initiated from a Per-Request Policy. This could be used to send a request to an API to retrieve additional information to make an access control decision, or send information to update an external resource.

Section 3.1 - Create the HTTP Connector Request

The HTTP Connector is made up of two parts. The first part is called the HTTP Connector Transport and it defines settings related to SSL, DNS, timeouts, and payload sizes. The second part is the HTTP Connector Request which contains specific details such as HTTP Method, URL, message body, and how to handle the HTTP responses.

Task 1 - Create a DNS Resolver

  1. Return to the BIG-IP GUI

  2. Navigate to Network >> DNS Resolvers >> DNS Resolver List. Click the + (Plus) symbol

    image0

  3. Enter Name internal_resolver and click Finished

    image1

  4. Click internal_resolver

    image2

  5. Click the Forward Zones tab

    image3

  6. Click Add

    image4

  7. Enter . (a Single dot) in the Name field

  8. Add a Nameserver by entering Address 10.1.20.7 and click Add

  9. Click Finished

    image5

Task 2 - Create a ServerSide SSL Profile

  1. Navigate to Local Traffic >> Profiles >> SSL >> Server. Click the + (Plus) symbol

    image6

  2. Enter Name adapi.f5lab.local

  3. Check the Custom box to the right of the Certificate and Key fields to make them editable.

  4. Select apiadmin.crt from the Certificate dropdown

  5. Select apiadmin.key from the Key dropdown

  6. Click Finished at the Bottom of the page

    image7

Task 3 - Create an HTTP Connector Transport

  1. Navigate to Access >> Authentication >> HTTP Connector >> HTTP Connector Transport. Click the + (Plus) symbol

    image8

  2. Enter the name demo-http-connector

  3. Select internal_resolver from the DNS Resolver dropdown

  4. Select adapi.f5lab.local from the Server SSL Profile dropdown

  5. Click Save

    image9

Task 4 - Create an HTTP Connector Request

  1. Navigate to Access >> Authentication >> HTTP Connector >> HTTP Connector Request. Click the + (Plus) symbol

    image10

  2. Enter name get-aduser-attributes

  3. Select demo-http-connector from the dropdown

  4. Enter URL https://adapi.f5lab.local:8443/user?username=%{perflow.username}

  5. Enter GET for the Method

  6. Select Parse for the Response Action

  7. Click Save

    image11

Section 3.2 - Add HTTP Connector to the IAP Policy

Now that the HTTP Connector Request has been defined, you will add it to the basic.acme.com application and test it.

Task 1 - Add the HTTP Connector Request

  1. From the web browser, click on the Access tab located on the left side.

    image12

  2. Click Guided Configuration

  3. Click IAP_DEMO

    image14

  4. Click on Contextual Access

    image15

  5. Click on basic.acme.com

    image16

  6. Click Add under Trigger Rules

    image17

  7. Enter Name get-user-status

  8. Check HTTP Connector Request

  9. Select get-aduser-attributes from the HTTP Connector Request dropdown

  10. Under Value (Success Expression) enter expr {[mcget {subsession.http_connector.body.userAccountControl}] == 66048 }

  11. Select Step Up from the Match Action dropdown

  12. Select Custom Radius based Authentication (MFA) from the Step Up Authentication field

  13. Click Save

    image18

  14. Change the Match Action field for the Default Fallback rule to Reject

  15. Click Save

    image19

  16. Click Deploy. Deployment will take a few moments.

    image20
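To make the trigger rule above concrete, the following Python simulation walks through what the policy does with the HTTP Connector response: the Parse response action turns each top-level JSON key into a subsession.http_connector.body.<key> variable, the Success Expression compares userAccountControl with 66048, and the Match Action is Step Up on a match or the Default Fallback (Reject) otherwise. This is an added example, not BIG-IP APM code; the response bodies are constructed (only the userAccountControl value comes from the lab), and the `mcget` stand-in mimics the Tcl lookup the real expression uses.

```python
"""Simulation of the HTTP Connector 'Parse' response action and the
get-user-status trigger rule. Added example, not APM code: it mirrors
the documented behaviour in plain Python so the decision can be traced."""
import json

# Constructed sample bodies; the API at adapi.f5lab.local:8443 is not
# contacted here. Only the userAccountControl values are from the lab.
RESPONSE_ENABLED = '{"sAMAccountName": "user2", "userAccountControl": 66048}'
RESPONSE_DISABLED = '{"sAMAccountName": "user2", "userAccountControl": 66050}'

VAR_PREFIX = "subsession.http_connector.body."


def parse_response(body: str) -> dict:
    """'Parse' response action: each top-level JSON key becomes one
    subsession variable. APM session variables are strings, so every
    value is stored as its string form."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object in the response body")
    return {VAR_PREFIX + key: str(value) for key, value in data.items()}


def mcget(subsession: dict, name: str) -> str:
    """Stand-in for the Tcl [mcget {...}] lookup; an unset variable
    reads as an empty string."""
    return subsession.get(name, "")


def success_expression(subsession: dict) -> bool:
    """Python form of the lab's Tcl rule:
       expr {[mcget {subsession.http_connector.body.userAccountControl}] == 66048}
    Tcl compares two numeric-looking strings numerically, so compare as
    integers; an empty or non-numeric value simply fails the comparison."""
    raw = mcget(subsession, VAR_PREFIX + "userAccountControl")
    try:
        return int(raw) == 66048
    except ValueError:
        return False


def evaluate_trigger_rules(body: str) -> str:
    """Walk the basic.acme.com trigger rules in order: get-user-status
    (Match Action: Step Up), then the Default Fallback rule (Reject)."""
    subsession = parse_response(body)
    if success_expression(subsession):
        return "Step Up"   # Custom RADIUS based Authentication (MFA)
    return "Reject"        # Default Fallback rule


if __name__ == "__main__":
    for label, body in (("enabled", RESPONSE_ENABLED), ("disabled", RESPONSE_DISABLED)):
        print(f"{label}: {evaluate_trigger_rules(body)}")
```

Note that the fallback is what produces the Deny page: any response that does not match the Success Expression exactly, including an error body with no userAccountControl key at all, falls through to Reject, so the rule fails closed.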

Section 3.3 - Testing

In this section you will test how the HTTP Connector lets the policy respond dynamically as conditions in the network change.

Task 1 - Access basic.acme.com

  1. From the jump box open Chrome and open Developer Tools

    image21

  2. Ensure Disable Cache is checked

    image22

  3. Access the site https://basic.acme.com

  4. Login with the Username: user2 and Password: user2

    image23

  5. Enter the PIN 123456 for RADIUS authentication

    image24

  6. You will be presented with the website

    image25

  7. From a separate browser tab access the BIG-IP management interface https://bigip1.f5lab.local

  8. Navigate to Access >> Overview >> Active Sessions

    image26

  9. You will see an active session for user2.

  10. Expand the session to see all the sub-sessions by clicking the + (Plus symbol) to the left of the session ID.

    Note

    Your session ID will not match the one displayed in the screenshot below.

    image27

  11. Click View to the right of the HTTP Connector request get-user-status to see the sub-session variables.

    image28

  12. You will notice that the HTTP Connector received multiple values in the response and that each JSON key was parsed into an individual subsession variable.

  13. userAccountControl is currently set to 66048, which means the account is enabled and the password never expires.

    image29

  14. Click Cancel

  15. Expand the session to see all the sub-sessions by clicking the + (Plus Symbol) to the left of the session ID.

    Note

    Your session ID will not match the one displayed in the screenshot below.

    image27

  16. If the HTTP Connector sub-session still exists, check that specific sub-session only and click Kill Selected Sessions

    Note

    You are doing this to speed up the process and bypass the timers normally associated with the HTTP Connector. This lets you see the HTTP Connector trigger immediately on the next HTTP request sent from the jumphost.

    image30

  17. Locate the DisableUser2.ps1 PowerShell script on the desktop.

  18. Right-click the script and select Run with PowerShell. A PowerShell window will appear stating that the User2 account is disabled.

    image32

  19. Return to your existing https://basic.acme.com session.

  20. Click one of the links on the website. You will receive a Deny page.

    image33

  21. If you return to the sub-session variables screen in the BIG-IP, you will see that userAccountControl is now 66050.

    image34

  22. This concludes lab 3.

    image100
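The two values seen in this section, 66048 before and 66050 after the script runs, are Active Directory userAccountControl bitmasks. The following decoder is an added example (not part of the lab or of BIG-IP APM) that breaks the values into their documented AD flag bits and compares the lab's equality rule with a bit-test rule; the `bit_test_rule` function and the Tcl expression in its comment are illustrations written for this example, not a setting from the lab.

```python
"""Decoder for the Active Directory userAccountControl bitmask, added to
explain the 66048 and 66050 values observed in Section 3.3. Example code,
not from the lab. The flag constants are a subset of the documented AD
userAccountControl bits."""

UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}
ACCOUNTDISABLE = 0x0002


def decode_uac(value: int) -> list:
    """Return the names of the known flags set in a userAccountControl
    value, lowest bit first. Unknown bits are ignored."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def is_disabled(value: int) -> bool:
    """True when the ACCOUNTDISABLE bit (0x2) is set; this is the single
    bit that DisableUser2.ps1 flips, taking 66048 to 66050."""
    return bool(value & ACCOUNTDISABLE)


def lab_rule(value: int) -> str:
    """The lab's Success Expression: exact equality with 66048. Any other
    flag combination, disabled or not, falls to the Reject fallback."""
    return "Step Up" if value == 66048 else "Reject"


def bit_test_rule(value: int) -> str:
    """Illustrative alternative (assumption, not from the lab): reject only
    when ACCOUNTDISABLE is set. An equivalent Tcl expression would be
      expr {([mcget {subsession.http_connector.body.userAccountControl}] & 2) == 0}
    This is more permissive than the lab's rule: an enabled account whose
    password is allowed to expire (512) would step up instead of being
    rejected."""
    return "Reject" if is_disabled(value) else "Step Up"


if __name__ == "__main__":
    for value in (66048, 66050, 512):
        print(f"{value:>6} = {hex(value):>8}: {', '.join(decode_uac(value))}"
              f" | lab rule: {lab_rule(value)} | bit test: {bit_test_rule(value)}")
```

The equality rule is the stricter of the two: it only admits accounts whose flags exactly match "enabled, password never expires", so a change to any other bit also triggers the Reject fallback. Whether that strictness is wanted depends on which account states the policy is meant to catch.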