Manual Chapter : Configuring App Tunnel Access

Applies To:

Show Versions Show Versions


  • 16.0.1, 16.0.0, 15.1.0
Manual Chapter

Configuring App Tunnel Access

What are app tunnels?

app tunnel
(application tunnel) provides secure, application-level TCP/IP connections from the client to the network. App tunnels are particularly useful for users with limited privileges who attempt to access particular web applications, as app tunnels do not require that the user has administrative privileges to install.
Additionally, optimization is available for app tunnels. With compression settings for app tunnels, you can specify the available compression codecs for client-to-server connections. The server compares the available compression types configured with the available compression types on the server, and chooses the most effective mutual compression setting. You configure compression for the server in the connectivity profile.
Because app tunnels do not require administrative rights, some features of Network Access and Optimized Application tunnels are not available with app tunnels. For example, the application tunnel cannot easily resolve domain names in applications without a client-side DNS redirector, or modification of the system hosts file.
For tunnels that access backend servers by using DNS resolution, use Optimized Application Tunnels in the Network Access menus instead. Optimized Applications require administrative rights on the local system.

About ACLs to control access from app tunnels

When you create an app tunnel, Access Policy Manager (APM) automatically creates an allow ACL for the IP addresses and ports specified in the app tunnel. To disallow access to any other IP addresses and ports, you must create ACLs that deny access to them and assign the ACLs in the per-session policy. F5 recommends that you create an ACL that rejects access to all connections and put it last in the ACL order.

Configure an ACL to reject all connections

You can place an access control list (ACL) that rejects all connections last in the ACL order to keep users from accessing any host and port combinations other than those to which they have been explicitly allowed access by the other ACLs assigned to the policy.
  1. On the Main tab, click
    Access Control Lists
    The User-defined ACLs screen opens.
  2. Click
    The New ACL screen opens.
  3. In the
    field, type a name for the access control list.
  4. From the
    list, retain the default value
  5. In the
    field, add a description of the access control list.
  6. From the
    ACL Order
    list, select
    to add the ACL at the last position in the list.
  7. Click the
    The ACL Properties screen displays.
  8. In the Access Control Entries area, click
    to add an entry.
    The New Access Control Entry screen displays.
  9. From the
    list, select
  10. For the
    Source IP Address
    Source Port(s)
    Destination IP Address
    , and
    Destination Port(s)
    fields, retain the default value
  11. From the
    list, select
    The reject action drops the packet. On TCP flows, it also sends a TCP RST message. On UDP flows, it also sends proper ICMP messages. On other protocols, it drops the packet silently.
  12. Click
To use the ACL, assign it to a session using an Advanced Resource Assign or ACL Assign action in a per-session policy.
If you assign this ACL and Network Access or Portal Access resources to the same policy, you might need to also create and assign ACLs that allow access for Network Access and Portal Access resources.

Configuring an app tunnel object

When you create an app tunnel object, that object becomes a simple container that holds app tunnel resources. Once you specify those resources from within the app tunnel resource, you can then assign the resource to an access policy.
  1. On the Main tab, click
    Connectivity / VPN
    App Tunnels
    The App Tunnels screen opens.
  2. Click
    The New App Tunnel Resource screen opens.
  3. Type a name and description for your app tunnel.
  4. Although an ACL is automatically created for your application object, you can choose to determine the order of your ACL as it appears in the ACL list. Use the
    ACL Order
    list to select the placement you want.
  5. Under Default Customization Settings, type a
    for the app tunnel.
    This caption identifies the app tunnel and enables it to appear on a full webtop.
  6. Click
You have just created an app tunnel object.

Configuring an application resource item for an app tunnel

The application resource item specifies how to create a particular tunnel. The application field serves as a hint to Access Policy Manager in order to help with special handling of specific protocols. Compression settings specify which compression codecs the tunnels can use, while the
Launch Application
field allows you to define an application that will run after you establish the resource tunnel.
  1. On the Main tab, click
    Connectivity / VPN
    App Tunnels
    The list of app tunnels opens.
  2. Click the name of the app tunnel you created.
    The Properties screen opens.
  3. Under Resource Items, click
    The New Resource Item screen opens.
  4. For the
    setting, specify whether the application destination
    is a host or an IP address.
    You cannot use the fully qualified domain name to connect to an application resource that is configured with an IP address destination type.
    If you specify a hostname, make sure that it is DNS-resolvable. After the application tunnel is assigned to a full webtop in an access policy, the application tunnel does not appear on the full webtop if the hostname is not DNS-resolvable.
  5. Specify your port or port range for the application.
  6. From the
    Application Protocol
    list, select the application protocol.
    Specifies that the app tunnel resource uses neither RPC or FTP protocols.
    Microsoft RPC
    Specifies that the resource uses the Microsoft RPC protocol.
    Microsoft Exchange RPC Server
    Specifies that the resource uses the Microsoft Exchange RPC Server protocol.
    Specifies that the resource uses FTP protocol.
  7. For the
    Application Path
    setting, optionally specify a path for an application to start after the application access tunnel is established.
  8. For the
    setting, specify any parameters associated with the application that starts with the
    Application Path
    . The parameters you can add are:
    • %host%
      - This is substituted with the loopback host address, for example
    • %port%
      - The loopback port. Use this if the original local port has changed due to conflicts with other software.
  9. Click
    The resource appears in the app tunnel object.

Adding an app tunnel to a per-session policy

Add an app tunnel to a per-session policy to provide a secure connection from a client to a network and to provide access to the resources configured for the tunnel.
Add ACLs to the policy to prevent access to any other resources.
  1. On the Main tab, click
    Profiles / Policies
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click the name of the access profile for which you want to edit the access policy.
    The properties screen opens for the profile you want to edit.
  3. On the menu bar, click
    Access Policy
  4. In the General Properties area, click the
    Edit Access Policy for Profile
    The visual policy editor opens the access policy in a separate screen.
  5. Click the
    icon anywhere in the access policy to add a new item.
    Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  6. On the Assignment tab, select the
    Advanced Resource Assign
    agent, and then click
    Add Item
    The Resource Assignment screen opens.
  7. Click
    Add new entry
    entry displays.
  8. Click the
    link below the entry.
    The screen changes to display resources on multiple tabs.
  9. On the App Tunnel tab, select the app tunnel that you configured previously.
    A system-defined ACL for the app tunnel is automatically assigned to the policy. The ACL specifies the allow action for the resource items associated with the app tunnel.
  10. On the Static ACL tab, select an ACL that rejects all connections.
    Adding an ACL that is last in order and rejects all connections keeps users from accessing any host and port combinations other than those to which they have been explicitly allowed access by the other ACLs assigned to the policy.
  11. On the Webtop tab, select a full webtop.
  12. Select any other resources that you want to assign to the policy.
    If you assign a Network Access resource to the policy, be sure to also assign an ACL that allows access to the resources that you want users to have. Otherwise, the ACL that rejects all connections blocks access.
    If you assign a Portal Access resource to the policy, be sure to also assign an ACL that allows access to all parts of the web sites specified in the start URI or hosted content fields of the Portal Access configuration. Otherwise, the ACL that rejects all connections blocks access.
  13. Click
  14. Click the
    button to save changes to the access policy item.
An app tunnel and ACLs are now assigned to the policy.
To complete the process, you must apply the access policy, and associate the access policy and connectivity profile with a virtual server so users can launch an app tunnel session.
To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.

Attaching an access policy to the virtual server for app tunnels

When creating a virtual server for an access policy, specify an IP address for a single host as the destination address.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. For the
    Destination Address/Mask
    setting, confirm that the
    button is selected, and type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is
    , and an IPv6 address/prefix is
    . When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a
    The IP address you type must be available and not in the loopback network.
  4. From the
    HTTP Profile (Client)
    list, select a previously-created HTTP/2 profile for client-side traffic.
  5. In the Access Policy area, from the
    Access Profile
    list, select the access profile that you configured earlier.
  6. If you are using a connectivity profile, from the
    Connectivity Profile
    list, select the connectivity profile.
  7. If you are creating a virtual server to use with portal access resources in addition to app tunnels, from the
    Rewrite Profile
    list, select the default
    profile, or another rewrite profile you created.
  8. If you want to provide connections to allow Java rewriting for portal access or support a per-app VPN connection that is configured on a mobile device, select the
    Application Tunnels (Java & Per-App VPN)
    check box.
    You must enable this setting to make socket connections from a patched Java applet. If your applet does not require socket connections, or only uses HTTP to request resources, this setting is not required.
  9. If you want to provide native integration with an OAM server for authentication and authorization, select the
    OAM Support
    check box.
    You must have an OAM server configured in order to enable OAM support.
  10. Click
Your access policy is now associated with the virtual server.

Verify log settings for the access profile

Confirm that the correct log settings are selected for the access profile to ensure that events are logged as you intend.
Log settings are configured in the
Event Log
area of the product. They enable and disable logging for access system and URL request filtering events. Log settings also specify log publishers that send log messages to specified destinations.
  1. On the Main tab, click
    Profiles / Policies
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click the name of the access profile that you want to edit.
    The properties screen opens.
  3. On the menu bar, click
    The access profile log settings display.
  4. Move log settings between the
    You can assign up to three log settings that enable access system logging to an access profile. You can assign additional log settings to an access profile provided that they enable logging for URl request logging only.
    Logging is disabled when the
    list is empty.
  5. Click
An access profile is in effect when it is assigned to a virtual server.