Manual Chapter : Configuring Network Access Resources

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Manual Chapter

Configuring Network Access Resources

Creating a network access resource

You configure a network access resource to allow users access to your local network through a secure VPN tunnel.
  1. On the Main tab, click
    Access Policy
    Network Access
    .
    The Network Access List screen opens.
  2. Click the
    Create
    button.
    The New Resource screen opens.
  3. In the
    Name
    field, type a name for the resource.
  4. Type an optional description for the network access resource.
  5. For the
    Auto launch
    setting, only select the
    Enable
    check box if you want to automatically start this network access resource when the user reaches a full webtop.
    When assigning network access resources to a full webtop, only one network access resource can have auto launch enabled.
  6. Click
    Finished
    to save the network access resource.
The General Properties screen for the network access resource opens.

Configuring properties for a network access resource

You must create a Network Access resource, or open an existing resource, before you can perform this task.
You can configure the description of a network access resource with network access properties.
  1. On the Main tab, click
    Access Policy
    Network Access
    .
    The Network Access Resource List screen opens.
  2. Click the name to select a network access resource on the Resource List.
    The Network Access editing screen opens.
  3. To configure the general properties for the network resource, click
    Properties
    on the menu bar.
  4. Click the
    Update
    button.
    Your changes are saved and the page refreshes.

Network access resource properties

Use these general properties to update settings for the network access resource.
Property setting
Value
Description
Name
A text string. Avoid using global reserved words in the name, such as all, delete, disable, enable, help, list, none, or show.
Name for the network access resource.
Partition
Typically,
Common
.
Partition under which the network access resource is created. You cannot change this value.
Description
Text.
Text description of the network access resource.
Auto launch
Enable
or
Disable
.
The network access resource starts automatically when the user reaches the full webtop, if this option is enabled.
When assigning network access resources to a full webtop, only one network access resource can have auto launch enabled.

Configuring network settings for a network access resource

You must create a Network Access resource, or open an existing resource, before you can perform this task.
You can use network settings to specify a lease pool for network access clients, and also to configure traffic options, client behavior, DTLS settings, and set up proxy behavior.
  1. On the Main tab, click
    Access
    Connectivity / VPN
    Network Access (VPN)
    Network Access Lists
    .
    The Network Access Lists screen opens.
  2. Click the name to select a network access resource on the Resource List.
    The Network Access editing screen opens.
  3. To configure the network settings for the network access resource, click
    Network Settings
    on the menu bar.
  4. Click the
    Update
    button.
    Your changes are saved and the page refreshes.

Proxy ARP considerations

To configure proxy ARP, you must be aware of the following conditions.
  • Proxy ARP is not compatible with SNAT pools. You must disable SNAT Automap or a specific SNAT pool to use proxy ARP.
  • If you enable split tunneling, you must configure an entry for the server LAN segment in the
    LAN Address Space
    setting. You must also configure the LAN address spaces for any clients that will send traffic to each other.
  • In a high availability configuration, both BIG-IP systems must have interfaces on the same server LAN segment.
  • IP addresses that you reserve for tunnel clients cannot be used for self IPs, NATs, SNATs, or wildcard (port-0) virtual servers.

About GARP packets from APM

When Proxy ARP is enabled for a Network Access resource, Access Policy Manager (APM) generates gratuitous ARP (GARP) when a new VPN tunnel connection is established and at the time of tunnel reconnect. During either of these events, APM sends five gratuitous ARPs (GARPs) at one-second intervals. If multiple clients are connecting or reconnecting, the number of GARP packets increases.
For information about controlling the amount of GARP that APM sends, refer to
SOL11985: Overview of the arp.gratuitousrate and arp.gratuitousburst database variables
on the AskF5 web site at
http://support.f5.com/
.

Network settings for a network access resource

Network settings specify tunnel settings, session settings, and client settings.
Setting
Value
Description
Network Tunnel
Enable
When you enable a network tunnel, you configure the network access tunnel to provide network access. Clear the
Enable
option to hide all network settings and to disable the tunnel.
Supported IP Version
IPV4
or
IPV4&IPV6
Sets the Network Access tunnel to support either an IPv4 lease pool or both IPv4 and IPv6 lease pools.
Network access with IPv6 alone is not supported. An IPv6 tunnel requires a simultaneous IPv4 tunnel, which is automatically established when you assign IPv4 and IPv6 lease pools, and set the version to
IPv4&IPv6
.
General Settings
Basic/Advanced
Select
Advanced
to show settings for Proxy ARP, SNAT Pool, and Session Update.
IPv4 Lease Pool
List selection of existing IPv4 lease pools
Assigns internal IP addresses to remote network access clients, using configured lease pools. Select a lease pool from the drop-down list. To create a lease pool within this screen, click the
+
sign next to
Lease Pool
.
IPv6 Lease Pool
List selection of existing IPv6 lease pools
Assigns internal IP addresses to remote network access clients, using configured lease pools. Select a lease pool from the drop-down list. To create a lease pool within this screen, click the
+
sign next to
Lease Pool
.
Compression
No Compression
/
GZIP Compression
Select GZIP Compression to compress all traffic between the Network Access client and the Access Policy Manager, using the GZIP deflate method.
Proxy ARP
Enable
Proxy ARP allows remote clients to use IP addresses from the LAN IP subnet, and no configuration changes are required on other devices such as routers, hosts, or firewalls. IP address ranges on the LAN subnet are configured in a lease pool and assigned to network access tunnel clients. When this setting is enabled, a host on the LAN that sends an ARP query for a client address gets a response from Access Policy Manager with its own MAC address. Traffic is sent to the Access Policy Manager and forwarded to clients over network access tunnels.
SNAT Pool
List selection of
None
,
Auto Map
, or SNAT pool name
Specifies the name of a SNAT pool used for implementing selective and intelligent SNATs. The default is
Auto Map
. If you have defined a SNAT on the system, that SNAT is available as an option on this list. The following two options are always available.
  • None
    : specifies that the system uses no SNAT pool for this network resource.
  • Auto Map
    : specifies that the system uses all of the self IP addresses as the translation addresses for the pool.
To support CIFS/SMB and VoIP protocols, select
None
and configure routable IP addresses in the lease pool
Preserve Source Port Strict
Enable
Specifies that the system preserves the value configured for the source port. This setting applies on the last leg of the network access tunnel connection between an internal ACL virtual server and the backend. This setting applies to all traffic passing through the network access tunnel. This setting is disabled by default.
  • Enabled
    : select the check box to specify that the system preserves the value configured for the source port. To use this setting, you must select None for the SNAT Pool setting.
  • Disabled
    : when the
    Enabled
    is cleared, specifies that the system does not preserve the value configured for the source port.
Session Update Threshold
Integer (bytes per second)
Defines the average byte rate that either ingress or egress tunnel traffic must exceed, for the tunnel to update a session. If the average byte rate falls below the specified threshold, the system applies the inactivity timeout, which is defined in the Access Profile, to the session.
Session Update Window
Integer (seconds)
Defines the time value in seconds that the system uses to calculate the EMA (Exponential Moving Average) byte rate of ingress and egress tunnel traffic.
Client Settings
Basic/Advanced
Select
Advanced
to configure client proxy, DTLS, domain reconnect settings, and client certificate options.
Force all traffic through tunnel
Enable/disable
Specifies that all traffic (including traffic to or from the local subnet) is forced over the VPN tunnel.
Use split tunneling for traffic
Enable/disable
Specifies that only the traffic targeted to a specified address space is sent over the network access tunnel. With split tunneling, all other traffic bypasses the tunnel. By default, split tunneling is not enabled. When split tunneling is enabled, all traffic passing over the network access connection uses this setting.
If you add a large number of addresses for split tunneling, Edge Client cannot establish a tunnel connection. The limits for these addresses are:
  • On Windows max limit is 20 KB (each Network Access property).
  • macOS max limit is 64 KB (all Network Access properties).
  • Linux max limit is 64 KB (all Network Access properties).
  • Mobile clients (Android, iOS, Chrome) do not have a limit, but may vary based on what the platforms support.
IPV4 LAN Address Space
IPv4 IP address, IP address and network mask
Provides a list of addresses or address/mask pairs describing the target LAN. When using split tunneling, only the traffic to these addresses and network segments goes through the tunnel configured for Network Access. You can add multiple address spaces to the list, one at a time. For each address space, type the IP address and the network mask and click
Add
.
IPV6 LAN Address Space
IPv6 IP address, IP address and network mask
Provides a list of IPv6 addresses or address/mask pairs describing the target LAN. When using split tunneling, only the traffic to these addresses and network segments goes through the tunnel configured for Network Access. You can add multiple address spaces to the list, one at a time. For each address space, type the IP address and the network mask and click
Add
. This list only appears when you select
IPV4&IPV6
in the
Supported IP Version
setting.
DNS Address Space
domain names, with or without wildcards
Provides a list of domain names describing the target LAN DNS addresses. This field only appears if you use split tunneling. You can add multiple address spaces to the list, one at a time. For each address space, type the domain name, in the form
site.siterequest.com
or
*.siterequest.com
, and click
Add
.
Exclude Address Space
IP address/network mask pairs
Specifies address spaces whose traffic is not forced through the tunnel. For each address space that you want to exclude, type the IP address and the network mask and click
Add
.
Allow Local Subnet
Enable/disable
Select this option to enable local subnet access and local access to any host or subnet in routes that you have specified in the client routing table. When you enable this setting, the system does not support integrated IP filtering.
Client Side Security >
Prohibit routing table changes during Network Access connection
Enable/disable
This option closes the network access session if the client's IP routing table is modified during the session. The client, however, does permit routing table changes that do not affect the traffic routing decision.
Client Side Security >
Integrated IP filtering engine
Enable/disable
Select this option to protect the resource from outside traffic (traffic generated by network devices on the client's LAN), and to ensure that the resource is not leaking traffic to the client's LAN.
Client Side Security >
Allow access to local DHCP server
Enable/disable
This option appears when the
Integrated IP filtering engine
option is enabled. This option allows the client access to connect through the IP filtering engine, to use a DHCP server local to the client to renew the client DHCP lease locally. This option is not required or available when IP filtering is not enabled because clients can renew their leases locally.
This option does not renew the DHCP lease for the IP address assigned from the network access lease pool; this applies only to the local client IP address.
Client Traffic Classifier
List selection
Specifies a client traffic classifier to use with this network access tunnel, for Windows clients.
Client Options >
Client for Microsoft Networks
Enable/disable
Select this option to allow the client PC to access remote resources over a VPN connection. This option is enabled by default. This allows the VPN to work as a traditional VPN, so a user can access files and printers from the remote Microsoft network.
Client Options >
File and printer sharing for Microsoft networks
Enable/disable
Select this option to allow remote hosts to access shared resources on the client computer over the network access connection. This allows the VPN to work in reverse, and a VPN user to share file shares and printers with remote LAN users and other VPN users.
Provide client certificate on Network Access connection when requested
Enable/disable
If client certificates are required to establish an SSL connection, this option must always be enabled. However, you can disable this option if the client certificates are only requested in an SSL connection. In this case, the client is configured not to send client certificates.
Reconnect to Domain >
Synchronize with Active Directory policies on connection establishment
Enable/disable
When enabled, this option emulates the Windows logon process for a client on an Active Directory domain. Network policies are synchronized when the connection is established, or at logoff. The following items are synchronized:
  • Logon scripts are started as specified in the user profile.
  • Drives are mapped as specified in the user profile.
  • Group policies are synchronized as specified in the user profile. Group Policy logon scripts are started when the connection is established, and Group Policy logoff scripts are run when the network access connection is stopped.
Reconnect to Domain >
Run logoff scripts on connection termination
Enable/disable
This option appears when
Synchronize with Active Directory policies on connection establishment
is enabled. Enable this option if you want the system to run logoff scripts, as configured on the Active Directory domain, when the connection is stopped.
Client Interface Speed
Integer, bits per second
Specifies the maximum speed of the client interface connection, in bits per second.
Display connection tray icon
Enable/disable
When enabled, balloon notifications for the network access tray icon (for example, when a connection is made) are displayed. Disable this option to prevent balloon notifications.
Client Power Management
Ignore
,
Prevent
, or
Terminate
Specifies how network access handles client power management settings, for example, when the user puts the system in standby or closes the lid on a laptop.
  • Ignore
    - ignores client settings for power management.
  • Prevent
    - prevents power management events from occurring when the client is enabled.
  • Terminate
    - terminates the client when a power management event occurs.
DTLS
Enable/disable
When enabled, specifies that the network access connection uses Datagram Transport Level Security (DTLS). DTLS uses UDP instead of TCP, to provides better throughput for high-demand applications like VoIP or streaming video, especially with lossy connections.
DTLS Port
Port number
Specifies the port number that the network access resource uses for secure UDP traffic with DTLS. The default is
4433
.
Client Proxy Settings
Enable/disable
Enables several additional settings that specify client proxy connections for this network resource. Client proxy settings apply to the proxy behind the Access Policy Manager and do not affect the VPN tunnel transport, or interact with the TLS or DTLS configuration. Use client proxy settings when intranet web servers are not directly accessible from the Access Policy Manager internal subnet. Client proxy settings apply only to HTTP, HTTPS, and FTP connections. SOCKS connections can also be proxied, with a custom PAC file.
Use Local Proxy Settings
Enable/disable
Select this option to continue to use the proxy settings, as configured on the client, after establishing a network access connection.
Client Proxy Uses HTTP for Proxy Autoconfig Script
Enable/disable
Some applications, like Citrix MetaFrame, can not use the client proxy autoconfig script when the browser attempts to use the
file://
prefix to locate it. Select this option to specify that the browser uses
http://
to locate the proxy autoconfig file, instead of
file://
.
Client Proxy Autoconfig Script
URL
The URL for a proxy auto-configuration script, if one is used with this connection.
Client Proxy Address
IP address
The IP address for the client proxy server that network access clients use to connect to the Internet.
Client Proxy Port
Port number
The port number of the proxy server that network access clients use to connect to the Internet.
Bypass Proxy For Local Addresses
Enable/disable
Select this option if you want to allow local intranet addresses to bypass the proxy server.
Client Proxy Exclusion List
IP addresses, domain names, with wildcards
Specifies the web addresses that do not need to be accessed through your proxy server. You can use wildcards to match domain and host names, or addresses. For example,
www.*.com
,
128.*
,
240.8
,
8.
,
mygroup.*
,
*.*
.

Configuring DNS and hosts for a network access resource

You must create a Network Access resource, or open an existing resource, before you can perform this task.
You can configure DNS and hosts to configure how a user's tunnel connection resolves addresses.
  1. On the Main tab, click
    Access
    Connectivity / VPN
    Network Access (VPN)
    Network Access Lists
    .
    The Network Access Lists screen opens.
  2. Click the name to select a network access resource on the Resource List.
    The Network Access editing screen opens.
  3. To configure DNS and hosts settings for the network access resource, click
    DNS/Hosts
    on the menu bar.
  4. Configure DNS and Hosts settings as required.
  5. Click the
    Update
    button.
    Your changes are saved and the page refreshes.

Network access resource DNS and hosts settings

DNS and hosts settings specify lookup information for remote tunnel clients. This table describes and lists these settings and values.
Setting
Value
Description
Primary Name Server
IP address
Type the IP address of the DNS server that network access conveys to the remote access point.
Secondary Name Server
IP address
Type a second IP address for the DNS server that network access conveys to the remote access point.
Primary WINS Server
IP address
Type the IP address of the WINS server in order to communicate to the remote access point. This address is needed for Microsoft Networking to function properly.
Secondary WINS Server
IP address
Type the IP address of the WINS server to be conveyed to the remote access point. This address is needed for Microsoft Networking to function properly.
DNS Default Domain Suffix
domain suffix
Type a DNS suffix to send to the client. If this field is left blank, the controller will send its own DNS suffix. For example,
siterequest.com
.
You can specify multiple default domain suffixes separated with commas.
Register this connection's addresses in DNS
check box
If your DNS server has dynamic update enabled, select this check box to register the address of this connection in the DNS server. This check box is cleared by default.
Use this connection's DNS suffix in DNS registration
check box
If your DNS server has dynamic update enabled, select this check box to register the default domain suffix when you register the connection in the DNS server. This check box is cleared by default.
Enforce DNS search order
check box
When this setting is enabled, Access Policy Manager (APM) continuously checks the DNS order on the network interface and sets the network access-supplied entries first in the list if they change during a session. To use your local DNS settings as primary and the network access-supplied DNS settings as secondary, clear this setting. This might be useful when split tunneling is in use and a client connects remotely. This check box is selected by default.
Static Hosts
host name/IP address pairs
To add host and IP addresses manually to a connection-specific hosts file, type the
Host Name
and the
IP Address
for that host, and click
Add
. APM supports static hosts for Windows, Mac, and Linux clients for network access. Rights requirements: Windows (with DNS Relay Proxy installed): admin rights not required. Windows (without DNS Relay proxy): admin rights required. Mac: admin rights required. Linux: admin/root privilege required.

Mapping drives for a network access resource

You must create a Network Access resource, or open an existing resource, before you can perform this task.
Use drive mappings to map network locations to drive letters on Windows-based client systems.
  1. On the Main tab, click
    Access
    Connectivity / VPN
    Network Access (VPN)
    Network Access Lists
    .
    The Network Access Lists screen opens.
  2. Click the name to select a network access resource on the Resource List.
    The Network Access editing screen opens.
  3. To configure the drive mappings for the network access resource, click
    Drive Mappings
    on the menu bar.
  4. Click
    Add
    to add a new drive mapping.
  5. Type the
    Path
    , select the
    Drive
    letter, and type an optional
    Description
    for the drive mapping.
  6. Click
    Finished
    .
    The drive mapping is added to the network access resource.

Network access resource drive mapping settings

The table lists the drive mapping settings for a network access resource.
Setting
Value
Description
Path
A network path, for example
\\networkdrive\users
Specifies the path to the server network location.
Drive
Drive letter, list selection
Specifies the drive used.
Drive
is set to
D:
by default. Drive mapping is supported for Windows-based clients only.
Description
Text
An optional description of the drive mapping.

Launching applications on a network access connection

You must create a Network Access resource, or open an existing resource, before you can perform this task.
Use application launching to start applications on network access clients after the tunnel is established.
  1. On the Main tab, click
    Access
    Connectivity / VPN
    Network Access (VPN)
    Network Access Lists
    .
    The Network Access Lists screen opens.
  2. Click the name to select a network access resource on the Resource List.
    The Network Access editing screen opens.
  3. To configure applications to start for clients that establish a Network Access connection with this resource, click
    Launch Applications
    on the menu bar.
  4. Click
    Add
    to add a new application.
  5. Type the
    Application Path
    , type any required
    Parameters
    letter, and select the
    Operating System
    .
  6. Click
    Finished
    .
    The application start configuration is added to the Launch Applications list, and the applications appropriate to the client operating system start when a client establishes a tunnel connection.

Network access launch applications settings

Specify launch application settings to control how applications are launched when the network access connection starts.
Setting
Value
Description
Display warning before launching applications
Enable or disable
If you enable this setting, the system displays security warnings before starting applications from network access, regardless of whether the site is considered a Trusted site. If the check box is not selected, the system displays security warnings if the site is not in the Trusted Sites list.
Application Path
An application path
Specifies the path to the application.
Parameters
Text
Parameters that govern the application launch.
Operating System
List selection
From the list, select whether the application launch configuration applies to Windows-based, Unix-based, Macintosh-based, or iOS clients.