Manual Chapter : Using Forward Error Correction with Network Access

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0
Manual Chapter

Using Forward Error Correction with Network Access

Overview: Using FEC on network access tunnels

Forward error correction (FEC) is a technique for controlling data transmission errors over unreliable or noisy communication channels. With FEC, the sender encodes messages with a little extra error-correcting code. FEC enables recovery of lost packets to avoid retransmission and increase throughput on lossy links. FEC is frequently used when retransmission is not possible or is costly.
In Access Policy Manager®, you can use FEC on network access tunnels. You can do this provided that you configure a network access resource for Datagram Transport Level Security (DTLS) and configure two virtual servers with the same IP address. Users connect on a TCP/HTTPS virtual server. Another virtual server handles DTLS for the network access resource.
FEC is not included on every BIG-IP system.

Creating a network access resource for DTLS

You configure a network access resource to allow users access to your local network through a secure VPN tunnel. You configure the resource to use Datagram Transport Level Security (DTLS) as a prerequisite for using forward error correcting (FEC) on the connection.
  1. On the Main tab, click
    Access Policy
    Network Access
    .
    The Network Access List screen opens.
  2. Click the
    Create
    button.
    The New Resource screen opens.
  3. In the
    Name
    field, type a name for the resource.
  4. Click
    Finished
    to save the network access resource.
  5. On the menu bar, click
    Network Settings
    .
  6. In the Enable Network Tunnel area, for
    Network Tunnel
    , retain the default setting
    Enable
    .
  7. In the General Settings area from the
    Supported IP Version
    list, retain the default setting
    IPV4
    , or select
    IPV4 & IPV6
    .
    If you select
    IPV4 & IPV6
    , the
    IPV4 Lease Pool
    and
    IPV6 Lease Pool
    lists are displayed. They include existing pools of IPv4 addresses and IPv6 addresses, respectively.
  8. Select the appropriate lease pools from the lists.
    APM assigns IP addresses to a client computer's virtual network from the lease pools that you specify.
  9. From the Client Settings list, select
    Advanced
    .
    Additional settings are displayed.
  10. Select the
    DTLS
    check box.
    A
    DTLS Port
    field displays with the default port,
    4433
    .
  11. Click
    Update
    .

Adding a FEC profile to a connectivity profile

You add a forward error correction (FEC) profile to a connectivity profile to apply on a network access tunnel.
A connectivity profile contains default settings for network access compression. However, compression is not active when a network access connection is configured for DTLS.
  1. On the Main tab, click
    Access
    Connectivity / VPN
    Connectivity
    Profiles
    .
    A list of connectivity profiles displays.
  2. Select the connectivity profile that you want to update and click
    Edit Profile
    .
    The Edit Connectivity Profile popup screen opens and displays General Settings.
  3. From the
    FEC Profile
    list, select the default profile,
    /Common/fec
    .
    A FEC profile is a network tunnel profile. You can configure a custom FEC profile in the Network area on the BIG-IP system.
  4. Click
    OK
    .
    The popup screen closes, and the Connectivity Profile List displays.
To provide functionality with a connectivity profile, you must add the connectivity profile and an access profile to a virtual server.

Configuring a webtop for network access

A webtop allows your users to connect and disconnect from the network access connection.
  1. On the Main tab, click
    Access
    Webtops
    Webtop Lists
    .
    The Webtops screen displays.
  2. Click
    Create
    .
    The New Webtop screen opens.
  3. In the
    Name
    field, type a name for the webtop.
  4. Select the type of webtop to create.
    Network Access
    Select
    Network Access
    for a webtop to which you will assign only a single network access resource.
    Portal Access
    Select
    Portal Access
    for a webtop to which you assign only portal access resources.
    Full
    Select
    Full
    for a webtop to which you assign one or more network access resources, multiple portal access resources, and multiple application access app tunnel resources, or any combination of the three types.
  5. Click
    Finished
    .
The webtop is now configured, and appears in the list. You can edit the webtop further, or assign it to an access policy.
To use this webtop, it must be assigned to an access policy with an advanced resource assign action or with a webtop, links and sections assign action.

Create an access profile

You create an access profile to provide the access policy configuration for a virtual server that establishes a secured session.
  1. On the Main tab, click
    Access
    Profiles / Policies
    .
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click
    Create
    .
    The New Profile screen opens.
  3. In the
    Name
    field, type a unique name for the access profile.
  4. From the
    Profile Type
    list, select one these options:
    • ALL
      : Select to support LTM-APM and SSL-VPN access types.
    • LTM-APM
      : Select for a web access management configuration.
    • OAuth-Resource Server
      : For configuring APM to act as an OAuth resource server that provides an OAuth authorization layer into an API gateway.
    • RDG-RAP
      : Select to validate connections to hosts behind APM when APM acts as a gateway for RDP clients.
    • SSL-VPN
      : Select to configure network access, portal access, or application access. (Most access policy items are available for this type.)
    • SSO
      : Select to configure matching virtual servers for Single Sign-On (SSO).
      No access policy is associated with this type of access profile
    • SWG - Transparent
      : Select to configure access using Secure Web Gateway transparent forward proxy.
    • SWG - Explicit
      : Select to configure access using Secure Web Gateway explicit forward proxy.
    • System Authentication
      : Select to configure administrator access to the BIG-IP system (when using APM as a pluggable authentication module).
    • Identity Service
      : Used internally to provide identity service for a supported integration. Only APM creates this type of profile.
      You can edit Identity Service profile properties.
    Depending on licensing, you might not see all of these profile types.
    Additional settings display.
  5. From the
    Profile Scope
    list, select one these options to define user scope:
    • Profile
      : Access to resources behind the profile.
    • Virtual Server
      : Access to resources behind the virtual server.
    • Global
      : Access to resources behind any access profile with global scope.
    • Named
      : Access for SSL Orchestrator users to resources behind any access profile with global scope.
    • Public
      : Access to resources that are behind the same access profile when the Named scope has configured the session and is checked based on the value and string configured in the Named scope field.
  6. For the
    Customization Type
    , use the default value
    Modern
    .
  7. In the Language Settings area, add and remove accepted languages, and set the default language.
    If no browser language matches one in the accepted languages list, the browser uses the default language.
  8. Click
    Finished
    .
The access profile displays in the Access Profiles List. Default-log-setting is assigned to the access profile.

Verify log settings for the access profile

Confirm that the correct log settings are selected for the access profile to ensure that events are logged as you intend.
Log settings are configured in the
Access
Overview
Event Log
Settings
area of the product. They enable and disable logging for access system and URL request filtering events. Log settings also specify log publishers that send log messages to specified destinations.
  1. On the Main tab, click
    Access
    Profiles / Policies
    .
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click the name of the access profile that you want to edit.
    The properties screen opens.
  3. On the menu bar, click
    Logs
    .
    The access profile log settings display.
  4. Move log settings between the
    Available
    and
    Selected
    lists.
    You can assign up to three log settings that enable access system logging to an access profile. You can assign additional log settings to an access profile provided that they enable logging for URl request logging only.
    Logging is disabled when the
    Selected
    list is empty.
  5. Click
    Update
    .
An access profile is in effect when it is assigned to a virtual server.

Adding network access to an access policy

Before you assign a network access resource to an access policy, you must:
  • Create a network access resource.
  • Create an access profile.
  • Define a network access webtop or a full webtop.
When you assign a network access resource to an access policy branch, a user who successfully completed the branch rule (which includes that access policy item) starts a network access tunnel.
  1. On the Main tab, click
    Access
    Profiles / Policies
    .
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click the name of the access profile for which you want to edit the access policy.
    The properties screen opens for the profile you want to edit.
  3. On the menu bar, click
    Access Policy
    .
  4. In the General Properties area, click the
    Edit Access Policy for Profile
    profile_name
    link.
    The visual policy editor opens the access policy in a separate screen.
  5. Click the
    (+)
    icon anywhere in the access policy to add a new item.
    Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  6. Select one of the following resource assignment actions and click
    Add
    .
    Resource Assign
    Select the
    Resource Assign
    action to add a network access resource only.
    Resource Assign
    does not allow you to add a webtop or ACLs. If you want to add ACLs, a webtop, or webtop links after you add a Resource Assign action, you can add them with the individual actions
    ACL Assign
    and
    Webtop, Links and Sections Assign
    .
    Webtop sections are for use with a full webtop only.
    Advanced Resource Assign
    Select the
    Advanced Resource Assign
    action to add network access resources, and optionally add a webtop, webtop links, webtop sections, and one or more ACLs.
  7. Select the resource or resources to add.
    • If you added an
      Advanced Resource Assign
      action, on the Resource Assignment screen, click
      Add New Entry
      , then click
      Add/Delete
      , and select and add resources from the tabs, then click
      Update
      .
    • If you added a
      Resource Assign
      action, next to Network Access Resources, click
      Add/Delete
      .
    If you add a full webtop and multiple network access resources, Auto launch can be enabled for only one network access resource. (With Auto launch enabled, a network access resource starts automatically when the user reaches the webtop.)
  8. Click
    Save
    .
  9. Click
    Apply Access Policy
    to save your configuration.
A network access tunnel is assigned to the access policy. You may also assign a network access or full webtop. On the full webtop, users can click the link for a network access resource to start the network access tunnel, or a network access tunnel (that is configured with Auto launch enabled) can start automatically.
After you complete the access policy, you must define a connectivity profile. In the virtual server definition, you must select the access policy and connectivity profile.

Creating an HTTPS virtual server for network access

Create a virtual server for HTTPS traffic.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click
    Create
    .
    The New Virtual Server screen opens.
  3. In the
    Name
    field, type a unique name for the virtual server.
  4. For the
    Destination Address/Mask
    setting, confirm that the
    Host
    button is selected, and type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is
    10.0.0.1
    or
    10.0.0.0/24
    , and an IPv6 address/prefix is
    ffe1::0020/64
    or
    2001:ed8:77b5:2:10:10:100:42/64
    . When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a
    /32
    prefix.
    The IP address you type must be available and not in the loopback network.
  5. In the
    Service Port
    field, type
    443
    or select
    HTTPS
    from the list.
  6. From the
    HTTP Profile
    list, select
    http
    .
  7. If you use client SSL, for the
    SSL Profile (Client)
    setting, select a client SSL profile.
  8. If you use server SSL, for the
    SSL Profile (Server)
    setting, select a server SSL profile.
  9. In the Access Policy area, from the
    Access Profile
    list, select the access profile that you configured earlier.
  10. In the Access Policy area, from the
    Connectivity Profile
    list, select the connectivity profile.
  11. Click
    Finished
    .
The HTTPS virtual server displays on the list.

Configuring a virtual server for DTLS

To configure DTLS mode for a network access connection, you must configure a virtual server specifically for use with DTLS.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click
    Create
    .
    The New Virtual Server screen opens.
  3. In the
    Name
    field, type a unique name for the virtual server.
  4. In the
    Destination Address
    field, type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is
    10.0.0.1/32
    or
    10.0.0.0/24
    , and an IPv6 address/prefix is
    ffe1::0020/64
    or
    2001:ed8:77b5:2:10:10:100:42/64
    .
    This is the same IP address as the TCP (HTTPS) virtual server to which your users connect.
  5. In the
    Service Port
    field, type the port number that you specified in the DTLS Port field in the network access resource configuration.
    By default, the DTLS port is 
    4433
    .
  6. From the
    Protocol
    list, select
    UDP
    .
  7. For the
    SSL Profile (Client)
    setting, in the
    Available
    box, select a profile name, and using the Move button, move the name to the
    Selected
    box.
  8. In the Access Policy area, from the
    Connectivity Profile
    list, select the connectivity profile.
    Use the same connectivity profile that you specified for the TCP (HTTPS) virtual server to which your users connect.
  9. Click
    Finished
    .

Network settings for a network access resource

Network settings specify tunnel settings, session settings, and client settings.
Setting
Value
Description
Network Tunnel
Enable
When you enable a network tunnel, you configure the network access tunnel to provide network access. Clear the
Enable
option to hide all network settings and to disable the tunnel.
General Settings
Basic/Advanced
Select
Advanced
to show settings for Proxy ARP, SNAT Pool, and Session Update.
Supported IP Version
IPV4
or
IPV4 & IPV6
Sets the Network Access tunnel to support either an IPv4 lease pool or both IPv4 and IPv6 lease pools.
Network access with IPv6 alone is not supported. An IPv6 tunnel requires a simultaneous IPv4 tunnel, which is automatically established when you assign IPv4 and IPv6 lease pools, and set the version to
IPv4 & IPv6
.
IPv4 Lease Pool
List selection of existing IPv4 lease pools
Assigns internal IP addresses to remote network access clients, using configured lease pools. Select a lease pool from the drop-down list. To create a lease pool within this screen, click the
+
sign next to
Lease Pool
.
IPv6 Lease Pool
List selection of existing IPv6 lease pools
Assigns internal IP addresses to remote network access clients, using configured lease pools. Select a lease pool from the drop-down list. To create a lease pool within this screen, click the
+
sign next to
Lease Pool
.
Compression
No Compression
/
GZIP Compression
Select GZIP Compression to compress all traffic between the Network Access client and the Access Policy Manager, using the GZIP deflate method.
Proxy ARP
Enable
Proxy ARP allows remote clients to use IP addresses from the LAN IP subnet, and no configuration changes are required on other devices such as routers, hosts, or firewalls. IP address ranges on the LAN subnet are configured in a lease pool and assigned to network access tunnel clients. When this setting is enabled, a host on the LAN that sends an ARP query for a client address gets a response from Access Policy Manager with its own MAC address. Traffic is sent to the Access Policy Manager and forwarded to clients over network access tunnels.
SNAT Pool
List selection of
None
,
Auto Map
, or SNAT pool name
Specifies the name of a SNAT pool used for implementing selective and intelligent SNATs. The default is
Auto Map
. If you have defined a SNAT on the system, that SNAT is available as an option on this list. The following two options are always available.
  • None
    : specifies that the system uses no SNAT pool for this network resource.
  • Auto Map
    : specifies that the system uses all of the self IP addresses as the translation addresses for the pool.
To support CIFS/SMB and VoIP protocols, select
None
and configure routable IP addresses in the lease pool
Preserve Source Port Strict
Enable
Specifies that the system preserves the value configured for the source port. This setting applies on the last leg of the network access tunnel connection between an internal ACL virtual server and the backend. This setting applies to all traffic passing through the network access tunnel. This setting is disabled by default.
  • Enabled
    : select the check box to specify that the system preserves the value configured for the source port. To use this setting, you must select None for the SNAT Pool setting.
  • Disabled
    : when the
    Enabled
    is cleared, specifies that the system does not preserve the value configured for the source port.
Session Update Threshold
Integer (bytes per second)
Defines the average byte rate that either ingress or egress tunnel traffic must exceed, for the tunnel to update a session. If the average byte rate falls below the specified threshold, the system applies the inactivity timeout, which is defined in the Access Profile, to the session.
Session Update Window
Integer (seconds)
Defines the time value in seconds that the system uses to calculate the EMA (Exponential Moving Average) byte rate of ingress and egress tunnel traffic.
Client Settings
Basic/Advanced
Select
Advanced
to configure client proxy, DTLS, domain reconnect settings, and client certificate options.
Force all traffic through tunnel
Enable/disable
Specifies that all traffic (including traffic to or from the local subnet) is forced over the VPN tunnel.
Use split tunneling for traffic
Enable/disable
Specifies that only the traffic targeted to a specified address space is sent over the network access tunnel. With split tunneling, all other traffic bypasses the tunnel. By default, split tunneling is not enabled. When split tunneling is enabled, all traffic passing over the network access connection uses this setting.
If you add a large number of addresses for split tunneling, Edge Client cannot establish a tunnel connection. The limits for these addresses are:
  • On Windows max limit is 20 KB (each Network Access property).
  • macOS max limit is 64 KB (all Network Access properties).
  • Linux max limit is 64 KB (all Network Access properties).
  • Mobile clients (Android, iOS, Chrome) do not have a limit, but may vary based on what the platforms support.
IPV4 LAN Address Space
IPv4 IP address in CIDR notation
Provides a list of endpoint IP addresses or network addresses in a CIDR notation. This box only appears if you use split tunneling. When using split tunneling, only the traffic to these addresses and network segments goes through the tunnel configured for Network Access. You can add multiple address spaces to the list, one at a time. For each address space, enter the IP address or network address in the CIDR field and click
Add
. In CIDR notation, the IP address is written as a prefix, and the suffix indicates how many bits are in the address - for example, 192.0.1.0/24.
IPV6 LAN Address Space
IPv6 IP address in CIDR notation
Provides a list of endpoint IP addresses or network addresses in a CIDR notation. When using split tunneling, only the traffic to these addresses and network segments goes through the tunnel configured for Network Access. You can add multiple address spaces to the list, one at a time. For each address space, enter the IP address or network address in the CIDR field and click
Add
. In CIDR notation, the IP address is written as a prefix, and the suffix indicates how many bits are in the address - for example, 192.0.1.0/32. This box only appears when you select
IPV4 & IPV6
in the
Supported IP Version
setting and use split tunneling.
DNS Address Space
Domain names, with or without wildcards
Provides a list of domain names describing the target LAN DNS addresses. This field only appears if you use split tunneling. You can add multiple address spaces to the list, one at a time. For each address space, type the domain name, in the form
site.siterequest.com
or
*.siterequest.com
, and click
Add
.
IPV4 Exclude Address Space / IPV6 Exclude Address Space
IP address in CIDR notation
Specifies address spaces whose traffic is not forced through the tunnel. For each address space that you want to exclude, enter the IP address or network address in the
CIDR
field and click
Add
.
DNS Exclude Address Space
Domain names, with or without wildcards
Specifies DNS address spaces for which traffic is not forced through the tunnel. For each address space, type the domain name, in the form
site.siterequest.com
or
*.siterequest.com
, and click
Add
.
Dynamic LAN Address Spaces
List selection of Selected /Available address spaces
Specifies the dynamic address spaces for which the traffic passes through the tunnel. Dynamic address spaces use auto-discovery URL for selecting IP addresses and DNS names.
For each address space that you want to exclude, move the address space from the
Available
list to the
Selected
list by clicking the
<<
button. Similarly, to deselect the address space, click the
<<
button to move the address space from the
Selected
list to the
Available
list.
Dynamic Exclude Address Spaces
List selection of Selected /Available address spaces
Specifies the dynamic address spaces for which the traffic is not forced through the tunnel. Dynamic address spaces use auto-discovery URL for selecting IP addresses and DNS names.
For each address space that you want to exclude, move the address space from the
Available
list to the
Selected
list by clicking the
<<
button. Similarly, to deselect the address space, click the
<<
button to move the address space from the
Selected
list to the
Available
list.
Allow Local Subnet
Enable/disable
Select this option to enable local subnet access and local access to any host or subnet in routes that you have specified in the client routing table. When you enable this setting, the system does not support integrated IP filtering.
Client Side Security >
Prohibit routing table changes during Network Access connection
Enable/disable
This option closes the network access session if the client's IP routing table is modified during the session. The client, however, does permit routing table changes that do not affect the traffic routing decision.
Client Side Security >
Integrated IP filtering engine
Enable/disable
Select this option to protect the resource from outside traffic (traffic generated by network devices on the client's LAN), and to ensure that the resource is not leaking traffic to the client's LAN.
Client Side Security >
Allow access to local DHCP server
Enable/disable
This option appears when the
Integrated IP filtering engine
option is enabled. This option allows the client access to connect through the IP filtering engine, to use a DHCP server local to the client to renew the client DHCP lease locally. This option is not required or available when IP filtering is not enabled because clients can renew their leases locally.
This option does not renew the DHCP lease for the IP address assigned from the network access lease pool; this applies only to the local client IP address.
Client Traffic Classifier
List selection
Specifies a client traffic classifier to use with this network access tunnel, for Windows clients.
Client Options >
Client for Microsoft Networks
Enable/disable
Select this option to allow the client PC to access remote resources over a VPN connection. This option is enabled by default. This allows the VPN to work as a traditional VPN, so a user can access files and printers from the remote Microsoft network.
Client Options >
File and printer sharing for Microsoft networks
Enable/disable
Select this option to allow remote hosts to access shared resources on the client computer over the network access connection. This allows the VPN to work in reverse, and a VPN user to share file shares and printers with remote LAN users and other VPN users.
Provide client certificate on Network Access connection when requested
Enable/disable
If client certificates are required to establish an SSL connection, this option must always be enabled. However, you can disable this option if the client certificates are only requested in an SSL connection. In this case, the client is configured not to send client certificates.
Reconnect to Domain >
Synchronize with Active Directory policies on connection establishment
Enable/disable
When enabled, this option emulates the Windows logon process for a client on an Active Directory domain. Network policies are synchronized when the connection is established, or at logoff. The following items are synchronized:
  • Logon scripts are started as specified in the user profile.
  • Drives are mapped as specified in the user profile.
  • Group policies are synchronized as specified in the user profile. Group Policy logon scripts are started when the connection is established, and Group Policy logoff scripts are run when the network access connection is stopped.
Reconnect to Domain >
Run logoff scripts on connection termination
Enable/disable
This option appears when
Synchronize with Active Directory policies on connection establishment
is enabled. Enable this option if you want the system to run logoff scripts, as configured on the Active Directory domain, when the connection is stopped.
Client Interface Speed
Integer, bits per second
Specifies the maximum speed of the client interface connection, in bits per second.
Display connection tray icon
Enable/disable
When enabled, balloon notifications for the network access tray icon (for example, when a connection is made) are displayed. Disable this option to prevent balloon notifications.
Client Power Management
Ignore
,
Prevent
, or
Terminate
Specifies how network access handles client power management settings, for example, when the user puts the system in standby or closes the lid on a laptop.
  • Ignore
    - ignores client settings for power management.
  • Prevent
    - prevents power management events from occurring when the client is enabled.
  • Terminate
    - terminates the client when a power management event occurs.
DTLS
Enable/disable
When enabled, specifies that the network access connection uses Datagram Transport Level Security (DTLS). DTLS uses UDP instead of TCP, to provides better throughput for high-demand applications like VoIP or streaming video, especially with lossy connections.
DTLS Port
Port number
Specifies the port number that the network access resource uses for secure UDP traffic with DTLS. The default is
4433
.
Client Proxy Settings
Enable/disable
Enables several additional settings that specify client proxy connections for this network resource. Client proxy settings apply to the proxy behind the Access Policy Manager and do not affect the VPN tunnel transport, or interact with the TLS or DTLS configuration. Use client proxy settings when intranet web servers are not directly accessible from the Access Policy Manager internal subnet. Client proxy settings apply only to HTTP, HTTPS, and FTP connections. SOCKS connections can also be proxied, with a custom PAC file.
Use Local Proxy Settings
Enable/disable
Select this option to continue to use the proxy settings, as configured on the client, after establishing a network access connection.
Client Proxy Uses HTTP for Proxy Autoconfig Script
Enable/disable
Some applications, like Citrix MetaFrame, can not use the client proxy autoconfig script when the browser attempts to use the
file://
prefix to locate it. Select this option to specify that the browser uses
http://
to locate the proxy autoconfig file, instead of
file://
.
Client Proxy Autoconfig Script
URL
The URL for a proxy auto-configuration script, if one is used with this connection.
Client Proxy Address
IP address
The IP address for the client proxy server that network access clients use to connect to the Internet.
Client Proxy Port
Port number
The port number of the proxy server that network access clients use to connect to the Internet.
Bypass Proxy For Local Addresses
Enable/disable
Select this option if you want to allow local intranet addresses to bypass the proxy server.
Client Proxy Exclusion List
IP addresses, domain names, with wildcards
Specifies the web addresses that do not need to be accessed through your proxy server. You can use wildcards to match domain and host names, or addresses. For example,
www.*.com
,
128.*
,
240.8
,
8.
,
mygroup.*
,
*.*
.