Manual Chapter :
About Network Access
Applies To:
Show VersionsBIG-IP APM
- 17.1.2, 17.1.1, 17.1.0
About Network Access
What is network access?
The BIG-IP
Access Policy Manager network access feature provides secure access to
corporate applications and data using a standard web browser, or the BIG-IP Edge
Client®. Using network access, employees, partners, and customers can have access to
corporate resources securely, from any location.
The network access feature provides users with the functionality of a traditional IPsec VPN
client. Unlike IPsec, however, network access does not require any pre-installed software or
configuration on the remote user's computer. It is also more robust than IPsec VPN against router
and firewall incompatibilities.
Network access features
Network access provides connections with the following features.
- Full access from any client
- Provides Windows, Macintosh, Linux, and mobile apps users with access to the complete set of IP-based applications, network resources, and intranet files available, as if they were physically working on the office network.
- Split tunneling of traffic
- Provides control over exactly what traffic is sent over the network access connection to the internal network and what is not. This feature offers better client application performance by allowing connections to the public Internet to go directly to their destinations, rather than being routed over the tunnel and then out to the public Internet.
- Dynamic Split tunneling using Address Space
- Provides the ability to create dynamic address space that contains IPv4, IPv6, and DNS names for Zoom and Office 365 applications by using their auto-discovery URL. You can also create custom address space objects by manually adding a static list of addresses for SaaS applications such as WebEx. This feature allows associating the address space to exclude traffic in the network access tunnels automatically. The traffic will then pass directly to the public internet instead of being routed over the tunnel.
- Client checking
- Detects operating system and browser versions, antivirus and firewall software, registry settings, and processes, and checks files during the login process to insure that the client configuration meets the organization's security policy for remote access.
- Compression of transferred data
- Compresses traffic with GZIP before it is encrypted, reducing the number of bytes transferred between the Access Policy Manager and the client system and improving performance.
- Routing table monitoring
- Monitors changes made in the client's IP routing table during a network access connection. You can configure this feature to stop the connection if the routing table changes, helping prevent possible information leaks. This feature applies to Windows clients only.
- Session inactivity detection
- Closes network access connections after a period below an inactivity threshold that you can configure. This feature helps prevent security breaches.
- Automatic application start
- Starts a client application automatically after establishing the network access connection. This feature simplifies user access to specific applications or sites.
- Automatic drive mapping
- Connects the user to a specific drive on the intranet. This feature simplifies user access to files.This feature is available only for Windows-based clients.
- Connection-based ACLs
- Filters network traffic by controlling whether packets are allowed, discarded, or rejected, based on specific criteria. For example, connections can be filtered by Layer 4 properties like source and destination IP address and port, protocol (TCP or UDP), and Layer 7 properties like scheme, host name, and paths. ACLs also support auditing capabilities with logging. ACLs allow groups of users or access policy users to have access to full client-server application support without opening up the entire network to each user.
- Dynamic IP address assignment
- Assigns client endpoint IP addresses dynamically from a configured pool of addresses. IP addresses can also be assigned with an external AAA server attribute.
- Traffic classification, prioritization, and marking
- Provides the ability to classify and prioritize traffic to ensure levels of service to users with defined characteristics.
About network access traffic
Network access implements a point-to-point network connection over SSL, which provides a secure solution
that works well with firewalls and proxy servers.
Network access settings specify IP address pools, which the Access Policy
Manager then uses to assign IP addresses to a client computer's virtual network adapter.
When an end user opens the address of the Access Policy Manager in a web browser, the browser
starts an SSL connection to the Access Policy Manager. The user can then log in to the Access
Policy Manager.
Network access connection diagram
The process flow of a network access connection is depicted
in this diagram.
Network access configuration elements
A network access configuration requires:
- A network access resource
- An access profile, with an access policy that assigns:
- A network access resource
- A network access or full webtop
- A lease pool that provides internal network addresses for tunnel clients
- A connectivity profile
- A virtual server that assigns the access profile
Network access elements are summarized in the following diagram.
Additional resources and documentation for BIG-IP Access Policy Manager
You can access all of the BIG-IP system documentation from
the AskF5 Knowledge Base located at
https://support.f5.com/
.Document |
Description |
---|---|
BIG-IP
Access Policy Manager: Application Access |
This guide contains information for an administrator to configure application
tunnels for secure, application-level TCP/IP connections from the client to the
network. |
BIG-IP Access Policy Manager:
Authentication Essentials |
This guide contains information to help an administrator understand authentication concepts, such as AAA server, SSL certificate, local user database, and so on. |
BIG-IP Access Policy Manager:
Authentication Methods |
This guide contains information describes different types of authentication, including Active Directory, LDAP and LDAPS, RSA SecurID, RADIUS, OCSP, CRLDP, Certificate, TACACS+, and so on. |
BIG-IP Access Policy Manager:
OAuth Concepts and Configuration |
This guide describes OAuth concepts and explains how to configure the system to use OAuth authorization servers, resource servers, and other examples. |
BIG-IP Access Policy Manager:
SAML Configuration |
This guide introduces SAML concepts and provides several examples using APM as a SAML IdP, as a SAML service provider, and others. |
BIG-IP Access Policy Manager:
Single Sign-On Concepts and Configuration |
This guide describes how to configure different types of single sign-on methods, such as HTTP basic, HTTP forms-based, NTLMV1, NTLMV2, Kerberos, OAuth Bearer. |
BIG-IP
Access Policy Manager: Customization |
This guide provides information about using the APM customization tool to provide
users with a personalized experience for access policy screens, and errors. An
administrator can apply your organization's brand images and colors, change messages
and errors for local languages, and change the layout of user pages and screens.
|
BIG-IP
Access Policy Manager: Edge Client and Application
Configuration |
This guide contains information for an administrator to
configure the BIG-IP system for browser-based access with the web client as well as
for access using BIG-IP Edge Client and F5 Access Apps. It also includes information
about how to configure or obtain client packages and install them for BIG-IP Edge
Client for Windows, Mac, and Linux, and Edge Client command-line interface for Linux. |
BIG-IP
Access Policy Manager: Implementations |
This guide contains implementations for synchronizing access policies across
BIG-IP systems, hosting content on a BIG-IP system, maintaining OPSWAT libraries,
configuring dynamic ACLs, web access management, and configuring an access policy for
routing. |
BIG-IP
Access Policy Manager: Network Access |
This guide contains information for an administrator to configure APM Network
Access to provide secure access to corporate applications and data using a standard
web browser. |
BIG-IP
Access Policy Manager: Portal Access |
This guide contains information about how to configure APM Portal Access. In
Portal Access, APM communicates with back-end servers, rewrites links in application
web pages, and directs additional requests from clients back to APM. |
BIG-IP
Access Policy Manager: Secure Web Gateway |
This guide contains information to help an administrator configure Secure Web
Gateway (SWG) explicit or transparent forward proxy and apply URL categorization and
filtering to Internet traffic from your enterprise. |
BIG-IP
Access Policy Manager: Third-Party Integration |
This guide contains information about integrating third-party products with
Access Policy Manager (APM). It includes implementations for
integration with VMware Horizon View, Oracle Access Manager, Citrix Web Interface
site, and so on. |
BIG-IP
Access Policy Manager: Visual Policy Editor |
This guide contains information about how to use the visual policy editor to
configure access policies. |
Release notes |
Release notes contain information about the current software release, including a
list of associated documentation, a summary of new features, enhancements, fixes,
known issues, and available workarounds. |
KB articles |
Knowledge base articles are responses and resolutions to known issues, additional configuration instructions, and how-to information. |