Manual Chapter: Using Forward Error Correction with Network Access
Applies To: BIG-IP APM
- 17.1.2, 17.1.1, 17.1.0
Overview: Using FEC on network access tunnels
Forward error correction (FEC) is a technique for controlling data transmission errors over
unreliable or noisy communication channels. With FEC, the sender encodes messages with a
little extra error-correcting code. FEC enables recovery of lost packets to avoid
retransmission and increase throughput on lossy links. FEC is frequently used when
retransmission is not possible or is costly.
In Access Policy Manager®, you can use FEC on network access tunnels.
You can do this provided that you configure a network access resource for Datagram Transport
Level Security (DTLS) and configure two virtual servers with the same IP address. Users
connect on a TCP/HTTPS virtual server. Another virtual server handles DTLS for the network
access resource.
FEC is not included on every BIG-IP system.
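To make the recovery idea concrete, here is an added Python illustration (not code from the BIG-IP product, and not the FEC scheme APM implements, which this chapter does not describe): one XOR parity datagram per block of four lets the receiver rebuild a single lost datagram without a retransmission, while two losses in the same block exceed what that parity can repair. The block size and the length-prefixed framing are the example's own assumptions.

```python
"""XOR-parity forward error correction over a block of datagrams.

Added illustration of the principle the overview describes; it is not the
FEC scheme BIG-IP APM implements (the page does not describe that scheme).
The sender appends one parity datagram per block of BLOCK data datagrams;
the receiver can rebuild any single lost datagram in the block by XOR-ing
the ones that did arrive, so no retransmission round trip is needed.
"""
from typing import Dict, List, Optional, Set

BLOCK = 4          # data datagrams per FEC block (example value)
PARITY = BLOCK     # index used for the parity datagram within a block


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_block(payloads: List[bytes]) -> Dict[int, bytes]:
    """Frame BLOCK payloads to equal length and add one parity frame.

    Each frame is a 2-byte big-endian original length followed by the
    payload zero-padded to the block's longest payload, so the parity covers
    the length field too and a recovered frame can be unpadded. The framing
    is this example's own convention.
    """
    if len(payloads) != BLOCK:
        raise ValueError(f"a block holds exactly {BLOCK} payloads")
    width = max(len(p) for p in payloads)
    frames = {
        i: len(p).to_bytes(2, "big") + p.ljust(width, b"\x00")
        for i, p in enumerate(payloads)
    }
    parity = bytes(2 + width)
    for f in frames.values():
        parity = xor_bytes(parity, f)
    frames[PARITY] = parity
    return frames


def decode_block(received: Dict[int, bytes]) -> Optional[List[bytes]]:
    """Return the BLOCK payloads, repairing at most one missing frame.

    Returns None when two or more frames of the block were lost: a single
    parity frame cannot repair that, so the loss stands (or, for data the
    application carries over TCP, a retransmission becomes necessary).
    """
    missing = [i for i in range(BLOCK + 1) if i not in received]
    if len(missing) > 1:
        return None
    frames = dict(received)
    if missing:
        width = len(next(iter(frames.values())))
        rebuilt = bytes(width)
        for f in frames.values():            # XOR of all surviving frames,
            rebuilt = xor_bytes(rebuilt, f)  # parity included, is the lost one
        frames[missing[0]] = rebuilt
    payloads = []
    for i in range(BLOCK):
        n = int.from_bytes(frames[i][:2], "big")
        payloads.append(frames[i][2:2 + n])
    return payloads


def send_over_lossy_link(payloads: List[bytes], dropped: Set[int]) -> Optional[List[bytes]]:
    """Encode a block, drop the frames whose indices are in `dropped`, decode."""
    sent = encode_block(payloads)
    arrived = {i: f for i, f in sent.items() if i not in dropped}
    return decode_block(arrived)


# Constructed sample payloads (not captured traffic).
SAMPLE = [b"voice frame 1", b"frame 2", b"3", b"a longer frame 4"]

if __name__ == "__main__":
    print(send_over_lossy_link(SAMPLE, {2}))      # recovered without retransmit
    print(send_over_lossy_link(SAMPLE, {0, 3}))   # None: beyond repair capacity
```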
Creating a network access resource for DTLS
You configure a network access resource to allow users access to your local
network through a secure VPN tunnel. You configure the resource to use Datagram
Transport Level Security (DTLS) as a prerequisite for using forward error correcting
(FEC) on the connection.
- On the Main tab, click. The Network Access List screen opens.
- Click the Create button. The New Resource screen opens.
- In the Name field, type a name for the resource.
- Click Finished to save the network access resource.
- On the menu bar, click Network Settings.
- In the Enable Network Tunnel area, for Network Tunnel, retain the default setting Enable.
- In the General Settings area, from the Supported IP Version list, retain the default setting IPV4, or select IPV4 & IPV6. If you select IPV4 & IPV6, the IPV4 Lease Pool and IPV6 Lease Pool lists are displayed. They include existing pools of IPv4 addresses and IPv6 addresses, respectively.
- Select the appropriate lease pools from the lists. APM assigns IP addresses to a client computer's virtual network from the lease pools that you specify.
- From the Client Settings list, select Advanced. Additional settings are displayed.
- Select the DTLS check box. A DTLS Port field displays with the default port, 4433.
- Click Update.
Adding a FEC profile to a connectivity profile
You add a forward error correction (FEC) profile to a connectivity profile to apply on a network access tunnel.
A connectivity profile contains default settings for network access compression. However, compression is not active when a network access connection is configured for DTLS.
- On the Main tab, click. A list of connectivity profiles displays.
- Select the connectivity profile that you want to update and click Edit Profile. The Edit Connectivity Profile popup screen opens and displays General Settings.
- From the FEC Profile list, select the default profile, /Common/fec. A FEC profile is a network tunnel profile. You can configure a custom FEC profile in the Network area on the BIG-IP system.
- Click OK. The popup screen closes, and the Connectivity Profile List displays.
To provide functionality with a connectivity profile, you must add the connectivity profile and an access profile to a virtual server.
Configuring a webtop for network access
A webtop allows your users to connect and disconnect from the network access connection.
- On the Main tab, click. The Webtops screen displays.
- Click Create. The New Webtop screen opens.
- In the Name field, type a name for the webtop.
- Select the type of webtop to create.
  - Network Access: Select Network Access for a webtop to which you will assign only a single network access resource.
  - Portal Access: Select Portal Access for a webtop to which you assign only portal access resources.
  - Full: Select Full for a webtop to which you assign one or more network access resources, multiple portal access resources, and multiple application access app tunnel resources, or any combination of the three types.
- Click Finished.
The webtop is now configured, and appears in the list. You can edit the webtop further, or assign it to an access policy.
To use this webtop, it must be assigned to an access policy with an advanced resource assign action or with a webtop, links and sections assign action.
Create an access profile
You create an access profile to provide the access policy configuration for a virtual server that establishes a secured session.
- On the Main tab, click. The Access Profiles (Per-Session Policies) screen displays.
- Click Create. The New Profile screen displays.
- In the Name field, type a unique name for the access profile.
- From the Profile Type list, select one of these options:
  - ALL: Select to support LTM-APM and SSL-VPN access types.
  - LTM-APM: Select for a web access management configuration.
  - OAuth-Resource Server: For configuring APM to act as an OAuth resource server that provides an OAuth authorization layer into an API gateway.
  - RDG-RAP: Select to validate connections to hosts behind APM when APM acts as a gateway for RDP clients.
  - SSL-VPN: Select to configure network access, portal access, or application access. (Most access policy items are available for this type.)
  - SSO: Select to configure matching virtual servers for Single Sign-On (SSO). No access policy is associated with this type of access profile.
  - SWG - Transparent: Select to configure access using Secure Web Gateway transparent forward proxy.
  - SWG - Explicit: Select to configure access using Secure Web Gateway explicit forward proxy.
  - System Authentication: Select to configure administrator access to the BIG-IP system (when using APM as a pluggable authentication module).
  - Identity Service: Used internally to provide identity service for a supported integration. Only APM creates this type of profile. You can edit Identity Service profile properties.
  Depending on licensing, you might not see all of these profile types. Additional settings display.
- From the Profile Scope list, select one of these options to define user scope:
  - Profile: Access to resources behind the profile.
  - Virtual Server: Access to resources behind the virtual server.
  - Global: Access to resources behind any access profile with global scope.
  - Named: Access for SSL Orchestrator users to resources behind any access profile with global scope.
  - Public: Access to resources that are behind the same access profile when the Named scope has configured the session and is checked based on the value and string configured in the Named scope field.
- For the Customization Type, use the default value Modern.
- In the Language Settings area, add and remove accepted languages, and set the default language. If any browser language does not match the accepted languages list, the browser uses the default language.
- Click Finished.
The access profile displays in the Access Profiles List. Default-log-setting is assigned to the access profile.
Verify log settings for the access profile
Confirm that the correct log settings are selected for the access profile to ensure that events are logged as you intend.
Log settings are configured in the area of the product. They enable and disable logging for access system and URL request filtering events. Log settings also specify log publishers that send log messages to specified destinations.
- On the Main tab, click. The Access Profiles (Per-Session Policies) screen displays.
- Click the name of the access profile that you want to edit. The properties screen opens.
- On the menu bar, click Logs. The access profile log settings display.
- Move log settings between the Available and Selected lists. You can assign up to three log settings that enable access system logging to an access profile. You can assign additional log settings to an access profile provided that they enable logging for URL request logging only. Logging is disabled when the Selected list is empty.
- Click Update.
An access profile is in effect when it is assigned to a virtual server.
Adding network access to an access policy
Before you assign a network access resource to an access policy, you must:
- Create a network access resource.
- Create an access profile.
- Define a network access webtop or a full webtop.
When you assign a network access resource to an access policy branch, a user who successfully completed the branch rule (which includes that access policy item) starts a network access tunnel.
- On the Main tab, click. The Access Profiles (Per-Session Policies) screen displays.
- Click the name of the access profile for which you want to edit the access policy. The properties screen opens for the profile you want to edit.
- On the menu bar, click Access Policy.
- In the General Properties area, click the Edit Access Policy for Profile profile_name link. The visual policy editor opens the access policy in a separate screen.
- Click the (+) icon anywhere in the access policy to add a new item. Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type. A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
- Select one of the following resource assignment actions and click Add.
  - Resource Assign: Select the Resource Assign action to add a network access resource only. Resource Assign does not allow you to add a webtop or ACLs. If you want to add ACLs, a webtop, or webtop links after you add a Resource Assign action, you can add them with the individual actions ACL Assign and Webtop, Links and Sections Assign. Webtop sections are for use with a full webtop only.
  - Advanced Resource Assign: Select the Advanced Resource Assign action to add network access resources, and optionally add a webtop, webtop links, webtop sections, and one or more ACLs.
- Select the resource or resources to add.
  - If you added an Advanced Resource Assign action, on the Resource Assignment screen, click Add New Entry, then click Add/Delete, and select and add resources from the tabs, then click Update.
  - If you added a Resource Assign action, next to Network Access Resources, click Add/Delete.
  If you add a full webtop and multiple network access resources, Auto launch can be enabled for only one network access resource. (With Auto launch enabled, a network access resource starts automatically when the user reaches the webtop.)
- Click Save.
- Click Apply Access Policy to save your configuration.
A network access tunnel is assigned to the access policy. You may also assign a network access or full webtop. On the full webtop, users can click the link for a network access resource to start the network access tunnel, or a network access tunnel (that is configured with Auto launch enabled) can start automatically.
After you complete the access policy, you must define a connectivity profile. In the virtual server definition, you must select the access policy and connectivity profile.
Creating an HTTPS virtual server for network access
Create a virtual server for HTTPS traffic.
- On the Main tab, click. The Virtual Server List screen opens.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- For the Destination Address/Mask setting, confirm that the Host button is selected, and type the IP address in CIDR format. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix. The IP address you type must be available and not in the loopback network.
- In the Service Port field, type 443 or select HTTPS from the list.
- From the HTTP Profile list, select http.
- If you use client SSL, for the SSL Profile (Client) setting, select a client SSL profile.
- If you use server SSL, for the SSL Profile (Server) setting, select a server SSL profile.
- In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
- In the Access Policy area, from the Connectivity Profile list, select the connectivity profile.
- Click Finished.
The HTTPS virtual server displays on the list.
Configuring a virtual server for DTLS
To configure DTLS mode for a network access connection, you must configure a virtual server specifically for use with DTLS.
- On the Main tab, click. The Virtual Server List screen opens.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- In the Destination Address field, type the IP address in CIDR format. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1/32 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. This is the same IP address as the TCP (HTTPS) virtual server to which your users connect.
- In the Service Port field, type the port number that you specified in the DTLS Port field in the network access resource configuration. By default, the DTLS port is 4433.
- From the Protocol list, select UDP.
- For the SSL Profile (Client) setting, in the Available box, select a profile name, and using the Move button, move the name to the Selected box.
- In the Access Policy area, from the Connectivity Profile list, select the connectivity profile. Use the same connectivity profile that you specified for the TCP (HTTPS) virtual server to which your users connect.
- Click Finished.
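As an added example (not F5 code; the object and field names are the example's own, not tmsh attributes), the following Python check models the objects the preceding procedures create and verifies the cross-object requirements this chapter states: DTLS enabled on the network access resource, a FEC profile on the connectivity profile, both virtual servers on the same IP address with the same connectivity profile, and the DTLS virtual server on UDP at the resource's DTLS port (4433 by default).

```python
"""Consistency check for the FEC-over-DTLS layout described in this chapter.

Added example, not part of the BIG-IP product. The dataclasses are a
simplified model of the GUI objects; the sample values below are constructed
placeholders, not a real deployment.
"""
from dataclasses import dataclass
from ipaddress import ip_interface
from typing import List, Optional


@dataclass
class NetworkAccessResource:
    name: str
    dtls: bool = False        # the DTLS check box under Client Settings > Advanced
    dtls_port: int = 4433     # the DTLS Port field; 4433 is the documented default


@dataclass
class ConnectivityProfile:
    name: str
    fec_profile: Optional[str] = None   # e.g. the default "/Common/fec"


@dataclass
class VirtualServer:
    name: str
    destination: str          # address or address/prefix, as typed in the GUI
    port: int
    protocol: str             # "tcp" or "udp"
    connectivity_profile: Optional[str] = None
    access_profile: Optional[str] = None
    client_ssl_profile: Optional[str] = None


def same_host(a: str, b: str) -> bool:
    """Compare destinations; a bare IPv4 address means /32, as the chapter states."""
    return ip_interface(a).ip == ip_interface(b).ip


def check_fec_layout(res: NetworkAccessResource, conn: ConnectivityProfile,
                     https_vs: VirtualServer, dtls_vs: VirtualServer) -> List[str]:
    """Return a list of problems; an empty list means the layout is consistent."""
    problems: List[str] = []
    if not res.dtls:
        problems.append(f"resource {res.name}: DTLS is not enabled (FEC prerequisite)")
    if conn.fec_profile is None:
        problems.append(f"connectivity profile {conn.name}: no FEC profile selected")
    if https_vs.protocol.lower() != "tcp" or https_vs.port != 443:
        problems.append(f"{https_vs.name}: user-facing virtual server should be TCP/443")
    if https_vs.access_profile is None:
        problems.append(f"{https_vs.name}: no access profile assigned")
    if dtls_vs.protocol.lower() != "udp":
        problems.append(f"{dtls_vs.name}: DTLS virtual server must use the UDP protocol")
    if dtls_vs.port != res.dtls_port:
        problems.append(f"{dtls_vs.name}: port {dtls_vs.port} differs from the "
                        f"resource DTLS port {res.dtls_port}")
    if dtls_vs.client_ssl_profile is None:
        problems.append(f"{dtls_vs.name}: no client SSL profile selected")
    if not same_host(https_vs.destination, dtls_vs.destination):
        problems.append("HTTPS and DTLS virtual servers do not share the same IP address")
    for vs in (https_vs, dtls_vs):
        if vs.connectivity_profile != conn.name:
            problems.append(f"{vs.name}: connectivity profile is not {conn.name}")
    return problems


# Constructed sample objects (placeholder names and addresses).
RES = NetworkAccessResource("na_fec", dtls=True, dtls_port=4433)
CONN = ConnectivityProfile("cp_fec", fec_profile="/Common/fec")
VS_HTTPS = VirtualServer("vs_na_https", "10.0.0.1", 443, "tcp", "cp_fec", "ap_na", "clientssl")
VS_DTLS = VirtualServer("vs_na_dtls", "10.0.0.1/32", 4433, "udp", "cp_fec", None, "clientssl")


def good_layout() -> List[str]:
    return check_fec_layout(RES, CONN, VS_HTTPS, VS_DTLS)


def mismatched_layout() -> List[str]:
    # Same objects, but the DTLS listener was created on TCP, at the wrong port,
    # on a different address and without a client SSL profile.
    bad = VirtualServer("vs_na_dtls", "10.0.0.2", 443, "tcp", "cp_fec", None, None)
    return check_fec_layout(RES, CONN, VS_HTTPS, bad)


if __name__ == "__main__":
    for p in mismatched_layout():
        print("-", p)
```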
Network settings for a network access resource
Network settings specify tunnel settings, session settings, and client settings.

| Setting | Value | Description |
|---|---|---|
| Network Tunnel | Enable | When you enable a network tunnel, you configure the network access tunnel to provide network access. Clear the Enable option to hide all network settings and to disable the tunnel. |
| General Settings | Basic/Advanced | Select Advanced to show settings for Proxy ARP, SNAT Pool, and Session Update. |
| Supported IP Version | IPV4 or IPV4 & IPV6 | Sets the Network Access tunnel to support either an IPv4 lease pool or both IPv4 and IPv6 lease pools. Network access with IPv6 alone is not supported. An IPv6 tunnel requires a simultaneous IPv4 tunnel, which is automatically established when you assign IPv4 and IPv6 lease pools and set the version to IPv4 & IPv6. |
| IPv4 Lease Pool | List selection of existing IPv4 lease pools | Assigns internal IP addresses to remote network access clients, using configured lease pools. Select a lease pool from the drop-down list. To create a lease pool within this screen, click the + sign next to Lease Pool. |
| IPv6 Lease Pool | List selection of existing IPv6 lease pools | Assigns internal IP addresses to remote network access clients, using configured lease pools. Select a lease pool from the drop-down list. To create a lease pool within this screen, click the + sign next to Lease Pool. |
| Compression | No Compression / GZIP Compression | Select GZIP Compression to compress all traffic between the Network Access client and the Access Policy Manager, using the GZIP deflate method. |
| Proxy ARP | Enable | Proxy ARP allows remote clients to use IP addresses from the LAN IP subnet, and no configuration changes are required on other devices such as routers, hosts, or firewalls. IP address ranges on the LAN subnet are configured in a lease pool and assigned to network access tunnel clients. When this setting is enabled, a host on the LAN that sends an ARP query for a client address gets a response from Access Policy Manager with its own MAC address. Traffic is sent to the Access Policy Manager and forwarded to clients over network access tunnels. |
| SNAT Pool | List selection of None, Auto Map, or SNAT pool name | Specifies the name of a SNAT pool used for implementing selective and intelligent SNATs. The default is Auto Map. If you have defined a SNAT on the system, that SNAT is available as an option on this list. The following two options are always available. To support CIFS/SMB and VoIP protocols, select None and configure routable IP addresses in the lease pool. |
| Preserve Source Port Strict | Enable | Specifies that the system preserves the value configured for the source port. This setting applies on the last leg of the network access tunnel connection between an internal ACL virtual server and the backend. This setting applies to all traffic passing through the network access tunnel. This setting is disabled by default. |
| Session Update Threshold | Integer (bytes per second) | Defines the average byte rate that either ingress or egress tunnel traffic must exceed for the tunnel to update a session. If the average byte rate falls below the specified threshold, the system applies the inactivity timeout, which is defined in the Access Profile, to the session. |
| Session Update Window | Integer (seconds) | Defines the time value in seconds that the system uses to calculate the EMA (Exponential Moving Average) byte rate of ingress and egress tunnel traffic. |
| Client Settings | Basic/Advanced | Select Advanced to configure client proxy, DTLS, domain reconnect settings, and client certificate options. |
| Force all traffic through tunnel | Enable/disable | Specifies that all traffic (including traffic to or from the local subnet) is forced over the VPN tunnel. |
| Use split tunneling for traffic | Enable/disable | Specifies that only the traffic targeted to a specified address space is sent over the network access tunnel. With split tunneling, all other traffic bypasses the tunnel. By default, split tunneling is not enabled. When split tunneling is enabled, all traffic passing over the network access connection uses this setting. If you add a large number of addresses for split tunneling, Edge Client cannot establish a tunnel connection. The limits for these addresses are: |
| IPV4 LAN Address Space | IPv4 IP address in CIDR notation | Provides a list of endpoint IP addresses or network addresses in CIDR notation. This box only appears if you use split tunneling. When using split tunneling, only the traffic to these addresses and network segments goes through the tunnel configured for Network Access. You can add multiple address spaces to the list, one at a time. For each address space, enter the IP address or network address in the CIDR field and click Add. In CIDR notation, the IP address is written as a prefix, and the suffix indicates how many bits are in the address, for example, 192.0.1.0/24. |
| IPV6 LAN Address Space | IPv6 IP address in CIDR notation | Provides a list of endpoint IP addresses or network addresses in CIDR notation. When using split tunneling, only the traffic to these addresses and network segments goes through the tunnel configured for Network Access. You can add multiple address spaces to the list, one at a time. For each address space, enter the IP address or network address in the CIDR field and click Add. In CIDR notation, the IP address is written as a prefix, and the suffix indicates how many bits are in the address, for example, 192.0.1.0/32. This box only appears when you select IPV4 & IPV6 in the Supported IP Version setting and use split tunneling. |
| DNS Address Space | Domain names, with or without wildcards | Provides a list of domain names describing the target LAN DNS addresses. This field only appears if you use split tunneling. You can add multiple address spaces to the list, one at a time. For each address space, type the domain name, in the form site.siterequest.com or *.siterequest.com, and click Add. |
| IPV4 Exclude Address Space / IPV6 Exclude Address Space | IP address in CIDR notation | Specifies address spaces whose traffic is not forced through the tunnel. For each address space that you want to exclude, enter the IP address or network address in the CIDR field and click Add. |
| DNS Exclude Address Space | Domain names, with or without wildcards | Specifies DNS address spaces for which traffic is not forced through the tunnel. For each address space, type the domain name, in the form site.siterequest.com or *.siterequest.com, and click Add. |
| Dynamic LAN Address Spaces | List selection of Selected/Available address spaces | Specifies the dynamic address spaces for which the traffic passes through the tunnel. Dynamic address spaces use an auto-discovery URL for selecting IP addresses and DNS names. For each address space that you want to exclude, move the address space from the Available list to the Selected list by clicking the << button. Similarly, to deselect the address space, click the << button to move the address space from the Selected list to the Available list. |
| Dynamic Exclude Address Spaces | List selection of Selected/Available address spaces | Specifies the dynamic address spaces for which the traffic is not forced through the tunnel. Dynamic address spaces use an auto-discovery URL for selecting IP addresses and DNS names. For each address space that you want to exclude, move the address space from the Available list to the Selected list by clicking the << button. Similarly, to deselect the address space, click the << button to move the address space from the Selected list to the Available list. |
| Allow Local Subnet | Enable/disable | Select this option to enable local subnet access and local access to any host or subnet in routes that you have specified in the client routing table. When you enable this setting, the system does not support integrated IP filtering. |
| Client Side Security > Prohibit routing table changes during Network Access connection | Enable/disable | This option closes the network access session if the client's IP routing table is modified during the session. The client, however, does permit routing table changes that do not affect the traffic routing decision. |
| Client Side Security > Integrated IP filtering engine | Enable/disable | Select this option to protect the resource from outside traffic (traffic generated by network devices on the client's LAN), and to ensure that the resource is not leaking traffic to the client's LAN. |
| Client Side Security > Allow access to local DHCP server | Enable/disable | This option appears when the Integrated IP filtering engine option is enabled. This option allows the client access to connect through the IP filtering engine, to use a DHCP server local to the client to renew the client DHCP lease locally. This option is not required or available when IP filtering is not enabled because clients can renew their leases locally. This option does not renew the DHCP lease for the IP address assigned from the network access lease pool; this applies only to the local client IP address. |
| Client Traffic Classifier | List selection | Specifies a client traffic classifier to use with this network access tunnel, for Windows clients. |
| Client Options > Client for Microsoft Networks | Enable/disable | Select this option to allow the client PC to access remote resources over a VPN connection. This option is enabled by default. This allows the VPN to work as a traditional VPN, so a user can access files and printers from the remote Microsoft network. |
| Client Options > File and printer sharing for Microsoft networks | Enable/disable | Select this option to allow remote hosts to access shared resources on the client computer over the network access connection. This allows the VPN to work in reverse, and a VPN user to share file shares and printers with remote LAN users and other VPN users. |
| Provide client certificate on Network Access connection when requested | Enable/disable | If client certificates are required to establish an SSL connection, this option must always be enabled. However, you can disable this option if the client certificates are only requested in an SSL connection. In this case, the client is configured not to send client certificates. |
| Reconnect to Domain > Synchronize with Active Directory policies on connection establishment | Enable/disable | When enabled, this option emulates the Windows logon process for a client on an Active Directory domain. Network policies are synchronized when the connection is established, or at logoff. The following items are synchronized: |
| Reconnect to Domain > Run logoff scripts on connection termination | Enable/disable | This option appears when Synchronize with Active Directory policies on connection establishment is enabled. Enable this option if you want the system to run logoff scripts, as configured on the Active Directory domain, when the connection is stopped. |
| Client Interface Speed | Integer, bits per second | Specifies the maximum speed of the client interface connection, in bits per second. |
| Display connection tray icon | Enable/disable | When enabled, balloon notifications for the network access tray icon (for example, when a connection is made) are displayed. Disable this option to prevent balloon notifications. |
| Client Power Management | Ignore, Prevent, or Terminate | Specifies how network access handles client power management settings, for example, when the user puts the system in standby or closes the lid on a laptop. |
| DTLS | Enable/disable | When enabled, specifies that the network access connection uses Datagram Transport Level Security (DTLS). DTLS uses UDP instead of TCP to provide better throughput for high-demand applications like VoIP or streaming video, especially with lossy connections. |
| DTLS Port | Port number | Specifies the port number that the network access resource uses for secure UDP traffic with DTLS. The default is 4433. |
| Client Proxy Settings | Enable/disable | Enables several additional settings that specify client proxy connections for this network resource. Client proxy settings apply to the proxy behind the Access Policy Manager and do not affect the VPN tunnel transport, or interact with the TLS or DTLS configuration. Use client proxy settings when intranet web servers are not directly accessible from the Access Policy Manager internal subnet. Client proxy settings apply only to HTTP, HTTPS, and FTP connections. SOCKS connections can also be proxied, with a custom PAC file. |
| Use Local Proxy Settings | Enable/disable | Select this option to continue to use the proxy settings, as configured on the client, after establishing a network access connection. |
| Client Proxy Uses HTTP for Proxy Autoconfig Script | Enable/disable | Some applications, like Citrix MetaFrame, cannot use the client proxy autoconfig script when the browser attempts to use the file:// prefix to locate it. Select this option to specify that the browser uses http:// to locate the proxy autoconfig file, instead of file://. |
| Client Proxy Autoconfig Script | URL | The URL for a proxy auto-configuration script, if one is used with this connection. |
| Client Proxy Address | IP address | The IP address for the client proxy server that network access clients use to connect to the Internet. |
| Client Proxy Port | Port number | The port number of the proxy server that network access clients use to connect to the Internet. |
| Bypass Proxy For Local Addresses | Enable/disable | Select this option if you want to allow local intranet addresses to bypass the proxy server. |
| Client Proxy Exclusion List | IP addresses, domain names, with wildcards | Specifies the web addresses that do not need to be accessed through your proxy server. You can use wildcards to match domain and host names, or addresses. For example, www.*.com, 128.*, 240.8, 8., mygroup.*, *.*. |