Applies To:Show Versions
- 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
What is network access?
The BIG-IP Access Policy Manager network access feature provides secure access to corporate applications and data using a standard web browser, or the BIG-IP Edge Client. Using network access, employees, partners, and customers can have access to corporate resources securely, from any location.
The network access feature provides users with the functionality of a traditional IPsec VPN client. Unlike IPsec, however, network access does not require any pre-installed software or configuration on the remote user's computer. It is also more robust than IPsec VPN against router and firewall incompatibilities.
Network access features
Network access provides connections with the following features.
- Full access from any client
- Provides Windows, Macintosh, Linux, and Windows Mobile users with access to the complete set of IP-based applications, network resources, and intranet files available, as if they were physically working on the office network.
- Split tunneling of traffic
- Provides control over exactly what traffic is sent over the network access connection to the internal network, and what is not. This feature provides better client application performance by allowing connections to the public Internet to go directly to their destinations, rather than being routed over the tunnel and then out to the public Internet.
- Client checking
- Detects operating system and browser versions, antivirus and firewall software, registry settings, and processes, and checks files during the login process to insure that the client configuration meets the organization's security policy for remote access.
- Compression of transferred data
- Compresses traffic with GZIP before it is encrypted, reducing the number of bytes transferred between the Access Policy Manager and the client system and improving performance.
- Routing table monitoring
- Monitors changes made in the client's IP routing table during a network access connection. You can configure this feature to stop the connection if the routing table changes, helping prevent possible information leaks. This feature applies to Windows clients only.
- Session inactivity detection
- Closes network access connections after a period below an inactivity threshold that you can configure. This feature helps prevent security breaches.
- Automatic application start
- Starts a client application automatically after establishing the network access connection. This feature simplifies user access to specific applications or sites.
- Automatic drive mapping
- Connects the user to a specific drive on the intranet. This feature simplifies user access
to files. Note: This feature is available only for Windows clients.
- Connection-based ACLs
- Filters network traffic by controlling whether packets are allowed, discarded, or rejected, based on specific criteria. For example, connections can be filtered by Layer 4 properties like source and destination IP address and port, protocol (TCP or UDP), and Layer 7 properties like scheme, host name, and paths. ACLs also support auditing capabilities with logging. ACLs allow groups of users or access policy users to have access to full client-server application support without opening up the entire network to each user.
- Dynamic IP address assignment
- Assigns client endpoint IP addresses dynamically from a configured pool of addresses. IP addresses can also be assigned with an external AAA server attribute.
- Traffic classification, prioritization, and marking
- Provides the ability to classify and prioritize traffic to ensure levels of service to users with defined characteristics.
About network access traffic
Network access implements a point-to-point network connection over SSL, which provides a secure solution that works well with firewalls and proxy servers.
Network access settings specify IP address pools, which the Access Policy Manager then uses to assign IP addresses to a client computer's virtual network adapter. When an end user opens the address of the Access Policy Manager in a web browser, the browser starts an SSL connection to the Access Policy Manager. The user can then log in to the Access Policy Manager.
Network access configuration elements
A network access configuration requires:
- A network access resource
- An access profile, with an access policy that assigns:
- A network access resource
- A network access or full webtop
- A lease pool that provides internal network addresses for tunnel clients
- A connectivity profile
- A virtual server that assigns the access profile
Network access elements are summarized in the following diagram.