Manual Chapter: About Network Access

Applies To:

BIG-IP APM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2

What is network access?

The BIG-IP Access Policy Manager network access feature provides secure access to corporate applications and data using a standard web browser, or the BIG-IP Edge Client. Using network access, employees, partners, and customers can have access to corporate resources securely, from any location.

The network access feature provides users with the functionality of a traditional IPsec VPN client. Unlike IPsec, however, network access does not require any pre-installed software or configuration on the remote user's computer. It is also more robust than IPsec VPN against router and firewall incompatibilities.

Network access features

Network access provides connections with the following features.

Full access from any client
Provides Windows, Macintosh, Linux, and Windows Mobile users with access to the complete set of IP-based applications, network resources, and intranet files available, as if they were physically working on the office network.
Split tunneling of traffic
Provides control over exactly what traffic is sent over the network access connection to the internal network, and what is not. This feature provides better client application performance by allowing connections to the public Internet to go directly to their destinations, rather than being routed over the tunnel and then out to the public Internet.
Client checking
Detects operating system and browser versions, antivirus and firewall software, registry settings, and processes, and checks files during the login process to ensure that the client configuration meets the organization's security policy for remote access.
Compression of transferred data
Compresses traffic with GZIP before it is encrypted, reducing the number of bytes transferred between the Access Policy Manager and the client system and improving performance.
Routing table monitoring
Monitors changes made in the client's IP routing table during a network access connection. You can configure this feature to stop the connection if the routing table changes, helping prevent possible information leaks. This feature applies to Windows clients only.
Session inactivity detection
Closes network access connections after a period in which activity stays below an inactivity threshold that you can configure. This feature helps prevent security breaches.
Automatic application start
Starts a client application automatically after establishing the network access connection. This feature simplifies user access to specific applications or sites.
Automatic drive mapping
Connects the user to a specific drive on the intranet. This feature simplifies user access to files.
Note: This feature is available only for Windows clients.
Connection-based ACLs
Filters network traffic by controlling whether packets are allowed, discarded, or rejected, based on specific criteria. For example, connections can be filtered by Layer 4 properties like source and destination IP address and port, protocol (TCP or UDP), and Layer 7 properties like scheme, host name, and paths. ACLs also support auditing capabilities with logging. ACLs allow groups of users or access policy users to have access to full client-server application support without opening up the entire network to each user.
Dynamic IP address assignment
Assigns client endpoint IP addresses dynamically from a configured pool of addresses. IP addresses can also be assigned with an external AAA server attribute.
Traffic classification, prioritization, and marking
Provides the ability to classify and prioritize traffic to ensure levels of service to users with defined characteristics.
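
The connection-based ACL entry above describes three actions (allow, discard, reject), Layer 4 and Layer 7 match criteria, and logging. The following is an added illustration of how such an ordered list can give one user group narrow access; it is not F5 code or BIG-IP configuration syntax. The first-match ordering, the discard-when-nothing-matches default, the group, and all addresses and host names are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

@dataclass
class AclEntry:
    action: str                    # "allow", "discard" or "reject"
    dst: str = "0.0.0.0/0"         # Layer 4: destination network
    src: str = "0.0.0.0/0"         # Layer 4: source network
    port: Optional[int] = None     # Layer 4: destination port (None = any)
    proto: Optional[str] = None    # Layer 4: "tcp" or "udp" (None = any)
    scheme: Optional[str] = None   # Layer 7: URL scheme
    host: Optional[str] = None     # Layer 7: host name pattern
    path: Optional[str] = None     # Layer 7: path pattern
    log: bool = False              # write an audit record on match

    def matches(self, conn: dict) -> bool:
        if ipaddress.ip_address(conn["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(conn["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.port not in (None, conn["port"]) or self.proto not in (None, conn["proto"]):
            return False
        # A Layer 7 criterion never matches a connection that lacks that property.
        for field in ("scheme", "host", "path"):
            want = getattr(self, field)
            if want is not None and not fnmatchcase(conn.get(field) or "", want):
                return False
        return True

def evaluate(acl, conn, audit):
    """Assumed semantics: first matching entry wins; no match means discard."""
    for index, entry in enumerate(acl):
        if entry.matches(conn):
            if entry.log:
                audit.append((index, entry.action, conn["dst"], conn["port"]))
            return entry.action
    return "discard"

# Constructed ACL for a hypothetical contractor group (addresses and names invented).
CONTRACTOR_ACL = [
    AclEntry("reject", dst="10.20.0.15/32", port=443, proto="tcp", scheme="https",
             host="wiki.example.internal", path="/admin/*", log=True),
    AclEntry("allow", dst="10.20.0.15/32", port=443, proto="tcp", scheme="https",
             host="wiki.example.internal"),
    AclEntry("allow", dst="10.20.5.0/24", port=22, proto="tcp"),
    AclEntry("discard", dst="10.0.0.0/8", log=True),   # rest of the intranet
]
```

Because the Layer 7 entries require a scheme, host and path, a raw TCP connection to the same address and port falls through to the final logged discard rather than matching the allow entry.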

About network access traffic

Network access implements a point-to-point network connection over SSL, which provides a secure solution that works well with firewalls and proxy servers.

Network access settings specify IP address pools, which the Access Policy Manager then uses to assign IP addresses to a client computer's virtual network adapter. When an end user opens the address of the Access Policy Manager in a web browser, the browser starts an SSL connection to the Access Policy Manager. The user can then log in to the Access Policy Manager.

Network access connection diagram

The process flow of a network access connection is depicted in this diagram.

Network access flow

Network access configuration elements

A network access configuration requires:

  • A network access resource
  • An access profile, with an access policy that assigns:
    • A network access resource
    • A network access or full webtop
  • A lease pool that provides internal network addresses for tunnel clients
  • A connectivity profile
  • A virtual server that assigns the access profile

Network access elements are summarized in the following diagram.

Network access elements