Applies To:
Show VersionsBIG-IP APM
- 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
Configuring Network Access Resources
Creating a network access resource
Configuring properties for a network access resource
Network access resource properties
Use these general properties to update settings for the network access resource.
Property setting | Value | Description |
---|---|---|
Name | A text string. Avoid using global reserved words in the name, such as all, delete, disable, enable, help, list, none, or show. | Name for the network access resource. |
Partition | Typically, Common. | Partition under which the network access resource is created. You cannot change this value. |
Description | Text. | Text description of the network access resource. |
Auto launch | Enable or Disable. | The network access resource starts automatically when the user reaches the
full webtop, if this option is enabled.
Note: When assigning network access
resources to a full webtop, only one network access resource can have auto
launch enabled.
|
Configuring network settings for a network access resource
Proxy ARP considerations
To configure proxy ARP, you must be aware of the following conditions.
- Proxy ARP is not compatible with SNAT pools. You must disable SNAT Automap or a specific SNAT pool to use proxy ARP.
- If you enable split tunneling, you must configure an entry for the server LAN segment in the LAN Address Space setting. You must also configure the LAN address spaces for any clients that will send traffic to each other.
- In a high availability configuration, both BIG-IP® systems must have interfaces on the same server LAN segment.
- IP addresses that you reserve for tunnel clients cannot be used for self IPs, NATs, SNATs, or wildcard (port-0) virtual servers.
About GARP packets from APM
When Proxy ARP is enabled for a Network Access resource, Access Policy Manager® (APM®) generates gratuitous ARP (GARP) when a new VPN tunnel connection is established and at the time of tunnel reconnect. During either of these events, APM sends five gratuitous ARPs (GARPs) at one-second intervals. If multiple clients are connecting or reconnecting, the number of GARP packets increases.
For information about controlling the amount of GARP that APM sends, refer to SOL11985: Overview of the arp.gratuitousrate and arp.gratuitousburst database variables on the AskF5™ web site at http://support.f5.com/.
Network settings for a network access resource
Network settings specify tunnel settings, session settings, and client settings.
Setting | Value | Description |
---|---|---|
Network Tunnel | Enable | When you enable a network tunnel, you configure the network access tunnel to provide network access. Clear the Enable option to hide all network settings and to disable the tunnel. |
Supported IP Version | IPV4 or IPV4&IPV6 | Sets the Network Access tunnel to support either an IPv4 lease pool, or
both IPv4 and IPv6 lease pools.
Important: Network access with IPv6
alone is not supported. An IPv6 tunnel requires a simultaneous IPv4 tunnel,
which is automatically established when you assign IPv4 and IPv6 lease
pools, and set the version to
IPv4&IPv6.
|
General Settings | Basic/Advanced | Select Advanced to show settings for Proxy ARP, SNAT Pool, and Session Update. |
IPv4 Lease Pool | List selection of existing IPv4 lease pools | Assigns internal IP addresses to remote network access clients, using configured lease pools. Select a lease pool from the drop-down list. To create a lease pool within this screen, click the + sign next to Lease Pool. |
IPv6 Lease Pool | List selection of existing IPv6 lease pools | Assigns internal IP addresses to remote network access clients, using configured lease pools. Select a lease pool from the drop-down list. To create a lease pool within this screen, click the + sign next to Lease Pool. |
Compression | No Compression/GZIP Compression | Select GZIP Compression to compress all traffic between the Network Access client and the Access Policy Manager®, using the GZIP deflate method. |
Proxy ARP | Enable | Proxy ARP allows remote clients to use IP addresses from the LAN IP subnet, and no configuration changes are required on other devices such as routers, hosts, or firewalls. IP address ranges on the LAN subnet are configured in a lease pool and assigned to network access tunnel clients. When this setting is enabled, a host on the LAN that sends an ARP query for a client address gets a response from Access Policy Manager with its own MAC address. Traffic is sent to the Access Policy Manager and forwarded to clients over network access tunnels. |
SNAT Pool | List selection of None, Auto Map, or SNAT pool name | Specifies the name of a SNAT pool used for implementing selective and
intelligent SNATs. The default is Auto Map. If you have
defined a SNAT on the system, that SNAT is available as an option on this list.
The following two options are always available.
Note: To support CIFS/SMB and VoIP protocols, select
None and configure routable IP addresses in the
lease pool
|
Session Update Threshold | Integer (bytes per second) | Defines the average byte rate that either ingress or egress tunnel traffic must exceed, in order for the tunnel to update a session. If the average byte rate falls below the specified threshold, the system applies the inactivity timeout, which is defined in the Access Profile, to the session. |
Session Update Window | Integer (seconds) | Defines the time value in seconds that the system uses to calculate the EMA (Exponential Moving Average) byte rate of ingress and egress tunnel traffic. |
Client Settings | Basic/Advanced | Select Advanced to configure client proxy, DTLS, domain reconnect settings, and client certificate options. |
Force all traffic through tunnel | Enable/disable | Specifies that all traffic (including traffic to or from the local subnet) is forced over the VPN tunnel. |
Use split tunneling for traffic | Enable/disable | Specifies that only the traffic targeted to a specified address space is sent over the network access tunnel. With split tunneling, all other traffic bypasses the tunnel. By default, split tunneling is not enabled. When split tunneling is enabled, all traffic passing over the network access connection uses this setting. |
IPV4 LAN Address Space | IPv4 IP address, IP address and network mask | Provides a list of addresses or address/mask pairs describing the target LAN. When using split tunneling, only the traffic to these addresses and network segments goes through the tunnel configured for Network Access. You can add multiple address spaces to the list, one at a time. For each address space, type the IP address and the network mask and click Add. |
IPV6 LAN Address Space | IPv6 IP address, IP address and network mask | Provides a list of IPv6 addresses or address/mask pairs describing the target LAN. When using split tunneling, only the traffic to these addresses and network segments goes through the tunnel configured for Network Access. You can add multiple address spaces to the list, one at a time. For each address space, type the IP address and the network mask and click Add. This list appears only when you select IPV4&IPV6 in the Supported IP Version setting. |
DNS Address Space | domain names, with or without wildcards | Provides a list of domain names describing the target LAN DNS addresses. This field only appears if you use split tunneling. You can add multiple address spaces to the list, one at a time. For each address space, type the domain name, in the form site.siterequest.com or *.siterequest.com, and click Add. |
Exclude Address Space | IP address/network mask pairs | Specifies address spaces whose traffic is not forced through the tunnel. For each address space that you want to exclude, type the IP address and the network mask and click Add. |
Allow Local Subnet | Enable/disable | Select this option to enable local subnet access and local access to any host or subnet in routes that you have specified in the client routing table. When you enable this setting, the system does not support integrated IP filtering. |
Client Side Security > Prohibit routing table changes during Network Access connection | Enable/disable | This option closes the network access session if the client's IP routing table is modified during the session. |
Client Side Security > Integrated IP filtering engine | Enable/disable | Select this option to protect the resource from outside traffic (traffic generated by network devices on the client's LAN), and to ensure that the resource is not leaking traffic to the client's LAN. |
Client Side Security > Allow access to local DHCP server | Enable/disable | This option appears when the Integrated IP filtering
engine option is enabled. This option allows the client access
to connect through the IP filtering engine, to use a DHCP server local to the
client to renew the client DHCP lease locally. This option is not required or
available when IP filtering is not enabled, because clients can renew their
leases locally.
Important: This option does not renew the DHCP lease
for the IP address assigned from the network access lease pool; this applies
only to the local client IP address.
|
Client Traffic Classifier | List selection | Specifies a client traffic classifier to use with this network access tunnel, for Windows clients. |
Client Options > Client for Microsoft Networks | Enable/disable | Select this option to allow the client PC to access remote resources over a VPN connection. This option is enabled by default. This allows the VPN to work like a traditional VPN, so a user can access files and printers from the remote Microsoft network. |
Client Options > File and printer sharing for Microsoft networks | Enable/disable | Select this option to allow remote hosts to access shared resources on the client computer over the network access connection. This allows the VPN to work in reverse, and a VPN user to share file shares and printers with remote LAN users and other VPN users. |
Provide client certificate on Network Access connection when requested | Enable/disable | If client certificates are required to establish an SSL connection, this option must always be enabled. However, you can disable this option if the client certificates are only requested in an SSL connection. In this case, the client is configured not to send client certificates. |
Reconnect to Domain > Synchronize with Active Directory policies on connection establishment | Enable/disable | When enabled, this option emulates the Windows logon process for a client
on an Active Directory domain. Network policies are synchronized when the
connection is established, or at logoff. The following items are synchronized:
|
Reconnect to Domain > Run logoff scripts on connection termination | Enable/disable | This option appears when Synchronize with Active Directory policies on connection establishment is enabled. Enable this option if you want the system to run logoff scripts, as configured on the Active Directory domain, when the connection is stopped. |
Client Interface Speed | Integer, bits per second | Specifies the maximum speed of the client interface connection, in bits per second. |
Display connection tray icon | Enable/disable | When enabled, balloon notifications for the network access tray icon (for example, when a connection is made) are displayed. Disable this option to prevent balloon notifications. |
Client Power Management | Ignore, Prevent, or Terminate | Specifies how network access handles client power management settings, for
example, when the user puts the system in standby, or closes the lid on a laptop.
|
DTLS | Enable/disable | Specifies, when enabled, that the network access connection uses Datagram Transport Level Security (DTLS). DTLS uses UDP instead of TCP, to provides better throughput for high-demand applications like VoIP or streaming video, especially with lossy connections. |
DTLS Port | Port number | Specifies the port number that the network access resource uses for secure UDP traffic with DTLS. The default is 4433. |
Client Proxy Settings | Enable/disable | Enables several additional settings that specify client proxy connections for this network resource. Client proxy settings apply to the proxy behind the Access Policy Manager and do not affect the VPN tunnel transport, or interact with the TLS or DTLS configuration. Use client proxy settings when intranet web servers are not directly accessible from the Access Policy Manager internal subnet. Client proxy settings apply only to HTTP, HTTPS, and FTP connections. SOCKS connections can also be proxied, with a custom PAC file. |
Client Proxy Uses HTTP for Proxy Autoconfig Script | Enable/disable | Some applications, like Citrix® MetaFrame, can not use the client proxy autoconfig script when the browser attempts to use the file:// prefix to locate it. Select this option to specify that the browser uses http:// to locate the proxy autoconfig file, instead of file://. |
Client Proxy Autoconfig Script | URL | The URL for a proxy auto-configuration script, if one is used with this connection. |
Client Proxy Address | IP address | The IP address for the client proxy server that network access clients use to connect to the Internet. |
Client Proxy Port | Port number | The port number of the proxy server that network access clients use to connect to the Internet. |
Bypass Proxy For Local Addresses | Enable/disable | Select this option if you want to allow local intranet addresses to bypass the proxy server. |
Client Proxy Exclusion List | IP addresses, domain names, with wildcards | Specifies the web addresses that do not need to be accessed through your proxy server. You can use wildcards to match domain and host names, or addresses. For example, www.*.com, 128.*, 240.8, 8., mygroup.*, *.*. |
Configuring DNS and hosts for a network access resource
Network access resource DNS and hosts settings
DNS and hosts settings specify lookup information for remote tunnel clients. This table describes and lists these settings and values.
Setting | Value | Description |
---|---|---|
Primary Name Server | IP address | Type the IP address of the DNS server that network access conveys to the remote access point. |
Secondary Name Server | IP address | Type a second IP address for the DNS server that network access conveys to the remote access point. |
Primary WINS Server | IP address | Type the IP address of the WINS server in order to communicate to the remote access point. This address is needed for Microsoft Networking to function properly. |
Secondary WINS Server | IP address | Type the IP address of the WINS server to be conveyed to the remote access point. This address is needed for Microsoft Networking to function properly. |
DNS Default Domain Suffix | domain suffix | Type a DNS suffix to send to the client. If this field is left blank, the
controller will send its own DNS suffix. For example,
siterequest.com.
Tip: You can specify
multiple default domain suffixes separated with commas.
|
Register this connection's addresses in DNS | check box | If your DNS server has dynamic update enabled, select this check box to register the address of this connection in the DNS server. This check box is cleared by default. |
Use this connection's DNS suffix in DNS registration | check box | If your DNS server has dynamic update enabled, select this check box to register the default domain suffix when you register the connection in the DNS server. This check box is cleared by default. |
Enforce DNS search order | check box | When this setting is enabled, Access Policy Manager® (APM®) continuously checks the DNS order on the network interface and sets the network access-supplied entries first in the list if they change during a session. To use your local DNS settings as primary and the network access-supplied DNS settings as secondary, clear this setting. This might be useful when split tunneling is in use and a client connects remotely. This check box is selected by default. |
Static Hosts | host name/IP address pairs | To add host and IP addresses manually to a connection-specific hosts file,
type the Host Name and the IP
Address for that host in the provided fields, and click
Add.
Note: APM supports static hosts for
BIG-IP®
Edge Client® for Windows and BIG-IP Edge Client for Mac
only.
|
Mapping drives for a network access resource
Network access resource drive mapping settings
The table lists the drive mapping settings for a network access resource.
Setting | Value | Description |
---|---|---|
Path | A network path, for example \\networkdrive\users | Specifies the path to the server network location. |
Drive | Drive letter, list selection | Specifies the drive used. Drive is set to D: by default. Drive mapping is supported for Windows-based clients only. |
Description | Text | An optional description of the drive mapping. |
Launching applications on a network access connection
Network access launch applications settings
Specify launch application settings to control how applications are launched when the network access connection starts.
Setting | Value | Description |
---|---|---|
Display warning before launching applications | Enable or disable | If you enable this setting, the system displays security warnings before starting applications from network access, regardless of whether the site is considered a Trusted site. If the check box is not selected, the system displays security warnings if the site is not in the Trusted Sites list. |
Application Path | An application path | Specifies the path to the application. You can type special application paths here:
|
Parameters | Text | Parameters that govern the application launch. |
Operating System | List selection | From the list, select whether the application launch configuration applies to Windows-based, Unix-based, Macintosh-based, or iOS clients. |
About APM ACLs
APM® access control lists (ACLs) restrict user access to host and port combinations that are specified in access control entries (ACEs). An ACE can apply to Layer 4 (the protocol layer), Layer 7 (the application layer), or both. A Layer 4 or Layer 7 ACL is used with network access, application access, or web access connections.
Configuring an ACL
Example ACE settings: reject all connections to a network
This example access control entry (ACE) rejects all connections to a specific network at 192.168.112.0/24.
Property | Value | Notes |
---|---|---|
Source IP Address | 0.0.0.0 | If you leave an IP address entry blank, the result is the same as typing the address 0.0.0.0 |
Source Mask | 0.0.0.0 | |
Source Ports | All Ports | |
Destination IP address | 192.168.112.0 | |
Destination Mask | 255.255.255.0 | |
Destination Ports | All Ports | |
Protocol | All Protocols | |
Action | Reject |
Example ACE settings: allow SSH to a specific host
This example access control entry (ACE) allows SSH connections to the internal host at 192.168.112.9.
Property | Value | Notes |
---|---|---|
Source IP Address | 0.0.0.0 | If you leave an IP address entry blank, the result is the same as typing the address 0.0.0.0 |
Source Mask | 0.0.0.0 | |
Source Ports | All Ports | |
Destination IP address | 192.168.112.9 | |
Destination Mask | 255.255.255.0 | |
Destination Ports | 22 (or select SSH) | |
Protocol | TCP | |
Action | Allow |
Example ACE settings: reject all connections to specific file types
This example access control entry (ACE) rejects all connections that attempt to open files with the extensions doc, exe, and txt.
Property | Value | Notes |
---|---|---|
Source IP Address | 0.0.0.0 | If you leave an IP address entry blank, the result is the same as typing the address 0.0.0.0 |
Source Mask | 0.0.0.0 | |
Source Ports | All Ports | |
Destination IP address | 0.0.0.0 | |
Destination Mask | 0.0.0.0 | |
Destination Ports | All Ports | |
Scheme | http | |
Paths | *.doc*.exe *.txt | |
Protocol | All Protocols | |
Action | Reject |