Manual Chapter : Configuring App Tunnel Access

Applies To:

BIG-IQ Centralized Management

  • 5.4.0

What are app tunnels?

An app tunnel (application tunnel) provides secure, application-level TCP/IP connections from the client to the network. App tunnels are particularly useful for users with limited privileges who attempt to access particular web applications, because app tunnels do not require the user to have administrative privileges to install them.

Additionally, optimization is available for app tunnels. With compression settings for app tunnels, you can specify the available compression codecs for client-to-server connections. The server compares the available compression types configured with the available compression types on the server, and chooses the most effective mutual compression setting. You configure compression for the server in the connectivity profile.

Note: Because app tunnels do not require administrative rights, some features of Network Access and Optimized Application tunnels are not available with app tunnels. For example, the application tunnel cannot easily resolve domain names in applications without a client-side DNS redirector, or modification of the system hosts file.
Important: For tunnels that access backend servers by using DNS resolution, use Optimized Application Tunnels in the Network Access menus instead. Optimized Applications require administrative rights on the local system.

Configuring an app tunnel object

When you create an app tunnel object, that object becomes a simple container that holds app tunnel resources. Once you specify those resources from within the app tunnel resource, you can then assign the resource to an access policy.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  3. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  4. Expand Connectivity / VPN and click App Tunnels.
  5. Click Create.
    The New App Tunnel screen opens.
  6. Type a name and description for your app tunnel.
  7. Although an ACL is automatically created for your application object, you can choose where that ACL is placed in the ACL list. Use the ACL Order list to select the placement you want.
  8. Under Default Customization Settings, type a Caption for the app tunnel.
    This caption identifies the app tunnel and enables it to appear on a full webtop.
  9. To save your changes, click the Save & Close button at the bottom of the screen.
You have just created an app tunnel object.

Resource Item properties

The application resource item specifies how to create a particular tunnel. The application field serves as a hint to the BIG-IQ system for special handling of specific protocols. Compression settings specify which compression codecs the tunnels can use, while the Launch Applications section allows you to define an application that will run after you establish the resource tunnel.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  3. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  4. Expand Connectivity / VPN and click App Tunnels.
  5. From the App Tunnels list, select an existing app tunnel.
  6. On the left side of the new screen, select Resource Items.
  7. Click Add.
    The New Resource Item screen opens.
  8. In the Description field, type a description of the application access resource.
  9. For the Destination setting, specify whether the application destination Type is a host or an IP address.
    You cannot use the fully qualified domain name to connect to an application resource that is configured with an IP address destination type.
    If you specify a hostname, make sure that it is DNS-resolvable. After the application tunnel is assigned to a full webtop in an access policy, the application tunnel does not appear on the full webtop if the hostname is not DNS-resolvable.
  10. Specify your port or port range for the application.
  11. From the Application Protocol list, select the application protocol.
    The options are:
    • None - Specifies that the app tunnel resource uses neither the RPC nor the FTP protocol.
    • Microsoft RPC - Specifies that the resource uses the Microsoft® RPC protocol.
    • Microsoft Exchange RPC Server - Specifies that the resource uses the Microsoft Exchange RPC Server protocol.
    • FTP - Specifies that the resource uses the FTP protocol.
  12. From the Log list, select Packet to log activity to the packet log, or None to disable logging for the app tunnel.
  13. From the Operating System list, select the platform on which a Java-based resource runs.
    The resource runs only on the platform that you select. This setting is applicable when Java Tunnel is enabled on the application tunnel.
  14. From the Compression list, select Enabled to display compression types and enable or disable them.
  15. From the Deflate list, select Enabled to enable Deflate compression. Deflate compression uses the least CPU resources, but compresses the least effectively.
  16. From the LZO list, select Enabled to enable LZO compression. LZO compression offers a balance between CPU resources and compression ratio, compressing more than Deflate, but with fewer CPU resources than Bzip2.
  17. From the Bzip2 list, select Enabled to enable Bzip2 compression. Bzip2 compression uses the most CPU resources, but compresses the most effectively.
  18. From the Adaptive list, select Enabled to enable adaptive compression. Adaptive compression automatically selects the compression type based on network and traffic characteristics.
  19. For the Application Path setting, optionally specify a path for an application to start after the application access tunnel is established.
  20. For the Parameters setting, specify any parameters associated with the application that starts with the Application Path. The parameters you can add are:
    • %host% - This is substituted with the loopback host address, for example http://%host%/application/.
    • %port% - The loopback port. Use this if the original local port has changed due to conflicts with other software.
  21. To save your changes, click the Save & Close button at the bottom of the screen.
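
The Parameters step above describes the %host% and %port% tokens. The following added example (not part of the original manual and not F5's implementation) sketches how a client could bind the loopback end of a tunnel, fall back to another port on conflict, and substitute both tokens into an argument list without using a shell. The names bind_loopback, expand_parameters and launch_argv, the 127.0.0.1 address and the application path are assumptions made for illustration.

```python
import shlex
import socket

LOOPBACK = "127.0.0.1"  # assumed loopback host address for the local tunnel end


def bind_loopback(preferred_port):
    """Listen on the preferred local port, or on an OS-chosen one on conflict."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((LOOPBACK, preferred_port))
    except OSError:
        # Port in use by other software (or not permitted): pick a free one.
        sock.close()
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.bind((LOOPBACK, 0))
    sock.listen(1)
    return sock, sock.getsockname()[1]


def expand_parameters(parameters, host, port):
    """Split the Parameters string first, then substitute %host% and %port%.

    Substituting per argument means a value can never add or merge
    arguments, and the result is an argv list that needs no shell.
    """
    values = {"%host%": host, "%port%": str(port)}
    args = []
    for arg in shlex.split(parameters):
        for token, value in values.items():
            arg = arg.replace(token, value)
        args.append(arg)
    return args


def launch_argv(application_path, parameters, preferred_port):
    """Return the listening socket and the argv to hand to subprocess.Popen."""
    sock, port = bind_loopback(preferred_port)
    return sock, [application_path] + expand_parameters(parameters, LOOPBACK, port)


if __name__ == "__main__":
    # Constructed sample: another program already holds the original port.
    blocker, taken = bind_loopback(0)
    sock, argv = launch_argv("/opt/example/client",  # hypothetical path
                             "--url http://%host%:%port%/application/", taken)
    print("original port", taken, "-> tunnel port", sock.getsockname()[1])
    print(argv)
```

Because the launched application receives the port that was actually bound, a Parameters value that hard-codes the original port instead of %port% would point the application at whatever other software holds that port.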