Archived Manual Chapter: Configuring Network Access
This article has been archived, and is no longer maintained.

The BIG-IP® Secure Access Manager network access feature provides secure access to corporate applications and data using a standard web browser. Using network access, employees, partners, and customers can reach corporate resources securely from any location.
The Secure Access Manager's network access feature gives users the functionality of a traditional IPsec VPN client. Unlike IPsec, however, network access does not require any pre-installed software or configuration on the remote user's computer, and because it runs over SSL it is far less affected by router and firewall incompatibilities.
Users connected through network access have equivalent functionality to those users directly connected to the LAN. You can use access policies to control access to network access. For information about access policies, see Chapter 5, Creating Access Profiles and Access Policies.
Full access from any client
Provides Windows®, Macintosh®, and Linux® users with access to the complete set of IP-based applications, network resources, and intranet files available, as if they were working at their desktop in the office.
Split tunneling of traffic
Provides control over exactly what traffic is sent over the network access connection to the internal network and which is not. This feature provides better client application performance by allowing connections to the public Internet to go directly to the destination, rather than being routed down the tunnel and then out to the public Internet.
Client checking
Detects operating system and browser versions, antivirus and firewall software, registry settings, and running processes, and checks files during logon to ensure that the client configuration meets the organization's security policy for remote access.
Note that client checks are available only for Windows clients.
Compression of transferred data
Utilizes GZIP compression to compress traffic before it is encrypted, reducing the number of bytes transferred between the Secure Access Manager and the client system, improving performance.
Routing table monitoring
Monitors changes made in the client's IP routing table during a network access connection. You can configure this feature to halt the connection if the routing table changes, helping prevent possible information leaks.
Session inactivity detection
Closes network access connections after a period of inactivity that you can configure. This feature helps prevent security breaches.
Automatic applications start
Starts a client application automatically after establishing the network access connection. This feature simplifies user access to specific applications or sites.
Automatic drive mapping
Connects the user to a specific drive on the intranet. This feature simplifies user access to files.
Note that automatic drive mapping is available only for Windows clients.
Connection-based ACLs
Access control lists filter network traffic by allowing, discarding, or rejecting packets based on the criteria you specify. For example, connections can be filtered by source IP address and port, destination IP address and port, and Layer 4 protocol (TCP or UDP). ACLs also support auditing through logging. With ACLs, groups of users or access policy users can have full client-server application support without the entire network being opened to each user.
Dynamic IP address assignment
Assigns IP addresses dynamically from a configured pool of addresses. IP addresses can also be assigned with an external AAA server attribute.
The Secure Access Manager's network access feature implements a point-to-point network connection over SSL. Because it uses the standard HTTPS protocol, it works well with firewalls and proxy servers, and it gives remote users access to all applications and network resources.
Network access settings specify the IP address pools from which the Secure Access Manager assigns an IP address to the client computer's point-to-point protocol (PPP) adapter. When the end user opens the address of the Secure Access Manager in a web browser, the browser opens an SSL connection to the Secure Access Manager, and the user can then log on. You can see a visual representation of how network access works in Figure 3.1, following.
On the Main tab of the navigation pane, expand Secure Connectivity, and click Network Access.
The Network Access Resource List screen opens.
Click Create.
The New Resource screen opens.
In the Name box, type a name for the network access resource.
See Understanding general settings for more information.
See Understanding client settings for more information.
Click Finished to save the network access resource.
The Network Access configuration screen opens, and you can configure the properties for the network access resource.
On the Main tab of the navigation pane, expand Secure Connectivity, and click Network Access.
The Network Access Resource List screen opens.
Click a network access resource on the Resource List.
The Network Access editing screen opens. This screen also opens immediately after you create a new network access resource.
You can use options on the Properties tab to configure the favorite name, split tunneling operation, proxy settings for the client, and IP address assignment. The Client Settings screen presents the client-side options described under Understanding client settings.
Contains the name the end user sees in the Network Connections control panel in Windows.
A description of the network access connection. This is informational only.
General settings are settings that configure the network access connection on the server side, and are not specific to each client.
Basic view hides the SNAT Pool and Timeout settings. Select Advanced to display these options for configuration.
Lease Pool
Lease pools allow you to specify a collection of IP addresses as a single object and associate that object with a network access resource. A network access connection is then automatically assigned an unallocated IP address from the pool to use as the client IP address. Select a lease pool here to assign a lease pool to the network access resource. Click the plus sign (+) to create a new lease pool.
You use access control lists (ACLs) to restrict user access to specified host and port combinations. In BIG-IP Secure Access Manager, access control lists are resources that you can attach to network access resources, or that you can allocate dynamically in an access policy with the resource assign action. Select an ACL here to assign the ACL to the network access resource. Click the plus sign (+) to create a new ACL.
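The following Python script is an added example written for this page; it is not F5 code and does not reproduce the Secure Access Manager's ACL syntax. It models the behaviour described under Connection-based ACLs in the feature list and under the ACL setting above: entries that match on source and destination address/mask, port ranges and Layer 4 protocol, with allow, discard (silent drop) and reject (drop and notify the sender) actions and per-entry audit logging. The top-to-bottom, first-match evaluation and the default action for flows that match no entry are assumptions made here, and all addresses are constructed.

```python
"""Connection-based ACL evaluation (added example, not F5 code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

ACTIONS = ("allow", "discard", "reject")


@dataclass(frozen=True)
class Flow:
    protocol: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class AclEntry:
    action: str
    protocol: str = "any"                    # "tcp", "udp" or "any"
    src: str = "0.0.0.0/0"                   # source address/mask
    src_ports: Tuple[int, int] = (0, 65535)
    dst: str = "0.0.0.0/0"                   # destination address/mask
    dst_ports: Tuple[int, int] = (0, 65535)
    log: bool = False                        # emit an audit line on match

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")
        for lo, hi in (self.src_ports, self.dst_ports):
            if not 0 <= lo <= hi <= 65535:
                raise ValueError(f"bad port range {(lo, hi)}")

    def matches(self, flow: Flow) -> bool:
        return (
            self.protocol in ("any", flow.protocol)
            and ip_address(flow.src) in ip_network(self.src)
            and ip_address(flow.dst) in ip_network(self.dst)
            and self.src_ports[0] <= flow.sport <= self.src_ports[1]
            and self.dst_ports[0] <= flow.dport <= self.dst_ports[1]
        )


class Acl:
    # Assumption: first matching entry wins; unmatched flows get `default`.
    def __init__(self, entries: List[AclEntry], default: str = "discard"):
        if default not in ACTIONS:
            raise ValueError(f"unknown default action {default!r}")
        self.entries = list(entries)
        self.default = default

    def evaluate(self, flow: Flow):
        """Return (action, index of matched entry or None, audit line or None)."""
        for i, entry in enumerate(self.entries):
            if entry.matches(flow):
                line = None
                if entry.log:
                    line = (f"acl entry {i} {entry.action} {flow.protocol} "
                            f"{flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}")
                return entry.action, i, line
        return self.default, None, None


# Constructed policy: remote users may reach the internal web tier on 443/tcp
# and the internal resolver on 53/udp; SSH to the web tier is rejected and
# logged; everything else is silently discarded by the default action.
WEB_ACL = Acl([
    AclEntry("allow", "tcp", dst="10.10.0.0/16", dst_ports=(443, 443), log=True),
    AclEntry("allow", "udp", dst="10.10.0.53/32", dst_ports=(53, 53)),
    AclEntry("reject", "tcp", dst="10.10.0.0/16", dst_ports=(22, 22), log=True),
])

if __name__ == "__main__":
    for f in (Flow("tcp", "10.20.0.5", 51000, "10.10.1.9", 443),
              Flow("tcp", "10.20.0.5", 51001, "10.10.1.9", 22),
              Flow("tcp", "10.20.0.5", 51002, "10.10.1.9", 3389),
              Flow("udp", "10.20.0.5", 51003, "10.10.0.53", 53)):
        print(WEB_ACL.evaluate(f))
```

A practitioner reviewing an ACL set should run the intended-to-be-blocked flows (here RDP on 3389) through the same evaluator as the allowed ones, because a permissive entry placed above a restrictive one silently wins under first-match semantics.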
This setting compresses all VPN traffic between the network access client and the Secure Access Manager. Select GZIP Compression to compress traffic between the client and the Secure Access Manager. The default is No Compression.
SNAT Pool
Select whether the Secure Access Manager translates the source address of tunneled traffic with SNAT automapping. SNAT automapping is enabled by default. With SNAT automapping enabled, active FTP connections fail, so clients can use only passive FTP.
If you select None, make sure that your back-end servers are configured to route responses for the lease pool addresses back to the Secure Access Manager. If you must use active FTP, set the SNAT Pool option to None.
For more information on SNAT Automapping, see the Configuration Guide for BIG-IP® Local Traffic Management.
Timeout Threshold
Displays the timeout threshold. The timeout threshold defines, in bytes per second, the minimum traffic rate that counts as session activity. If the traffic rate, averaged over the timeout window, falls below the threshold, the session is considered inactive and is ended according to the inactivity timeout settings defined in the access profile.
Timeout Window
Displays, in seconds, the period over which the bitrate is to be averaged. The timeout window is used with the timeout threshold to define when the session times out. Network access continues the session as long as the bitrate, averaged over the timeout window specified, exceeds the timeout threshold specified.
Important: If you set the timeout threshold to zero, session timeouts are not applied.
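The following Python script is an added example written for this page, not F5 code. It implements the inactivity rule that the Timeout Threshold and Timeout Window settings describe: traffic is averaged over a sliding window of the configured length, the session counts as active only while that average exceeds the threshold in bytes per second, and a threshold of zero disables the timeout. The page does not say how the product samples traffic, so the sliding window of (timestamp, byte count) records and the constructed trace are assumptions made here.

```python
"""Session inactivity detection from threshold and window (added example)."""
from collections import deque


class InactivityMonitor:
    def __init__(self, threshold_bytes_per_sec: float, window_sec: float):
        if window_sec <= 0:
            raise ValueError("timeout window must be positive")
        if threshold_bytes_per_sec < 0:
            raise ValueError("timeout threshold cannot be negative")
        self.threshold = threshold_bytes_per_sec
        self.window = window_sec
        self._samples = deque()  # (timestamp, bytes) in arrival order

    def record(self, now: float, nbytes: int) -> None:
        """Account for nbytes of tunnel traffic observed at time now."""
        self._samples.append((now, nbytes))
        self._expire(now)

    def _expire(self, now: float) -> None:
        # Drop records that have fallen out of the averaging window.
        while self._samples and self._samples[0][0] <= now - self.window:
            self._samples.popleft()

    def average_rate(self, now: float) -> float:
        """Bytes per second averaged over the last window_sec seconds."""
        self._expire(now)
        return sum(b for _, b in self._samples) / self.window

    def is_active(self, now: float) -> bool:
        """True while the session should be kept alive; False once the
        access profile's inactivity timeout should start counting."""
        if self.threshold == 0:
            return True  # the manual's caveat: a zero threshold never times out
        return self.average_rate(now) > self.threshold


def simulate(events, threshold, window, poll_times):
    """Replay constructed (time, bytes) events, in ascending time order, and
    report whether the session is active at each poll time."""
    mon = InactivityMonitor(threshold, window)
    pending = list(events)
    result = {}
    for t in poll_times:
        while pending and pending[0][0] <= t:
            mon.record(*pending.pop(0))
        result[t] = mon.is_active(t)
    return result


if __name__ == "__main__":
    # Constructed trace: 2000 bytes every second for 11 seconds, then silence.
    trace = [(t, 2000) for t in range(11)]
    print(simulate(trace, threshold=100, window=30, poll_times=[10, 35, 39, 45]))
    # -> {10: True, 35: True, 39: False, 45: False}
```

Note the asymmetry a practitioner should expect: with a 30-second window, a client that stops sending is still reported active for most of the following window because the earlier bytes are still being averaged in, so the effective idle time before the access profile's inactivity timeout even starts is roughly the window length.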
Basic view shows only Traffic Options (split tunneling), Client Side Security, and Client Options. By default, the option Force all traffic through tunnel is checked. Basic view also shows LAN Address Space, DNS Address Space, and Exclude Address Space if you select Use split tunneling for traffic.
Use split tunneling for traffic
Directs through the network access tunnel only the traffic destined for the LAN, specifically the addresses specified in the LAN address space box; the Secure Access Manager directs all other traffic out of the client's local network connection. A tunnel is a secure connection between computers or networks over a public network. You can configure the LAN address space, the DNS address space, and the Exclude address space, following, when you enable this option.
LAN address space
Provides a list of addresses or address/mask pairs describing the target LAN. When you use split tunneling, only the traffic to these addresses and network segments goes through the tunnel configured for network access. You can add multiple address spaces and network masks to the list in their respective boxes, one at a time.
DNS address space
Provides a list of names describing the target LAN DNS addresses. This box appears only if you use split tunneling.
You can add multiple address spaces to the list, one at a time.
Exclude address space
Allows you to specify address spaces that will not be forced through the tunnel, when you use split tunneling.
Force all traffic through tunnel
Routes all traffic (including traffic to the local subnet) through the tunnel. In this case, there is no local subnet. Users cannot access local resources, such as their printers at home, until they disconnect from network access.
Allow Local Subnet
Check this box to permit local subnet access and local access to any host or subnet in routes that you have specified in the client routing table. If you select this option, integrated IP filtering is not supported.
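The following Python script is an added example written for this page; it is not F5 code and does not read the product's configuration. It models the per-destination decision implied by the Traffic Options above: with split tunneling enabled, only destinations in the LAN address space go through the tunnel and names matching the DNS address space are resolved through the tunnel; with Force all traffic through tunnel, only Allow Local Subnet lets the client reach its own subnet directly. Two points are assumptions made here because the page does not state them: an Exclude entry takes precedence over an overlapping LAN entry, and the configuration check at the end treats such an overlap as a leak of internal traffic to the local network. All addresses and names are constructed.

```python
"""Split-tunneling routing decision and overlap check (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List


@dataclass
class TrafficOptions:
    split_tunneling: bool = False        # False means "Force all traffic through tunnel"
    allow_local_subnet: bool = False
    lan_address_space: List[str] = field(default_factory=list)
    exclude_address_space: List[str] = field(default_factory=list)
    dns_address_space: List[str] = field(default_factory=list)

    def __post_init__(self):
        self.lan_address_space = [ip_network(n, strict=False) for n in self.lan_address_space]
        self.exclude_address_space = [ip_network(n, strict=False) for n in self.exclude_address_space]
        self.dns_address_space = [d.lower().strip(".") for d in self.dns_address_space]


def route_for(opts: TrafficOptions, dst: str, local_subnet: str) -> str:
    """Return "tunnel" or "local" for a packet to dst from a client whose
    physical interface sits on local_subnet."""
    addr = ip_address(dst)
    if not opts.split_tunneling:
        if opts.allow_local_subnet and addr in ip_network(local_subnet, strict=False):
            return "local"
        return "tunnel"
    # Assumption: Exclude address space wins over an overlapping LAN entry.
    if any(addr in net for net in opts.exclude_address_space):
        return "local"
    if any(addr in net for net in opts.lan_address_space):
        return "tunnel"
    return "local"


def resolver_for(opts: TrafficOptions, name: str) -> str:
    """Which DNS path a lookup for name takes under the same options."""
    if not opts.split_tunneling:
        return "tunnel"
    host = name.lower().strip(".")
    for suffix in opts.dns_address_space:
        if host == suffix or host.endswith("." + suffix):
            return "tunnel"
    return "local"


def untunneled_lan_space(opts: TrafficOptions):
    """Configuration check: Exclude entries that carve a hole out of the LAN
    address space. Traffic to those internal addresses leaves the client
    outside the tunnel, in the clear."""
    holes = []
    for lan in opts.lan_address_space:
        for ex in opts.exclude_address_space:
            if lan.overlaps(ex):
                holes.append((str(lan), str(ex)))
    return holes


if __name__ == "__main__":
    split = TrafficOptions(
        split_tunneling=True,
        lan_address_space=["10.0.0.0/8", "192.168.50.0/24"],
        exclude_address_space=["10.99.0.0/16"],   # deliberately overlaps the LAN space
        dns_address_space=["corp.example"],
    )
    for dst in ("10.1.2.3", "10.99.1.1", "8.8.8.8"):
        print(dst, route_for(split, dst, "192.168.1.0/24"))
    print(resolver_for(split, "mail.corp.example"), resolver_for(split, "www.example.com"))
    print(untunneled_lan_space(split))   # -> [('10.0.0.0/8', '10.99.0.0/16')]
```

The check is worth running whenever the LAN or Exclude lists change: an Exclude entry that was added to keep a VoIP subnet off the tunnel, for instance, can quietly uncover part of the LAN address space if the two lists later grow to overlap.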
Client Side Security
Use these settings to configure options for the client on the tunneled network. The settings available are:
Prohibit routing table changes during Network Access connection
This option prevents modifications to the client's IP routing table during the network access connection, and the connection can be halted if the table changes.
Integrated IP filtering engine
Select this option to protect the VPN from outside traffic (traffic generated by network devices on the client's LAN) and to ensure that VPN traffic does not leak to the client's LAN.
Allow access to local DHCP server
Check this box if you want to use a DHCP server to obtain an IP address when the option Integrated IP filtering engine is enabled.
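The following Python script is an added example written for this page, not F5 code, and it does not show how the client actually watches its routing table. It illustrates what the Routing table monitoring feature and the Prohibit routing table changes option defend against: it parses two constructed Linux-style `ip route` snapshots (device names eth0 and ppp0 and all addresses are made up), reports the difference, and flags any route for part of the LAN address space that does not use the tunnel device. Such a route is at least as specific as the tunnel's own LAN route, so longest-prefix matching sends internal traffic out of the physical interface instead of the tunnel.

```python
"""Routing table snapshot diff and tunnel-bypass detection (added example)."""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

Route = Tuple  # (ip_network, device name)


def parse_routes(text: str) -> List[Route]:
    """Parse lines such as '10.0.0.0/8 via 10.8.0.1 dev ppp0' into
    (network, device) pairs; 'default' becomes 0.0.0.0/0."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or "dev" not in parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        routes.append((ip_network(dst, strict=False), parts[parts.index("dev") + 1]))
    return routes


def _fmt(route: Route) -> str:
    return f"{route[0]} dev {route[1]}"


def diff_routes(before: List[Route], after: List[Route]):
    """Return (added, removed) as sorted 'prefix dev iface' strings."""
    b, a = set(before), set(after)
    return sorted(_fmt(r) for r in a - b), sorted(_fmt(r) for r in b - a)


def lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Egress device for dst by longest-prefix match (first entry wins a tie)."""
    addr = ip_address(dst)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def tunnel_bypass(routes: List[Route], lan_spaces: List[str], tunnel_dev: str) -> List[str]:
    """Routes covering any part of the LAN address space that do not use the
    tunnel device. Each one is at least as specific as the tunnel's LAN route
    and therefore diverts internal traffic to the local network."""
    lans = [ip_network(l, strict=False) for l in lan_spaces]
    flagged = []
    for net, dev in routes:
        if dev != tunnel_dev and any(net.subnet_of(lan) for lan in lans):
            flagged.append(_fmt((net, dev)))
    return sorted(flagged)


# Constructed snapshots. The second contains a route (added by a local
# process, say) that pulls 10.0.5.0/24 off the tunnel onto the physical NIC.
BEFORE = """
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0
10.0.0.0/8 via 10.8.0.1 dev ppp0
"""
AFTER = BEFORE + "10.0.5.0/24 via 192.168.1.1 dev eth0\n"

if __name__ == "__main__":
    before, after = parse_routes(BEFORE), parse_routes(AFTER)
    print(diff_routes(before, after))                 # (['10.0.5.0/24 dev eth0'], [])
    print(lookup(before, "10.0.5.7"), lookup(after, "10.0.5.7"))   # ppp0 eth0
    print(tunnel_bypass(after, ["10.0.0.0/8"], "ppp0"))
```

The diff alone is what the option reacts to; the bypass check is the reason it matters, because a route that merely adds a prefix outside the LAN address space changes nothing about what the tunnel protects, while a single /24 inside it does.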
Client Options
Use these settings to configure Microsoft Networking options for the client.
Client for Microsoft Networks
Select this option to allow the client PC to access remote resources on a Microsoft network over the VPN connection. This option is functionally the same as using the Client for Microsoft Networks locally on the network, so if you enable this option on your local network, enable this option over the VPN connection to provide the same functionality. This option is enabled by default.
File and printer sharing for Microsoft Networks
Select this option to allow remote hosts to access Microsoft file shares and network printer resources on the client system over the VPN connection.
Client Interface Speed
Type the maximum rate available for secured client connections in bytes per second. The default rate is 5767168 bytes per second.
Client proxy settings
Directs network access clients to work through the specified proxy server on the remote network. This option requires the client computer to have Internet Explorer 5.0 or later installed. These options are available only when using the Advanced setting, with the Client proxy settings box checked.
Client Proxy Autoconfig Script
Contains the URL of the proxy-autoconfiguration script.
Client Proxy Address and Client Proxy Port
Contains the address and port number of the proxy server you want network access clients to use to connect to the Internet.
Bypass Proxy For Local Addresses
Indicates whether network access clients bypass the proxy server for local (intranet) addresses.
Client Proxy Exclusion List
Contains the Web addresses that do not need to be accessed through the proxy server. You can use wildcard characters to match domain and host names or addresses. For example, you could specify www.*.com, 128.*, 240.*, *., mygroup.*, *x*, and so on. You add each item separately.
Primary and Secondary Name Servers
Represents the IP addresses of the DNS servers that network access assigns to the remote user. These should be the DNS servers that the internal company network uses.
Primary and Secondary WINS Servers
Represents the IP addresses of the WINS servers pushed to the network access client. These are needed for Microsoft Networking to function fully. For fully functioning Microsoft network share browsing, you should configure the network access connection to use an SNAT pool. For more information, see Configuring network access settings.
DNS Default Domain Suffix
Represents the DNS suffix to use on the client computer. If this box is not specified, network access uses the first suffix from the Secure Access Manager server DNS setting.
Static Hosts
Here you can add, edit, and delete static host names. With static hosts, you can configure a list of static hosts for the network access client to use. The static hosts you configure modify the client computer's local hosts table and override the configured DNS server, so you should use them only when you need to augment or override the existing DNS.
For this file-change operation, users on Windows platforms must have local administrative rights to modify the hosts file during the connection, or the administrator must change the attributes of the hosts file to allow non-administrative modification.
Use the Drive Mappings tab to add drive mappings. You can set options for specifying the UNC path to the network share, and the preferred drive letter to use for drive mapping, and you can add a description. If the drive letter is in use, the system uses another one at connection time.
Using drive mappings options, you can specify network shares to be mapped automatically on the client computer whenever a user logs on. Because the Secure Access Manager does not verify the accuracy of a path, you must make sure that the path is correct.
After establishing a network access connection, Windows needs a varying length of time before it can start using WINS for NetBIOS name resolution (depending on network speed and other factors, usually about one minute). During this time, the drive-mapping operation can fail and provide the message: The network resource type is not correct. If the UNC path is configured with the NetBIOS name, you may get the message: The network path was not found.
Use IP addresses instead of NetBIOS names
For example, specify \\\share instead of \\server\share.
Use fully qualified DNS names
For example, specify \\\share instead of \\server\share.
Check the default domain suffix
Make sure that the Secure Access Manager is configured with the proper DNS suffixes.
Try the operation again
Advise users to retry mapping. Subsequent mapping attempts usually succeed after a 30 to 40-second delay. To retry, have the user click the Relaunch button in the user's network access popup window.
Use the Launch Applications tab to set options for configuring network access to start client-side applications. This feature is particularly useful for network access clients who connect to application servers for which they have a client-side component on their computers. For example, it is common to configure network access connections for directly accessing an internal Exchange server. In this case, when the client makes a network access connection, it automatically starts an Outlook client on the connecting computer. This makes access easier for the end user.
On the Launch Applications screen, to configure applications to launch automatically, specify the complete path in the Application Path box and any application parameters in the Parameters box, and select the target operating system from the Operating System list. The following examples contain strings for the Application Path and Parameters boxes.
Application Path:
Parameters: /f
For certain client systems, you can automatically run domain logon scripts after establishing a network access connection. The client systems must meet the following requirements:
\\domain_controller_ip_address %username%
domain_name %username%
The domain_name entry represents the target domain name, and the domain_controller_ip_address entry represents the IP address of the domain controller.
The Group Membership tab allows you to specify the resource groups to which the network access resource belongs. You can add one network access resource to a resource group.