Manual Chapter: Configuring Network Access
The BIG-IP® Access Policy Manager network access feature provides secure access to corporate applications and data using a standard web browser, or the BIG-IP Edge Client. Using network access, employees, partners, and customers can have access to corporate resources securely, from any location.
The Access Policy Manager's network access feature provides users with the functionality of a traditional IPsec VPN client. Unlike IPsec, however, network access does not require any pre-installed software or configuration on the remote user's computer. It is also much more robust than IPsec VPN against router and firewall incompatibilities.
Users connected through network access have equivalent functionality to those users directly connected to the LAN. You can use access policies to control access to network access. For information about access policies, see Chapter 7, Creating Access Profiles and Access Policies.
Reviewing network access features
Full access from any client
Provides Windows®, Macintosh®, Linux®, and Windows Mobile users with access to the complete set of IP-based applications, network resources, and intranet files available, as if they were working at their desktop in the office.
Split tunneling of traffic
Provides control over exactly what traffic is sent over the network access connection to the internal network and which is not. This feature provides better client application performance by allowing connections to the public Internet to go directly to the destination, rather than being routed down the tunnel and then out to the public Internet.
Client checking
Detects operating system and browser versions, antivirus and firewall software, registry settings, and processes, and checks files during logon to ensure that the client configuration meets the organization's security policy for remote access.
Compression of transferred data
Utilizes GZIP compression to compress traffic before it is encrypted, reducing the number of bytes transferred between the Access Policy Manager and the client system, improving performance.
Routing table monitoring
Monitors changes made in the client's IP routing table during a network access connection. You can configure this feature to halt the connection if the routing table changes, helping prevent possible information leaks. This feature applies to Windows clients only.
Session inactivity detection
Closes network access connections after a period during which traffic stays below an inactivity threshold that you can configure. This feature helps prevent security breaches.
Automatic applications start
Starts a client application automatically after establishing the network access connection. This feature simplifies user access to specific applications or sites.
Automatic drive mapping
Connects the user to a specific drive on the intranet. This feature simplifies user access to files.
Note: automatic drive mapping is available only for Windows clients.
Connection-based ACLs
Filters network traffic by controlling whether packets are allowed, discarded, or rejected, based on criteria specified. For example, connections can be filtered by Layer 4 properties like source and destination IP address and port, protocol (TCP or UDP), and Layer 7 properties like scheme, host name, and paths. ACLs also support auditing capabilities with logging. ACLs allow groups of users or access policy users to have access to full client-server application support without opening up the entire network to each user.
Dynamic IP address assignment
Assigns client endpoint IP addresses dynamically from a configured pool of addresses. IP addresses can also be assigned with an external AAA server attribute.
Traffic classification, prioritization, and marking
Provides the ability to classify and prioritize traffic to ensure levels of service to users with defined characteristics.
Network access implements a point-to-point network connection over SSL. This is a secure solution that works well with firewalls and proxy servers. Network access gives remote users access to all applications and network resources.
Network access settings specify IP address pools that the Access Policy Manager uses to assign IP addresses to a client computer's virtual network adapter. When the end user opens the address of the Access Policy Manager in a web browser, the browser opens an SSL connection to the Access Policy Manager. The user can then log on to the Access Policy Manager. You can see a visual representation of how network access works in Figure 2.1, following.
1. On the Main tab of the navigation pane, expand Access Policy, and click Network Access.
The Network Access Resource List screen opens.
2. Click Create.
The New Resource screen opens.
3. In the Name box, type a name for the network access resource.
4. Configure the general settings for the network access resource.
For detailed information on these settings, see Configuring general network access server settings.
5. Configure the client settings for the network access resource.
For detailed information on these settings, see Configuring settings on network access clients.
6. Click Finished to save the network access resource.
The Network Access Properties screen opens, and you can configure the properties for the network access resource.
1. On the Main tab of the navigation pane, expand Access Policy, and click Network Access.
The Network Access Resource List screen opens.
2. Click a network access resource on the resource list.
The Network Access Properties screen opens. This screen also opens immediately after you create a new network access resource.
3. Configure the properties for the network access resource on the Properties tab.
For detailed information on these settings, see Setting up network access.
4. Configure the DNS and host settings for the network access resource on the DNS/Hosts tab.
For detailed information on these settings, see Setting DNS and hosts options.
5. Configure drive mappings for the network access resource on the Drive Mappings tab.
For detailed information on these settings, see Mapping drives with network access.
6.
Setting up network access
You use options on the Network Access Properties screen to configure general tunnel information, tunneling and network settings, proxy settings for the client, and IP address assignment. You can also configure client behavior, map network drives, and set applications to start when network access connects.
Setting general properties
Name
Specifies a name for the connection. This is the name the end user sees in the Network Connections control panel in Windows.
Description
A description of the network access connection. This is informational only.
Configuring general network access server settings
General settings are settings that configure the network access connection on the server side, and are not specific to each client.
Basic/Advanced
Basic view hides the SNAT Pool and Timeout settings. Select Advanced to display these options for configuration.
Lease Pool
Lease pools allow you to specify a collection of IP addresses as a single object, and associate that object with a network access resource. This allows a network access connection to be automatically assigned an unallocated IP address to use for the client IP address. Select a lease pool here to assign a lease pool to the network access resource.
Compression
This setting compresses all VPN traffic between the network access client and the Access Policy Manager. Select GZIP Compression to compress traffic between the client and the Access Policy Manager. The default is No Compression.
Compression is not active when the network access connection is configured for DTLS.
SNAT Pool
You can select whether to use SNAT auto mapping or a specific SNAT pool. When a client starts a network access connection, it receives a dynamic IP address assignment to use for the PPP tunnel connection. The connection usually receives the next IP address available from the lease pool, or is assigned an address with another method.

Once the client gets an IP address, that IP address is typically what the end device sees. For example, if a network access client is dynamically assigned the address 10.1.1.1 from the lease pool, and the SNAT Pool setting is None, then when the user connects to an internal server, the source address seen by the internal server is 10.1.1.1.

In the same situation, if the SNAT Pool setting is Automap, the address seen by the internal server is the internal address of the Access Policy Manager. For many client-server applications, SNAT Automap is adequate. However, it is not supported by Microsoft® networking, and SNAT automapping may not be sufficient for network access connections with large numbers of client users.

For these more advanced situations, you can create an SNAT pool, then select the name of the SNAT pool from the SNAT Pool list.
By default, SNAT automapping is enabled. With SNAT Automapping enabled, active FTP connections fail, so you can only use passive FTP.
If you select None, make sure that your back-end servers are configured to route responses back to the device. If you must use active FTP, set the SNAT Pool option to None.
For more information on SNAT Automapping, see the Configuration Guide for BIG-IP® Local Traffic Manager.
Session Update Threshold
Displays the session update threshold. The session update threshold defines, in bytes per second, the criterion for updating the session. If the average bitrate falls below the threshold, the session is considered inactive, and the session is ended according to the inactivity timeout settings defined in the access profile.
Session Update Window
Displays, in seconds, the period over which the bitrate is to be averaged. The session update window is used with the session update threshold to define when the session is inactive. If the average bit rate exceeds the session update threshold, the session is updated, and if it is below the threshold, it is not updated. If the session is not updated within the time specified for the inactivity timeout, the session expires.
Important: If you set the bitrate threshold to zero, session update timeouts are not applied.
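The interplay of the Session Update Threshold, the Session Update Window and the access profile's inactivity timeout is easier to see in a short simulation. The following is an added example, not F5's code: it samples traffic once per second (a constructed byte series), averages it over the window, records an "update" whenever the average exceeds the threshold, and expires the session once it has gone the full timeout without an update. The class and function names are assumptions; a threshold of zero disables the check, as the Important note states.

```python
"""Added example (not F5's code): a simulation of the Session Update Threshold
and Session Update Window settings described above.

Assumptions (labelled): traffic is sampled once per second as a byte count, the
rate is averaged over the last `window_seconds` samples, a session is
"updated" whenever that average exceeds the threshold, and it expires once it
has gone `inactivity_timeout` seconds without an update. The inactivity timeout
itself comes from the access profile, not from this screen.
"""
from collections import deque
from typing import List, Optional


class SessionActivityTracker:
    def __init__(self, threshold_bps: int, window_seconds: int, inactivity_timeout: int):
        self.threshold_bps = threshold_bps   # Session Update Threshold (page: bytes per second)
        self.window = window_seconds         # Session Update Window
        self.timeout = inactivity_timeout    # inactivity timeout from the access profile
        self.samples = deque()               # (second, bytes) pairs inside the window
        self.now = 0
        self.last_update = 0

    def average_rate(self) -> float:
        """Average rate over the window; seconds not yet seen count as zero."""
        return sum(b for _, b in self.samples) / self.window

    def tick(self, bytes_transferred: int) -> bool:
        """Advance the clock one second, record the traffic, return True if expired."""
        self.now += 1
        self.samples.append((self.now, bytes_transferred))
        while self.samples and self.samples[0][0] <= self.now - self.window:
            self.samples.popleft()
        # A threshold of zero disables the update check entirely (see the
        # Important note above), so the session is never aged out here.
        if self.threshold_bps == 0 or self.average_rate() > self.threshold_bps:
            self.last_update = self.now
        return self.expired()

    def expired(self) -> bool:
        if self.threshold_bps == 0:
            return False
        return self.now - self.last_update >= self.timeout


def simulate(threshold_bps: int, window_seconds: int, inactivity_timeout: int,
             bytes_per_second: List[int]) -> Optional[int]:
    """Feed a constructed per-second byte series; return the second at which the
    session expires, or None if it survives the whole series."""
    tracker = SessionActivityTracker(threshold_bps, window_seconds, inactivity_timeout)
    for b in bytes_per_second:
        if tracker.tick(b):
            return tracker.now
    return None


if __name__ == "__main__":
    # Five busy seconds, then silence: the session expires 10 s after the
    # windowed average last exceeded the threshold.
    print(simulate(100, 5, 10, [1000] * 5 + [0] * 20))   # 19
    # Threshold zero: session update timeouts are not applied.
    print(simulate(0, 5, 10, [0] * 30))                  # None
```

Note that the window delays expiry: the average stays above the threshold for a few seconds after traffic stops, so the effective idle time before expiry is the inactivity timeout plus part of the window.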
Configuring settings on network access clients
Basic/Advanced
Basic view shows only Traffic Options (split tunneling), Client Side Security options, Allow Local Subnet options, and Client Options. By default, the option Force all traffic through tunnel is enabled. Basic view also shows settings for LAN Address Space and DNS Address Space if you select Use split tunneling for traffic. You must select the Advanced view to configure DTLS mode, specify a client traffic classifier, or specify an exclude address space with split tunneling.
Use split tunneling for traffic
Directs all network traffic destined for the LAN, that is, for the addresses specified in the LAN address space box, through the network access tunnel. A tunnel is a secure connection between computers or networks over a public network. When you configure split tunneling, the Access Policy Manager directs all other traffic out of the local network connection. You can configure the LAN address space, the DNS address space, and the Exclude address space (in Advanced mode only), when you enable split tunneling.
LAN address space
Provides a list of addresses or address/mask pairs describing the target LAN. When you use split tunneling, only the traffic to these addresses and network segments goes through the tunnel configured for network access. You can add multiple address spaces and network masks to the list in their respective boxes, one at a time.
DNS address space
Provides a list of names describing the target LAN DNS addresses. This box appears only if you use split tunneling.
You can add multiple address spaces to the list, one at a time.
Exclude address space
Specifies addresses for traffic that is not forced through the tunnel, when you use split tunneling. Use this to exclude an address or range of addresses from the LAN address space.
Force all traffic through tunnel
Routes all traffic (including traffic to the local subnet) through the tunnel. In this case, there is no local subnet. Users cannot access local resources, such as their printers at home, until they disconnect from network access. This is useful if you want to limit access to certain sites while the user is connected through the network access connection.
Allow Local Subnet
Check this box to permit local subnet access and local access to any host or subnet in routes that you have specified in the client routing table. If you select this option, clients cannot use the integrated IP filtering engine.
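To make the traffic options above concrete, here is an added example, not F5's code, that models the routing decision a client makes from these settings for a single destination address. The semantics are an assumption: a destination is tunneled when it lies inside the LAN address space and outside the Exclude address space, Force all traffic through tunnel sends everything through the tunnel, and Allow Local Subnet keeps the client's own subnet local. The class and function names are invented for the example; the `audit_leaks` helper is the check an administrator would run to find internal hosts that an over-broad exclude entry would leave outside the tunnel.

```python
"""Added example (not F5's code): a model of the split-tunnel routing decision
made from the network access client settings described above.

Assumed semantics (not stated in this exact form on the page): a destination
is tunneled when it lies inside the LAN address space and outside the Exclude
address space; "Force all traffic through tunnel" sends everything through
the tunnel; "Allow Local Subnet" keeps the client's own subnet off the tunnel.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


def _networks(entries: List[str]):
    # Entries may be bare addresses ("192.168.50.10") or address/mask pairs
    # ("10.0.0.0/8"); a bare address becomes a single-host network.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


@dataclass
class SplitTunnelPolicy:
    force_all_traffic: bool = True                          # the default in Basic view
    lan_address_space: List[str] = field(default_factory=list)
    exclude_address_space: List[str] = field(default_factory=list)
    allow_local_subnet: bool = False

    def route(self, destination: str, client_local_subnet: Optional[str] = None) -> str:
        """Return "tunnel" or "local" for one destination address."""
        dst = ipaddress.ip_address(destination)
        if self.allow_local_subnet and client_local_subnet:
            if dst in ipaddress.ip_network(client_local_subnet, strict=False):
                return "local"
        if self.force_all_traffic:
            return "tunnel"
        # Split tunneling: the exclude list punches holes in the LAN list, so it
        # is consulted first.
        if any(dst in net for net in _networks(self.exclude_address_space)):
            return "local"
        if any(dst in net for net in _networks(self.lan_address_space)):
            return "tunnel"
        return "local"


def audit_leaks(policy: SplitTunnelPolicy, internal_hosts: List[str]) -> List[str]:
    """Defender's check: which internal hosts would bypass the tunnel under this
    policy (for example because an exclude entry is wider than intended)."""
    return [h for h in internal_hosts if policy.route(h) == "local"]


if __name__ == "__main__":
    # Constructed sample policy and destinations.
    policy = SplitTunnelPolicy(
        force_all_traffic=False,
        lan_address_space=["10.0.0.0/8", "192.168.50.10"],
        exclude_address_space=["10.0.5.0/24"],
    )
    for host in ("10.1.2.3", "10.0.5.7", "192.168.50.10", "8.8.8.8"):
        print(host, "->", policy.route(host))
    print("leaks:", audit_leaks(policy, ["10.0.5.20", "10.9.9.9"]))
```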
Client Side Security
Use these settings to configure options for the client on the tunneled network. The settings available are:
Prohibit routing table changes during Network Access connection
This option terminates client connections when the client's IP routing table changes during a network access session.
Integrated IP filtering engine
Select this option to protect the VPN from outside traffic (traffic generated by network devices on the client's LAN) and to ensure that VPN traffic does not leak to the client's LAN.
Allow access to local DHCP server
Check this box if you want to allow clients to obtain renewed IP addresses from their local DHCP servers when their DHCP leases expire. This is used when the option Integrated IP filtering engine is enabled.
Client Traffic Classifier
Specifies a client traffic classifier to perform client traffic control. For more information, see Configuring traffic control.
Client Options
Use these settings to configure Microsoft Networking options for the client.
Client for Microsoft Networks
Select this option to allow the client PC to access remote resources over a VPN connection. For example, the user can access shared network drives on the remote network.
File and printer sharing for Microsoft Networks
Select this option to allow remote hosts to access shared resources on the client system over the VPN connection. For example, users on the remote network can access files on the client's computer.
Provide client certificate on Network Access connection when requested
If client certificates are required to establish the SSL connection, this option must always be enabled. You can disable it if client certificates are requested only within an established SSL session. When client certificates are requested, but not required, to establish the SSL connection, the client is not configured to send them.
Reconnect To Domain
Select the check box Synchronize with Active Directory policies on connection establishment to synchronize the client with the Active Directory network policies when the connection is established. This option, when checked, enables a second check box, Execute logoff scripts on connection termination. Select this check box to run logoff scripts configured on the Active Directory domain when the connection is terminated.
Client Interface Speed
Type the interface rate to display for secured client connections in bytes per second. The default rate is 100000000 bits per second. The rate you specify in this box is for display only, and does not affect the actual speed of the network access connection.
DTLS
Select this option to use Datagram Transport Layer Security (DTLS) with the network access connection. This option uses UDP as the transport to provide better throughput for latency-sensitive applications like VoIP or streaming video, especially over lossy connections. If the port used by DTLS is blocked by an intermediate firewall or gateway, or is not available, the connection automatically falls back to TLS or SSL.
If you enable the DTLS option, you must configure another virtual server for DTLS with the same IP address as the TCP virtual server to which a user connects to start the Access Policy Manager session. See Creating a virtual server for DTLS, for more information.
DTLS Port
Type the port number that the network access resource uses for secure UDP traffic with DTLS. The default port is 4433.
Client proxy settings
Directs network access clients to work through the specified proxy server on the remote network. This option requires the client computer to have Internet Explorer 5.0 or later installed. These options are available only when using the Advanced setting, when you select the Client proxy settings option.
Client Proxy Autoconfig Script
Contains the URL of the proxy-autoconfiguration script.
Client Proxy Address and Client Proxy Port
Contains the address and port number of the proxy server you want network access clients to use to connect to the Internet.
Bypass Proxy For Local Addresses
Indicates whether you want to use the proxy server for all local (intranet) addresses.
Client Proxy Exclusion List
Contains the Web addresses that do not need to be accessed through the proxy server. You can use wild card characters to match domain and host names or addresses. For example, you could specify www.*.com, 128.*, 240.*, *., mygroup.*, *x*, and so on. You can add each item separately.
Setting DNS and hosts options
Primary and Secondary Name Servers
Represents the IP addresses of the DNS server that network access assigns to the remote user. These should represent DNS server or servers that the internal company network uses.
Primary and Secondary WINS Servers
Represents the IP addresses of the WINS server to be conveyed to the remote access point. These are needed for Microsoft Networking to function fully. For fully functioning Microsoft network share browsing, you should configure the network access connection to use an SNAT pool. For more information, see Configuring network access settings.
DNS Default Domain Suffix
Represents the DNS suffix to use on the client computer. If you do not specify a default domain suffix, network access uses the first suffix from the Access Policy Manager server DNS setting.
Static Hosts
Here you can add, edit, and delete static host names. With static hosts, you can configure a list of static hosts for the network access client to use. The static hosts you configure modify the client computer's local hosts table and override the configured DNS server, so you should use them only when you need to augment or override the existing DNS. You can also use static hosts when the client machine is locked down, and the DNS relay service is installed, to provide host resolution.
For this file-change operation, users on Windows platforms must have local administrative rights to modify the hosts file during the connection, or the administrator must change the attributes of the hosts file to allow non-administrative modification, or the system must have the DNS Relay service installed.
Static hosts are supported on Windows clients only.
Mapping drives with network access
Use the Drive Mappings tab to map network drives when a network access connection is established. You can set options for specifying the UNC path to the network share, and the preferred drive letter to use for drive mapping, and you can add a description. If the drive letter is in use, the user is allowed to select any free drive letter.
Using drive mappings options, you can specify network shares to be mapped automatically on the client computer whenever a user logs on. Because the Access Policy Manager does not verify the accuracy of a path, you must make sure that the path is correct.
After establishing a network access connection, Windows needs a varying length of time before it can start using WINS for NetBIOS name resolution (depending on network speed and other factors, usually about one minute). During this time, the drive-mapping operation can fail and provide the message: The network resource type is not correct. If the UNC path is configured with the NetBIOS name, you may get the message: The network path was not found.
Use IP addresses instead of NetBIOS names
For example, specify \\192.168.191.1\share instead of \\server\share.
Use fully qualified DNS names
For example, specify \\server.domain.com\share instead of \\server\share.
Check the default domain suffix
Make sure that the Access Policy Manager is configured with the proper DNS suffixes.
Try the operation again
Advise users to retry mapping. Subsequent mapping attempts usually succeed after a 30 to 40-second delay. To retry, have the user click the Relaunch button in the user's network access popup window.
The relaunch option is available only with the web client, not with the BIG-IP Edge Client.
Launching applications with network access connections
Use the Launch Applications tab to set options for configuring network access to start client-side applications. This feature is particularly useful for network access clients who connect to application servers for which they have a client-side component on their computers. For example, it is common to configure network access connections for directly accessing an internal Exchange server. In this case, when the client makes a network access connection, it automatically starts an Outlook client on the connecting computer. This makes access easier for the end user.
On the Launch Applications screen, under General Properties, check the Display warning before launching applications box to display a warning to the network access user before any applications start.
You can configure multiple applications to launch by adding applications to the application list. For each application you configure, specify the complete path in the Application Path box and any application parameters in the Parameters box, and select the target operating system from the Operating System list. The following examples contain strings for the Application Path and Parameters boxes.
Parameters:
http://internal_application.siterequest.com
Application Path:
%SystemRoot%\System32\mstsc.exe
Parameters:
/v:internalterminalserver.siterequest.com /f
For certain client systems, you can automatically run domain logon scripts after establishing a network access connection. The client systems must meet the following requirements:
Parameters:
\\domain_controller_ip_address %username%
or
domain_name %username%
The domain_name entry represents the target domain name, and the domain_controller_ip_address entry represents the IP address of the domain controller.
A lease pool specifies a collection of IP addresses as a single object. You can use a lease pool to associate that collection of IP addresses with a network access resource. Use a lease pool with a network access connection to automatically assign an unallocated IP address to a network access client.
1. On the Main tab of the navigation pane, expand Access Policy, use the cursor to point to Network Access, and click Lease Pools.
The Lease Pool List screen opens.
2. Click the Create button.
The New Lease Pool screen opens.
3. In the Name box, type a name for the lease pool.
The initial character for a lease pool name must be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
4. To add a single IP address, in the Member List area, select IP Address for the type. In the IP Address box, type the IP address, and click the Add button.
To add a range of IP addresses, in the Member List area, select IP Address Range for the type. In the Start IP Address box, type the first IP address, and in the End IP Address box, type the last IP address. Click the Add button.
To delete an IP address or IP address range, select the IP address or IP address range in the member list, and click the Delete button.
5. When you have finished adding IP addresses to the list, click the Finished button.
You can click the Repeat button to create and save the lease pool, then immediately create another lease pool with the same members, and a blank name.
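The lease pool described in the procedure above, as an added example that is not F5's code: a named pool built from single addresses and address ranges, which hands unallocated addresses to clients and takes them back when a session ends. Assumptions are labelled in the code: the name rule from step 3 is enforced strictly, reserved words are rejected rather than merely discouraged, and the pool allocates the first unallocated address in member order (the page only says "the next IP address available"). All class and function names are invented for the example.

```python
"""Added example (not F5's code): a small model of a lease pool as described in
the procedure above: named, built from single addresses and address ranges,
and handing unallocated addresses to clients.

Assumptions (labelled): the name rule from step 3 is applied as a strict
check, reserved words are rejected rather than merely discouraged, and the
pool allocates the first unallocated address in member order.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

RESERVED_WORDS = {"all", "delete", "disable", "enable", "help", "list", "none", "show", "None"}
# First character a letter; the rest letters, digits, period, underscore or dash.
NAME_PATTERN = re.compile(r"^[A-Za-z][A-Za-z0-9._-]*$")


def valid_lease_pool_name(name: str) -> bool:
    return bool(NAME_PATTERN.match(name)) and name not in RESERVED_WORDS


class LeasePool:
    def __init__(self, name: str):
        if not valid_lease_pool_name(name):
            raise ValueError(f"invalid lease pool name: {name!r}")
        self.name = name
        self.members: List[Tuple[int, int]] = []        # inclusive (start, end) as integers
        self.allocated: Dict[int, str] = {}             # address -> client identifier

    def add_address(self, ip: str) -> None:
        a = int(ipaddress.ip_address(ip))
        self.members.append((a, a))

    def add_range(self, start_ip: str, end_ip: str) -> None:
        s, e = int(ipaddress.ip_address(start_ip)), int(ipaddress.ip_address(end_ip))
        if e < s:
            raise ValueError("end address precedes start address")
        self.members.append((s, e))

    def delete_member(self, start_ip: str, end_ip: Optional[str] = None) -> None:
        s = int(ipaddress.ip_address(start_ip))
        e = int(ipaddress.ip_address(end_ip)) if end_ip else s
        self.members.remove((s, e))          # raises ValueError if no such member

    def size(self) -> int:
        return sum(e - s + 1 for s, e in self.members)

    def allocate(self, client: str) -> Optional[str]:
        """Hand out the first unallocated member address, or None when exhausted."""
        for s, e in self.members:
            for n in range(s, e + 1):
                if n not in self.allocated:
                    self.allocated[n] = client
                    return str(ipaddress.ip_address(n))
        return None

    def release(self, ip: str) -> None:
        """Return an address to the pool when the client's session ends."""
        self.allocated.pop(int(ipaddress.ip_address(ip)), None)


if __name__ == "__main__":
    # Constructed pool: one single address plus a three-address range.
    pool = LeasePool("vpn_pool-1")
    pool.add_address("10.1.1.1")
    pool.add_range("10.1.1.10", "10.1.1.12")
    print(pool.size(), [pool.allocate(c) for c in ("alice", "bob", "carol", "dan", "erin")])
```

Sizing matters operationally: `allocate` returning None is the "pool exhausted" condition, so the pool should hold at least as many addresses as the expected number of concurrent network access sessions.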
1. On the Main tab of the navigation pane, expand Access Policy, hover over Network Access, and click Lease Pools.
The Lease Pool List screen opens.
2.
To add a single IP address, in the Member List area, select IP Address for the type. In the IP Address box, type the IP address, and click the Add button.
To add a range of IP addresses, in the Member List area, select IP Address Range for the type. In the Start IP Address box, type the first IP address, and in the End IP Address box, type the last IP address. Click the Add button.
To delete an IP address or IP address range, select the IP address or IP address range in the member list, and click the Delete button.
5. To delete the lease pool, click the Delete button, then click OK on the dialog that appears.
1. On the Main tab of the navigation pane, expand Access Policy and click Network Access.
The Network Access Resource List screen opens.
2. In the Name column, click the name of the network access resource to which you want to assign the lease pool.
The Network Access Properties screen opens.
3. In the General Settings area, from the Lease Pool list, select the lease pool to assign.
Used together, traffic classifiers and client rate classes provide traffic shaping features on secure access connections. You configure a client traffic classifier, which defines source and destination IP addresses or networks, and can also define a protocol. The client traffic classifier is then associated with one or more client rate classes, which define base and peak rates for traffic to which it applies, and other traffic shaping features. A client traffic classifier is assigned in a network access resource.
Base Rate - Specifies the base data rate defined for the client rate class. You can select the units for this number from the list. Options include bps (bits per second), Kbps (kilobits per second), Mbps (megabits per second), or Gbps (gigabits per second).
Ceiling Rate - Specifies the peak data rate defined for the client rate class. You can select the units for this number from the list. Options include bps (bits per second), Kbps (kilobits per second), Mbps (megabits per second), or Gbps (gigabits per second).
Burst Size - Specifies the amount of traffic that is allowed to reach the peak rate defined for the traffic rate class. You can select the units for this number from the list. Options include bytes, Kilobytes, Megabytes, or Gigabytes.
DSCP - If you select Override, you can specify an optional DSCP code for the client rate class. DSCP is a way of classifying traffic for Quality of Service. Traffic is classified using six-bit values, and then routers on the network interpret the traffic priority based on their configurations and prioritize traffic for QoS accordingly.
Service Type - Specifies the service type in use for the client rate class. The following service types are available.
Best Effort - Specifies that Windows traffic control creates a flow for this client traffic class, and traffic on the flow is handled with the same priority as other Best Effort traffic.
Controlled Load - Specifies that traffic control transmits a very high percentage of packets for this client rate class to its intended receivers. Packet loss for this service type closely approximates the basic packet error rate of the transmission medium. Transmission delay for a very high percentage of the delivered packets does not greatly exceed the minimum transit delay experienced by any successfully delivered packet.
Guaranteed - Guarantees that datagrams arrive within the guaranteed delivery time and are not discarded due to queue overflows, provided the flow's traffic stays within its specified traffic parameters. This service type is intended for applications that require guaranteed packet delivery.
Mode - Displays the traffic shaping mode in use for the client rate class. The following modes are available.
Shape - Delays packets submitted for transmission until they conform to the specified traffic profile.
Discard - Discards packets that do not conform to the specified traffic control profile.
Borrow - Allows traffic on the client rate class to borrow resources from other flows that are temporarily idle. Traffic that borrows resources is marked as nonconforming, and receives a lower priority.
After you configure a client rate class using the procedure in To configure traffic shaping with a client rate class, you define a client traffic classifier, in which you select that client rate class, using the procedure To create a client traffic classifier. Next, you assign the client traffic classifier to a network access resource. The client rate class rate shaping features are then applied to traffic that matches the criteria defined in the client traffic classifier filter.
1. On the Main tab of the navigation pane, expand Access Policy, use the cursor to point to Network Access, point to Client Traffic Control, and click Client Rate Classes.
The Client Rate Class List screen opens.
2. Click Create.
The New client rate class screen opens.
3. In the Name box, type the name for the new client rate class.
4. In the Base Rate box, type the base rate for the client rate class. Select the units for the base rate from the list (bps, Kbps, Mbps, or Gbps).
The base rate is the minimum rate available to the traffic you specify.
5. In the Peak Rate box, type the peak rate for the client rate class. Select the units for the peak rate from the list (bps, Kbps, Mbps, or Gbps).
The peak rate is the maximum rate available to the traffic you specify.
6. (Optional) If you are using a differential services network, you can specify the DSCP value with which to mark this traffic in the DSCP box.
7. From the Mode list, select the traffic shaping mode.
8. From the Interface list, select the interface on which the client rate class will operate.
9. Click Finished when you are done.
1. On the Main tab of the navigation pane, expand Access Policy, use the cursor to point to Network Access, point to Client Traffic Control, and click Client Traffic Classifiers.
The Client Traffic Classifier List screen opens.
2. Click Create.
The New Client Traffic Classifier screen opens.
3. In the Name box, type the name for the new client traffic classifier.
4. Click Create to create the client traffic classifier.
The Client Traffic Classifier List screen opens.
5. Click the name of the client traffic classifier you just created.
The Client Traffic Classifier Properties screen opens.
6. Under a rules section, click Add to add a client traffic classifier entry.
You add rules to only the interfaces on the client computer for which you must shape traffic. You can apply rules to the virtual adapter (Virtual Network Access Interface), local physical adapters (Local Physical Interfaces), or all adapters (Virtual Network Access and Local Physical Interfaces).
7. From the Client Rate Class list, select the client rate class to which this client traffic classifier entry applies.
8. From the Protocol list, select TCP, UDP, or All Protocols.
9. In the Destination Address area, select the type of destination address (Any, Host, or Network), then provide the required details: if you selected Host, in the Address box, type the IP address. If you selected Network, in the Address box, type the network address, and in the Mask box, type the network mask.
10. In the Destination port box, type a port number, or select an application from the list. To apply the client traffic classifier to all ports, select All Ports.
11. In the Source Address area, select the type of source address (Any, Host, or Network), then provide the required details: if you selected Host, in the Address box, type the IP address. If you selected Network, in the Address box, type the network address, and in the Mask box, type the network mask.
This area appears only if you select Advanced.
12. In the Source port box, type a port number, or select an application from the list. To apply the client traffic classifier to all ports, select All Ports.
This box appears only if you select Advanced.
13. Click Finished when you are done.
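The following added example, which is not F5's code, ties together the client rate class settings listed earlier (base and ceiling rates, burst size, DSCP) and the classifier entry fields from the procedure just above (interface, protocol, destination and source address and port). It shows how a packet is matched against the classifier rules to select a rate class, and how a six-bit DSCP value is placed in the IP DS field. Assumptions are labelled in the code: rules are evaluated in order with the first match winning, "any" for an address and None for a port mean All, unmatched traffic is left unshaped, and the DS-field layout (DSCP in the upper six bits) is the standard one, which the page does not spell out. All names are invented for the example.

```python
"""Added example (not F5's code): how a client traffic classifier selects a
client rate class for a packet, covering the rule fields from the procedure
above (interface, protocol, destination and source address/port) and the
rate-class settings listed earlier (rates, burst size, DSCP).

Assumptions (labelled): rules are evaluated in order and the first match wins;
"any" for an address and None for a port mean All; unmatched traffic is left
unshaped. The DS-field helper uses the standard layout (DSCP in the upper six
bits of the byte), which the page does not spell out.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ClientRateClass:
    name: str
    base_rate_bps: int          # Base Rate
    ceiling_rate_bps: int       # Ceiling (Peak) Rate
    burst_bytes: int            # Burst Size
    mode: str = "Shape"         # Shape, Discard or Borrow
    dscp: Optional[int] = None  # set only when DSCP Override is selected

    def __post_init__(self):
        if self.ceiling_rate_bps < self.base_rate_bps:
            raise ValueError("ceiling rate below base rate")
        if self.dscp is not None and not 0 <= self.dscp <= 63:
            raise ValueError("DSCP is a six-bit value")


def ds_field(dscp: int) -> int:
    """Differentiated Services byte for a DSCP code (DSCP << 2, ECN bits zero)."""
    return (dscp & 0x3F) << 2


@dataclass
class ClassifierRule:
    rate_class: str
    interface: str = "all"          # "virtual", "physical" or "all"
    protocol: str = "all"           # "tcp", "udp" or "all"
    dst: str = "any"                # "any", a host address, or network/mask
    dst_port: Optional[int] = None  # None = All Ports
    src: str = "any"
    src_port: Optional[int] = None


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec: Optional[int], port: int) -> bool:
    return spec is None or spec == port


def rule_matches(rule: ClassifierRule, pkt: Dict) -> bool:
    return (rule.interface in ("all", pkt["interface"])
            and rule.protocol in ("all", pkt["protocol"])
            and _addr_matches(rule.dst, pkt["dst"])
            and _port_matches(rule.dst_port, pkt["dst_port"])
            and _addr_matches(rule.src, pkt["src"])
            and _port_matches(rule.src_port, pkt["src_port"]))


def classify(rules: List[ClassifierRule], pkt: Dict) -> Optional[str]:
    """Name of the rate class for this packet, or None if no rule matches."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.rate_class
    return None


if __name__ == "__main__":
    # Constructed rate class, rules and packet.
    voip = ClientRateClass("voip", 256_000, 1_000_000, 64_000, "Shape", dscp=46)
    rules = [
        ClassifierRule("voip", protocol="udp", dst="10.0.0.0/8", dst_port=5060),
        ClassifierRule("bulk", interface="virtual", dst="10.20.0.0/16"),
    ]
    pkt = {"interface": "virtual", "protocol": "udp", "dst": "10.20.1.5",
           "dst_port": 5060, "src": "192.168.1.10", "src_port": 40000}
    print(classify(rules, pkt), hex(ds_field(voip.dscp)))   # voip 0xb8
```

Because matching is first-hit, a broad rule placed before a narrow one silences the narrow one; ordering rules from most specific to least specific avoids that.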