Manual Chapter : Configuring Network Access Resources

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
Manual Chapter

Creating a network access resource

You configure a network access resource to allow users access to your local network through a secure VPN tunnel.
  1. On the Main tab, click Access Policy > Network Access. The Network Access List screen opens.
  2. Click the Create button. The New Resource screen opens.
  3. In the Name field, type a name for the resource.
  4. Type an optional description for the network access resource.
  5. For the Auto launch setting, only select the Enable check box if you want to automatically start this network access resource when the user reaches a full webtop. When assigning network access resources to a full webtop, only one network access resource can have auto launch enabled.
  6. Click Finished to save the network access resource.
The General Properties screen for the network access resource opens.

Configuring properties for a network access resource

You must create a network access resource, or open an existing resource, before you can perform this task.
You can configure the description of a network access resource with network access properties.
  1. On the Main tab, click Access Policy > Network Access. The Network Access Resource List screen opens.
  2. Click the name to select a network access resource on the Resource List. The Network Access editing screen opens.
  3. To configure the general properties for the network resource, click Properties on the menu bar.
  4. Click the Update button. Your changes are saved and the page refreshes.

Network access resource properties

Use these general properties to update settings for the network access resource.

Property setting Value Description
Name A text string. Avoid using global reserved words in the name, such as all, delete, disable, enable, help, list, none, or show. Name for the network access resource.
Partition Typically, Common. Partition under which the network access resource is created. You cannot change this value.
Description Text. Text description of the network access resource.
Auto launch Enable or Disable. The network access resource starts automatically when the user reaches the full webtop, if this option is enabled.
Note: When assigning network access resources to a full webtop, only one network access resource can have auto launch enabled.

Configuring network settings for a network access resource

You must create a network access resource, or open an existing resource, before you can perform this task.
You can use network settings to specify a lease pool for network access clients, and also to configure traffic options, client behavior, DTLS settings, and set up proxy behavior.
  1. On the Main tab, click Access Policy > Network Access > Network Access List. The Network Access List screen opens.
  2. Click the name to select a network access resource on the Resource List. The Network Access editing screen opens.
  3. To configure the network settings for the network access resource, click Network Settings on the menu bar.
  4. Click the Update button. Your changes are saved and the page refreshes.

Proxy ARP considerations

To configure proxy ARP, you must be aware of the following conditions.

  • Proxy ARP is not compatible with SNAT pools. You must disable SNAT Automap or a specific SNAT pool to use proxy ARP.
  • If you enable split tunneling, you must configure an entry for the server LAN segment in the LAN Address Space setting. You must also configure the LAN address spaces for any clients that will send traffic to each other.
  • In a high availability configuration, both BIG-IP® systems must have interfaces on the same server LAN segment.
  • IP addresses that you reserve for tunnel clients cannot be used for self IPs, NATs, SNATs, or wildcard (port-0) virtual servers.

Network settings for a network access resource

Network settings specify tunnel settings, session settings, and client settings.

Setting Value Description
Network Tunnel Enable When you enable a network tunnel, you configure the network access tunnel to provide network access. Clear the Enable option to hide all network settings and to disable the tunnel.
Supported IP Version IPV4 or IPV4&IPV6 Sets the Network Access tunnel to support either an IPv4 lease pool, or both IPv4 and IPv6 lease pools.
Important: Network access with IPv6 alone is not supported. An IPv6 tunnel requires a simultaneous IPv4 tunnel, which is automatically established when you assign IPv4 and IPv6 lease pools, and set the version to IPv4&IPv6.
General Settings Basic/Advanced Select Advanced to show settings for Proxy ARP, SNAT Pool, and Session Update.
IPv4 Lease Pool List selection of existing IPv4 lease pools Assigns internal IP addresses to remote network access clients, using configured lease pools. Select a lease pool from the drop-down list. To create a lease pool within this screen, click the + sign next to Lease Pool.
IPv6 Lease Pool List selection of existing IPv6 lease pools Assigns internal IP addresses to remote network access clients, using configured lease pools. Select a lease pool from the drop-down list. To create a lease pool within this screen, click the + sign next to Lease Pool.
Compression No Compression/GZIP Compression Select GZIP Compression to compress all traffic between the Network Access client and the Access Policy Manager®, using the GZIP deflate method.
Proxy ARP Enable Proxy ARP allows remote clients to use IP addresses from the LAN IP subnet, and no configuration changes are required on other devices such as routers, hosts, or firewalls. IP address ranges on the LAN subnet are configured in a lease pool and assigned to network access tunnel clients. When this setting is enabled, a host on the LAN that sends an ARP query for a client address gets a response from Access Policy Manager with its own MAC address. Traffic is sent to the Access Policy Manager and forwarded to clients over network access tunnels.
SNAT Pool List selection of None, Auto Map, or SNAT pool name Specifies the name of a SNAT pool used for implementing selective and intelligent SNATs. The default is Auto Map. If you have defined a SNAT on the system, that SNAT is available as an option on this list. The following two options are always available.
  • None specifies that the system uses no SNAT pool for this network resource.
  • Auto Map specifies that the system uses all of the self IP addresses as the translation addresses for the pool.
Note: To support CIFS/SMB and VoIP protocols, select None and configure routable IP addresses in the lease pool
Session Update Threshold Integer (bytes per second) Defines the average byte rate that either ingress or egress tunnel traffic must exceed, in order for the tunnel to update a session. If the average byte rate falls below the specified threshold, the system applies the inactivity timeout, which is defined in the Access Profile, to the session.
Session Update Window Integer (seconds) Defines the time value in seconds that the system uses to calculate the EMA (Exponential Moving Average) byte rate of ingress and egress tunnel traffic.
Client Settings Basic/Advanced Select Advanced to configure client proxy, DTLS, domain reconnect settings, and client certificate options.
Force all traffic through tunnel Enable/disable Specifies that all traffic (including traffic to or from the local subnet) is forced over the VPN tunnel.
Use split tunneling for traffic Enable/disable Specifies that only the traffic targeted to a specified address space is sent over the network access tunnel. With split tunneling, all other traffic bypasses the tunnel. By default, split tunneling is not enabled. When split tunneling is enabled, all traffic passing over the network access connection uses this setting.
IPV4 LAN Address Space IPv4 IP address, IP address and network mask Provides a list of addresses or address/mask pairs describing the target LAN. When using split tunneling, only the traffic to these addresses and network segments goes through the tunnel configured for Network Access. You can add multiple address spaces to the list, one at a time. For each address space, type the IP address and the network mask and click Add.
IPV6 LAN Address Space IPv6 IP address, IP address and network mask Provides a list of IPv6 addresses or address/mask pairs describing the target LAN. When using split tunneling, only the traffic to these addresses and network segments goes through the tunnel configured for Network Access. You can add multiple address spaces to the list, one at a time. For each address space, type the IP address and the network mask and click Add. This list appears only when you select IPV4&IPV6 in the Supported IP Version setting.
DNS Address Space domain names, with or without wildcards Provides a list of domain names describing the target LAN DNS addresses. This field only appears if you use split tunneling. You can add multiple address spaces to the list, one at a time. For each address space, type the domain name, in the form site.siterequest.com or *.siterequest.com, and click Add.
Exclude Address Space IP address/network mask pairs Specifies address spaces whose traffic is not forced through the tunnel. For each address space that you want to exclude, type the IP address and the network mask and click Add.
Allow Local Subnet Enable/disable Select this option to enable local subnet access and local access to any host or subnet in routes that you have specified in the client routing table. When you enable this setting, the system does not support integrated IP filtering.
Client Side Security > Prohibit routing table changes during Network Access connection Enable/disable This option closes the network access session if the client's IP routing table is modified during the session.
Client Side Security > Integrated IP filtering engine Enable/disable Select this option to protect the resource from outside traffic (traffic generated by network devices on the client's LAN), and to ensure that the resource is not leaking traffic to the client's LAN.
Client Side Security > Allow access to local DHCP server Enable/disable This option appears when the Integrated IP filtering engine option is enabled. This option allows the client access to connect through the IP filtering engine, to use a DHCP server local to the client to renew the client DHCP lease locally. This option is not required or available when IP filtering is not enabled, because clients can renew their leases locally.
Important: This option does not renew the DHCP lease for the IP address assigned from the network access lease pool; this applies only to the local client IP address.
Client Traffic Classifier List selection Specifies a client traffic classifier to use with this network access tunnel, for Windows clients.
Client Options > Client for Microsoft Networks Enable/disable Select this option to allow the client PC to access remote resources over a VPN connection. This option is enabled by default. This allows the VPN to work like a traditional VPN, so a user can access files and printers from the remote Microsoft network.
Client Options > File and printer sharing for Microsoft networks Enable/disable Select this option to allow remote hosts to access shared resources on the client computer over the network access connection. This allows the VPN to work in reverse, and a VPN user to share file shares and printers with remote LAN users and other VPN users.
Provide client certificate on Network Access connection when requested Enable/disable If client certificates are required to establish an SSL connection, this option must always be enabled. However, you can disable this option if the client certificates are only requested in an SSL connection. In this case, the client is configured not to send client certificates.
Reconnect to Domain > Synchronize with Active Directory policies on connection establishment Enable/disable When enabled, this option emulates the Windows logon process for a client on an Active Directory domain. Network policies are synchronized when the connection is established, or at logoff. The following items are synchronized:
  • Logon scripts are started as specified in the user profile.
  • Drives are mapped as specified in the user profile.
  • Group policies are synchronized as specified in the user profile. Group Policy logon scripts are started when the connection is established, and Group Policy logoff scripts are run when the network access connection is stopped.
Reconnect to Domain > Run logoff scripts on connection termination Enable/disable This option appears when Synchronize with Active Directory policies on connection establishment is enabled. Enable this option if you want the system to run logoff scripts, as configured on the Active Directory domain, when the connection is stopped.
Client Interface Speed Integer, bits per second Specifies the maximum speed of the client interface connection, in bits per second.
Display connection tray icon Enable/disable When enabled, balloon notifications for the network access tray icon (for example, when a connection is made) are displayed. Disable this option to prevent balloon notifications.
Client Power Management Ignore, Prevent, or Terminate Specifies how network access handles client power management settings, for example, when the user puts the system in standby, or closes the lid on a laptop.
  • Ignore - ignores the client settings for power management.
  • Prevent - prevents power management events from occurring when the client is enabled.
  • Terminate - terminates the client when a power management event occurs.
DTLS Enable/disable Specifies, when enabled, that the network access connection uses Datagram Transport Level Security (DTLS). DTLS uses UDP instead of TCP, to provides better throughput for high-demand applications like VoIP or streaming video, especially with lossy connections.
DTLS Port Port number Specifies the port number that the network access resource uses for secure UDP traffic with DTLS. The default is 4433.
Client Proxy Settings Enable/disable When selected, provides configuration settings for client proxy connections for this network access resource. This option requires the client computer to have Internet Explorer 5.0 or later installed. These options are available only when using the Advanced setting, when you select the Client proxy settings option.
Client Proxy Uses HTTP for Proxy Autoconfig Script Enable/disable Some applications, like Citrix® MetaFrame, can not use the client proxy autoconfig script when the browser attempts to use the file:// prefix to locate it. Select this option to specify that the browser uses http:// to locate the proxy autoconfig file, instead of file://.
Client Proxy Autoconfig Script URL The URL for a proxy auto-configuration script, if one is used with this connection.
Client Proxy Address IP address The IP address for the client proxy server that network access clients use to connect to the Internet.
Client Proxy Port Port number The port number of the proxy server that network access clients use to connect to the Internet.
Bypass Proxy For Local Addresses Enable/disable Select this option if you want to allow local intranet addresses to bypass the proxy server.
Client Proxy Exclusion List IP addresses, domain names, with wildcards Specifies the web addresses that do not need to be accessed through your proxy server. You can use wildcards to match domain and host names, or addresses. For example, www.*.com, 128.*, 240.8, 8., mygroup.*, *.*.

Configuring DNS and hosts for a network access resource

You must create a network access resource, or open an existing resource, before you can perform this task.
You can configure DNS and hosts to configure how a user's tunnel connection resolves addresses.
  1. On the Main tab, click Access Policy > Network Access > Network Access List. The Network Access List screen opens.
  2. Click the name to select a network access resource on the Resource List. The Network Access editing screen opens.
  3. To configure DNS and hosts settings for the network access resource, click DNS/Hosts on the menu bar.
  4. Configure DNS and Hosts settings as required.
  5. Click the Update button. Your changes are saved and the page refreshes.

Network access resource DNS and hosts settings

DNS and hosts settings specify lookup information for remote tunnel clients. This table describes and lists these settings and values.

Setting Value Description
Primary Name Server IP address Type the IP address of the DNS server that network access conveys to the remote access point.
Secondary Name Server IP address Type a second IP address for the DNS server that network access conveys to the remote access point.
Primary WINS Server IP address Type the IP address of the WINS server in order to communicate to the remote access point. This address is needed for Microsoft Networking to function properly.
Secondary WINS Server IP address Type the IP address of the WINS server to be conveyed to the remote access point. This address is needed for Microsoft Networking to function properly.
DNS Default Domain Suffix domain suffix Type a DNS suffix to send to the client. If this field is left blank, the controller will send its own DNS suffix. For example, siterequest.com.
Tip: You can specify multiple default domain suffixes separated with commas.
Register this connection's addresses in DNS check box If your DNS server has dynamic update enabled, select this check box to register the address of this connection in the DNS server. This check box is cleared by default.
Use this connection's DNS suffix in DNS registration check box If your DNS server has dynamic update enabled, select this check box to register the default domain suffix when you register the connection in the DNS server. This check box is cleared by default.
Enforce DNS search order check box When this setting is enabled, APM continuously checks the DNS order on the network interface and sets the network access-supplied entries first in the list if they change during a session. To use your local DNS settings as primary and the network access-supplied DNS settings as secondary, clear this setting. This might be useful when split tunneling is in use and a client connects remotely. This check box is selected by default.
Static Hosts host name/IP address pairs To add host and IP addresses manually to a connection-specific hosts file, type the Host Name and the IP Address for that host in the provided fields, and click Add.

Mapping drives for a network access resource

You must create a network access resource, or open an existing resource, before you can perform this task.
Use drive mappings to map network locations to drive letters on Windows®-based client systems.
  1. On the Main tab, click Access Policy > Network Access > Network Access List. The Network Access List screen opens.
  2. Click the name to select a network access resource on the Resource List. The Network Access editing screen opens.
  3. To configure the drive mappings for the network access resource, click Drive Mappings on the menu bar.
  4. Click Add to add a new drive mapping.
  5. Type the Path, select the Drive letter, and type an optional Description for the drive mapping.
  6. Click Finished. The drive mapping is added to the network access resource.

Network access resource drive mapping settings

The table lists the drive mapping settings for a network access resource.

Setting Value Description
Path A network path, for example \\networkdrive\users Specifies the path to the server network location.
Drive Drive letter, list selection Specifies the drive used. Drive is set to D: by default. Drive mapping is supported for Windows-based clients only.
Description Text An optional description of the drive mapping.

Launching applications on a network access connection

You must create a network access resource, or open an existing resource, before you can perform this task.
Use application launching to start applications on network access clients after the tunnel is established.
  1. On the Main tab, click Access Policy > Network Access > Network Access List. The Network Access List screen opens.
  2. Click the name to select a network access resource on the Resource List. The Network Access editing screen opens.
  3. To configure applications to start for clients that establish a network access connection with this resource, click Launch Applications on the menu bar.
  4. Click Add to add a new application.
  5. Type the Application Path, type any required Parameters letter, and select the Operating System.
  6. Click Finished. The application start configuration is added to the Launch Applications list, and the applications appropriate to the client operating system start when a client establishes a tunnel connection.

Network access launch applications settings

Specify launch application settings to control how applications are launched when the network access connection starts.

Setting Value Description
Display warning before launching applications Enable or disable If you enable this setting, the system displays security warnings before starting applications from network access, regardless of whether the site is considered a Trusted site. If the check box is not selected, the system displays security warnings if the site is not in the Trusted Sites list.
Application Path An application path Specifies the path to the application. You can type special application paths here:
  • reconnect_to_domain - Type this application path to specify that the client reconnects to the domain after the network access tunnel starts. Use this if, for example, the network access tunnel is established before the domain controller logon occurs.
  • /gpo_logoff_scripts - Type this in the application path field to run group policy object (GPO) logoff scripts on the client when the network access tunnel is stopped.
Parameters Text Parameters that govern the application launch.
Operating System List selection From the list, select whether the application launch configuration applies to Windows-based, Unix-based, Macintosh-based, or iOS clients.

About APM ACLs

APM® access control lists (ACLs) restrict user access to host and port combinations that are specified in access control entries (ACEs). An ACE can apply to Layer 4 (the protocol layer), Layer 7 (the application layer), or both. A Layer 4 or Layer 7 ACL is used with network access, application access, or web access connections.

Configuring an ACL

You use access control lists (ACLs) to restrict user access to host and port combinations that you specify in access control entries (ACEs).
  1. On the Main tab, click Access Policy > ACLs. The ACLs screen opens.
  2. Click Create. The New ACL screen opens.
  3. In the Name field, type a name for the access control list.
  4. From the Type list, select Static.
  5. Optional: In the Description field, add a description of the access control list.
  6. Optional: From the ACL Order list, specify the relative order in which to add the new ACL respective to other ACLs:
    • Select After to add the ACL after a specific ACL and select the ACL.
    • Select Specify and type the specific order number.
    • Select Last to add the ACL at the last position in the list.
  7. From the Match Case for Paths list, select Yes to match case for paths, or No to ignore path case. This setting specifies whether alphabetic case is considered when matching paths in an access control entry.
  8. Click the Create button. The ACL Properties screen opens.
  9. In the Access Control Entries area, click Add to add an entry. For an ACL to have an effect on traffic, you must configure at least one access control entry. The New Access Control Entry screen appears.
  10. From the Type list, select the layers to which the access control entry applies:
    • L4 (Layer 4)
    • L7 (Layer 7)
    • L4+L7 (Layer 4 and Layer 7)
  11. From the Action list, select the action for the access control entry:
    • Allow Permit the traffic.
    • Continue Skip checking against the remaining access control entries in this ACL and continue evaluation at the next ACL.
    • Discard Drop the packet silently.
    • Reject Drop the packet and send a TCP RST message on TCP flows or proper ICMP messages on UDP flows. Silently drop the packet on other protocols.
      Note: If HTTP traffic matches a Layer 4 ACL, APM sends a TCP RST message. If traffic matches a Layer 7 ACL and is denied, APM sends the ACL Deny page.
    To create a default access control list, complete this step, then skip to the last step in this procedure.
  12. In the Source IP Address field, type the source IP address. This specifies the IP address to which the access control entry applies.
  13. In the Source Mask field, type the network mask for the source IP address. This specifies the network mask for the source IP address to which the access control entry applies.
  14. For the Source Port setting, select Port or Port Range. This setting specifies whether the access control entry applies to a single port or a range of ports.
  15. In the Port field or the Start Port and End Port fields, specify the port or port ranges to which the access control entry applies. To simplify this choice, you can select from the list of common applications, to the right of the Port field, to add the typical port or ports for that protocol.
  16. In the Destination IP Address field, type the IP address to which the access control entry controls access.
  17. In the Destination Mask field, type the network mask for the destination IP address.
  18. For the Destination Ports setting, select Port or Port Range. This setting specifies whether the access control entry applies to a single port or a range of ports.
  19. In the Port field or the Start Port and End Port fields, specify the port or port ranges to which the access control entry applies. To simplify this choice, you can select from the list of common applications, to the right of the Port field, to add the typical port or ports for that protocol.
  20. From the Scheme list, select the URI scheme for the access control entry:
    • http
    • https
    • any
    The scheme any matches either HTTP or HTTPS traffic.
  21. In the Host Name field, type a host to which the access control entry applies. The Host Name field supports shell glob matching: you can use the asterisk wildcard (*) to match match zero or more characters, and the question mark wildcard (?) to match a single character. *.siterequest.com matches siterequest.com with any prefix, such as www.siterequest.com, mail.siterequest.com, finance.siterequest.com, and any others with the same pattern. n?t.siterequest.com matches the hosts net.siterequest.com and not.siterequest.com, but not neet.siterequest.com, nt.siterequrest.com, or note.siterequest.com.
  22. In the Paths field, type the path or paths to which the access control entry applies. You can separate multiple paths with spaces, for example, /news /finance. The Paths field supports shell glob matching. You can use the wildcard characters * and question mark (?) to represent multiple or single characters, respectively. You can also type a specific URI, for example, /finance/content/earnings.asp, or a specific extension, for example, *.jsp.
  23. From the Protocol list, select the protocol to which the access control entry applies.
  24. From the Log list, select the log level for this access control entry:
    • None Log nothing.
    • Packet Log the matched packet.
    When events occur at the selected log level, the server records a log message.
  25. Click Finished.
You have configured an ACL with one access control entry. (You can configure additional entries.)
To use the ACL, assign it to a session using an Advanced Resource Assign or ACL Assign action in an access policy.

Example ACE settings: reject all connections to a network

This example access control entry (ACE) rejects all connections to a specific network at 192.168.112.0/24.

Property Value Notes
Source IP Address 0.0.0.0 If you leave an IP address entry blank, the result is the same as typing the address 0.0.0.0
Source Mask 0.0.0.0
Source Ports All Ports
Destination IP address 192.168.112.0
Destination Mask 255.255.255.0
Destination Ports All Ports
Protocol All Protocols
Action Reject

Example ACE settings: allow SSH to a specific host

This example access control entry (ACE) allows SSH connections to the internal host at 192.168.112.9.

Property Value Notes
Source IP Address 0.0.0.0 If you leave an IP address entry blank, the result is the same as typing the address 0.0.0.0
Source Mask 0.0.0.0
Source Ports All Ports
Destination IP address 192.168.112.9
Destination Mask 255.255.255.0
Destination Ports 22 (or select SSH)
Protocol TCP
Action Allow

Example ACE settings: reject all connections to specific file types

This example access control entry (ACE) rejects all connections that attempt to open files with the extensions doc, exe, and txt.

Property Value Notes
Source IP Address 0.0.0.0 If you leave an IP address entry blank, the result is the same as typing the address 0.0.0.0
Source Mask 0.0.0.0
Source Ports All Ports
Destination IP address 0.0.0.0
Destination Mask 0.0.0.0
Destination Ports All Ports
Scheme http
Paths *.doc*.exe *.txt
Protocol All Protocols
Action Reject