Forum Discussion

AhmedSaied_2402
Mar 20, 2018

APM clientless inquiry

Hello

Can we consider Network Access in APM a client connection, not clientless?!

Why are we giving connected users an IP from the assigned pool when they click on Network Access?!

In a normal clientless VPN, when a user connects, the termination device uses its IP to contact the servers, right?

When I took a packet capture on the backend server, I found that there were no connections coming from the user IP taken from the pool; all connections came from the F5 local self IP.

  • Hi

    It sounds like you have SNAT enabled in the Network Access settings of your APM policy.

  • So when you use SNAT Automap in the policy, the client will get an IP address from the DHCP range that you have configured in the Network Access settings. However, SNAT is applied to client traffic when it goes through APM and onto your network - this is normally to ensure the return path.

    If your routing is such that the DHCP APM range will route back to the APM, then you don't need to enable SNAT. This way, when you look at the traffic, you will see the source IP as being the DHCP address rather than the F5.

    Further reading can be found here

  • When you say clientless, what do you mean?

    Clientless mode refers to how the APM session is set up. When you use clientless mode, APM doesn't send HTTP redirects back to the client and proxies the authentication attempt - typically this is used for server-to-server traffic flows or bespoke client-to-APM authentication flows.

    However, the term clientless can also mean access to the APM policy via a browser rather than using the full-fat client - BIG-IP Edge Client, for instance.

    If you are referring to the latter, then this concerns how the user initiates an APM session. Unless you have specific logic in your APM policy to handle these connections differently, the functionality is broadly the same. In that, both client types can access APM resources - Portal, Network, RDP etc. - it's just the means by which the user has connected that differs.
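To make the SNAT symptom from the question checkable, here is an added example (not code from the thread or from F5) that classifies the source addresses in tcpdump-style lines captured on the backend server: if every VPN flow arrives from the BIG-IP self IP and none from the Network Access lease pool, SNAT Automap is the likely cause. The lease pool, self IP and capture lines are constructed values assumed for the example.

```python
import ipaddress
import re
from collections import Counter

# Assumed values (constructed for this example, not from the thread):
# the APM Network Access lease pool and the BIG-IP self IP on the server VLAN.
LEASE_POOL = ipaddress.ip_network("10.200.0.0/24")
F5_SELF_IP = ipaddress.ip_address("192.168.50.2")

# Constructed tcpdump-style lines as they might appear on the backend server.
SAMPLE_CAPTURE = """\
12:00:01.000 IP 192.168.50.2.40001 > 192.168.50.10.443: Flags [S], length 0
12:00:01.100 IP 192.168.50.2.40002 > 192.168.50.10.443: Flags [S], length 0
12:00:02.000 IP 10.200.0.17.51000 > 192.168.50.10.443: Flags [S], length 0
12:00:02.500 IP 172.16.9.9.33000 > 192.168.50.10.22: Flags [S], length 0
"""

_LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def classify_source(src):
    """Label a source address by what it reveals about the APM forwarding path."""
    addr = ipaddress.ip_address(src)
    if addr == F5_SELF_IP:
        return "snat-selfip"   # SNAT Automap rewrote the source to the self IP
    if addr in LEASE_POOL:
        return "lease-pool"    # original Network Access lease address preserved
    return "other"


def summarize_capture(text):
    """Count SYNs per source category and return (counts, snat_suspected)."""
    counts = Counter()
    for line in text.splitlines():
        m = _LINE.search(line)
        if not m or "[S]" not in line:   # only count new connections (SYN)
            continue
        counts[classify_source(m.group(1))] += 1
    # All VPN flows from the self IP and none from the pool means the
    # Network Access resource is almost certainly applying SNAT.
    snat_suspected = counts["snat-selfip"] > 0 and counts["lease-pool"] == 0
    return dict(counts), snat_suspected


if __name__ == "__main__":
    counts, snat = summarize_capture(SAMPLE_CAPTURE)
    print(counts, "SNAT suspected:", snat)
```

Run it against a real capture by replacing SAMPLE_CAPTURE with the output of tcpdump on the server; a result where only the self IP appears matches the symptom described in the question.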