Forum Discussion

AhmedSaied_2402's avatar
AhmedSaied_2402
Icon for Altostratus rankAltostratus
Mar 20, 2018

APM clientless inquiry

Hello

 

Can we consider network access in APM as a client connection not clientless ?!

 

Why we are giving connected users by clicking on network access IP from assigned pool ?!

 

In normal clientless VPN when user connectes termination device uses his IP to contact servers right ?

 

When I got a packet capture from backend server I found that there is no connection coming from user IP which take from pool but all connections from F5 local self IP

 

  • When you say Clientless, what do you mean?

     

    Clientless-mode refers to how the APM session is setup. When you use clientless-mode, APM doesn't send back HTTP redirects to the client and proxies the Authentication attempt - typically this is used for server-to-server type traffic flows or Bespoke client to APM authentication flows.

     

    However, the term clientless can also mean access to the APM policy via a browser rather than using the full-fat client - BIG-IP Edge Client for instance.

     

    If you are referring to the latter, then this is concerned about how the user initiates an APM session. Unless you have specific logic in your APM policy to handle these connections differently then functionality is broadly the same. In that, both client type can access APM resources - Portal, Network, RDP etc - it's just the means that the user has connected is different.

     

  • So when you use SNAT Automap in the Policy, the client will get an IP address from the DHCP range that you have configured in the Network Access settings. However, SNAT is applied to client traffic when it goes through APM and onto your network - this is normally to ensure the return path.

     

    If your routing is such that the DHCP APM range will route back to the APM then you don't need to enable SNAT. This way, when you look at the traffic you will see the source IP as being the DHCP address rather than the F5.

     

    Further reading can be found here

     

  • Hi

     

    It sounds like you have got SNAT enabled in the Network Access settings of your APM policy