For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

bjennis_8288's avatar
bjennis_8288
Icon for Nimbostratus rankNimbostratus
Feb 08, 2010

AppTunnel not working when remote host is an IP address

Hi all!,

 

 

We use SafeBoot (McAfee Endpoint Encryption) on all our machines. This has an application installed on every client. This Application connects with the Management server. It tries to reach the server on its IP address over TCP port 5555.

 

 

So the client tries to sync to: IP_ADDRESS:5555

 

 

I have made a AppTunnel with a static tunnel.

 

See the attachment for the configuration.

 

When i logon on a client machine and try to sync while the apptunnel is running... nothing nope nada.

 

 

Searched and searched... nothing, so i thought, lets try this:

 

 

I change the IP_ADDRESS in de application on the client to the DNS host of the management server.

 

So the client tries to sync to: DNS_HOSTNAME:5555

 

And i changed the IP_ADDRESS in the F5 configuration to the DNS_HOSTNAME.

 

 

Restarted the session, i see that the F5 adjusts my hosts file.

 

And the synchronization works!

 

But this is not do-able in our company. It must sync to the IP_ADDRESS!

 

 

Why wont the apptunnel route the traffic trough the tunnel while using an IP_ADDRESS as remote host????

 

Anyone a clue?
BIG-IP Access Policy Manager (APM)
remote access
security

6 Replies

  • Mike_61719's avatar
    Mike_61719
    Icon for Cirrus rankCirrus
    Feb 08, 2010
    Well for one the Remote Host needs to be the IP address of the server.

     

     

    For instance:

     

     

    A/V Server is 172.12.24.111:5555

     

     

    You place 172.12.24.111:5555 into the Remote Host. You then pick a local host like above to be 127.97.147.40:5555. At this point you route all client traffic to 127.97.147.40:5555 and it should connect to the A/V Server.
  • Mike_61719's avatar
    Mike_61719
    Icon for Cirrus rankCirrus
    Feb 09, 2010
    Correct, maybe F5 came up with something but how does it know where to send traffic if it is set to IP_ADDRESS instead of the actual IP?

     

     

    Maybe you are using an advanced custom variable?
  • bjennis_8288's avatar
    bjennis_8288
    Icon for Nimbostratus rankNimbostratus
    Feb 09, 2010
    Yes yes but only in this example! In the real configuration the text IP_ADDRESS is an number like 192.168.0.1 for example!

     

     

    So when i made the screenshot i replaced the real IP addresses with the text IP_ADDRESS. it wouldn't work like in the example.

     

  • bjennis_8288's avatar
    bjennis_8288
    Icon for Nimbostratus rankNimbostratus
    Feb 09, 2010
    I even tried this:

     

     

    I installed a IIS webserver. The homepage shows the IIS 7 logo when i visit the server on its IP number on port 80 with Internet Explorer.

     

    I made a App Tunnel with a Static Tunnel.

     

    As remote host I filled in the IP address of the IIS webserver.

     

     

    I logon to the F5 with a client machine. Click the App Tunnel. App Tunnel runs without error and I see (the IP addresses are examples): 192.169.0.1:80 => 127.205.172.157:80

     

    I open a browser. Enter the IP address of the IIS webserver an press enter.

     

    Nope nothing nada! no traffic going trough the tunnel.

     

     

    Looks like a bug to me.

     

     

  • Mike_61719's avatar
    Mike_61719
    Icon for Cirrus rankCirrus
    Feb 09, 2010
    No, that is not a bug. You have to use the local IP port.

     

     

    So instead of the IIS server IP in the browser you put in 127.205.172.157:80