Forum Discussion
Can APM provide access to a specific subnet...
I am new to APM and have been asked to provide an external vendor with connectivity to a specific internal subnet through our existing APM SSL VPN. I know how to add App tunnels and RDP access, I just cannot put my finger on how to grant access to an entire subnet. Would it be a custom ACL? Grasping at straws here. Thanks in advance for any assistance.
- AMiles_377865
Cirrocumulus
Hello Tyson,
I think creating a custom access control list attached to a full webtop seems like the perfect way to solve your problem. There's an F5 article on ACLs here that would be a good place to get started on implementing them into your existing SSL VPN set-up.
Basically, I would have the ACL limit access to a specific destination IP address range (the range being the subnet) for this external vendor. There are a couple of different ways of doing it, but the basic principle would be the same across the board. The benefit of an ACL is that it is highly customizable; you can set it up however you want.
Feel free to ask if you have any follow-up questions,
Austin
- Tyson_James
Cirrus
Thanks for the feedback. So, I have created a custom ACL and applied it to a full webtop. I have no idea what this vendor intends to do once connected (RDP or SSH into a server, something else???, etc.), so I guess my question now becomes, how do they access what they need? They are used to having a full VPN client, connecting to our network and just opening up the native Windows applications they need to use. Now, it would seem that any application access would need to be initiated through the webtop. Am I correct in this thinking? If so, how would they do that, since just opening the native Windows applications would bypass the SSL VPN and try to go out their standard Internet connection?
- youssef1
Cumulonimbus
Hi Tyson,
For your need you will have to implement a specific VPN. So if you want to restrict access to a specific VLAN, I suppose you will use split tunneling for traffic. In this case you will be able to specify only the VLAN that you want to reach through your VPN (for other traffic, it will go directly on the internet).
The second point: in order to enhance security you have to create a specific ACL in order to allow the desired network. Once you create the ACL you can add it on your VPE.
Let me know if you need more details.
Regards
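To make the interaction between split tunneling and the ACL concrete, here is an added Python model of the two stages a client-initiated connection goes through; it is not F5 code and not from any poster, and the subnet, ports and rules are constructed sample values.

```python
"""Model of how a split-tunnel network access resource and an APM-style ACL
combine for a vendor that should reach only one internal subnet.
Added illustration, not F5 code: subnet, ports and rules are constructed."""
from ipaddress import ip_address, ip_network

# Constructed example: the vendor may reach only this subnet over the VPN.
VENDOR_SUBNET = ip_network("10.20.30.0/24")

# Split-tunnel "include" space: only these destinations are routed into the tunnel.
TUNNEL_INCLUDE = [VENDOR_SUBNET]

# Ordered ACL entries, evaluated first-match: (action, dst_network, protocol, dst_port).
# None matches any value. The last entry is an explicit catch-all deny.
ACL = [
    ("allow", VENDOR_SUBNET, "tcp", 3389),          # RDP into the vendor subnet
    ("allow", VENDOR_SUBNET, "tcp", 22),            # SSH into the vendor subnet
    ("deny",  ip_network("0.0.0.0/0"), None, None),  # everything else
]

def tunnel_path(dst_ip):
    """'tunnel' if the client's split-tunnel routes send dst_ip into the VPN,
    otherwise 'direct' (traffic leaves over the user's normal internet link)."""
    ip = ip_address(dst_ip)
    return "tunnel" if any(ip in net for net in TUNNEL_INCLUDE) else "direct"

def acl_decision(dst_ip, protocol, dst_port):
    """First matching ACL entry wins; returns 'allow' or 'deny'."""
    ip = ip_address(dst_ip)
    for action, net, proto, port in ACL:
        if ip not in net:
            continue
        if proto is not None and proto != protocol:
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"  # safe default if no entry matched

def connection_outcome(dst_ip, protocol, dst_port):
    """Combine both stages as a native client application would experience them."""
    if tunnel_path(dst_ip) == "direct":
        return "direct (not through VPN, ACL not consulted)"
    return f"tunnel: {acl_decision(dst_ip, protocol, dst_port)}"

if __name__ == "__main__":
    for flow in [("10.20.30.15", "tcp", 3389), ("10.20.30.15", "tcp", 445),
                 ("10.20.40.7", "tcp", 3389), ("93.184.216.34", "tcp", 443)]:
        print(flow, "->", connection_outcome(*flow))
```

A destination outside the include space never enters the tunnel, so internal hosts outside the vendor subnet are unreachable from the client, and the ACL's catch-all deny acts as a second layer in case the include space is later widened.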