Forum Discussion

Nimbostratus

Nov 19, 2014

Cant use windows remote assistance to VPN clients

While testing several of my remote sales employees with the F5 Edge client we found that after they connect, our helpdesk team cannot use remote assistance, remote control, or RDP to the remote sales...

BIG-IP Access Policy Manager (APM)

Nimbostratus

Is it any different if you split tunnel or not? At one point I could route back if all traffic was in the tunnel but did not when split.. but then I got that to work too..

Things that seemed to have solved it: 1. No SNAT - Source Address Translation set to None on virtual server. 2. Preserve Source Port Strict set to ALL on the network stttings of the access profile (advanced). 2. Network must route the VPN pool subnet traffic back to the F5.

At one time I had also put the VPN pool subnet in the tunnel address space, but then I found it wasn't needed. It is probably implied.

I also found clients weren't resolving DNS. Well the DNS servers were internal IP's so those IP's also have to be in the split tunnel IP list in order for the queries to be routed through the VPN. Alternative would be to have the VPN use an external/public DNS/NS.

We are also using DTLS and it works well-- this is a VoIP application.

Think that was all, but it was a struggle to get it going.

Mark_129802

Nimbostratus

Jun 08, 2015

I'm just doing Full Tunnel: 1. No SNAT - Check set to none on the Virtual Server and Snat Pool none on NA Network Settings 2. Perserve Source Port Strict - Check enabled in NA Network Settings 3. Return Route - Check, route is in place pointing to the Inside vIP of the BIG-IP 3 I suspect is fine as I can initiate connections from Edge Client NA to the servers and receive traffic back. I just can initiate connections from the Network Side. If I point my return route anywhere else (vIP of Virtual Server) Both ways break. So I think the route is okay. I did a tcpdump in the tunnel and I can't even sing icmp requests when intiated from the Network Side, Client side I see the request and reply just fine. I'll have to open a case I suppose.

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

Cant use windows remote assistance to VPN clients

Recent Discussions

Problem with lets encrypt and redirect after update

where can find silverline ddos protect config guide?

iRule for client certificate verification and inserting CN

Earth Simnavaz

Should config via cli rather than gui?

Related Content

Windows edge client - Trusted Sites

Re: Welcome to the F5 BIG-IP Migration Assistant

Windows Critical RCE Vulnerability, Malicious Solana-py, and EDRKillShifter

F5 BIG-IP Access Policy Manager (APM) Machine Tunnels for Windows

iRule to assist with CVE-2022-22965 mitigation

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS