Forum Discussion
Lucas_Thompson
Jan 29, 2024 · Employee
When you provision APM, BIG-IP adds two "hidden" virtual servers to handle the APM tunnel traffic so the admin doesn't have to explicitly set it up. To override it, the virtual server that accepts the traffic must be:
1. More specific than the hidden virtual's destination address of 0.0.0.0/0. Alternatively, you can use a source address set to the lease pool net of the VPN users. Consult that link for details.
2. The connectivity profile (TMM's virtual PPP access-concentrator interface) is selected in the VLANs selector, or the VLAN selector is set to All VLANs.
Afterwards, TMM should select this virtual for traffic ingressing from the VPN users.
If you want to direct user traffic to different internal routers, there are a lot of different ways to do it:
- you can use multiple routing virtuals with multiple connectivity profiles (some users get one, some get another).
- you can use multiple routing virtuals and give your VPN users different lease pools and use the VS's Source selector so TMM selects these different VSs for different users.
- you can use an iRule that fires on ACCESS_ACL_ALLOWED and sets nexthop to the desired router based on some APM user session data (AD groups, names, etc).
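
A sketch of the iRule option from the last bullet, added here as an example and not taken from the original post or from F5: it is attached to the routing virtual server and picks a next hop from the user's AD group membership. The group names and router addresses are constructed placeholders, and it assumes the access policy runs an AD Query so that `session.ad.last.attr.memberOf` is populated.

```tcl
when RULE_INIT {
    # Constructed mapping: AD group name fragment -> internal router.
    # Order matters: the first matching group wins.
    set static::vpn_nexthop_map {
        "CN=VPN-Engineering" 192.0.2.1
        "CN=VPN-Contractors" 192.0.2.2
    }
}

when ACCESS_ACL_ALLOWED {
    # Session data written by the access policy for this VPN user.
    set groups [ACCESS::session data get "session.ad.last.attr.memberOf"]
    set user   [ACCESS::session data get "session.logon.last.username"]

    foreach {group router} $static::vpn_nexthop_map {
        if { $groups contains $group } {
            # Send this user's traffic to the router mapped to the group.
            nexthop $router
            return
        }
    }

    # No mapped group: no next hop is set, so the virtual server's normal
    # routing applies. Logged so unmapped users show up during review.
    log local0. "VPN user $user matched no mapped group; default routing applies"
}
```

Keeping the unmatched case logged rather than silent makes it visible when a user falls outside every mapped group and ends up on the default path.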