Forum Discussion

MichaelJordan_1's avatar
MichaelJordan_1
Icon for Nimbostratus rankNimbostratus
Dec 13, 2015

Network Access without SNAT

Hi   We are using an APM policy to reach our local resources. After clients connected, we can reach their machines to help them to solve IT related issues via RDP or MSRA. Here is the my question;...
application delivery
BIG-IP Access Policy Manager (APM)
msra
network access
  • Lucas_Thompson_'s avatar
    Lucas_Thompson_
    Dec 15, 2015

    In order to get iRules to fire on traffic traversing SSLVPN, you need to use "Related iRules" configuration from the main APM virtual. You can't do this in the GUI, you have to use tmsh.

     

    like: tmsh modify ltm virtual xxxx related-rules { yyyy }

     

    where xxxx is your virtual server and yyyy is the irule name you want.

     

    This function is pretty new, and I haven't personally tested very much with it. But what happens is that the irule you've specified in "related-rules" gets automatically pushed into the special Network Access listener virtual servers. It's avilable in:

     

    • 11.4.1 hf9+
    • 12.0
    • 11.6.0 hf6+
    • 11.5.3 hf2+

    I think also that the system may need to be restarted for these changes to take effect (bigstart restart or reboot).

     

Amine_Kadimi's avatar
Amine_Kadimi
Icon for MVP rankMVP
Dec 14, 2015

Hi,

 

It can help if you can provide your clients with a VS IP instead of the real server IP. In the VS, set up SNAT and optionally a source network if you want to limit the VS to your clients' pool scope. The pool of the VS will contain the real servers.