Forum Discussion

JustCooLpOOLe's avatar
JustCooLpOOLe
Icon for Cirrocumulus rankCirrocumulus
Jan 08, 2021

SSL VPN - APM and Self-IPs

Hi, I am new to configuring SSL VPNs via APM and I have a question around the lease pools and any correlation to local and floating Self-IPs. Say I have the following:

 

Active/Standby configuration consisting of two BIG-IPs

SSL VPN via APM including a lease pool of 10.0.1.0/23

Static ACL on SSL VPN to allow access to site1.com and site2.com

 

My question: Is there a need to have a local and floating self-ip on these BIG-IP devices that exist in the address space assigned to the lease pool?

 

Thanks in advance!

  • If the IPs in the lease pool are routable, then I would say yes. If they're just locally significant (ie. only valid between the F5 and the user's client device), then I say no.

     

    There are different ways to do VPN on the F5, and using APM gives you some nice options (checking user ID vs active directory for the group they're in, adding two-factor auth like DUO, sorting users into different groups with their own access profiles, etc). Lastly, be sure your license covers the number of expected users.

     

    Hopefully this answers your question - good luck!

  • If the IPs in the lease pool are routable, then I would say yes. If they're just locally significant (ie. only valid between the F5 and the user's client device), then I say no.

     

    There are different ways to do VPN on the F5, and using APM gives you some nice options (checking user ID vs active directory for the group they're in, adding two-factor auth like DUO, sorting users into different groups with their own access profiles, etc). Lastly, be sure your license covers the number of expected users.

     

    Hopefully this answers your question - good luck!

    • JustCooLpOOLe's avatar
      JustCooLpOOLe
      Icon for Cirrocumulus rankCirrocumulus

      Thank you for the reply! Once a user lands on the VPN and given an IP from the lease pool, they will need to access resources that may not be on the F5 so that makes sense that we'll need to add Self-IPs in that address space.

       

      Thanks again!