For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Configuring a Per-App VPN Using F5 App Tunnels

So if anyone of you has sat in a tech talk of mine, I am sure you have heard me mention the use of F5 app tunnels or split tunnel VPN's. The capability is very similar to the article I wrote about in...
Published Nov 28, 2018
Version 1.0
application delivery
BIG-IP Access Policy Manager (APM)
security
Steve_Lyons's avatar
Ret. Employee
My name is Steve Lyons and I reside in Tampa, FL with my 3 children, wife and Frenchie. We live the typical Florida life of swimming, fishing, boating, and BBQ. I started my F5 journey as a customer in 2009 where I was first introduced to it as a "load balancer." I have since deployed and maintained all modules realizing the BIG-IP is so much more. I joined F5 in 2015 where I have made it a personal mission to educate as many people as I can so they too can take advantage of the tremendous potential of the BIG-IP.
View Profile
Steve_Lyons's avatar
Ret. Employee
My name is Steve Lyons and I reside in Tampa, FL with my 3 children, wife and Frenchie. We live the typical Florida life of swimming, fishing, boating, and BBQ. I started my F5 journey as a customer in 2009 where I was first introduced to it as a "load balancer." I have since deployed and maintained all modules realizing the BIG-IP is so much more. I joined F5 in 2015 where I have made it a personal mission to educate as many people as I can so they too can take advantage of the tremendous potential of the BIG-IP.
View Profile
Steve_Lyons's avatar
Steve_Lyons
Ret. Employee
May 03, 2021

Q1:  , since the writing of this article, F5 replaced NPAPI plug-ins with F5 Helper Applications for all browsers except Internet Explorer, and then replaced ActiveX control for Internet Explorer in version 14.1.0. To my knowledge, the EPS helper app required for app tunnels does not require administrative privilege's to install.

 

AskF5 | Release Notes: F5 Helper Applications for Chrome, Firefox, and Edge Browsers for BIG-IP 13.0

 

The helper app then updates routes based on the app tunnel configuration object. This defines an app to network association which is much different than a full VPN network tunnel which you can certainly do using the Edge client but that requires administrative privilege's to install.

 

Q2: In my experience I have always used a static resource, however I do believe you can configure an IP range of resources. From a security standpoint though, I would be very cautious to not allow users access to an entire enterprise unless additional end point checks, etc. are performed. To limit the resources users can access, simply define an ACL on the app tunnel resource object.

 

Hope this helps.