Configuring a Per-App VPN Using F5 App Tunnels

So if anyone of you has sat in a tech talk of mine, I am sure you have heard me mention the use of F5 app tunnels or split tunnel VPN's. The capability is very similar to the article I wrote about in...
Published Nov 28, 2018
Version 1.0
application delivery
BIG-IP Access Policy Manager (APM)
security
Steve_Lyons's avatar
Steve_Lyons
Ret. Employee
May 03, 2021

Q1:  , since the writing of this article, F5 replaced NPAPI plug-ins with F5 Helper Applications for all browsers except Internet Explorer, and then replaced ActiveX control for Internet Explorer in version 14.1.0. To my knowledge, the EPS helper app required for app tunnels does not require administrative privilege's to install.

 

AskF5 | Release Notes: F5 Helper Applications for Chrome, Firefox, and Edge Browsers for BIG-IP 13.0

 

The helper app then updates routes based on the app tunnel configuration object. This defines an app to network association which is much different than a full VPN network tunnel which you can certainly do using the Edge client but that requires administrative privilege's to install.

 

Q2: In my experience I have always used a static resource, however I do believe you can configure an IP range of resources. From a security standpoint though, I would be very cautious to not allow users access to an entire enterprise unless additional end point checks, etc. are performed. To limit the resources users can access, simply define an ACL on the app tunnel resource object.

 

Hope this helps.