Crafting Secure Paths: The Intricacies of VPN Solutions on BIG-IP APM
Introduction
In this article we explore Virtual Private Network (VPN) solutions on F5 BIG-IP Access Policy Manager (APM). In today's digital landscape, secure connectivity is paramount, and BIG-IP APM stands at the forefront, offering a diverse array of VPN options to suit various needs. We'll delve into the different flavors of BIG-IP APM VPNs and the tight integration with other modules that enriches the overall solution. Join us as we unravel the complexities, uncover the nuances, and discover how F5 Networks empowers organizations to craft robust, tailored VPN solutions for their unique requirements.
BIG-IP APM VPN Solutions
A VPN is a means of connecting trusted sites over an untrusted medium: a user to a corporate portal, a branch to the main office, or different data centers to each other.
What makes VPN solutions unique with BIG-IP APM is not just the VPN element but the whole ecosystem within your hands: support for multiple Multi-Factor Authentication (MFA) and Single Sign-On (SSO) protocols, plus tight integration with the other BIG-IP modules. All of this gives you as a Solution Architect the flexibility to come up with solutions that suit an organization's security posture and expand well in the future for any new requirements.
IPSEC VPN
You can configure an IPsec tunnel to secure traffic that traverses a wide area network (WAN) from a BIG-IP system to a third-party device. You start by configuring an IKE peer to negotiate Phase 1 Internet Security Association and Key Management Protocol (ISAKMP) security associations for the secure channel between the two systems. You can also configure a custom traffic selector and a custom IPsec policy that use this secure channel to generate IPsec Tunnel mode (Phase 2) security associations (SAs).
IPsec is configured via BIG-IP LTM rather than APM, but I've included it here to cover the full range of VPN solutions. An interesting set of articles has already been published covering different use cases and troubleshooting items for IPsec VPN on BIG-IP:
- BIG-IP to Azure Dynamic IPsec Tunneling
- Securing ExpressRoute with the BIG-IP and IPsec
- Simple BIG-IP to BIG-IP, On-prem to Public Cloud IPsec Configuration Guide
- Understanding IPSec IKEv1 negotiation on Wireshark
- Understanding IPSec IKEv2 negotiation on Wireshark
- Passthrough IPSec with AFM
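The Phase 1 / Phase 2 split described above, as an added tmsh example that is not part of this article or the linked ones. The peer addresses, subnets, object names and the pre-shared key placeholder are assumptions; the attribute names follow the net ipsec objects in the tmsh reference and should be checked against the reference for your BIG-IP version before use.

```tmsh
# Added example (not from the article): IKEv2 tunnel-mode IPsec between a BIG-IP
# (public 203.0.113.10, inside 10.10.0.0/16) and a third-party peer
# (public 198.51.100.20, inside 10.20.0.0/16). All addresses are placeholders.

# Phase 2 parameters first: the IPsec policy defines the tunnel-mode ESP SAs.
# PFS on the child SAs means a compromised IKE SA does not expose past traffic.
create net ipsec ipsec-policy policy_partner \
    mode tunnel \
    protocol esp \
    tunnel-local-address 203.0.113.10 \
    tunnel-remote-address 198.51.100.20 \
    ike-phase2-encrypt-algorithm aes256 \
    ike-phase2-auth-algorithm sha256 \
    ike-phase2-perfect-forward-secrecy modp2048 \
    ike-phase2-lifetime 1440

# The traffic selector binds the policy to exactly the subnets that should be
# protected; keep it narrow (least privilege) rather than 0.0.0.0/0.
create net ipsec traffic-selector ts_partner \
    source-address 10.10.0.0/16 \
    destination-address 10.20.0.0/16 \
    direction both \
    ipsec-policy policy_partner

# Phase 1: the IKE peer negotiates the IKE/ISAKMP SA that protects the channel.
# IKEv2, AES-256, SHA-256 and a 2048-bit DH group avoid the weak legacy defaults
# (IKEv1, DES/3DES, MD5/SHA-1, modp1024). For IKEv2 the selector is attached
# to the peer. Prefer a long random PSK, or certificates where the peer supports them.
create net ipsec ike-peer peer_partner \
    remote-address 198.51.100.20 \
    version replace-all-with { v2 } \
    phase1-auth-method pre-shared-key \
    preshared-key "REPLACE-WITH-LONG-RANDOM-SECRET" \
    phase1-encrypt-algorithm aes256 \
    phase1-hash-algorithm sha256 \
    phase1-perfect-forward-secrecy modp2048 \
    lifetime 1440 \
    dpd-delay 30 \
    traffic-selector replace-all-with { ts_partner }

# Verification after sending interesting traffic: Phase 1 and Phase 2 SA state.
show net ipsec ike-sa
show net ipsec ipsec-sa
save sys config
```

If the peer only supports IKEv1, keep the cipher, hash and DH choices above and change only the version; the SA state commands are the first thing to check when the tunnel does not come up.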
SSL VPN
Because an SSL VPN uses standard web browsers and technologies, it gives users secure remote access to enterprise applications without requiring the installation and maintenance of separate client software on each user’s computer. Most SSL VPNs also integrate with multiple authentication mechanisms.
With the growth of the remote workforce, SSL VPNs are critical to keeping employees connected to the work applications they need—and for IT to ensure that only authorized users gain access. SSL VPNs provide a secure way for your workforce, contractors, and partners worldwide to gain access to sensitive information from virtually any computer or device. Furthermore, they give IT full, granular control over data access. SSL VPNs are becoming more common in the workplace, and the learning curve to implement and use them is minimal. Below are some of the use cases and education resources for VPN deployments via BIG-IP APM.
- Deploying a VPN on the BIG-IP APM
- Creating a SSL VPN Using F5 Full Webtop
- F5 VPN Client from Raspberry Pi
- SSL VPN Split Tunneling and Office 365
- Scaling SSL VPN using BIG-IP Local Traffic Manager (LTM)
- Rate Limiting SSL VPN User Traffic
- VPN Split Tunneling: The Benefits and Risks
- Remote Desktop Protocol (RDP) using an SSL VPN
- VPN Access with MFA using Edge Client 7.2.1 and APM 16.0
- Connect to the F5 VPN with BIG-IP Edge Client
- How to optimize SSL VPN connections when BIG-IP is reaching 100% CPU
Per-App VPN
The Per-Application (Per-App) VPN feature makes sure that specific mobile applications and their data remain secure and protected, and that only data from the application is sent to the internal network. With the Per-App VPN capabilities of BIG-IP APM, combined with a mobile device management (MDM) solution, enterprise organizations can be sure that only authenticated and authorized mobile users are able to access and send data to the organization from approved mobile applications or mobile containers.
Per-App VPN deploys using an existing MDM solution. Depending on the authentication in use, Per-App VPN can offer a seamless or relatively simple way to access internal resources. You can apply per-user bandwidth policies and ACLs to make sure that users comply with network use policies. Detailed user activity auditing is also possible with ACL logging or solutions based on iRules.
You must create the following BIG-IP components for this implementation:
- A connectivity profile
- An application tunnel profile (Java and per-App VPN)
- An MDM-enrolled mobile device
- An MDM-deployed application
- BIG-IP Edge Client 2.0.1+ for L3 and Per-App VPN
Application tunnel
An application tunnel provides secure, application-level TCP/IP connections from the client to the internal network.
Application tunnels use iSession, an F5 proprietary protocol for transport. Application tunnels can be started using native Windows binary components or with a browser-based Java applet on Windows, Mac, and Linux platforms. Per-user session-level bandwidth policy and ACLs can be applied to application tunnels.
You must create the following BIG-IP components for this implementation:
- A connectivity profile
- A full webtop
- An application tunnel resource
- An access policy that assigns a webtop and an application tunnel resource
Related content
- Configuring a Per-App VPN Using F5 App Tunnels
- Deploying a VPN on the BIG-IP APM
- Creating a SSL VPN Using F5 Full Webtop
- F5 VPN Client from Raspberry Pi
- SSL VPN Split Tunneling and Office 365
- Scaling SSL VPN using BIG-IP Local Traffic Manager (LTM)
- How to optimize SSL VPN connections when BIG-IP is reaching 100% CPU
- BIG-IP to Azure Dynamic IPsec Tunneling
- Understanding IPSec IKEv1 negotiation on Wireshark
- Understanding IPSec IKEv2 negotiation on Wireshark
- Passthrough IPSec with AFM
- K08200035: Use cases | BIG-IP APM operations guide
- Configuring IPsec in Tunnel Mode between a Remote Device and BIG-IP using Dynamic Template