Creating a SSL VPN Using F5 Full Webtop
As we continue our discussions into additional use cases for your BIG-IP, I wanted to provide some details and a guide on how to implement a SSL VPN using F5.
So, what is network access? Using your F5 BIG-IP, it is a way to provide your users secure access to internal applications and data. Some of you may be familiar with F5’s Webtop to provide links to common applications, though did you know you could also use that same Webtop to implement a network access solution? On the other hand, if you wanted an always on solution or a client on a workstation you could also use F5’s edge client.
With that, let’s talk about two network access features provided by F5; full access and split tunnel VPN's. The difference between the two is pretty straight forward. The use of a full access VPN simply means you are forcing all network traffic through a single network tunnel. Whereas the split tunnel VPN is forwarding only traffic that has been defined using an application which is often times deployed using the F5 Webtop. All other traffic not destined to the network where the application resides is then routed directly to the public internet rather than the users corporate or internal network.
Now that we have gone over a few details around the F5 network access solution, let us get started deploying it. The use case we are going to complete is deploying a network access solution using the F5 Webtop.
In order to begin the deployment and configuring the Webtop, let us validate APM has been provisioned.
From the traffic management user interface, navigate to System > Resource Provisioning.
Ensure there is a check box enabling APM as shown in the screenshot below. If it is not, check the box, configure resources to be provisioned and click Submit.
Now that we have validated the provisioning of APM, lets begin the deployment!
Navigate to Access > Webtops > Webtop Lists: Create
From the drop down select Full for the type of Webtop you will be deploying, provide a name and select Finished.
Now that we have created a Webtop, we will go ahead and create a lease pool in order to provide our VPN client's an IP address once they successfully establish a VPN connection.
IN order to do this, navigate to Access > Connectivity / VPN > Network Access (VPN) > IPV4 Lease Pools: Create
Type: IP Address Range
Start IP Address: xxx.xxx.xxx.xxx
End IP Address: xxx.xxx.xxx.xxx
Once you have completed creating the lease pool, you will now create the Network Access resource.
Navigate to Access > Connectivity / VPN > Network Access (VPN) > Network Access Lists: Create
Caption: Demo VPN
After clicking finish, the page will refresh presenting you with the page below allowing you to define lease pools, primary and secondary DNS servers, drives to map upon successful connection or even applications to launch once the end user has connected.
At this point, select the Network Settings tab where we will define the lease pool for our demo VPN solution.
Using the drop down, select demo_lease pool for our IPV4 Lease Pool. Leave all additional settings in their default options and click Update.
Edited: With a recommendation from one reader of this article, I wanted include the configuration of DNS within the network resource configuration as well.
After configuring the lease pool, select the DNS/Hosts tab.
IPV4 Primary Name Server: xxx.xxx.xxx.xxx
Static Hosts: demo-dc xxx.xxx.xxx.xxx and demo-dc.demo.lab xxx.xxx.xxx.xxx
Once complete, navigate to Access > Connectivity / VPN > Connectivity > Profiles: Add
While there are many customization options within a connectivity profile, for demo purposes we will only define a profile name and parent profile.
Profile Name: demo_connectivity_profile
Parent Profile: /Common/connectivity
Next we will create our AAA server for active directory authentication. While there are numerous authentication methods provided within APM, we are going to perform AD authentication for demo purposes. If you would like to determine how to configure CAC, PIV, Radius, Tacacs+, multi factor authentication, etc. please perform a search using your favorite search engine for "CAC auth site:devcentral.f5.com" or "radius site:f5.com" to name a few examples.
Navigate to Access > Authentication > Active Directory: Create
Domain Name: demo.com
Server Connection: Direct
Domain Controller: xxx.xxx.xxx.xxx
Admin Name: administrator
Now that we have created our lease pool, network access resource, connectivity profile and AAA server, we ware now able to begin creating our access profile.
Navigate to Access > Profiles / Policies > Access Profiles (Per-Session Policies): Create
Profile Type: All
Languages: Define the language of your choice
Upon selecting Finished, you will be redirected to the list of all access policies. Locate the Access Profile Name you created in the previous step and select Edit which will then launch the APM visual policy editor (VPE).
The default VPE begins with a Start and Deny and nothing more. Between the two, select the + symbol in order to add items. We will begin by adding a logon page which is completely customization though outside the scope of this article. Select the Logon tab, select the radio button next to Logon Page and select Add Item.
You will then be presented with a customization page though accept all defaults and select Save.
Next select the + symbol between Logon Page and Deny. Once again you will be presented with a pop up window where we will select AD Auth and Add Item. Now this is a guide on how to implement remote access but I want you to take a second and look at all of the authentication methods supported natively by APM. I wasn't able to capture them all in a screenshot though I have included a link at the end of this article to view them all. Pretty cool, huh?
When you are presented by the AD Auth options, select /Common/demo_ad from the drop down and click Save.
Up to this point we have created a logon page, added an authentication method so now we must assign a resource.
Following the Successful branch, select the + symbol between AD Auth and the Deny ending. Once we add our resource we will modify the ending to allow. When the pop up appears, select the Assignment tab, click the Advanced Resource Assign radio and click Add Item.
When the Resource Assignment options appear, click Add new entry. From Expression 1, click Add/Delete.
On the following screen, select the Network Access tab, click within the box next to our VPN resource.
Click the Webtop tab, select demo_webtop and Update.
When returned to the previous screen, click Save.
Now that we have a authentication method and resources assigned we will modify our ending to allow and apply the access policy. Select Deny following Advanced Resource Assign and change the radio from Deny to Allow and click Save. Once saved, select the Apply Access Policy link in the upper left hand corner and Close.
Because the BIG-IP is a default deny device, we now need to create a method for the BIG-IP to listen and respond to client requests. To do this we will create a new virtual server.
Navigate to Local Traffic > Virtual Servers > Virtual Server List: Create
Service Port: 443
HTTP profile: http
SSL Profile (Client): clientssl
Access Profile: demo_network_access
Connectivity Profile: demo_connectivity_profile
For demo purposes, we will use default settings unless otherwise defined.
Now that we have deployed all of the necessary resources to establish a VPN connection to our internal network, lets test the configuration.
Log into your development workstation and attempt to connect to the virtual server we configured whether it be by IP or host name if a DNS record has been configured.
Note: If using the following browser versions, NPAPI plugin support has been discontinued. For these browsers, functionality that was previously installed with NPAPI plugins is now handled by helper applications, which are installed on the user's machine, and handled with protocol handlers. We install an Endpoint Check application and a Network Access application. These clients can be downloaded from the APM administration console and can be distributed for download by users, installed by group policy, or installed by device management solutions.
- Chrome 45 or later
- Firefox 52 or later
- Safari 10 or later
- Edge browsers
Once you have authenticated to the F5 Webtop, select the Network Access resource that we created in previous steps.
Now, if you have never used the VPN or other F5 solutions you will be required to install an Active X Controller to allow the VPN to function.
After the successful installation of the controller, you should see the pop up screen which shows the tunnel initializing, connecting, finalizing and then connected!
You have now successfully deployed an SSL VPN solution with something you potentially already have in your data center! I hope this was useful everyone out there reading and I look forward to writing the next article. Please feel free to provide feedback whether positive or negative.