So if any of you has sat in a tech talk of mine, I am sure you have heard me mention the use of F5 app tunnels or split tunnel VPNs. The capability is very similar to the one in the article I wrote on DevCentral about network access, which can be found here, though in this case we are using a split tunnel capability to allow VPN access to a single application.
When might this be useful? Well, the use cases I have seen are logical Out of Band management solutions, and cases where a user requires network access to internal resources but does not have permission to install a VPN client on their workstation.
LTM licensed and provisioned
APM licensed and provisioned
Create a Connectivity Profile
Navigate to Access >> Connectivity / VPN >> Profiles.
Profile Name*: demo_connectivity_profile
Parent Profile*: /Common/connectivity
Create a Webtop
Navigate to Access >> Webtops >> Webtop Lists.
Create an App Tunnel Object
When you create an app tunnel object, that object becomes a simple container that holds app tunnel resources. Once you have defined those resources within the app tunnel object, you can assign the object to an access policy.
Note: This is the application on the client side that will be launched when the app tunnel is selected from the webtop. I am using Chrome as an example, though real-world use cases can also include other apps such as PuTTY to access resources in an organization's DMZ over port 22.
Note: If using Host Name, ensure the hostname or FQDN is resolvable by the client that will be connecting to this resource. If you use DNS and the item does not show up on the webtop, it is because the client is unable to resolve that resource.
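A quick client-side pre-flight check for the resolution caveat above, added here as an example and not part of the original post: run on the connecting workstation, it treats literal IP items as always reachable and flags host-name items the client cannot resolve. The resource names and host names in the sample are constructed placeholders, and the resolver argument exists only so the check can be exercised offline.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Tuple

# Constructed sample app tunnel items as (resource name, host, port).
# The host names are placeholders, not values from the original post.
APP_TUNNEL_ITEMS: Tuple[Tuple[str, str, int], ...] = (
    ("demo_app_tunnel", "bigip-mgmt.example.internal", 443),
    ("dmz_ssh", "jumphost.example.internal", 22),
    ("tmui_by_ip", "10.1.10.123", 443),
)

Resolver = Callable[[str, int], object]


def resolves(host: str, port: int, resolver: Resolver = socket.getaddrinfo) -> bool:
    """Return True if the connecting client can reach this item by its configured host.

    A literal IP address needs no DNS, so it always passes. A host name passes only
    if the resolver returns an answer; any OSError (socket.gaierror on NXDOMAIN is one)
    means the item would be missing from the webtop for this client.
    """
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass  # not a literal address, fall through to DNS
    try:
        return bool(resolver(host, port))
    except OSError:
        return False


def check_items(items: Iterable[Tuple[str, str, int]],
                resolver: Resolver = socket.getaddrinfo) -> Dict[str, bool]:
    """Map each app tunnel resource name to whether it would appear on the webtop."""
    return {name: resolves(host, port, resolver) for name, host, port in items}


if __name__ == "__main__":
    for name, visible in check_items(APP_TUNNEL_ITEMS).items():
        status = "ok" if visible else "UNRESOLVABLE - will not show on the webtop"
        print(f"{name}: {status}")
```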
When redirected back to the Access Profiles page, select Edit in the same row as the access policy created in the previous step.
Between Start and Deny click +.
From the Assignment tab, select Advanced Resource Assign.
Click Add Item.
Click Add new entry.
From the App Tunnel tab, select the app tunnel created in previous steps.
From the Webtop tab, select demo_webtop.
Select Deny from the Visual Policy Editor (VPE).
Change the ending to Allow.
Click Apply Access Policy.
Create a Virtual Server and Assign Resources
Navigate to Local Traffic >> Virtual Servers.
Destination Address/Mask: 10.1.10.123
Service Port: 443
Protocol Profile (Client): f5-tcp-wan
HTTP Profile: http
SSL Profile (Client): clientssl
SSL Profile (Server): serverssl
Source Address Translation: Auto Map
Access Profile: demo_ap
Connectivity Profile: demo_connectivity_profile
Validating App Tunnel Functionality
Navigate to a browser of your choice and attempt to access the IP or hostname of the virtual server created in the previous step.
From the webtop, click demo_app_tunnel.
If prompted with a Security Alert regarding a Network Access/Application Tunnel attempt, click either the Add or Allow option.
If prompted regarding launching an application, click Yes.
In this example, Chrome is launched and navigated to the portal access resource created in the steps above.
You can also launch the F5 VPN icon in the system tray which will show the results of your tunnel.
In this how-to guide, we created a per-app VPN to the BIG-IP Traffic Management User Interface as a quick example. So as not to lose everyone, I did not include authentication or endpoint checks, as they would certainly have increased the size of this guide significantly. However, to give you an idea of what a complete solution may look like, take a look at the VPE below. Until next time!